Every organization should ask itself seven questions about the health of its risk management program.
- Do you have a risk management plan?
- Have you identified and captured your risks in a risk register?
- How have you evaluated and prioritized your risks?
- Have you engaged the appropriate stakeholders in the risk identification and evaluation processes?
- What about risk owners? Does each risk have a designated risk owner?
- Have the risk owners developed risk response plans for the highest risks?
- Are you facilitating a review of your risks periodically, resulting in updates to the risk register and effective risk responses?
At the heart of this program sits the Risk Register, which brings together information about risks to inform those exposed to risks and those who have responsibility for their management. A risk register is used to record and track information about individual risks and how they are being controlled. It can be used to communicate information about risks to stakeholders and highlight particularly important risks. While it can be used at any level of the organization where there are a large number of risks, controls and treatments that need to be tracked, a risk register really shines as a central component of a quality management review. The risk register includes:
- List of risks, failure modes or hazards and expected outcomes
- A statement about the probability of consequences occurring
- Sources or causes of the risk
- Priority or risk levels
- What is currently being done to control the risk
- Risk owner
- Actual outcome, if and when available
Risks are generally listed individually as separate events but interdependencies should be flagged.
In recording information about risks, the distinction between risks (the potential effects of what might happen) and risk sources (how or why it might happen) and controls that might fail should be explicit. It can also be useful to indicate the early warning signs that an event might be about to occur.
Many risk registers also include some rating of the significance of a risk, an indication of whether a risk is considered to be acceptable or tolerable, or whether further treatment is needed and the reasons for this decision. Where a significance rating is applied to a risk based on consequences and their likelihood, this should take account of the possibility that controls will fail. A level of risk should not be allocated for the failure of a control as if it were an independent risk.
A risk register is used as the basis for tracking implementation of proposed treatments, so it should contain information about treatments and how they will be implemented, or make reference to other documents or databases with this information. (Such information can include risk owners, actions, action owners, action business case summaries, budgets, timelines, etc.) This living document can usually roll up into (or even serve as) the Quality Plan.
Strengths of risk registers include the following.
- Information about risks is brought together in a form where actions required can be identified and tracked.
- Information about different risks is presented in a comparable format, which can be used to indicate priorities and is relatively easy to interrogate.
- The construction of a risk register usually involves many people and raises general awareness of the need to manage risk.
In doing so, the risk register serves as a central underpinning for the organization as it builds a risk culture, driving transparency and accountability.
Pay attention to the following limitations:
- Risks captured in risk registers are typically based on events, which can make it difficult to accurately characterize some forms of risk.
- The apparent ease of use can give misplaced confidence in the information, because it can be difficult to describe risks consistently, and sources of risk, risks, and weaknesses in controls are often confused.
- There are many different ways to describe a risk and any priority allocated will depend on the way the risk is described and the level of disaggregation of the issue.
- Considerable effort is required to keep a risk register up to date (for example, all proposed treatments should be listed as current controls once they are implemented, new risks should be continually added and those that no longer exist removed).
- Risks are typically captured in risk registers individually. This can make it difficult to consolidate information to develop an overall treatment program.