The Risk Register is the central repository of the key risks and controls identified across the organisation's departments and business units. These identified risks are the result of systematic (e.g. RCSA) or ad-hoc risk assessments performed at a given point in time, either across all departments or specifically for one business line. The characteristics and size of a risk register depend fundamentally on the size of the company and the complexity of its business model.
Risk Sources
The risk register is therefore fed from different sources, whether internal or external.
Ad-hoc risk assessments may be triggered, for example, by:
- a new business area being introduced in the organisation
- changes in the political, economic, social, technological, legal or environmental (PESTLE) context
- regulatory changes
The Risk and Control Self-Assessment (RCSA) process allows the Risk Management department to identify risks and controls across the business. The RCSA process typically evaluates:
- inherent risk (the risk before controls are considered),
- the effectiveness of the control environment,
- and residual risk (the risk exposure after controls are considered)
Maintaining the Risk Register
The risk register must be closely monitored and kept up to date at all times.
Risks and controls resulting from the RCSA are recorded in the firm's risk register and owned by the business. Scorecards build on RCSAs by weighting residual risks, translating the RCSA output into metrics that give a relative ranking of the control environment. These scorecards quantify the impact and likelihood of each risk occurring using a scoring methodology (e.g. a 4×4 matrix with VH/H/M/L ratings for impact and likelihood). When scoring impact, the RCSA process considers the financial, client, legal & regulatory and reputational dimensions.
The outcome of risk assessments (ad-hoc, specific or process-driven) is a list of the potential risks the organisation is exposed to. These identified risks, along with their scores, their mitigating controls and the scores of those controls, must be stored in a structured and formal risk register. Nowadays banks and other regulated financial firms take this topic very seriously and keep their risk register updated and ready to disclose to a regulator should that requirement arise.
Action Points
Where risk-mitigating controls are scored low or weak, either in terms of design or performance, action points must be defined immediately and assigned to one or more owners. The risk management department must follow up on every open action point until completion, since in the interim the control in place may not be robust enough. Ultimately, the head of risk may block or make conditional a given initiative if a risk-mitigating control is not in place or is found not to be robust enough.
Read more (external links, PDF files)
- The Basic Principles of Compiling a Risk Register for Smaller Companies – this paper covers a good range of concepts related to the risk register and also includes a risk register template for smaller companies
- Risk Identification and Assessment Methodologies for Securities Regulators – this is an International Organization of Securities Commissions (IOSCO) publication that covers several concepts, in particular how a risk register can be used effectively in the risk identification methods applied by securities regulators. It also includes good examples of the risk register and heat map methodologies used in different countries (annex 3)