You might have resolved to tidy up some processes and press the “reset” button on your risk register in the new year. Whether you’ve started a new position, want to improve your company’s operations or just overhaul your existing register, the basic foundations are out there.
Demonstrating their altruistic nature, many RIMS members have been offering their insight to those seeking suggestions – even going so far as to send their Excel sheet registers. Here are some criteria for your X and Y axes, culled from the OPIS network and existing resources on Risk Knowledge. While they are by no means an exhaustive list, they can act as building blocks for your new template or register.
- Exposure. Define the imminent or possible risk event. Examples could be a data breach or earthquake.
- Risk Category. Itemize by who or what was affected by the exposure. Employees, property, locations, and systems are some examples. If the exposure was public-facing, be sure to include your customers and shareholders.
- Cause of Loss. In addition to simply entering the risk origin, also detail whether it was on the radar or completely unforeseen. You might choose to add a subcategory (or row) if necessary to document the specifics.
- Consequences (Primary and secondary). While many exposures impact the bottom line, the consequences might also include damage to systems and infrastructure, and absences. There are other consequences that are tougher to quantify, such as reputation and employee morale. Subcategories for secondary (and tertiary, and possibly beyond) consequences might be necessary.
- Target Risk Level. Driven by each company’s risk appetite level, the target risk level should be the mitigated level. “For example, risk appetite for strategic can be 4 (out of 5), operations 3 and safety 2,” wrote one member on an OPIS thread. “Therefore, any risk should be mitigated to the acceptable risk appetite level within each risk category – hence, a safety risk of 4 needs to be mitigated to a 2 level.”
- Expected Losses and Gains. Assign a value to the projected outcome. There is certainly a downside risk to natural disasters, particularly where injuries, casualties, and property damage are concerned. But not all risks will be negative; selecting a new cybersecurity system, for example, may have costs but also estimated savings.
- Assignee. Just because you are the risk manager does not mean you are responsible for solving all the problems or having all the answers to each risk. A data breach would typically be assigned to the IT leader. However, depending on the size and structure of your organization, you might be the de facto authority on certain exposures, such as emergency preparedness and natural disasters. In those cases, enter your own name and get ready to act.
As stated earlier, these qualities are just starting points as you build your register – you should customize it to your organization and personal preferences.
When reflecting upon the makings of the risk register, one member said that the most critical issue was not the format, but rather “the dialogue that surrounds the register,” adding that “the discovery and discussions were what made that part of the ERM activity useful. Of course, having a nice means of communicating it makes it easier to focus the dialogue.”
RIMS also offers suggestions for ERM programs. Visit the OPIS network to get feedback from members and Risk Knowledge for resources such as the ERM Starter Risk Log Template.
Thanks Justin for the 7 qualities of an impactful risk register. It would be more powerful if we could consider “action status” tracking and make it 8 qualities in total. All the time, I found that without monitoring action status, the other 7 qualities wouldn’t achieve what we expected.
5. Target Risk Level is important. Over the years, as my organization’s risk maturity has increased, we have moved away from trying to assess “Raw Risk” due to the fact that one is always considering the current mitigating factors. The Risk Register now includes a “Current Risk Rating” and a “Future Risk Rating”. A new or emerging risk would then be reviewed, documenting the impacts and likelihood, which we believe would reflect as close to a raw rating as ever; then we would identify the actions required.
Where is the caveat that risk registers are based on flawed math, you can’t multiply or add likelihood and consequence to derive risk levels, subject to continuities biases and will likely lead to ineffective mitigations and bad management decisions?