A Risk Register is a Risk Management tool commonly used in Project Management and organizational risk assessments. It acts as a central repository for all risks identified by the project or organization and, for each risk, includes information such as risk probability, impact, counter-measures, and risk owner and so on. It can sometimes be referred to as a Risk Log.
A wide range of suggested contents for a risk register exist and recommendations are made by the Project Management Institute Body of Knowledge (PMBOK) and PRINCE2 among others. In addition many companies provide software tools that act as risk registers.
Typically a risk register contains:
- A description of the risk
- The impact of the event
- The probability of its occurrence
- Risk Score (the multiplication of Probability and Impact)
- A summary of the planned response
- A summary of the mitigation
The risks are often ranked by Risk Score so as to highlight the highest priority risks to all involved.Although risk registers are commonly used tools not only in projects and programs but also in Banks / corporate companies. Risk registers often lead to formalized decision-making, illusion of control, and fallacy of misplaced concreteness: mistaking the map for the territory. However, if used with common sense, risk registers are a useful tool to stimu late cross-functional debate and cooperation.
The risk appetite for each activity needs to be determined. The risk appetite of the Bank/Branch/Division defines its preparedness to accept and manage risk on any given activity. The concept recognizes that risk elements arising from proposed or actual developments may fall into one of three categories.
- Risk elements which are deemed to have a low risk and do not need to be managed
- Risk elements that have a MODERATE or high risk and will need to be managed
- Risk elements which have an extreme risk and therefore the activity should probably not proceed.
The Risk Register records details of all the risks identified for the activity of the Branches and Corporate office divisions. Risks associated with activities and strategies are identified and then graded in terms of probability of occurring and seriousness of impact.
Risk registers should identify:
- A description of each risk and its potential consequences (operational and strategic);
- Factors that may impact upon the probability and consequence of the risk;
- An assessed risk grade – low, moderate, high or extreme;
- Whether the risk grade is acceptable;
- Actions and controls that currently exist to mitigate risks;
- Early warning factors and upward reporting thresholds.
Risk registers should be maintained for all contract activities. It is expected that the contract owner will engage in risk assessment as part of the business development process and highlight emerging risk areas.
Steps to complete the register:
- Identify potential risks.
- Identify the consequences to the activity if the risk were to materialize
- Identify the likelihood and probability that the risk would result in adverse consequences.
- For those risks that have been ranked as low, moderate, high and extreme, address with mitigating actions: Low: Existing security measures to be continued.
Moderate: Mitigation actions to reduce the probability and seriousness should be identified and appropriate actions to be endorsed at a Divisional level.
High: If uncontrolled, a risk event at this level may have a significant impact on the operations of a cost center or the bank as a whole. Mitigating actions need to be very reliable and should be approved and monitored by the contract owner with reporting to the responsible CEO and managing director. Even with mitigating actions in place, the executor (contract signatory) should be advised of identified or potential risks which have been graded at this level.
Extreme: Activities and projects with unmitigated risks at this level should be avoided or terminated. Mitigation actions of these types of risks may outweigh the benefits of the activity to the Bank. This is because risk events graded at this level have the potential to have significant adverse effects to the Bank.
- Identify if there are any controls currently in place to mitigate those risk
- If not, develop and document Risk mitigation actions. These could include:
• Planned actions to reduce the probability -a negative risk will occur and/or reduce the seriousness should it occur (What should you do now?)
• Contingency actions-planned actions to reduce the immediate seriousness of a negative risk when it does occur. (What should you do when?)
• Recovery actions-planned actions taken once a negative risk has occurred to allow you to move on. (What should you do after?)
• Risk Transfer (e.g. through assignment of contractual responsibilities or insurance.
• Actions necessary to ensure the realization of opportunities (positive risks)
When an organization has identified that it has a potential risk, it will either perform a risk assessment in house, or hire an independent company to carry out an assessment. There are many elements to a risk assessment that depend on the type of risk assessment required, but there is a process to be followed when carrying out an assessment. This article will identify the most common steps that would be followed in performing a risk assessment.
Performing a Risk Assessment
When a risk assessment is performed, it will require that the process is suitable for the organization. Large companies may have different requirements than smaller companies and have the time and money to perform an in depth evaluation. Smaller companies may need any evaluation to be performed quickly and as cheaply as possible. Whatever the size and depth of the assessment the process should commence with the creation of a scope and plan. It should consider the overall objectives, responsibilities, timing, and final deliverable.
