How to build your risk register
As a GRC consultant I’m asked quite frequently, ‘what should I put on my risk register?’. As a risk is anything that can affect your business, it’s understandable that compiling a risk register can be difficult to get your head around.
Here I provide an overview to start you thinking about how to structure your risk register, and the controls you could implement to mitigate the risks on it:
Core Risk Data
Firstly, let’s start with what to capture. The minimum set of data you should record about a risk is:
- A reference name/number that is unique across the business. As you grow the register and different teams get involved it’s important to know whether you are talking about the same risk or similar risks.
- A name and description. This should clearly explain what the risk is, and can extend to categories etc.
- An owner. All risks should be owned by an individual who is responsible for the risk. This can become more complicated by adding in particular business areas, delegated persons etc., but there should always be a named individual as the owner.
- A risk score. Some way of measuring risks against one another.
- An overview of remediation (or not). Whether you are doing something or not, you should explain what your plans are. See Risk 101 for working out what to do.
Where to start
Anything can be a risk, but you should focus on the things that affect your business. These will broadly fall into the following high-level categories.
- Strategic – This allows you to look at external risks, which may affect your organisation such as changes in the environment in which you operate. It also lets you look at setting organisational objectives and ensuring you set the right ones and then meet them.
- Operational – These are risks related to the creation or delivery of your products and services.
- Financial – Anything related to cash flow, credit or liquidity falls into the Financial category.
- People – Risks related to staff.
- Regulatory – The risk of any external regulation impacting your business, either through changing regulations or by falling foul of those that already exist.
- Governance – Anything that relates to the management of the organisation.
- Information Technology – This could be considered operational risk, but it specifically relates to IT; things like data breaches and cyber attacks are becoming more commonplace.
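The core risk data above and the category list can be turned into a small register model that enforces the rules as risks are added: a reference that is unique across the business, one of the seven categories, a named owner, a score, and a stated remediation plan. This is an added illustration, not code from the original post; it assumes a 1-5 likelihood and 1-5 impact scale with the score as their product, which the post leaves open.

```python
from __future__ import annotations
from dataclasses import dataclass

# The seven high-level categories from the post.
CATEGORIES = {"Strategic", "Operational", "Financial", "People",
              "Regulatory", "Governance", "Information Technology"}


@dataclass
class Risk:
    ref: str          # unique across the business
    name: str         # the risk event, not its cause or its impact
    description: str
    category: str
    owner: str        # a named individual, not a team
    likelihood: int   # 1..5 (assumed scale, not from the post)
    impact: int       # 1..5 (assumed scale, not from the post)
    remediation: str  # what you plan to do, even if that is "accept"

    @property
    def score(self) -> int:
        # Assumed scoring: likelihood x impact, so risks can be compared.
        return self.likelihood * self.impact


class RiskRegister:
    def __init__(self) -> None:
        self._risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        """Reject entries that miss the minimum data set before they are stored."""
        if risk.ref in self._risks:
            raise ValueError(f"duplicate reference {risk.ref!r}")
        if risk.category not in CATEGORIES:
            raise ValueError(f"unknown category {risk.category!r}")
        if not risk.owner.strip():
            raise ValueError(f"{risk.ref}: every risk needs a named owner")
        if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
            raise ValueError(f"{risk.ref}: likelihood and impact must be 1..5")
        if not risk.remediation.strip():
            raise ValueError(f"{risk.ref}: state the remediation plan (or 'accept')")
        self._risks[risk.ref] = risk

    def possible_duplicates(self, name: str) -> list[str]:
        """Refs whose name contains every word of `name` (case-insensitive), so a
        second team can check whether a 'new' risk is already on the register."""
        words = set(name.lower().split())
        return [r.ref for r in self._risks.values()
                if words <= set(r.name.lower().split())]

    def ranked(self) -> list[tuple[str, int]]:
        """(ref, score) pairs, highest score first, for prioritising remediation."""
        return sorted(((r.ref, r.score) for r in self._risks.values()),
                      key=lambda pair: pair[1], reverse=True)
```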
When identifying a risk you should always ensure your focus is on the event of the risk. By this I mean not the cause or the impact but the event itself.
For example, extreme weather is the risk, flooding is one possible cause, and being unable to access the building is one of the impacts.
Here are a few risks to get you started.
- Lack of staff / Lack of skilled resource – Whether caused by a massive pandemic or rock-bottom staff morale, having no one to help run your organisation is a very real risk.
- Cyber risk – This could be someone changing your website or breaching your database.
- Excessive / Changing Regulation – 5p for shopping bags is an example of this risk occurring.
- Conduct, Fraud and Corruption – Could be separated out depending on the size of the organisation. This concentrates on the fallible nature of humans when there is an incentive.
- Loss of customers/cancelled orders – For a variety of reasons but a risk that must be managed.
- Supply chain – This is a very broad topic but includes changes to costs, instability, and potential fourth parties within your supply chain.
- Rapid technological changes – Technology changes how your customers interact with you and how you interact with them. A failure to keep up can make you obsolete.
With hundreds of potential risks across your organisation, creating a risk register is a difficult and labour-intensive task. If you need some help, or have any questions, please contact me.