Risk Management

by Peter Parkes

Starting a risk register

(Lord) give me the means to change the risks I can, the grace to accept the ones I cannot, and tools to know the difference.

Peter Parkes

A risk register captures the stages of the risk management process and helps us to view our overall risks, the ones we need to prioritise, and the status of any progress in mitigating them.

Many corporate risk registers can become very complex when supported by an in-house expert. They are often built with proprietary risk management software, but the basics are the same.

A basic risk register, in MS Excel format so that it can be used straight away and easily maintained, is included here.

To add value, an effective risk register needs, at the very minimum, the following fields (which are built up and refined over time):

  1. A unique identifier or reference so that we can track each risk
  2. A description of each risk, so that we have a common understanding (often lost after the original workshop)
  3. A best guess at the root cause or initiating event that might trigger the problem (there may be several)
  4. A description of what the consequences of the risk may be
  5. An estimate of the likelihood that an event occurs which precipitates the risk
  6. An estimate of what the consequences might be if the event happens
  7. A column for risk severity, usually a multiplication of the probability and the impact
  8. Some agreed actions, even if this is ‘do nothing’, with a responsible person ascribed to doing the action
  9. A column to capture and monitor progress during reviews in order to confirm that we are on top of our risks.

More complex risk registers will attempt to show probability or impact post mitigation, that is, assuming the actions are complete, to confirm that the actions in hand are sufficient.

Many people use colour in all types of management report to indicate where management attention is needed. These are usually referred to as traffic light reports or RAG (Red Amber Green) reports. In this context, actions that are on track would be coded green, while those which are behind would be coded red. Red is also often used to flag high risk severity (the product of impact and likelihood).
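The minimum fields listed above, severity as the product of probability and impact, the post-mitigation estimate, and the RAG coding, brought together as an added worked example in Python. This is not the book's spreadsheet or any tool the author describes: the 1 to 5 scoring scale, the RAG thresholds, and the sample risks are this example's own assumptions and constructed data.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed for this example (the text only says severity = probability x impact):
# a 1..5 scale for likelihood and impact, and RAG bands on the 1..25 product.
SCALE_MIN, SCALE_MAX = 1, 5
RED_FROM = 15
AMBER_FROM = 8


@dataclass
class Risk:
    """One row of the register: the minimum fields listed in the text."""
    ref: str                      # 1. unique identifier
    description: str              # 2. common understanding of the risk
    causes: list[str]             # 3. root causes / initiating events (may be several)
    consequence: str              # 4. what happens if the risk materialises
    likelihood: int               # 5. estimated probability of the initiating event
    impact: int                   # 6. estimated consequence if it happens
    action: str = "do nothing"    # 8. agreed action (even 'do nothing')
    owner: str = ""               # 8. person responsible for the action
    progress: str = ""            # 9. status recorded at reviews
    # Optional post-mitigation estimates, as in the more complex registers described.
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so severity stays comparable across rows.
        for name in ("likelihood", "impact", "residual_likelihood", "residual_impact"):
            value = getattr(self, name)
            if value is not None and not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.ref}: {name}={value} not in {SCALE_MIN}..{SCALE_MAX}")

    @property
    def severity(self) -> int:
        # 7. severity = probability x impact
        return self.likelihood * self.impact

    @property
    def residual_severity(self) -> int:
        """Severity assuming the agreed actions are complete (falls back to the raw scores)."""
        lik = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        imp = self.residual_impact if self.residual_impact is not None else self.impact
        return lik * imp


def rag(severity: int) -> str:
    """RAG band for a severity score (thresholds are this example's assumption)."""
    if severity >= RED_FROM:
        return "Red"
    if severity >= AMBER_FROM:
        return "Amber"
    return "Green"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest severity first; ties broken by reference so the order is stable."""
    return sorted(register, key=lambda r: (-r.severity, r.ref))


def actions_insufficient(register: list[Risk]) -> list[str]:
    """Refs whose post-mitigation severity is still Red: the actions in hand are not enough."""
    return [r.ref for r in register if rag(r.residual_severity) == "Red"]


def validate(register: list[Risk]) -> list[str]:
    """Register-level checks: refs must be unique and every action needs an owner."""
    problems = []
    seen = set()
    for r in register:
        if r.ref in seen:
            problems.append(f"duplicate reference {r.ref}")
        seen.add(r.ref)
        if not r.owner:
            problems.append(f"{r.ref}: action '{r.action}' has no responsible person")
    return problems


# Constructed sample register for a hypothetical project (not taken from the text).
SAMPLE_REGISTER = [
    Risk("R-001", "Supplier misses delivery of test hardware", ["single supplier", "long lead time"],
         "Integration testing slips by a month", likelihood=4, impact=5,
         action="Qualify a second supplier", owner="A. Buyer", progress="RFQ issued",
         residual_likelihood=2, residual_impact=5),
    Risk("R-002", "Key developer leaves mid-project", ["competitive job market"],
         "Loss of design knowledge", likelihood=3, impact=3,
         action="Pair programming and design notes", owner="B. Lead", progress="on track"),
    Risk("R-003", "Data centre power outage during migration", ["ageing UPS"],
         "Migration rolled back, service unavailable", likelihood=5, impact=4,
         action="Service UPS before cut-over", owner="C. Ops", progress="behind",
         residual_likelihood=4, residual_impact=4),
    Risk("R-004", "Office refurbishment noise disrupts workshops", ["building works"],
         "Workshops rescheduled", likelihood=1, impact=2),  # 'do nothing', no owner yet
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.ref} severity={r.severity:>2} {rag(r.severity):<5} "
              f"residual={r.residual_severity:>2} {rag(r.residual_severity):<5} {r.progress}")
    print("actions insufficient:", actions_insufficient(SAMPLE_REGISTER))
    print("problems:", validate(SAMPLE_REGISTER))
```

Running it prints the register ranked by severity with both the raw and residual RAG bands, then lists R-003, whose planned action still leaves it Red, and flags R-004 as having no responsible person. Those two checks are the review-time questions the text raises: are the actions in hand sufficient, and is someone ascribed to each one.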

The process of developing the risk register, ideally using a risk workshop, is described in the page on Organising a risk workshop.