You need a Risk Register because

It is a cornerstone of any risk management and insurance programme. 

Only about 20% of business risk is insurable and even that level is declining year-on-year as insurers become more restrictive about coverage available.

That clearly puts the onus back on you to "manage" the 80% of risks that commercial insurers do not readily cover.  A few examples are listed in the red box here.

[Image: List of Insurance Exclusions]

Creating a register or log of your most significant exposures is the simplest and most practical approach to identifying, analysing and managing risks.

It provides a tried and trusted way for you to spot potential threats, take steps to mitigate them and prepare contingency plans that will minimise their impact.

It provides resilience in a nutshell:

Developing a KeyRisks Register provides "an essential understanding of risks that threaten the ability to grow and prosper".

The standard format allows decision makers to:

  1. visualise their risk landscape 

  2. keep track of identified risks, mitigation plans, changes to existing risks, response and recovery plans

  3. demonstrate regulatory compliance

  4. continuously monitor risk management activity

  5. communicate risk management information up and down all levels

This is what goes into a KeyRisks Register:

  1. Risk category 

  2. Risk description

  3. Root cause / risk trigger

  4. Impact rating

  5. Likelihood

  6. Quantified outcome

  7. Risk level

  8. Mitigation actions

  9. Cost of action

  10. Next review date

Our risk categorisation (taxonomy) helps simplify data entry:

  1. External

  2. Legislative, Litigation, Regulatory and Conduct Risks

  3. Loss / Damage to Tangible Assets
    (e.g. physical property which you own or are responsible for in your care, custody or control)

  4. Loss / Damage to Intangible Assets
    (e.g. information)

  5. Loss of Earnings from Business Interruption

  6. Technology / Cyber Risks
    (own & third party risks)

  7. People / Employment Risks


It should be noted that there are gaps, duplication and ambiguities in any classification method.

Our approach keeps in mind that different types of business threats, such as financial and operational risks, may be both internal and external and affect assets, earnings and/or liabilities.

External risks, such as interest rate fluctuations, new regulations, natural events and increased competition, are those where there is little or no means of prevention, only mitigation! 

[Image: KeyRisks Risk Register master view]

Identifying risk causes

The triggers that cause the incident to occur are largely evaluated through scenario modelling and data analysis.


Costing risk outcomes

An evaluation of your maximum possible loss (MPL) over a specified timescale:

  • quantifies, as far as possible, your financial exposure to identified risks, potential risks and residual risks

  • matches the probability and financial severity of a worst case scenario against your risk appetite*

Note: *Your risk appetite is the defined level of financial and/or reputational exposure your Board is prepared to accept.

Managing priority levels

Risk response is dictated by the probability and severity of impact.

[Image: Managing Priority Levels]

Risk control resources are allocated by ranking the identified risks in order of their impact and probability assessment.

[Image: Risk Matrix]

Mitigation actions are chosen in response to each threat and risk assessment.


Costing Risk Response Activity

Calculating the cost of your mitigation actions against the cost of the risk if it materialised:

  • Costing the probability and outcome of an identified key risk is essential for risk mitigation decision making and budgeting

  • All risk mitigation actions cost money, upfront and backend, so which ones are most worthy?

The formula to help work this out is:


Note: mitigating risks upfront usually lowers the costs of risks over time.

To develop an up-to-date record of your risk information

The relationship between risk and awareness is brought together in a KeyRisks Register.

It delivers a big impact at relatively little cost by helping you to:

  • identify and categorise the most harmful risks you face

  • seek to understand their causes and triggers

  • quantify consequences and outcomes

  • evaluate and select mitigation and control options

  • prioritise and implement risk treatments

  • guide actions, monitor & communicate

[Image: What a Risk Register does]