How to Build Your Gamble Annals

Developing a Risk Register with a GRC Proficient

Adventure Management is a business office with abundant insider terminology. Simply as astrophysicists talk of quasars and gravitational waves and financial planners opine almost acquittal and turnover rates, gamble management professionals speak fluently almost velocity, persistence, inherent and remainder risk, heat maps and more. For the "uninitiated," the jargon can be boundless.

One term y'all'll hear while standing effectually the h2o libation with a bunch of take chances management professionals (don't we all?) is hazard register . Only, what is a risk register? The basic definition is unproblematic: A repository of all risks that could affect a project, a legal entity or an entire enterprise.

But when you get beyond the basic definition, you'll find enough of variation in the details. To gain a better understanding of what a take chances register is, why it exists and what data information technology should comprise, I interviewed Evan Stos, a Governance, Risk and Compliance (GRC) consultant who has helped more than 60 Fortune 500 companies gain command of audit, take a chance, compliance and information security processes. Here are a few insights from our conversation:

Q: What'due south the purpose of a chance register?

A: A risk register allows y'all to meet all of your potential risks in ane identify, to prioritize those risks and assign ownership, and to answer to them in some mode. Risks pop up all over the organization, and if you lot don't have a machinery to capture and track them, you'll never have a clear picture show of risk (and potential business consequences) from a management perspective.

Q: When you lot talk about take a chance ownership, what does that look like?

A: Every chance needs an owner, and it'southward ordinarily 2-3 layers deep. First, y'all have the actual "adventure owner," who is typically an executive who's responsible for managing and controlling identified risks. This is the large-motion picture person. And then yous accept a "take a chance manager" or "risk delegate" who is responsible for keeping tabs on the risk. That'south the detail person.

Risk owners and managers are not typically your Chief Risk Officer or VP of Hazard Management (though for global, company-wide risks, they can be). In most cases, the owners and managers are out in the lines of business concern, deeply involved in the projects and processes where risks arise. By contrast, the CRO or VP of Risk Management is responsible for leading enterprise-broad identification, analysis and response to risks.

Q: When logging a hazard in the risk register, who'southward involved and what info should you capture?

A: In an ideal world, anyone in the organization could found a risk, which would then go into a review procedure to determine its validity. Just in reality, it'due south typically the Enterprise Risk Management (ERM) Office that'due south interfacing with different areas of the business to depict out data and capture it in the adventure register.

When logging a chance you demand:

  • A title and description with sufficient detail to understand what the risk is and how information technology could impact the organization

  • An assigned risk possessor and manager/delegate who will exist responsible for monitoring and responding to the risk

  • The run a risk category: strategic, financial, reputational, operational, It, compliance, etc.

  • The likelihood that the run a risk could occur and the potential impact the risk could have on the organization (typically measured on a five×five scale…more than on this below)

  • What causes (or could crusade) the risk to occur, which is not always known

  • How y'all're going to reply to the take chances, which is also called "risk treatment" (i.e., mitigate, accept, transfer or avoid)

Additionally, yous may have:

  • Related objectives, processes and avails

  • Run a risk metrics (key performance indicators and central risk indicators)

  • Incidents of gamble occurrence (if any)

Q: In one case you have a risk in the risk annals, how do you mensurate and monitor it?

A: If yous're just setting upwards a risk annals, you don't always have metrics to quantify risk. Your evaluation may be qualitative in nature. But over fourth dimension, you can brainstorm to gather metrics data and become more precise about risk likelihood and touch on. For instance, you lot might be better able to project the financial impact of a take a chance once yous have a few months or years' worth of metrics to analyze.

When information technology comes to reporting on take a chance, a common format is a take a chance rut map, which is typically a five×5 scale with touch on on the X-axis and likelihood on the Y-axis. This allows you to plot risks and quickly place those that crave prioritized attention.

In many cases, organizations volition plot inherent and residual adventure on separate heat maps. Inherent risk is "untreated." In other words, no response actions have yet been taken. Residual run a risk is what remains after some response, such as mitigating controls, gamble transfer (i.e., purchasing insurance), etc.

Inherent & Residual Risk Heat Maps for Enterprise Risk Management in Onspring

Q: In one case you have a risk register in place, what does the review process look like?

A:The industry standard is to review risks quarterly, merely that can exist pretty onerous. More often, reviews are performed annually. If you lot take some sort of process management technology in place for your chance register, yous tin automatically notify gamble owners on a set schedule that they need to come in and have some other look at the hazard information. They need to adjure that they've looked at it and note whatever material changes. This is all captured in the risk register.

Executive management will also want to periodically review the organization's risk landscape, with emphasis on the most meaning risks. This reporting shows upper management where the organization may have problems and what's beingness done to address them.

Accurate reporting from the risk register enables management to make informed decisions. Without a current, accurate risk register, direction is non operating from a place of confidence. That's why a risk register with clearly divers risk ownership is and then crucial. It takes an investment of fourth dimension and resources to go along a risk register up to appointment, but I've never seen a state of affairs where it wasn't worth the endeavor.

Best Reports for Risk Management from Onspring

Explore the top reports that chief risk officers use daily for managing enterprise risk.

Download the reports >

So there you accept information technology: the adventure register, demystified. Thank you to Evan Stos for sharing his expertise!

If you're struggling to maintain an accurate and comprehensive risk annals for your organisation, we'd honey to assistance. Explore our Take a chance Management solution, and delight let united states of america know if you'd like to take a closer await.

About the writer

Evan Stos Vice President Customer Experience Onspring GRC Software

Evan Stos
Vice President at Onspring
15 years GRC experience