What is a Risk Register? [Inc Free Risk Log Template]
Published: February 15th, 2021
Author: Matthew Quinn
Categories: Risk Management
Managing risk is an essential part of doing business – but how can a risk register (or risk log) help? All organisations, whatever their focus, will be exposed to some risk. Risks occur, it is impossible to avoid them all. As the pandemic has shown, many material factors will lie outside of your control.
But that is not a reason to give up on risk management. While it is not possible to be 100% risk free, you can certainly reduce the level of risk your organisation faces. Doing so can have a significant (and positive) impact in a variety of different areas.
An effective risk management approach can help you fulfill your regulatory compliance obligations. It can help you avoid customer complaints. And it can help with general project planning.
But it can also provide you with a competitive advantage. When you fully understand the potential risks you face (post risk identification), you can choose to take a calculated risk. Fully aware of, and reconciled to, the potential impact.
This is where a risk register (or risk log) can come in useful. In simple terms, a risk register is tool you can use as a store of all your risks. It is where your formally record the risks you face, and additional information about each one.
Risk registers come in a variety of shapes and sizes. Many organisations will use a risk register template and then adapt it for their needs. These are often word documents or spreadsheets.
However, for those looking for something with more functionality, there are also software solutions that provide an ‘online’ register (Apomatix’s Risk Manager is one such solution!)
In addition to the standard fields you will see included in most templates, software solutions will offer deeper functionality. Perhaps the best example of this would be reporting capabilities. All software solutions will have such as standard. These can help you make more informed decisions, often reducing time and money spent.
What’s the point of a risk register/risk log?
As mentioned above, an organisation’s risk register should be a record of its risks. It should record all identified risks so organisational leaders can understand the level of risk currently faced. In turn, this information can be used to stay on top of those same risks, helping avoid any nasty consequences!
Your risk register will also have a role to play in identify potential risks. It can be used to help understand what those risks are and how significant they may be (risk analysis).
For organisations of all types, therefore, a risk register is very much ‘a should have’. It is difficult to guard against a threat you are ignorant of. Ideally, your register (or registers, if necessary) should cover the entire scope of your organisation.
It is also worth noting that there are certain cases in which risk registers are required. For example, if your organisation is ISO certified (e.g. ISO 9001, ISO 14001, ISO 27001, etc) you are required to document your risks.
Though ISO 31000 (Risk Management Guidelines) does not use the term “risk register”, in practice, many organisations use a risk register to satisfy the risk requirements of the ISO standards.
Depending on your industry, you may also find that your clients requires a “project risk register”, to record any risks in your project. As such, risk registers can be a vital project management tool, keeping the project team abreast of anything that could derail the matter at hand. (Note, Risk is one of Seven Themes of the project management methodology PRINCE2. With a risk register being one of the management products.)
What’s included in a risk register/risk log?
What’s included in a risk register will vary from organisation to organisation. However, there are a number of fields that should be included to ensure the register is effective.
-A risk description (this should be clearly written and easy to understand)
-The source of the risk
-Potential consequences if the risk was realized.
-The impact of the risk if it took place, rated on a numeric scale (often 1-5)
-The likelihood of the risk if it took place, rated on a numeric scale (often 1-5).
-An overall Risk Rating or Score, created by combining (multiplying or adding) the impact and likelihood. This can be used to rank the risks from High to Medium to Low.
-The decision you took with regards to the risk (i.e. your risk response). For example, did you decide to mitigate or treat the risk? Did you accept the risk, that is, determine no action was necessary?
-If you chose to mitigate, a description of your mitigation plan. E.g. what should be implemented, when and which team members will be responsible.
-A reassessment date, as all risks should be frequently reviewed/reassessed (e.g. every six months). They should also be reviewed whenever (relevant) significant change is proposed or occurs.
-Risk categories, a way to group similar risks together (e.g. Financial Risks, Compliance Risks, etc)
-A risk owner, the person responsible for managing the risk.
-This is by no means an exhaustive list. There are other fields you could include, but these are some of the most essential pieces of information to capture.
In conclusion, a risk register/risk log is an incredibly useful tool that can you reduce the level of risk your organisation faces. Doing so will not only make you ‘safer’, but will also allow you to make informed ‘risky’ decisions. In business, these are often the decisions that can help you get the jump on your competitors and grow!