A guide to risk registers: Benefits and examples

Risk registers document, prioritize and track an organization's risk, providing organizations with a holistic view of risk and a ready way to communicate their risk strategies.

A risk register is a document that records an organization's risks, along with information about the probability of those risks affecting the business, their likely impact, whether and how the organization will address each risk, and the owner of each risk.

Organizational leaders use a risk register to get a holistic view of their risks and their responses. Having this information in one place serves two purposes: to more effectively manage overall risk to the enterprise and to more effectively communicate their risk position and mitigation strategies to stakeholders, including the full executive team, board of directors, auditors, investors, partners and employees.

"A risk register is basically for accountability. It's a tool of risk management," explained Martin Grace, professor and faculty director of the Vaughan Institute for Risk Management and Insurance at the University of Iowa's Tippie College of Business.

Different levels of risk registers

A risk register's level of detail and sophistication varies based on an organization's industry, size and level of risk management maturity. Small companies often use a spreadsheet to track risks and their planned responses to them. Global companies, public companies and companies in regulated industries such as finance or healthcare -- all of which face increasingly complex risks and must report to more entities -- typically use more sophisticated computer applications for their risk registers.

Terminology

A risk register is sometimes called a risk log, RAID (risks, actions, issues and decisions) log, risk management plan or risk inventory. Some also use the term risk matrix; however, a risk matrix, which plots a risk's priority along with the criticality of the asset at risk, is typically part of a risk register.

List of risk register benefits

Why should you use a risk register?

Organizations of every kind, from governmental agencies to nonprofits to the global giants, have always had to contend with risks.

However, organizations today generally face both more risks and more complex risks than their counterparts in the past. Current business risks include volatile economic conditions, rapidly changing geopolitical policies, cyberthreats, talent shortages, third-party vulnerabilities and disruptive innovation.

Consequently, organizations need a systematic way to view the totality of their risks and responses.

A well-constructed and well-maintained risk register gives executives, board members, auditors and other stakeholders the visibility they need into the organization's risk position, including reassurance that its risk management plan does the following:

  • Identifies the organization's top risks.
  • Assesses each risk's probability and potential impact.
  • Devises responses that align with both the organization's risk appetite and its risk tolerance.
  • Allocates resources to response efforts that align with the potential severity of each risk.
  • Assigns responsibility for each risk to ensure accountability for response actions.

Additionally, organizations can use a risk register to track risk response activities and spending, which, in turn, can help executives identify ways to become more efficient and effective in their risk management processes.

Organizations can think of a risk register as their tracking device, said Sarah Lynn, a partner at assurance and advisory firm BPM.

"It tracks every risk, and it tracks what you commit to do," she said, adding that "if you don't know what the risks are, people will make mistakes or do what they think is easiest to do."

Furthermore, some organizations are required by regulatory authorities to have a risk register. Others are required to have one in order to conduct business with certain partners or in certain industry sectors. For example, a cloud company seeking to do business with the federal government must be compliant with the Federal Risk and Authorization Management Program (FedRAMP), which requires a comprehensive risk management program.

In addition, investors and regulators often require companies to maintain a risk register, seeing it as a demonstration of a mature risk management strategy.

Benefits of risk registers

The existence of a risk register in an organization generally produces the following benefits:

  • Visibility and transparency. As previously noted, a risk register provides a holistic view of the key risks facing the organization, along with assessments of each risk and planned response.
  • Accurate prioritization of risks and response activities. That consolidated view of enterprise risks gives executives and risk leaders the ability to effectively rank risks and prioritize response activities to ensure they're allocating the most resources to those risks that warrant it.
  • Accountability. Likewise, that holistic view enables executives to ensure that each risk is assigned to an owner.
  • Enhanced decision-making. Executives, stakeholders and business leaders responsible for risks can make more effective decisions, and make them more quickly, using a risk register than if they had to seek out and piece together siloed risk information.
  • Alignment and understanding of risks throughout the organization. Executives, managers and risk leaders can use the risk register to share information with employees at all levels of the organization, leveraging the visibility provided by the register to build alignment and buy-in.
  • Improved adherence to risk management strategies. That alignment and buy-in typically leads to better adherence to the organization's risk management program because people understand why risk reduction policies exist and how those policies protect the organization and individuals.
  • Regulatory compliance support. Similarly, that alignment and buy-in mean better compliance with regulations, not just internal risk management policies.
  • Reduced costs for the risk management program. Because the risk register helps organizations prioritize risks and responses, they're more effective in their spending. For example, a risk register could help a company understand whether it needs a sophisticated fire suppression system or just a few fire extinguishers to adequately address its risk of fire.

Challenges of using a risk register

Although business leaders generally recognize the importance of having a risk register, many struggle with creating and using this tool. That's not surprising, considering the multiple challenges that come along with devising and maintaining a risk register.

The first challenge is identifying the risks that should go onto the risk register. It's a balancing act: the register should give a holistic view of risk without getting bogged down in minutiae on every possible risk.

"The risk register is used to rank the risks, give that overarching view and perspective," said Caitlin Holmes, senior managing director at FTI Consulting. "You don't want to be overzealous."

Once risks are identified, executives face another challenge: evaluating and rating each risk based on its probability and potential impact on the organization.

Another big challenge is actually using the risk register. The risk register should not be a check-the-box activity, nor a checklist of to-do, one-and-done items. Rather, it is meant to be consulted, integrated into the risk management program and updated as activities happen and risks evolve. If that doesn't happen, the investment in developing a risk register could be wasted.

"You don't want a risk register to be just a checklist of things you did. That's meaningless," Grace said. "Its purpose is meaningless if you do not have a monitoring phase, if it isn't actively reviewed monthly or quarterly."

What is included in a risk register?

Multiple risk register templates exist, and many corporate software programs -- particularly those for governance, risk and compliance -- have risk register components. Registers typically provide fields for the following information:

  1. The risk itself, including a unique identifier such as a name or code.
  2. A description of the risk, with concise supporting details.
  3. The risk's category (e.g., strategic, operational, process, financial or technical).
  4. Each risk's probability or likelihood of occurrence.
  5. Information on the impact of the risk, should it occur.
  6. Details on the criticality of the asset affected by the risk.
  7. A priority ranking to understand how quickly a risk must be addressed.
  8. A risk score, which is often listed numerically on a 1-to-3 or 1-to-5 scale, or sometimes as red-yellow-green.
  9. A response plan on whether to accept, transfer, mitigate or eliminate the risk and a summary of how to accomplish the planned response.
  10. The owner of each risk.
  11. Status reports.
  12. Space to record any additional relevant information.

"The final thing is you want to keep track of how much time and dollars are spent on each risk," Grace added.

How to create a risk register


Writing an effective risk register is a collaborative effort in all but the smallest companies. It should involve executives, risk professionals and, in some cases, line-of-business leaders, and perhaps even frontline workers.

At a high level, these teams should take the following actions:

  1. Determine whether the risk register is for the whole organization, a specific department or a particular project.
  2. Identify, describe and classify the risks.
  3. Assess each risk for the likelihood of occurrence and the potential severity of that occurrence.
  4. Assign a rating to each risk.
  5. Prioritize risks based on their likelihood and impact to focus on the most critical ones.
  6. Craft a response plan for each risk.
  7. Assign an owner to each risk.
  8. Establish an owner of the overall risk register to ensure the register is used to inform risk management activities and to update the risk register on an ongoing basis.
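The field list above and the eight steps just given describe, in effect, a small data model plus a scoring, ranking and upkeep process. The following is an added example written for this article, not code from the article or from any risk register product: it models one register entry with the fields listed, computes a likelihood-times-impact score, maps it to the red/yellow/green rating the article mentions, ranks the entries, and runs the accountability and monitoring checks the article calls for (every risk has an owner, non-trivial risks have a response plan, entries are reviewed on a schedule). The 1-to-5 scales, the band thresholds, the 90-day review interval, the function names and the sample entries are all assumptions constructed for illustration.

```python
"""Minimal risk register model: scoring, prioritization and hygiene checks.

Added example (not from the article or any vendor tool). The field set follows
the article's list; the 1-to-5 scales, score bands and review interval are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Response(Enum):
    """The four response strategies the article names."""
    ACCEPT = "accept"
    TRANSFER = "transfer"
    MITIGATE = "mitigate"
    ELIMINATE = "eliminate"


@dataclass
class Risk:
    risk_id: str                 # unique identifier (name or code)
    description: str
    category: str                # strategic, operational, financial, technical ...
    likelihood: int              # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                  # 1 (negligible) .. 5 (severe), assumed scale
    asset_criticality: int       # 1 .. 5, used as a tie-breaker when ranking
    response: Optional[Response] = None
    response_plan: str = ""
    owner: Optional[str] = None
    status: str = "open"
    last_reviewed: Optional[date] = None
    notes: str = ""

    def score(self) -> int:
        """Likelihood x impact on the assumed 1..5 scales (range 1..25)."""
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Map a numeric score to a red/yellow/green rating.
    Thresholds are an assumption: >= 15 red, >= 8 yellow, otherwise green."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "yellow"
    return "green"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Rank risks highest score first; asset criticality breaks ties."""
    return sorted(register, key=lambda r: (r.score(), r.asset_criticality), reverse=True)


def hygiene_findings(register: List[Risk], today: date,
                     review_every: timedelta = timedelta(days=90)) -> List[str]:
    """Flag entries that undermine accountability or monitoring: duplicate ids,
    out-of-range scales, no owner, red/yellow risks with no response plan, and
    entries not reviewed within the (assumed) quarterly interval."""
    findings: List[str] = []
    seen = set()
    for r in register:
        if r.risk_id in seen:
            findings.append(f"{r.risk_id}: duplicate identifier")
        seen.add(r.risk_id)
        for name, value in (("likelihood", r.likelihood), ("impact", r.impact),
                            ("asset_criticality", r.asset_criticality)):
            if not 1 <= value <= 5:
                findings.append(f"{r.risk_id}: {name} {value} outside 1..5 scale")
        if not r.owner:
            findings.append(f"{r.risk_id}: no owner assigned")
        rating = band(r.score())
        if rating != "green" and (r.response is None or not r.response_plan.strip()):
            findings.append(f"{r.risk_id}: {rating} risk without a response plan")
        if r.last_reviewed is None or today - r.last_reviewed > review_every:
            findings.append(f"{r.risk_id}: not reviewed in the last {review_every.days} days")
    return findings


# Constructed sample register: fictional entries for illustration only.
SAMPLE_REGISTER = [
    Risk("R-001", "Ransomware on file servers", "technical", 4, 5, 5,
         Response.MITIGATE, "Offline backups, EDR, phishing training", "CISO",
         last_reviewed=date(2024, 5, 1)),
    Risk("R-002", "Key supplier insolvency", "operational", 2, 4, 3,
         Response.TRANSFER, "Dual-source contract", "COO", last_reviewed=date(2024, 1, 10)),
    Risk("R-003", "Office fire", "operational", 1, 3, 2,
         Response.ACCEPT, "Extinguishers, insurance", "Facilities", last_reviewed=date(2024, 5, 20)),
    Risk("R-004", "Unpatched internet-facing VPN", "technical", 4, 4, 4,
         last_reviewed=date(2024, 5, 15)),   # no owner and no response plan yet
]


def sample_findings() -> List[str]:
    """Run the hygiene checks on the sample register as of a fixed (constructed) date."""
    return hygiene_findings(SAMPLE_REGISTER, today=date(2024, 6, 1))


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.risk_id} score={r.score():2d} band={band(r.score())} owner={r.owner}")
    for finding in sample_findings():
        print("FINDING:", finding)
```

Run stand-alone, the ranking puts the two red risks first and the hygiene pass reports three findings: the supplier risk is overdue for review, and the VPN entry has neither an owner nor a response plan. Those are exactly the gaps Grace and Holmes warn about above: a register that is not reviewed, or whose high-rated entries have no accountable owner, has stopped being a management tool.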

Conclusion

The risk register is a key component of a successful risk management strategy -- provided it is seen as a living document that changes as often as risks do, so it can effectively guide organizational leaders on risk-related decisions.

When used as part of a risk management program, a risk register pays big dividends, enabling leaders to anticipate risks while minimizing the cost of doing so. That, in turn, helps the organization succeed, even as it contends with the numerous, complex risks that are constantly changing around it.

"A risk register gives the overarching view of the [organization's] risk position," Holmes said, "and it allows leadership to be more proactive in managing it, meaning they'll have to use less resources to deal with risk, and they can be more effective in doing so."

Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.
