Creating a Risk Register + [Free Risk Register Template]
Published: January 29th, 2021
Author: Matthew Quinn
Categories: Risk Management
Creating a risk register is often the first step many organizations take in their risk management journey. At Apomatix, we believe managing risk is critically important. No matter the size of your organisation, you will face a variety of risks.
Identifying and tracking these risks will help keep your organisation safe. Understanding your risks will also allow you to take more informed decisions, aware of any potential risks & their potential impact.
A risk register (sometimes called a risk log) is an essential weapon in any risk manager’s arsenal. It serves as a record of all your risks and risk-related information (e.g. action plans, risk owner, etc.), allowing you to track your risks over the course of their life cycle (i.e. from risk identification through to monitoring and review).
But knowing what information to record can be challenging.
This is something Apomatix’s Head of Operations Matthew Quinn experienced personally in his previous role:
“I went from a purely commercial role to managing my company’s ISO 27001 certification. While the whole experience was a learning curve, the topic I found most demanding was risk management.
It was an organisational (e.g. getting the project team to meet deadlines) and conceptual (e.g. inherent risks vs residual risks, understanding the impact on the project) challenge.
Creating a risk register and then implementing risk management processes will be difficult. However, it is ultimately a worthwhile activity, as the benefits are numerous.”
1) Getting Started & Creating a Risk Register
When creating a risk register, the first thing you need to decide is what information to record/include.
We covered the basics in our article “What is a Risk Register“. If you are new to risk management it makes sense to check that out first. It provides an overview of what a risk register can help an organisation achieve.
It is worth noting that not all risk registers are the same. Depending on the topic, you may see some variation in the information/fields included in a given register.
For example, information security risk registers will often list the (information) assets that are at risk. This is known as an Asset Risk Register. It’s more common in the information security field because of the types of risk such organisations face (e.g. threats to: computers, laptops and phones).
However, there are several fields you should always include in your risk register to ensure your risks are accurately appraised. These are:
- A risk description
- The source of the risk
- The impact of the risk if it took place, rated on a numeric scale (often 1-5)
- The likelihood of the risk taking place, rated on a numeric scale (often 1-5)
- An overall Risk Rating or Score, created by combining (multiplying or adding) the impact and likelihood
- The decision you took with regards to the risk. Is your organisation going to ‘fix’ or treat the risk that has been identified? Did you accept the risk, i.e. decide that no action was necessary?
- If you chose to treat the risk, a description of your mitigation plan (a contingency plan). This should include when the mitigation will be implemented and which team members will be responsible.
- A reassessment date: all risks should be regularly reviewed/reassessed (e.g. every six months). They should also be reviewed whenever a (relevant) significant change is proposed or occurs.
- Risk categories, a way to group similar risks together (e.g. Financial Risks, Compliance Risks, etc.)
- A risk owner, i.e. the person responsible for managing the risk
This is by no means an exhaustive list. Depending on the ‘field’ (e.g. project risk management, information security risk management, financial risk management, etc) you may need to include additional information.
The important thing is that you record what is relevant to your organisation.
2) Recording your Risks
Once you have decided what information you are going to record in your risk register you can start assessing your risks!
There are a number of best practice guides you can refer to, particularly if you are looking for a fully fledged risk management methodology.
ISO 31000 is one of the best known methodologies. Indeed, Apomatix’s own Risk Manager can accommodate this methodology.
3) An Example
However, for those new to risk management, such methodologies may seem a little overwhelming!
But do not worry, the basic idea behind them is relatively simple.
Firstly, you need to identify the risks you face. Make sure not to fall into the trap of thinking too broadly or too narrowly. You are trying to identify all relevant risks.
Once you have identified a risk, you should record it in your risk register. The description should be clear, easy to understand and comprehensive.
You should also identify (and record) the source of the risk and any consequences.
At this point it also makes sense to categorise the risk (e.g. Laptops) and assign a risk owner.
A: The risk of the Chief Executive’s Laptop being stolen.
B: There are third party contractors in the office.
C: Loss of important company documents.
In this case: A is a description of the risk, B is the source of the risk and C is the consequence.
Next you want to assess the level of risk you face. This is commonly broken up into two parts: (i) likelihood and (ii) impact. In other words, how likely is it that the risk highlighted will take place? And if it did, how significant would the impact be?
These two scores (often on a 1 (low) to 5 (high) scale) are then combined (multiplied, added together) to provide an overall risk score.
Returning to our example, how likely is it that the CEO’s laptop will be stolen?
As there are contractors in the office, we may want to say that it is quite likely, perhaps a score of 3. And the impact? As it’s the CEO’s laptop, the impact would be significant – a score of 5 seems fitting.
To calculate the overall risk score, we multiply Likelihood and Impact: 3 × 5 = 15.
Now you need to decide what to do about the level of risk you face. In our example, the overall level of risk is moderate (15/25). While the level of risk faced is not catastrophic, it would certainly disrupt day to day operations.
In this case, treating (or fixing) the risk is the most reasonable decision.
An obvious mitigation would be to keep the laptop under lock and key. This would prevent third parties in the office from stealing it.
This mitigation should be recorded and a due date assigned.
Once the mitigation has been implemented, the risk should be reassessed.
In our example, the mitigation we chose did not reduce the impact. If the CEO’s Laptop is stolen, those important company documents would still be lost. However, locking up the Laptop would reduce the likelihood of it being taken.
Therefore, when assessing the risk again, we would want to say that the risk is no longer as likely to occur, so a score of 1 is fair. The Impact remains unchanged at 5.
That means that the new overall risk score is 1 × 5 = 5, significantly lower than before!
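To show how the fields from section 1 and the scoring walkthrough above fit together, here is a small Python risk register that records the CEO laptop example, scores it, applies the mitigation and reassesses it. This is an added example and not Apomatix’s code or template; the rating bands, the six-month review interval, the owner name and the dates are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

SCALE = range(1, 6)                    # 1 (low) to 5 (high) for likelihood and impact
REVIEW_INTERVAL = timedelta(days=182)  # roughly six months, the article's example cadence


def rating(score: int) -> str:
    """Band an overall score. The bands are an assumption: the article only calls 15/25 'moderate'."""
    if score <= 5:
        return "low"
    if score <= 15:
        return "moderate"
    return "high"


@dataclass
class Risk:
    description: str
    source: str
    consequence: str
    category: str
    owner: str
    likelihood: int
    impact: int
    assessed_on: date
    decision: str = "undecided"          # "treat" or "accept"
    mitigation: Optional[str] = None
    mitigation_due: Optional[date] = None
    reassess_on: Optional[date] = None
    # Every assessment as (date, likelihood, impact, note), so the inherent
    # score is still on record once the residual score replaces it.
    history: List[Tuple[date, int, int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self._check_scale(self.likelihood, self.impact)
        if self.reassess_on is None:
            self.reassess_on = self.assessed_on + REVIEW_INTERVAL
        self.history.append((self.assessed_on, self.likelihood, self.impact, "initial assessment"))

    @staticmethod
    def _check_scale(likelihood: int, impact: int) -> None:
        # Reject scores outside the agreed scale before they reach the register
        for name, value in (("likelihood", likelihood), ("impact", impact)):
            if value not in SCALE:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        # The article's method: multiply likelihood by impact
        return self.likelihood * self.impact

    @property
    def inherent_score(self) -> int:
        _, likelihood, impact, _ = self.history[0]
        return likelihood * impact

    def treat(self, mitigation: str, due: date) -> None:
        self.decision = "treat"
        self.mitigation = mitigation
        self.mitigation_due = due
        # Reassess when the mitigation lands, not only at the routine cadence
        self.reassess_on = min(self.reassess_on, due)

    def accept(self) -> None:
        self.decision = "accept"

    def reassess(self, likelihood: int, impact: int, on: date, note: str = "") -> None:
        self._check_scale(likelihood, impact)
        self.likelihood, self.impact = likelihood, impact
        self.history.append((on, likelihood, impact, note))
        self.reassess_on = on + REVIEW_INTERVAL


def overdue_reviews(register: List[Risk], today: date) -> List[Risk]:
    """Risks whose reassessment date has passed: the 'regularly reviewed' check."""
    return [r for r in register if r.reassess_on is not None and r.reassess_on < today]


def build_example_register() -> List[Risk]:
    # The article's worked example; owner and date are constructed for the illustration
    laptop = Risk(
        description="The risk of the Chief Executive's laptop being stolen",
        source="There are third party contractors in the office",
        consequence="Loss of important company documents",
        category="Laptops",
        owner="Head of Operations",
        likelihood=3,
        impact=5,
        assessed_on=date(2021, 1, 29),
    )
    return [laptop]


def run_example() -> dict:
    laptop = build_example_register()[0]
    before = laptop.score
    laptop.treat("Keep the laptop under lock and key", due=date(2021, 3, 1))
    # Mitigation implemented: likelihood drops to 1, impact stays at 5
    laptop.reassess(likelihood=1, impact=5, on=date(2021, 3, 1), note="laptop now locked away")
    return {
        "inherent": before,
        "residual": laptop.score,
        "inherent_on_record": laptop.inherent_score,
        "rating_before": rating(before),
        "rating_after": rating(laptop.score),
        "next_review": laptop.reassess_on.isoformat(),
    }


if __name__ == "__main__":
    print(run_example())
```

Keeping the full assessment history is the point of the `history` field: once the residual score of 5 is recorded, the inherent score of 15 is still available for the next review, and `overdue_reviews` gives the risk owner the list of entries that have slipped past their reassessment date.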
4) Creating a Risk Register – Summary
Creating a risk register can seem like a difficult task. And some of the ‘theory’ behind it may, at first, appear very complicated.
But the basic idea is a relatively straightforward one. The key to a good risk register lies in the information you capture. If you include the right fields, then you are on the path to becoming a more risk-informed organisation.
For those looking for help getting started, please feel free to download our Risk Register Template. This is a topic neutral template and can be adapted to serve a number of different use cases (e.g. project risk register template, quality risk register template, etc).