Developing your BRA (WRA-FWRA) & Risk Register

15/05/2025

Risk Management is a business function with abundant insider terminology. For the “uninitiated,” the jargon can be dizzying.

Just as astrophysicists talk of quasars and gravitational waves, and financial planners opine about amortisation and turnover rates, risk management professionals speak fluently about velocity, persistence, inherent and residual risk, heat maps and the like.

RISK REGISTER.

One term you’ll hear while hanging out with risk management professionals (don’t we all?) is the RISK REGISTER.

But what is a risk register?

The basic definition is simple: A repository of ALL RISKS that could impact a project, a legal entity or an enterprise.

Accurate reporting from the risk register enables management to make informed decisions.

Without a current, accurate risk register, management is not operating from a place of confidence.

That’s why a risk register with clearly defined risk ownership is crucial.

Keeping a risk register up to date takes time and resources, but I’ve never seen a situation where it wasn’t worth the effort.

OTHER QUESTIONS AND ANSWERS

Q: What’s the purpose of a risk register?
A: A risk register allows you to see all your potential risks in one place, prioritise them, assign ownership, and respond to them.
  • Risks pop up all over the organisation.
  • If you don’t have a mechanism to capture and track them, you’ll never have a clear picture of risk (and potential business consequences) from a management perspective.
Q: When discussing risk ownership, what does that look like?
A: Every risk needs an owner, usually 2-3 layers deep.
  • First, you have the actual “RISK OWNER,” who is typically an executive responsible for managing and controlling identified risks. This is the big-picture person.
    1. Risk owners and managers are not typically your Chief Risk Officer or VP of Risk Management.
    2. The CRO or VP of Risk Management is responsible for leading enterprise-wide identification, analysis and response to risks.
  • Then you have a “RISK MANAGER” or “RISK DELEGATE” responsible for keeping tabs on the risk. That’s the detail person.
  • In most cases, the RISK MANAGER or RISK DELEGATE is the person out in the lines of business, deeply involved in the projects and processes where risks arise.
Q: Who’s involved, and what info should you capture when logging a risk in the risk register?
A: In an ideal world, anyone in the organisation could raise a risk, which would then be reviewed to determine its validity.
  • However, the Enterprise Risk Management (ERM) Office typically interfaces with different business areas to draw out information and capture it in the risk register.
  • When logging a risk, you need:
    1. TITLE AND DESCRIPTION: sufficient detail to understand what the risk is and how it could impact the organisation.
    2. RISK CATEGORY, for example: STRATEGIC, FINANCIAL, REPUTATIONAL, OPERATIONAL, IT, CYBER, DATA, COMPLIANCE, FINANCIAL CRIME, AML/CTF/CPF, EMPLOYEE/HR, etc.
    3. OWNER: an assigned risk owner and manager/delegate who will be responsible for monitoring and responding to the risk.
    4. LIKELIHOOD AND IMPACT: the likelihood that the risk could occur and the potential impact the risk could have on the organisation (typically measured on a 5×5 scale; more on this below).
    5. CAUSES: what would cause (or could cause) the risk to occur, which is not always known.
    6. RISK TREATMENT: how you’re going to respond to the risk (i.e., mitigate, accept, transfer or avoid).
  • Additionally, you may have:
    1. Related objectives, processes, and assets
    2. Supporting controls
    3. Risk metrics (key performance indicators and key risk indicators), incident mitigation plans, and incidents of risk occurrence (if any)
Q: Once a risk is in the register, how do you measure and monitor it?
A: When setting up a risk register, you may not always have metrics to quantify risk.
  • Your evaluation may be qualitative.
    1. However, over time, you can begin to gather metrics data and get more precise about risk likelihood and impact.
    2. For example, you might be better able to project the financial impact of a risk once you have a few months’ or years’ worth of metrics to analyse.
  • Regarding reporting on risk, a standard format is a risk heat map.
    1. Typically, a 5×5 scale with impact on the X-axis and likelihood on the Y-axis. This allows you to plot risks and quickly identify those that require prioritised attention.
  • In many cases, organisations will plot inherent and residual risk on separate heat maps.
    1. Inherent risk is “untreated.” In other words, no response actions have yet been taken.
    2. Residual risk is what remains after some response, such as mitigating controls, risk transfer (e.g., purchasing insurance), etc.
Q: What does the review process look like once you have a risk register?
A: The industry standard is a quarterly review of risks, which can be onerous. Reviews are more often performed annually.
  • If you have process management technology in place for your risk register, you can automatically notify risk owners on a set schedule that they need to review the risk information.
  • They must attest that they’ve looked at it and note any material changes. All of these are captured in the risk register.
  • Executive management will also want to periodically review the organisation’s risk landscape, emphasising the most significant risks.
  • This reporting shows upper management where the organisation may have problems and what’s being done to address them.
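The fields, the 5×5 likelihood × impact scoring, the inherent versus residual heat maps and the scheduled owner attestation described in the interview above fit together into a small data model. The following Python is an added example written for this page; it is not Comsure’s, Onspring’s or the interviewee’s tooling. The 1–5 scales, the HIGH/MEDIUM/LOW band thresholds, the 90-day review period, the review date and the three sample risks are all assumptions constructed for illustration, not data from the original article.

```python
"""Minimal risk register with 5x5 likelihood x impact scoring (added example).

Assumptions: 1-5 scales for likelihood and impact, score = likelihood x impact
(1-25), band thresholds of >=15 HIGH and >=8 MEDIUM, a 90-day review period.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Treatment(Enum):
    MITIGATE = "mitigate"
    ACCEPT = "accept"
    TRANSFER = "transfer"
    AVOID = "avoid"


@dataclass
class Risk:
    risk_id: str
    title: str
    category: str                # e.g. CYBER, OPERATIONAL, AML/CTF/CPF
    owner: str                   # executive accountable for the risk
    manager: str                 # delegate keeping tabs on it day to day
    inherent_likelihood: int     # 1-5, before any treatment
    inherent_impact: int         # 1-5, before any treatment
    residual_likelihood: int     # 1-5, after controls / transfer
    residual_impact: int         # 1-5, after controls / transfer
    treatment: Treatment
    last_reviewed: date          # last owner attestation
    causes: list[str] = field(default_factory=list)
    controls: list[str] = field(default_factory=list)

    def __post_init__(self):
        for name in ("inherent_likelihood", "inherent_impact",
                     "residual_likelihood", "residual_impact"):
            v = getattr(self, name)
            if not 1 <= v <= 5:
                raise ValueError(f"{self.risk_id}: {name}={v} is outside the 1-5 scale")
        # Treatment can only reduce a risk; residual above inherent is a data-entry error.
        if self.residual_score() > self.inherent_score():
            raise ValueError(f"{self.risk_id}: residual score exceeds inherent score")

    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def band(score: int) -> str:
    """Assumed banding of a 1-25 score; tune the thresholds to your risk appetite."""
    if score >= 15:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


def heat_map(risks, view="residual"):
    """5x5 grid: row 0 is likelihood 5 (top), row 4 is likelihood 1; columns are
    impact 1..5 left to right. Each cell holds the IDs of the risks plotted there."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in risks:
        likelihood = getattr(r, f"{view}_likelihood")
        impact = getattr(r, f"{view}_impact")
        grid[5 - likelihood][impact - 1].append(r.risk_id)
    return grid


def prioritised(risks):
    """Highest residual score first; ties broken by inherent score, then ID."""
    return sorted(risks, key=lambda r: (-r.residual_score(), -r.inherent_score(), r.risk_id))


def reviews_due(risks, today: date, period: timedelta = timedelta(days=90)):
    """Risks whose owner has not attested within the review period (assumed 90 days)."""
    return [r for r in risks if today - r.last_reviewed > period]


# Constructed sample register; none of these entries come from the article.
TODAY = date(2025, 5, 15)
SAMPLE_REGISTER = [
    Risk("R-001", "Ransomware encrypts core banking platform", "CYBER",
         owner="COO", manager="Head of IT Security",
         inherent_likelihood=4, inherent_impact=5,
         residual_likelihood=2, residual_impact=4,
         treatment=Treatment.MITIGATE, last_reviewed=date(2025, 1, 10),
         causes=["phishing", "unpatched VPN appliance"],
         controls=["offline backups", "MFA on remote access", "EDR"]),
    Risk("R-002", "Late suspicious activity reporting", "AML/CTF/CPF",
         owner="MLRO", manager="Compliance Manager",
         inherent_likelihood=3, inherent_impact=4,
         residual_likelihood=2, residual_impact=4,
         treatment=Treatment.MITIGATE, last_reviewed=date(2025, 4, 2),
         causes=["manual alert triage backlog"],
         controls=["weekly backlog KRI", "second reviewer"]),
    Risk("R-003", "Office flood damages paper client files", "OPERATIONAL",
         owner="CFO", manager="Facilities Manager",
         inherent_likelihood=2, inherent_impact=3,
         residual_likelihood=2, residual_impact=1,
         treatment=Treatment.TRANSFER, last_reviewed=date(2024, 11, 20),
         causes=["ground-floor storage"],
         controls=["property insurance", "scanned copies off-site"]),
]

if __name__ == "__main__":
    for r in prioritised(SAMPLE_REGISTER):
        print(r.risk_id, r.category, r.owner,
              "inherent", r.inherent_score(), band(r.inherent_score()),
              "residual", r.residual_score(), band(r.residual_score()),
              r.treatment.value)
    print("review overdue:", [r.risk_id for r in reviews_due(SAMPLE_REGISTER, TODAY)])
```

Two design points follow directly from the interview: the register rejects a residual score above the inherent one, because treatment can only reduce a risk and such an entry is a data-entry error worth catching at logging time; and prioritisation sorts on residual score, since that is the exposure that remains after controls, with the inherent score only breaking ties. R-001 and R-002 land in the same residual cell (likelihood 2, impact 4) even though their inherent positions differ, which is why the interviewee suggests plotting the two views on separate heat maps.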

Source

The above is an extract from an interview with Evan Stos, a Governance, Risk, and Compliance (GRC) consultant who has helped over 60 Fortune 500 companies gain control of audit, risk, compliance, and information security processes. The full interview can be found here: https://onspring.com/blog/demystifying-risk-whats-in-a-risk-register/
