Whether it is one of the many integrated software solutions or a more fundamental spreadsheet type version, your organisation has a critical relationship with its Risk Register(s).
From its early relationship beginnings, including nervous or reluctant interactions with new operators, through to the more mature and forward-thinking discussions about opportunities just peaking over the horizon, each organisation is on a unique journey with their Risk Register. This article steps through the stages of this relationship lifecycle, offering some advice on how to get the most out of the relationship.
In the early tentative stages of the organisation’s use of a Risk Register, the register itself tends to focus on immediate, obvious threats, and as a result, the risk-related thought processes are more-straight forward (based on a direct “cause and effect” calculation). Caution tends to dominate, with stakeholders assessing risks conservatively, typically resulting in a number of ‘high’ risks that may not in reality be high. The understanding around the process, and the ‘so-what’ consequence, often has to be affirmed with the stakeholders to avoid confusion and a skewed risk assessment focus.
These early days in the relationship have to be worked through: both in terms of the register process as it helps define key risk fields, responsibilities, the risk appetite and reporting / monitoring structures; and the personnel involved, as their knowledge and understanding grows exponentially through this process. The key here is to acknowledge that time is required, and rushing through it may have a detrimental impact. Further, the evaluation of risk is an ever-evolving process, and as experience is gained, so too is a more accurate picture of the actual organisational risk.
As things develop within the organisation, there are typically some departments/sections that can see the benefits of the Risk Register and become early adopters. These early adopters are quite useful in leading the maturing of the risk register and related processes. As this maturity grows, so too does a common risk language and understanding. Processes become standardised, and risk assessments become less cautious; potentially with the realisation that, now that we have studied the likelihood or considered the probability, some of those ‘high’ risks may actually be more like a ‘medium’ risk.
The challenge now lies in taking the next steps toward having the relationship hit its prime. With documentation and responsibilities becoming engrained, there is a real risk that the relationship will plateau or stagnate, as the same material is reviewed on a quarterly or monthly basis, with only adjustments to some of the micro-details. In stepping out of the weeds and ensuring the risk register is dynamic, there is benefit in searching for any unidentified risk exposures that can be used as a catalyst point for changing the organisation’s thinking. While all the obvious risk exposures have been captured on the risk register and assessed diligently every month, there are often other risks that have potential negative (or positive!) impacts that have been missed or glossed over. It is at this point of contextual learning that the organisation may have its ‘ah-ha’ moment, and this becomes the catalyst for growth and change – and the moment when all Managers around the table can see the benefit of the risk register and what it should do.
Once the organisation has hit this point, with the internal stakeholders really starting to think about risk, the register and the relationship become interwoven, part of strategic decision-making. At full maturity, the register transforms into a strategic tool. Risks are evaluated against defined tolerance thresholds, tracked with performance indicators and metrics, and reported up to the executive leadership team and the board with confidence and a full understanding. The register becomes an aid in seeing the red flags in a timely fashion as the organisation manages its risks, avoids the threats and capitalises on opportunities.
The effectiveness and net benefit of a risk register is dependent upon the relationship between the register and its stakeholders, and the knowledge and understanding that those human stakeholders have identifying, assessing and treating the organisation’s risks.
Please contact us for more information or assistance.