Identify the Objectives
Before the assessment can begin in earnest, the overall objectives should be clearly defined and agreed upon. If the objectives are unclear or incorrect, the assessment will be flawed and invalid. When the exact objectives are identified then the assessment will be able to identify the risks correctly.
After the objectives and scope of the assessment has been defined it is important to understand how these fit in with the organization’s overall strategy and how much risk the organization is willing to assume in achieving the objectives. An organization may be willing to take more risks in winning business than in ensuring it is complying with state and federal regulations.
Identifying Risk Events
Based on the objectives of the organization, the assessment will identify any events or risks that could affect the company’s business. These can be potential incidents that may occur inside or external to the organization that can have a positive or negative effect. External influences can include economic, social, political, technological, and environmental events that could be a risk for the organization.
Events that could be risk that are internal to an organization can include internal processes, people, technology, and data security. An assessment can review business plans and budgets, prior risk assessments, financial performance, past and pending litigation, annual reports, as well as internal policies and procedures.
When the risks are identified, they should be divided into opportunities, which offer a positive outcome or risks, which are deemed as negative. The negative risks should then be further assessed.
Risk tolerance is the organizations acceptable level of risk that it is willing to bear in order to achieve a specific objective. The assessment should identify the level of risk tolerance and limits that an organization wishes. In some instances, an organization may be unwilling to take much of a risk on their supply chain, and will therefore require that a risk assessment identify all possible risks and how they can be avoided. It may take more of a risk on the evaluation of vendors and be satisfied with events that show a greater level of risk. An organization may, however, put a limit on the amount of risk it is willing to accept.
Assessing the Impact of a Risk The risk assessment will identify each risk and it should determine the likelihood of the risk occurring and the significance of the risks impact on the organizations objectives. When the evaluation of each risk is complete, the assessment should show the potential of each risk, high, medium or low, and how they relate to each other. The organization should be able to see which are, the most significant risks at the current time, although this will change in the future.
Step 1: Determine the probability as to whether the risk would actually occur and give it a score
The risk assessment will identify the risks for an organization and the next step is for an organization to decide how it wants to respond to these risks. Depending on the risk tolerance of the organization, it may want to avoid some risks all together or use some kind of risk strategy such as risk reduction, risk retention, or transfer the risk.
Step 1: Determine the probability as to whether the risk would actually occur and give it a score
Risks can be covered or avoided with some basic business savvy and common sense. The followings are just a few areas to check into and protect the Bank against.
- Assume the potential for fraud. Do your “due diligence” no matter what. Don’t succumb to the ease of accepting information someone else provides. Build a team of experts and resources to provide objective, independent verification of facts.
- Verify all documents, facts and figures. Look at the potential consequences if a particular document were not correct, real or legitimate.
- Suspect, verify or reject existing appraisals or appraisals ordered by anyone but yourself.
- Rely only on current values and verify the legal documents and recording through title reports.
Risk Assessment-Ranking Tool
This document should be used as a tool to assess and rank the sources of identified risk and potential consequences.
For each identified risk perform the following steps:
The results of this assessment should be documented as part of the Risk Register. Risks identified low, moderate, high or extreme require documented mitigating actions as part of completing the Risk Register.
Assessed Rating Bands
Minimal Risk – Rating of 1 or 2 Low Risk – Rating of 3 or 4 Even if the risk is low, there may be things that can still be done to bring the risk rating back down to minimal.
Moderate Risk –
Rating of 6, 8, 9 or 10 If the Rating Action Band is greater than 3 or 4 then we should review our existing safety/control measures and add whatever additional control measures may be necessary to bring the risk back to a low or minimal risk. If we identify any hazard which, after applying any applicable control measures, is still rated as moderate, then it needs to be brought to the management’s notice for safety measures.
High Risk –
Rating of 12, 15 or 16 Under no circumstances operations should be continued that have a high risk rating without informing to the higher authority with a view to re-examining the hazard, the system of work in operation, the training and protection of our employees and the information to be provided to them.
Extreme Risk –
Rating of 20 or 25 Not acceptable. It is likely to threaten the survival or continued effective functioning of the program or the organization, either financially or politically. Immediate action is required here and it must be managed by senior management with a detailed treatment plan reported to the Board.
Risk is an uncertain event or condition that, if it occurs, has an effect on at least one objective.The probability or threat of quantifiable damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.
The solution is to assign the mitigation plan to an unwanted/uncertain event. Traditional risk management frameworks include identification, evaluation and prioritization followed by eliminating ambiguities, minimizing the possibility and impact of adverse events along with monitoring and controlling them. The entire area of risk management is an extensive subject.