One term you’ll hear while standing around the water cooler with a bunch of risk management professionals (don’t we all?) is risk register. The basic definition is simple: A repository of all risks that could impact a project, a legal entity or an entire enterprise.
But when you get beyond the basic definition, you’ll find plenty of variation in the details. To gain a better understanding of what a risk register is, why it exists and what information it should contain, I interviewed Evan Stos, a Governance, Risk and Compliance (GRC) consultant who has helped more than 60 Fortune 500 companies gain control of audit, risk, compliance and information security processes. Here are a few insights from our conversation:
Q: What’s the purpose of a risk register?
A: A risk register allows you to see all of your potential risks in one place, to prioritize those risks and assign ownership, and to respond to them in some way. Risks pop up all over the organization, and if you don’t have a mechanism to capture and track them, you’ll never have a clear picture of risk (and potential business consequences) from a management perspective.
Q: When you talk about risk ownership, what does that look like?
A: Every risk needs an owner, and it’s usually 2-3 layers deep. First, you have the actual “risk owner,” who is typically an executive who’s responsible for managing and controlling identified risks. This is the big-picture person. Then you have a “risk manager” or “risk delegate” who is responsible for keeping tabs on the risk. That’s the detail person.
Risk owners and managers are not typically your Chief Risk Officer or VP of Risk Management (though for global, company-wide risks, they can be). In most cases, the owners and managers are out in the lines of business, deeply involved in the projects and processes where risks arise. By contrast, the CRO or VP of Risk Management is responsible for leading enterprise-wide identification, analysis and response to risks.
Q: When logging a risk in the risk register, who’s involved and what info should you capture?
A: In an ideal world, anyone in the organization could establish a risk, which would then go into a review process to determine its validity. But in reality, it’s typically the Enterprise Risk Management (ERM) Office that’s interfacing with different areas of the business to draw out information and capture it in the risk register.