How to Build Your Risk Register
Q&A with GRC Consultant Evan Stos
By Sarah Nord
Risk Management is a business function with abundant insider terminology. Just as astrophysicists talk of quasars and gravitational waves and financial planners opine about amortization and turnover rates, risk management professionals speak fluently about velocity, persistence, inherent and residual risk, heat maps and more. For the “uninitiated,” the jargon can be dizzying.
One term you’ll hear while standing around the water cooler with a bunch of risk management professionals (don’t we all?) is risk register. The basic definition is simple: A repository of all risks that could impact a project, a legal entity or an entire enterprise.
But when you get beyond the basic definition, you’ll find plenty of variation in the details. To gain a better understand of what a risk register is, why it exists and what information it should contain, I interviewed Evan Stos, a Governance, Risk and Compliance (GRC) consultant who has helped more than 60 Fortune 500 companies gain control of audit, risk, compliance and information security processes. Here are a few insights from our conversation:
Q. What’s the purpose of a risk register?
A. A risk register allows you to see all of your potential risks in one place, to prioritize those risks and assign ownership, and to respond to them in some way. Risks pop up all over the organization, and if you don’t have a mechanism to capture and track them, you’ll never have a clear picture of risk (and potential business consequences) from a management perspective.
Q. When you talk about risk ownership, what does that look like?
A. Every risk needs an owner, and it’s usually 2-3 layers deep. First, you have the actual “risk owner,” who is typically an executive who’s responsible for managing and controlling identified risks. This is the big-picture person. Then you have a “risk manager” or “risk delegate” who is responsible for keeping tabs on the risk. That’s the detail person.
Risk owners and managers are not typically your Chief Risk Officer or VP of Risk Management (though for global, company-wide risks, they can be). In most cases, the owners and managers are out in the lines of business, deeply involved in the projects and processes where risks arise. By contrast, the CRO or VP of Risk Management is responsible for leading enterprise-wide identification, analysis and response to risks.
Q. When logging a risk in the risk register, who’s involved and what info should you capture?
A. In an ideal world, anyone in the organization could establish a risk, which would then go into a review process to determine its validity. But in reality, it’s typically the Enterprise Risk Management (ERM) Office that’s interfacing with different areas of the business to draw out information and capture it in the risk register.
When logging a risk, you need:
- A title and description with sufficient detail to understand what the risk is and how it could impact the organization
- An assigned risk owner and manager/delegate who will be responsible for monitoring and responding to the risk
- The risk category: strategic, financial, reputational, operational, IT, compliance, etc.
- The likelihood that the risk could occur and the potential impact the risk could have on the organization (typically measured on a 5×5 scale…more on this below)
- What causes (or could cause) the risk to occur, which is not always known
- How you’re going to respond to the risk, which is also called “risk treatment” (i.e., mitigate, accept, transfer or avoid) (See “Understanding Risk: Just Like Learning to Ride a Bike” for more details on risk response.)
Additionally, you may have:
- Related objectives, processes and assets
- Supporting controls
- Related risk assessments
- Risk metrics (key performance indicators and key risk indicators)
- Related mitigation plans
- Incidents of risk occurrence (if any)
Q. Once you have a risk in the risk register, how do you measure and monitor it?
A. If you’re just setting up a risk register, you don’t always have metrics to quantify risk. Your evaluation may be qualitative in nature. But over time, you can begin to gather metrics data and get more precise about risk likelihood and impact. For example, you might be better able to project the financial impact of a risk once you have a few months or years worth of metrics to analyze.
When it comes to reporting on risk, a common format is a risk heat map, which is typically a 5×5 scale with impact on the X axis and likelihood on the Y axis. This allows you to plot risks and quickly identify those that require prioritized attention.
In many cases, organizations will plot inherent and residual risk on separate heat maps. Inherent risk is “untreated.” In other words, no response actions have yet been taken. Residual risk is what remains after some response, such as mitigating controls, risk transfer (i.e., purchasing insurance), etc.
Q. Once you have a risk register in place, what does the review process look like?
A. The industry standard is to review risks quarterly, but that can be pretty onerous. More often, reviews are performed annually. If you have some sort of process management technology in place for your risk register, you can automatically notify risk owners on a set schedule that they need to come in and take another look at the risk information. They need to attest that they’ve looked at it and note any material changes. This is all captured in the risk register.
Executive management will also want to periodically review the organization’s risk landscape, with emphasis on the most significant risks. This reporting shows upper management where the organization may have problems and what’s being done to address them.
Accurate reporting from the risk register enables management to make informed decisions. Without a current, accurate risk register, management is not operating from a place of confidence. That’s why a risk register with clearly defined risk ownership is so crucial. It takes an investment of time and resources to keep a risk register up to date, but I’ve never seen a situation where it wasn’t worth the effort.
So there you have it: the risk register, demystified. Thanks to Evan Stos for sharing his expertise!
If you’re struggling to maintain an accurate and comprehensive risk register for your organization, we’d love to help. Explore our Risk Management solution, and please let us know if you’d like to take a closer look.