Building Your Risk Register: What to Include and Why

How many risks should I have in my risk register? And what risks should be included?

These are common questions when people are creating or reviewing a risk register. You may have signed up for a risk management portal to make risk management easier, but then realised it doesn’t include generic risks for you!

And of course the answer to ‘how many risks?’ is – it depends … I can hear the groans … ‘but I came here for a specific answer’ you cry! 

While there isn’t one specific answer, there are some guidelines, which I’ll come back to in a minute.

Why have a Risk Register?

First, let’s talk about why the risk register is important, what it is and what it should not be.

The risk register should not be a box ticking exercise that is looked at once a year so that you can say ‘we have a risk register’.  The risk register should be a dynamic document that exists to support decision making and planning and generates actions that mitigate or reduce risk.

Understanding your organisation’s risk profile means having a solid risk register and an ongoing process to identify new or emerging risks and analyse the threats and opportunities they may represent.  Doing this will mean you are well placed to understand the impact that a changed risk profile could have on stakeholders and anticipate change and disruption to operations.

The point of this is that when you are making a big decision, such as entering a new market or taking a new direction, you can quickly identify how this would change your risk profile and whether the risk is proportionate to the potential reward.

How do I populate the Risk Register?

The risk register should be populated off the back of a risk assessment that is workshopped across the organisation from the bottom up.

The risk register should incorporate, as a minimum:

  • The name of the risk with a brief description that includes potential causes and consequences of that risk.

  • The controls that are (or should be) in place to manage the risk.

  • A ranking system that enables you to prioritise your risks.

  • An action plan for any gaps or needs for improvement that are identified in the controls.

A ranking system, usually in the form of a risk matrix or heat map, ranks risk from low to high based on how likely the risk is to occur and the consequence if it does. Those risks with the greatest likelihood combined with the worst consequences are the highest risks and should be prioritised for further analysis and/or action.

Depending on the size of the business, you may also consider including a code for each risk and designating an owner of each risk and each control, i.e. whose responsibility it is to manage and monitor the risks and the effectiveness of the controls.
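The minimum fields and the likelihood-by-consequence ranking described above, as an added example that is not part of the original article. The 1 to 5 scales, the rating bands, the sample risks and all names in the code are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed rating bands on a 5x5 matrix; the article does not prescribe a scale.
BANDS = [(15, "High"), (6, "Medium"), (1, "Low")]

@dataclass
class Risk:
    code: str
    name: str
    category: str
    description: str
    likelihood: int      # 1 (rare) to 5 (almost certain), assumed scale
    consequence: int     # 1 (minor) to 5 (severe), assumed scale
    owner: str = ""
    controls: list = field(default_factory=list)  # (control name, in_place) pairs

    def __post_init__(self):
        for value in (self.likelihood, self.consequence):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.code}: scores must be between 1 and 5")

    def score(self):
        return self.likelihood * self.consequence

    def rating(self):
        return next(label for floor, label in BANDS if self.score() >= floor)

    def action_plan(self):
        """Gaps that need an action: no owner, no controls, controls not in place."""
        gaps = []
        if not self.owner:
            gaps.append("assign a risk owner")
        if not self.controls:
            gaps.append("define at least one control")
        gaps += [f"implement control: {c}" for c, ok in self.controls if not ok]
        return gaps

def prioritise(register):
    """Highest likelihood x consequence first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)

# Constructed sample register (not real data).
REGISTER = [
    Risk("R03", "Customer non-payment", "Credit Risk", "Invoices go unpaid.",
         2, 2, "Finance Lead", [("Credit checks", True)]),
    Risk("R01", "Safety Risk", "People Risk", "WHS program not implemented.",
         3, 5, "Operations Manager",
         [("Documented WHS policy", True), ("Hazard training", False)]),
    Risk("R02", "Key supplier failure", "Operational Risk", "Sole supplier fails.", 2, 4),
]
```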

It can be helpful to start with some risk categories; an example list could include Governance Risk, Credit Risk, Operational Risk, People Risk, Reputational Risk and Environmental Risk. Again, these categories should be specific to your business.

It is important not to include a risk register entry for each individual hazard or potential scenario in the business. This makes for a register that is way too long and that no one is going to read because it puts them to sleep.

To illustrate this point, in a hospitality context you might identify many risks of an employee or customer getting injured. You might note there is a risk that a person is hurt from tripping over a power cable or is injured in the kitchen using a knife, or that a customer could slip on a spilt drink. While these are all real risks, they boil down to one underlying risk: the risk of someone being hurt.

Rather than including all of these scenarios, you can record one risk as follows:

Risk Name: Safety Risk

Risk Description: The organisation fails to develop, and effectively implement, a documented Work Health and Safety program that is compliant with relevant legislation and includes a risk management strategy designed to identify, assess, treat and control all potential safety hazards and risk areas.

The potential outcome of this risk is that a person is injured because a hazard is not identified, or proper training is not provided. The control for this risk is a formally documented Work Health and Safety policy and procedures that include the identification, documenting and management of specific hazards in the workplace. Whilst accidents will still happen, these controls, done properly, should significantly reduce the potential of them happening and the severity if they do happen.

So, rather than thinking ‘I need X number of risks’, consider which risks can stop your business or organisation from being able to operate, whether that be systems, processes, people, regulations and law or reputation.

How Many Risks?

Back to the question at hand … how many risks? … While there is no silver bullet, there is a general consensus of around 10 to 15 risks being recorded at the enterprise level.  These are the top level risks that a board or business owner would consider and should be broad based or macro risks and not super specific or heavy on the detail.

Then, depending on the size of the business, the industry and how many staff you have, you might consider an operational risk register or departmental risk registers that capture the more specific risks in the day-to-day operations.

The key thing is to customise the risk register to your business, aligning it to your operations and keeping it in proportion to your business.

If you are not sure where to start or need some help refining, please get in touch to see if Ellevate Solutions can help.

Create an effective risk register | small business or not for profit | Elouise, Director of Ellevate Solutions

Need some help?

If you need any help identifying or prioritising your risks or controls, Elouise from Ellevate Solutions is here to help you with whatever you need.

You can book in a call with Elouise.
