Risk Registers and Risk and Control Self Assessments - Coggle Diagram
The risk register
Most organisations have one or more risk registers.
These registers may be spreadsheets or database applications and are used to store information on the risk events that have been identified and assessed
Where more than one register exists, it is important to ensure that data is collected and organised in a way that allows data to be aggregated across different registers
Risk registers are updated on a regular basis
The frequency varies depending on how often risk exposures change - typical frequencies are monthly or quarterly
A simple risk register may include
A description of the risk event that has been identified
The risk category that the risk event is linked to
The person responsible for managing the risk event on a day-to-day basis
A qualitative probability and impact assessment of the risk event
Any actions currently under way to control the probability of the risk event
More comprehensive risk registers may include
A qualitative probability and impact assessment of the inherent risk
A qualitative probability and impact assessment of the residual risk
Any maximum exposure limit that has been assigned for residual risk exposure
Information on the potential causes of the risk event
Information on the potential financial and non financial impacts of the risk event
Any risk metrics that are used to monitor the organisation's exposure to the risk event
Recent trends in terms of any movements in residual risk exposure up or down
RCSA
Risk and control self assessment is a process that combines risk identification, qualitative risk assessment and an assessment of control effectiveness
RCSA provides a systematic means for identifying control weaknesses and gaps that may threaten the achievement of an organisation's objectives or the operational efficiency of its systems and processes
A key output is the production of action plans that help to allocate scarce resources to address control gaps or weaknesses where the benefits of doing so exceed the associated costs of increased control
RCSA can be used to support internal audit and governance activities by identifying control gaps and weaknesses proactively (for example, before an internal auditor picks up the issue). By prioritising these on cost-benefit grounds, an organisation can demonstrate that it is using its resources effectively
RCSA documentation will include the typical components of a risk register, plus an assessment of the effectiveness of the controls that are in place - this assessment is used to estimate the residual risk exposure
Risk reporting
An important element of risk management is risk reporting - it is not an end in itself nor is it an activity that should be done in isolation
Effective risk reporting exists to support decision making in an organisation
All decisions involve an element of risk
Decision makers need information on the nature and extent of these risks to make the best possible choices, whether this is in relation to the achievement of strategic goals, such as business expansion, or operational considerations, such as delivering a service or manufacturing a product
RAG Reporting
The RAG (red, amber, green) concept may be used to help prioritise risk exposures, control weaknesses, internal audit issues or any other aspect of an organisation's risk management activities
Red: the level of risk exposure is very high (or low) and could threaten the achievement of an organisation's strategic objectives - immediate action is required on the part of management to manage the risk in question
Amber: the level of risk exposure is higher/lower than normal. Management attention is required to determine whether action needs to be taken in the near future
Green: the level of risk exposure is within normal parameters - no action is required as the risk is under adequate control
Heat maps
Heat maps use the concept of RAG reporting
Occasionally heat maps add additional colours such as black to denote extreme risks and blue to show insignificant risks
Many types of heat map are used in organisations
Some heat maps show the status of risk, control or performance indicators - others are used to show trends in risk exposure
Small heat maps can help management to focus on the most significant red or amber risk exposures or control weaknesses
It is possible to produce objective-based heat maps which illustrate the level of risk currently associated with not meeting each objective
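As an added illustration (not part of the Coggle diagram), the following script aggregates two constructed risk registers that share a column layout, scores inherent and residual exposure as probability x impact, assigns a RAG status, flags breaches of the residual exposure limit and counts risks per heat map cell. The column names, the 1-5 qualitative scales and the RAG thresholds are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample registers (two spreadsheets exported as CSV). Columns
# mirror the register fields above; prob/impact are 1-5 qualitative ratings.
REGISTER_IT = """\
risk_id,description,category,owner,inh_prob,inh_impact,res_prob,res_impact,limit
IT-01,Phishing leads to credential theft,Cyber,CISO,4,4,2,4,9
IT-02,Unpatched server exploited,Cyber,Head of Infrastructure,3,5,4,4,8
"""
REGISTER_OPS = """\
risk_id,description,category,owner,inh_prob,inh_impact,res_prob,res_impact,limit
OP-01,Payment batch run fails,Operations,Ops Manager,2,3,1,3,6
OP-02,Key supplier insolvency,Supply,Procurement,3,4,3,3,8
"""

def load_register(text):
    """Parse one CSV register; a shared column layout makes aggregation possible."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in ("inh_prob", "inh_impact", "res_prob", "res_impact", "limit"):
            row[col] = int(row[col])
        rows.append(row)
    return rows

def rag(score):
    """RAG status of a probability x impact score (1-25); thresholds are assumed."""
    if score >= 15:
        return "red"
    return "amber" if score >= 8 else "green"

def aggregate(*registers):
    """Combine registers, score inherent and residual exposure, flag limit breaches."""
    combined = []
    for reg in registers:
        for row in load_register(reg):
            row["inherent"] = row["inh_prob"] * row["inh_impact"]
            row["residual"] = row["res_prob"] * row["res_impact"]
            row["rag"] = rag(row["residual"])
            row["over_limit"] = row["residual"] > row["limit"]
            combined.append(row)
    return combined

def heat_map(rows):
    """Number of risks in each (residual probability, residual impact) cell."""
    return Counter((r["res_prob"], r["res_impact"]) for r in rows)
```

Rows with a red status or an over-limit residual exposure are the ones a small heat map or dashboard would surface first.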
Risk event and near miss database
Statistics collected from risk event and near miss databases may be reported on
Usually the focus is on negative risk events and near misses: in other words, risk events or near misses that have or could have resulted in a financial or non financial loss
Organisations may report the number of risk events or near misses as well as the value of any financial or non financial loss
Non financial losses may be estimated using ordinal impact scales or in terms of the number of complaints or negative media stories
If there is sufficient data, it may be possible to provide reports by risk category or business unit and function
This can help to focus management attention on key categories of risk or high risk business units and functions
Risk, control and performance indicators
Many organisations monitor and report performance indicators to different levels of management
For example, the board and senior management may receive a range of financial performance indicators such as revenues, profit or surplus
Functional and department managers may receive HR information on staff absences or operational information relating to the efficiency of the systems and processes that they manage (customer waiting times, production rates and employee absence levels)
Organisations may also monitor and report a range of risk and control indicators
Risk indicators provide information on an organisation's inherent exposure to one or more risks
Control indicators provide information on the effectiveness of one or more controls
Common risk indicators include staff turnover (because new staff are more likely to make mistakes), the number of attempted IT firewall breaches or the credit scores of any suppliers or customers that owe money to an organisation
Common control indicators include the frequency of electrical testing, unresolved internal audit issues and the number of breaches of policies or procedures
As with performance indicators, different reports may be produced for different departments and functions, as well as different levels of management
Risk dashboards
Risk dashboards are risk reports that combine various risk and control indicators as well as heat maps, risk event and near miss data
Risk dashboards may be presented thematically - for example, the board may receive a strategic risk dashboard
Senior managers may receive dashboards on topics such as health and safety, and department and function managers may receive dashboards relating to their areas of responsibility
Effective dashboards are not long. People can find it very hard to process dashboards that run over two or more pages. Care is needed to provide the most relevant sources of information in the clearest way
Balanced scorecards
Are used for strategic planning
As part of this, they provide a means of structuring a risk dashboard around an organisation's objectives so that the risks to these objectives can be monitored and reported
Balanced scorecards typically use four focus elements
Financial performance
Operational efficiency
Human resources
Compliance
Narrative reporting
Uses words to explain how a risk exposure is changing
Narrative reporting is common where there is no numerical data that can be reported
It can also be combined with numerical data to help provide context
Designing and implementing risk reports
Audience
Board
High level risk reports to support governance and strategic decisions
Need to be kept simple and short
Common to use heat maps and short KRI reports
Senior management
More detailed to support allocation of resources and escalation but still relatively high level
Focus on key areas of risk (fraud, health and safety)
Heat maps and KRIs common
Business unit
More detailed
Review risk registers, KRIs and KCIs
Loss and near miss data
Tend to be very specific
Individual teams and support functions
Strong functional and performance focus
Review local risk registers and KRIs/KCIs
Local loss events and near misses
Size and level of detail
More detail is not necessarily better in a risk report
Include too much data and the report's audience will not be able to make sense of it
They will also have to spend more time reviewing the report and less on other matters
The key is to determine the essential pieces of data, including narrative reporting, that are needed by the report's audience
This should involve consultation with the intended audience to ensure that they have the length of report and level of detail they need
Level of statistical complexity
Risk reports can get very complex, especially when quantitative risk assessment approaches are used
Not every audience for a risk report will understand statistics or need a statistically complex report, even where data is available that can be analysed and reported using statistical methods
Frequency
The frequency of a risk report depends on the frequency with which risk exposures change
In volatile areas, such as financial markets, reporting may be daily or on a real-time basis
For areas such as cash flow or treasury management or credit risk, weekly or monthly is common
Monthly or quarterly is normal for other risk areas, such as health and safety