What goes in the risk register?
In this session, what I’m going to discuss is a very, very vexed issue, and one that sits at the heart of managing risks: what risks do we actually put into a risk register?
Now, I had a course recently where somebody said that for the risk managers in their organisation, across all the different divisions, it was almost like a competition to see how many risks they could identify to put into their risk registers.
Now, I have seen risk registers with hundreds of risks in them, and the difficulty or the challenge there is how do you effectively manage them? What we get is a situation whereby you can’t see the wood for the trees because you’ve captured all of these risks.
When I look at these particular risk registers, I find that the majority of the risks that they’ve got in there are causes and consequences, which we have discussed in another blog and which is also a topic in the e-book.
What should we be putting in there? And one of the things that I’ve come to think about recently is what does management actually want to know? The reality is that management really wants to know not only those high-level risks but, for me as a manager, I would want to know those risks with the highest level consequences to us that could potentially impact on our objectives.
Let’s face it, if we’ve got our 5×5 risk matrix and our consequence tables and our likelihood tables, if you’ve got something identified as rare or unlikely with only minor or insignificant consequences, realistically that’s going to be covered through business as usual and maybe it doesn’t need to go into a risk register at all.
You just need to keep an eye on the environment to see whether that becomes something that is emerging. Whereas when we start to get up into the moderate consequences and then into major and severe consequences, of course people are going to want to understand the events that would lead to those particular outcomes.
Maybe it’s a case that, for the major risk registers that we use for reporting and so forth, we capture all of those risks where the consequences are severe or major, regardless of their likelihood, and at a pinch the moderate as well.
If you have captured a consequence matrix that actually means something to the organisation, then realistically your lows or your minors and your insignificant, all you’re really doing is putting the risks in the risk register for the sake of putting risks in the risk register. Ultimately, as I’ve said, they become noise or part of business as usual.
Think about it; first and foremost make sure that the statements that you’ve got in your risk register are actually risks and not causes or consequences. Then when you are starting to do the analysis of those risks, look at the likelihood and the consequence and ask yourself really, if this was to occur once every 5 years, and the impact of that from a safety level was that someone would have to go to the doctor but there’s no long-term effects, do you really, really want to see that in a risk register?
It’s not a competition to see how many risks you can get into your risk register. It’s about getting the right risks in the register so that you have visibility of them and the ability to manage them.
That’s all I’ve got for this session, and as always, let’s be careful out there.