Why should organisations invest time and effort into developing, maintaining and utilising risk registers?

Using a risk register to capture, organise, manage and utilise risk information is commonly perceived as a component of strong governance.

For example, the Financial Reporting Council establishes a number of requirements [1] for risk management that a risk register will help to deliver, including the following:

A company's systems of risk management and internal control will include: risk assessment; management or mitigation of risks, including the use of control processes; information and communication systems; and processes for monitoring and reviewing their continuing effectiveness.

The board should define the processes to be adopted for its on-going monitoring and review, including specifying the requirements, scope and frequency for reporting and assurance.

A risk register is far more than simply a way of achieving compliance with governance standards. Effective risk registers can also be a strategic and operational tool capable of adding significant value to your organisation.

Why should your organisation have a risk register in place?

We set out five clear reasons explaining how your organisation will benefit from a risk register:

1. Bring structure to chaotic data

The organisation-wide view of risk pursued by Enterprise Risk Management (ERM) involves dealing with a huge variety of diverse data, including multiple risk events, their causes, classifications, impacts, severity scores and the required responses to effectively manage these risks. In an unstructured format, this data is susceptible to chaos. Consider receiving 50 emails, each containing slightly different information - some meticulously researched, others subjective or opinion-based, some clear and concise, others brief and inconclusive. Trying to organise and leverage such data would be immensely challenging. Similarly, managing organisation-wide risk without a consistent structure can feel just as overwhelming. A risk register provides a structured framework for capturing data in a clear and consistent manner. Organisations have the flexibility to define the specific information they want to capture, how it is organised and presented, and who can access it. This structured approach brings simplicity. Instead of facing the daunting question, "What are our risks?", stakeholders can use the risk register to logically and sequentially capture data. This streamlined process allows for a seamless transition from data capture to analysis within a single document.

2. Drive focus on priority issues

Organisations face limitations on their resources, both in terms of budgetary constraints and the capacity of employees to execute tasks. Effective risk management should prioritise the issues that present the greatest threat to an organisation's strategic objectives. However, without a risk register, this can be quite challenging. The multitude and diversity of risks can be a barrier to effective prioritisation, and human factors must not be overlooked. Individuals may be inclined to downplay risks due to apprehension about drawing attention to them, while multiple risk owners competing for resources may be tempted to overstate a risk. A well-designed risk register, supported by a clear and consistent risk framework, can drive attention to the issues that demand priority within an organisation. A risk register can provide easy access to defined and objective criteria for scoring risks, enabling stakeholders to document and justify their assessments of the risk, while also facilitating filtering and sorting to enhance the visibility of priority issues.

3. Escalate and delegate to save time and headspace

Management structures serve a purpose and should be leveraged as integral components of an effective ERM approach. It is unrealistic to expect any single individual or committee to have the capacity to oversee every risk confronting a modern organisation. Whilst those responsible for governance maintain ultimate accountability for risk management systems, the day-to-day management of risk should be delivered throughout an organisation. The FRC states: "It is the role of management to implement and take day-to-day responsibility for board policies on risk management and internal control. But the board needs to satisfy itself that management has understood the risks, implemented and monitored appropriate policies and controls, and are providing the board with timely information so that it can discharge its own responsibilities." [2] Risk registers play a crucial role in achieving this goal and streamlining the escalation and delegation process. By incorporating escalation and delegation pathways based on the severity of a risk, risk registers ensure that ownership of the risk is appropriately assigned up the governance or management chain. Automation within a risk register enables consistency and reduces the likelihood of manual errors or process non-compliance.

4. Monitor without micro-managing

Put yourself in the shoes of a technical specialist who has identified a risk within your area of expertise. While it is a concern, it is not immediately critical and you have a plan to address it. However, before you can implement your solution, control is taken away by a committee that lacks understanding of your work. Instead, you are assigned a set of actions that are far more complex than necessary. How would you feel? Likely frustrated and disengaged.


A well-designed risk register can eliminate the need for micromanagement, which can disengage employees who were initially supportive of the risk management approach. Employees like the technical specialist mentioned can be assigned as the risk owner and tasked with updating risk records within the register at specified intervals, while adhering to the described escalation pathways in case the situation deteriorates. Senior management gains visibility into the information contained within the risk register, allowing them to confirm that everything is under control without needing to intervene unless they have concerns.


5. Empower employees to take reasonable risks

Last, but certainly not least, is the consideration of when risk becomes necessary and valuable. A risk register serves as a powerful tool for communicating to employees: "These are the risks we acknowledge exist, and as long as they remain stable, we accept them". It may even enable an organisation to assert: "We have the capacity to assume additional risk in this area - what are our available options?". This can be achieved by integrating concepts like risk appetite, risk tolerance or target risk scoring into a risk register. Automation can streamline this process, providing immediate feedback to employees scoring the risk on whether further action is necessary and how well the risk aligns with the established tolerance levels.

Designing, developing or enhancing a risk register

There is no one-size-fits-all risk register. Every organisation must consider the data it aims to capture, the logistics of maintaining an up-to-date register, how to use its outputs effectively, and the format for presenting risk information. Clear, concise and consistent data enables robust reporting.

A risk register can significantly enhance your organisation's ability to meet expected governance standards but, when appropriately designed, it can also achieve this in an engaging and empowering way.

Footnotes

1. https://media.frc.org.uk/documents/Guidance_on_Risk_Management_Internal_Control_and_Related_Financial_and_Business_Reporting_September.pdf

2. https://media.frc.org.uk/documents/Guidance_on_Risk_Management_Internal_Control_and_Related_Financial_and_Business_Reporting_September.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.