How to tick all the boxes when it comes to your Risk Register

All businesses face a level of risk. A Risk Register provides you with a risk management tool to control and reduce threats to your firm. It also ensures you are fulfilling your regulatory, strategic, operational, and compliance obligations.

The register is generally used to reduce the chances of a risk occurring or lessen the impact if one does happen. It is a digital container for any risks your business faces and includes information about each one, such as its nature, references, owners, and mitigation measures.

The Risk Register is an ongoing tool for your senior management to evaluate risks, understand their severity, review controls, and put contingency plans in place should any control fail. It should be used to record high-level risks, not individual incidents or near misses. For example, a complaint needs to be entered in your Complaints Register, and the threat of being sued should be recorded in your E&O Register; neither needs to be included in the Risk Register.

How do I operate a Risk Register?

The best Risk Registers have two different tabs or sections – Register and Definitions – to allow your senior management to stay on top of the risks your business faces. We’d advise nominating a senior manager to be responsible for each risk, so they can oversee it from start to finish.

What should I include in the Register section?

Within this tab, we recommend breaking it down by:

  • Risk number
  • Date of identification
  • Risk category, such as financial, strategic, legal and regulatory, or operational
  • Inherent risk, split into descriptors such as impact, likelihood, and priority for action
  • Owner/responsibility
  • Key controls/management action
  • Residual risk, again split into descriptors such as impact, likelihood, and priority of action needed
  • Risk mitigation plan, to be invoked if a control fails and the residual risk rises to a level where further action is needed to mitigate it

What should I include in the Definition section?

Include descriptors for the level of a risk, split into two parts – impact (high, medium, low, very low) and likelihood (unlikely, possible, likely, highly likely).

Once the impact and likelihood levels have been chosen, introduce a risk matrix which turns each impact and likelihood pairing into a priority for action. You could use a scale of low to high, or one to four or five, and define the action to be taken for each rating. For example, any risk that falls under the highest priority rating must be acted upon, whereas one in the lowest priority rating may require no action.
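The scoring the Definitions tab describes (impact and likelihood levels fed through a priority matrix, with an action defined per rating) as an added worked example in Python. This is not code from the original page or from the Members' Risk Register. The level names follow the article; the matrix values, the one-to-four priority scale, the action wording, the action threshold, and the three register rows are assumptions chosen to show the mechanics, including the case the Register tab's last column covers: a key control failing, so the residual score can no longer be relied on and the mitigation plan is triggered.

```python
"""Scoring a Risk Register: impact x likelihood -> priority -> action.

Constructed example. Level names are the article's; everything else
(matrix values, priority scale, action text, threshold, sample rows)
is an assumption for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Impact and likelihood descriptors as listed in the Definitions tab.
IMPACT = {"very low": 1, "low": 2, "medium": 3, "high": 4}
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3, "highly likely": 4}

# Priority matrix indexed [likelihood][impact] -> priority 1 (lowest) to 4 (highest).
# Assumed values; a real register sets these in its Definitions tab.
PRIORITY_MATRIX = [
    [1, 1, 2, 2],  # unlikely
    [1, 2, 2, 3],  # possible
    [2, 2, 3, 4],  # likely
    [2, 3, 4, 4],  # highly likely
]

# Action per rating (assumed wording; the ends match the article: must act / no action).
ACTIONS = {
    1: "no action required; review at next scheduled cycle",
    2: "monitor; owner reviews key controls quarterly",
    3: "action plan required within an agreed timescale",
    4: "must be acted upon; escalate to senior management",
}
ACTION_THRESHOLD = 3  # assumed: ratings at or above this need an action plan


def priority(impact: str, likelihood: str) -> int:
    """Look up the priority rating for an impact/likelihood pairing."""
    return PRIORITY_MATRIX[LIKELIHOOD[likelihood] - 1][IMPACT[impact] - 1]


@dataclass
class Risk:
    """One row of the Register tab (columns as listed in the article)."""
    number: int
    identified: str
    category: str
    description: str
    owner: str
    inherent_impact: str
    inherent_likelihood: str
    key_controls: list[str]
    residual_impact: str
    residual_likelihood: str
    mitigation_plan: str
    failed_controls: set[str] = field(default_factory=set)  # controls known to have failed


def assess(risk: Risk) -> dict:
    """Score inherent and residual risk and decide the action and whether the plan triggers."""
    inherent = priority(risk.inherent_impact, risk.inherent_likelihood)
    residual = priority(risk.residual_impact, risk.residual_likelihood)
    issues = []
    if residual > inherent:
        issues.append("residual priority exceeds inherent: controls cannot add risk, re-check scoring")
    if not risk.owner:
        issues.append("no owner assigned")
    # A failed key control no longer reduces the risk, so treat it at the inherent level
    # until the control is restored or the risk is re-scored.
    effective = inherent if risk.failed_controls else residual
    return {
        "number": risk.number,
        "inherent_priority": inherent,
        "residual_priority": residual,
        "effective_priority": effective,
        "action": ACTIONS[effective],
        "mitigation_plan_triggered": bool(risk.failed_controls) and effective >= ACTION_THRESHOLD,
        "issues": issues,
    }


def report(register: list[Risk]) -> list[dict]:
    """Assess every row, highest effective priority first (ties by risk number)."""
    rows = [assess(r) for r in register]
    return sorted(rows, key=lambda a: (-a["effective_priority"], a["number"]))


# Constructed sample register rows (not real risks from any firm).
SAMPLE_REGISTER = [
    Risk(1, "2024-01-15", "operational", "Client data exposed via misconfigured file share",
         "Head of IT", "high", "likely", ["quarterly access reviews", "DLP"],
         "low", "unlikely", "Invoke incident response plan; notify regulator"),
    Risk(2, "2024-02-03", "regulatory", "Missed regulatory filing deadline",
         "Compliance Officer", "high", "possible", ["compliance calendar", "second-line review"],
         "low", "unlikely", "Manual deadline tracking by Compliance until calendar restored",
         failed_controls={"compliance calendar"}),
    Risk(3, "2024-03-10", "financial", "Key client non-payment",
         "", "low", "possible", ["credit checks"],
         "medium", "likely", "Credit insurance claim"),
]

if __name__ == "__main__":
    for row in report(SAMPLE_REGISTER):
        print(row)
```

Running the block scores the three rows: risk 1 drops from the highest rating to the lowest once its controls are applied; risk 2 reverts to its inherent rating because a key control has failed, which triggers its mitigation plan; risk 3 is flagged for having no owner and a residual score higher than its inherent one, which can only be a scoring mistake.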

It may sound like a lot to include in your Risk Register. However, it should be the single source of all your risks, documenting each one thoroughly along with any assessment carried out of the actual or potential threat.

To save Members time and make it easier for you to protect your business, our Risk & Compliance team have produced a detailed Risk Register. It is pre-populated with risk categories, key controls, an impact and likelihood table with descriptions of each level, and a priority matrix.

Not a Member? To discover more about our flexible broker proposition, call Simon Bailey on 07483 929046 or email her at

Press Contact
Media Enquiries
Nicolette Burgess
Marketing Communications Manager