KeyRisks Risk Register
you need a Risk Register because
It is a cornerstone of any risk management and insurance programme.
Only about 20% of business risk is insurable and even that level is declining year-on-year as insurers become more restrictive about coverage available.
That clearly puts the onus back on you to "manage" the 80% of risks that commercial insurers do not readily cover. A few examples are listed in the red box here.
Creating a register or log of your most significant exposures is the simplest and most practical approach to identifying, analysing and managing risks.
It provides a tried and trusted way for you to spot potential threats, take steps to mitigate them and prepare contingency plans that will minimise their impact.
it provides resilience in a nutshell:
Developing a KeyRisks Register provides “an essential understanding of risks that threaten the ability to grow and prosper”
The standard format allows decision makers to
- visualise their risk landscape
- keep track of identified risks, mitigation plans, changes to existing risks, response and recovery plans
- demonstrate regulatory compliance
- continuously monitor risk management activity
- communicate risk management information up and down all levels
this is what goes into a KeyRisks Register
- Risk category
- Risk description
- Root cause / risk trigger
- Impact rating
- Likelihood
- Quantified outcome
- Risk level
- Mitigation actions
- Cost of action
- Next review date
Our risk categorisation (taxonomy) helps simplify data entry:
- External
- Legislative, Litigation, Regulatory and Conduct Risks
- Loss/Damage to Tangible Assets (e.g. physical property which you own or are responsible for in your care, custody or control)
- Loss/Damage to Intangible Assets (e.g. information)
- Loss of Earnings from Business Interruption (supply/disruption/outages)
- Technology/Cyber Risks (own & third party risks)
- People/Employment Risks
It should be noted that there are gaps, duplication and ambiguities in any classification method.
Our approach keeps in mind that different types of business threats, such as financial and operational risks, may be both internal and external and affect assets, earnings and/or liabilities.
External risks, such as interest rate fluctuations, new regulations, natural events and increased competition, are those where there is little or no means of prevention, only mitigation!
Identifying risk causes
The triggers that cause the incident to occur, which are largely evaluated through scenario modelling and data analysis
Costing risk outcomes
An evaluation of your maximum possible loss (MPL) over a specified timescale
- quantifies, as far as possible, your financial exposure to identified risks, potential risks and residual risks
- matches the probability and financial severity of a worst case scenario against your risk appetite*

Note: *Your risk appetite is the defined level of financial and/or reputational exposure your Board is prepared to accept
Managing priority levels
Risk response dictated by probability and severity of impact
Allocating risk control resources through ranking the order of identified risks based on their impact and probability assessment
Choosing mitigation actions in response to each threat and risk assessment
Costing Risk Response Activity
Calculating the cost of your mitigation actions against the cost of the Risk if it materialised
- Costing the probability and outcome of an identified key risk is essential for risk mitigation decision making and budgeting
- All risk mitigation actions cost money, upfront and backend, so which ones are most worthy?
The formula to help work this out is:
Note: mitigating risks upfront usually lowers the costs of risks over time
to develop an up-to-date record of your risk information
The relationship between risk and awareness is brought together in a KeyRisks Register.
Delivering a big impact at relatively little cost by helping you to:
- identify and categorise the most harmful risks you face
- seek to understand their causes and triggers
- quantify consequences and outcomes
- evaluate and select mitigation and control options
- prioritise and implement risk treatments
- guide actions, monitor & communicate