Risk Registers and Risk and Control Self Assessments

The risk register

Most organisations have one or more risk registers.

These registers may be spreadsheets or database applications and are used to store information on the risk events that have been identified and assessed

Where more than one register exists, it is important to ensure that data is collected and organised in a way that allows data to be aggregated across different registers

Risk registers are updated on a regular basis

The frequency varies depending on how often risk exposures change - typical frequencies are monthly or quarterly

A simple risk register may include

A description of the risk event that has been identified

The risk category that the risk event is linked to

The person responsible for managing the risk event on a day to day basis

A qualitative probability and impact assessment of the risk event

Any actions currently under way to control the probability of the risk event

More comprehensive risk registers may include

A qualitative probability and impact assessment of the inherent risk

A qualitative probability and impact assessment of the residual risk

Any maximum exposure limit that has been assigned for residual risk exposure

Information on the potential causes of the risk event

Information on the potential financial and non financial impacts of the risk event

Any risk metrics that are used to monitor the organisation's exposure to the risk event

Recent trends in terms of any movements in residual risk exposure up or down

RCSA

Risk and control self assessment is a process that combines risk identification, qualitative risk assessment and an assessment of control effectiveness

RCSA provides a systematic means for identifying control weaknesses and gaps that may threaten the achievement of an organisation's objectives or the operational efficiency of its systems and processes

A key output is the production of action plans that help to allocate scarce resources to address control gaps or weaknesses where the benefits of doing so exceed the associated costs of increased control

RCSA can be used to support internal audit and governance activities. By identifying control gaps and weaknesses proactively (for example, before an internal auditor picks up the issue) and by prioritising these on cost benefit grounds, an organisation can demonstrate that it is using its resources effectively

RCSA documentation will include the typical components of a risk register, plus an assessment of the effectiveness of the controls that are in place - this assessment is used to estimate the residual risk exposure

Risk reporting

An important element of risk management is risk reporting - it is not an end in itself nor is it an activity that should be done in isolation

Effective risk reporting exists to support decision making in an organisation

All decisions involve an element of risk

Decision makers need information on the nature and extent of these risks to make the best possible choices, whether this is in relation to the achievement of strategic goals, such as business expansion, or operational considerations, such as delivering a service or manufacturing a product

RAG Reporting

The concept may be used to help prioritise risk exposures, control weaknesses, internal audit issues or any other aspect of an organisation's risk management activities

Red: the level of risk exposure is very high (or low) and could threaten the achievement of an organisation's strategic objectives - immediate action is required on the part of management to manage the risk in question

Amber: the level of risk exposure is higher/lower than normal. Management attention is required to determine whether action needs to be taken in the near future

Green: the level of risk exposure is within normal parameters - no action is required as the risk is under adequate control
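The register fields listed earlier, the RCSA step of using control effectiveness to estimate residual risk, and the RAG bands, combined into one worked example. This is an added illustration, not material from the original notes; the 1-5 probability/impact scale, the proportional reduction of inherent risk by control effectiveness, the RAG thresholds and the field names are all assumptions.

```python
from dataclasses import dataclass
from collections import Counter

# Qualitative 1-5 scale assumed for this example; the notes fix no scale.
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class RiskEntry:
    """One risk register row carrying the fields the notes list (names assumed)."""
    description: str
    category: str
    owner: str                         # person managing the risk day to day
    probability: str                   # inherent, qualitative
    impact: str                        # inherent, qualitative
    control_effectiveness: float = 0.0  # RCSA assessment: 0.0 (none) .. 1.0 (fully effective)
    residual_limit: int = 15           # maximum exposure limit assigned to residual risk

    def inherent_score(self) -> int:
        return LEVELS[self.probability] * LEVELS[self.impact]

    def residual_score(self) -> int:
        # Assumption: controls reduce exposure in proportion to their assessed effectiveness.
        return max(1, round(self.inherent_score() * (1 - self.control_effectiveness)))


def rag_status(entry: RiskEntry) -> str:
    """Map residual exposure to red/amber/green (thresholds assumed, 25 = maximum)."""
    score = entry.residual_score()
    if score > entry.residual_limit or score >= 15:
        return "red"      # immediate management action required
    if score >= 8:
        return "amber"    # management attention, decide on near-term action
    return "green"        # within normal parameters


def aggregate(*registers: list[RiskEntry]) -> dict[str, Counter]:
    """Combine several registers into per-category RAG counts; this only works
    because every register stores the same fields in the same way."""
    summary: dict[str, Counter] = {}
    for register in registers:
        for entry in register:
            summary.setdefault(entry.category, Counter())[rag_status(entry)] += 1
    return summary


# Constructed sample data: two registers kept by different business units.
IT_REGISTER = [
    RiskEntry("Unpatched internet-facing server", "IT", "IT manager", "high", "very high", 0.6),
    RiskEntry("Laptop lost in transit", "IT", "IT manager", "medium", "medium", 0.8),
]
HR_REGISTER = [
    RiskEntry("Key staff turnover", "HR", "HR director", "medium", "high", 0.0, residual_limit=10),
]
```

Calling `aggregate(IT_REGISTER, HR_REGISTER)` gives the kind of cross-register summary a small heat map or board report would be built from.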

Heat maps

Heat maps use the concept of RAG reporting

Occasionally heat maps add additional colours such as black to denote extreme risks and blue to show insignificant risks

Many types of heat map are used in organisations

Some heat maps show the status of risk, control or performance indicators - others are used to show trends in risk exposure

Small heat maps can help management to focus on the most significant red or amber risk exposures or control weaknesses

It is possible to produce objective heat maps which illustrate the level of risk that is currently associated with not meeting each objective

Risk event and near miss database

Statistics collected from risk event and near miss databases may be reported on

Usually the focus is on negative risk events and near misses: in other words, risk events or near misses that have or could have resulted in a financial or non financial loss

Organisations may report the number of risk events or near misses as well as the value of any financial or non financial loss

Non financial losses may be estimated using ordinal impact scales or in terms of the number of complaints or negative media stories

If there is sufficient data, it may be possible to provide reports by risk category or business unit and function

This can help to focus management attention on key categories of risk or high risk business units and functions

Risk, control and performance indicators

Many organisations monitor and report performance indicators to different levels of management

For example, the board and senior management may receive a range of financial performance indicators such as revenues, profit or surplus

Functional and department managers may receive HR information on staff absences or operational information relating to the efficiency of the systems and processes that they manage (customer waiting times, production rates and employee absence levels)

Organisations may also monitor and report a range of risk and control indicators

Risk indicators provide information on an organisation's inherent exposure to one or more risks

Control indicators provide information on the effectiveness of one or more controls

Common risk indicators include staff turnover (because new staff are more likely to make mistakes), the number of attempted IT firewall breaches or the credit scores of any suppliers or customers that owe money to an organisation

Common control indicators include the frequency of electrical testing, unresolved internal audit (IA) issues and the number of breaches of policies or procedures

As with performance indicators, different reports may be produced for different departments and functions, as well as different levels of management

Risk dashboards

Risk dashboards are risk reports that combine various risk and control indicators as well as heat maps, risk event and near miss data

Risk dashboards may be presented thematically - for example, the board may receive a strategic risk dashboard

Senior managers may receive dashboards on topics such as health and safety, and department and function managers may receive dashboards relating to their areas of responsibility

Effective dashboards are not long. People can find it very hard to process dashboards that run over two or more pages. Care is needed to provide the most relevant sources of information in the clearest way

Balanced scorecards

Are used for strategic planning

As part of this, they provide a means of structuring a risk dashboard around an organisation's objectives so that the risks to these objectives can be monitored and reported

Balanced scorecards typically use four focus elements

Financial performance

Operational efficiency

Human resources

Compliance

Narrative reporting

Uses words to explain how a risk exposure is changing

Narrative reporting is common where there is no numerical data that can be reported

It can also be combined with numerical data to help provide context

Designing and implementing risk reports

Audience

Board

High level risk reports to support governance and strategic decisions

Need to be kept simple and short

Common to use heat maps and short KRI reports

Senior management

More detailed to support allocation of resources and escalation but still relatively high level

Focus on key areas of risk (fraud, health and safety)

Heat maps and KRIs common

Business unit

More detailed

Review risk registers, KRIs and KCIs

Loss and near miss data

Tend to be very specific

Individual teams and support functions

Strong functional and performance focus

Review local risk registers and KRIs/KCIs

Local loss events and near misses

Size and level of detail

More detail is not necessarily better in a risk report

Include too much data and the report's audience will not be able to make sense of it

They will also have to spend more time reviewing the report and less on other matters

The key is to determine the essential pieces of data including narrative reporting that is needed by the report's audience

This should involve consultation with the intended audience to ensure that they have the length of report and level of detail they need

Level of statistical complexity

Risk reports can get very complex, especially when quantitative risk assessment approaches are used

Not every audience for a risk report will understand statistics or need a statistically complex report, even where data is available that can be analysed and reported using statistical methods

Frequency

The frequency of a risk report depends on the frequency with which risk exposures change

In volatile areas, such as in financial markets, reporting may be daily or on a real time basis

For areas such as cash flow or treasury management or credit risk, weekly or monthly is common

Monthly or quarterly is normal for other risk areas, such as health and safety