There seem to be two trains of thought on Risk Registers; they are terrible and should be banned, or they are a critical part of a risk management programme and environment. I can see both perspectives, though I come down on the side favorable to Risk Registers. I also have some sympathy for those that say "Risk Registers are dead boring".
A good friend is very happy to tell me that Risk Registers are the bane of the risk management profession, and that they do significantly more damage than any benefit the provide. Risk Registers, with their attempt (or not) to create a defined universe of risks only serve to distract management and the Board from the wider range of risks, and thus provide a completely false sense of security. Use a Risk Register, he says, and you will absolutely be blind-sided by the actualisation of a risk that will kill the business.
Risk Registers also do not facilitate the quantification of all risks, or even necessarily the quantification of the value at risk for any particular risk. And without a quantification of the risk, it is impossible to have confidence in the application of resources to manage the risk.
He is right, of course, while also being completely wrong.
Any methodology or framework applied without adequate thought will court disaster. Anyone who actually thinks that their Risk Register actually contains either all the risks, or even all the important risks, is deluding themselves. Equally, anyone who thinks that they can quantify all risks either has a bloated risk function, is a major engineering conglomerate, or is delusional. Quantification can only go so far, and over-reliance on models can be just as dangerous as no assessment of potential consequences.
However, Risk Registers are an important part of risk management's ongoing processes of assisting management in the identification and management of risk. Note "a part of" and "assisting". These are critical. A Risk Register is so much more than simply an enumeration of risks, even if each has an associated description and a likelihood / impact scoring.
But a Risk Register can contain and drive so much more.
So what then is the purpose of a Risk Register. I would suggest Risk Registers can provide the following:
1. A common framework for the understanding of risk and the language for describing and managing risk within the organisation.
2. An agreed view of risks (but not all risks, as this simply is impossible, and counterproductive to attempt).
3. A linkage between organisational objectives and the risks to achievement of those objectives (as per COSO '92).
4. A central repository of the key controls associated with the risks, at a high level. In this way a control could be considered the inverse representation of a risk, or a subset of category of a risk.
5. The ability to identify control gaps, and to identify controls that need to be put in place.
6. A single source for reporting to determine the current, past and future level of risk (subjective) against the organisation's Risk Appetite.
A Risk Register does not prove that risks are being managed, nor does it record all risks. It also does not, by itself, ensure that control are effective.
Finally, reiterating the "does not record all risks" point - there are risks that should not be put on a Risk Register. I have this discussion frequently, sometimes with a look of incredulity and a statement that "of course all risks should be on the register". There are some risks that do not belong on the register. These range from exit strategy risk to some specific regulatory risk to name two types. We can have a discussion about other risks, and I'd be happy to hear views on what risks belong on, and which should not be on the risk register.
Why should some risks not be recorded? Ah, that is NOT what I am saying. I am saying that some risks should not be on the Risk Register. These risks should of course be recorded and considered, but a Risk Register frequently is a document, system, spreadsheet, SharePoint directory(ies) or other repository of risks that will be visible by a number of individuals in the business. The Risk Register is also a living entity, with risks changing, being added, upgraded and downgraded.
I think the best summary comes from another friend, who said after attempting to build his Risk Register, "This is dead boring, but the process has actually made me think about the risks in my business, and is showing me that we have a lot more to do before I'll be comfortable that we are managing our risks".
A good friend is very happy to tell me that Risk Registers are the bane of the risk management profession, and that they do significantly more damage than any benefit the provide. Risk Registers, with their attempt (or not) to create a defined universe of risks only serve to distract management and the Board from the wider range of risks, and thus provide a completely false sense of security. Use a Risk Register, he says, and you will absolutely be blind-sided by the actualisation of a risk that will kill the business.
Risk Registers also do not facilitate the quantification of all risks, or even necessarily the quantification of the value at risk for any particular risk. And without a quantification of the risk, it is impossible to have confidence in the application of resources to manage the risk.
He is right, of course, while also being completely wrong.
Any methodology or framework applied without adequate thought will court disaster. Anyone who actually thinks that their Risk Register actually contains either all the risks, or even all the important risks, is deluding themselves. Equally, anyone who thinks that they can quantify all risks either has a bloated risk function, is a major engineering conglomerate, or is delusional. Quantification can only go so far, and over-reliance on models can be just as dangerous as no assessment of potential consequences.
However, Risk Registers are an important part of risk management's ongoing processes of assisting management in the identification and management of risk. Note "a part of" and "assisting". These are critical. A Risk Register is so much more than simply an enumeration of risks, even if each has an associated description and a likelihood / impact scoring.
But a Risk Register can contain and drive so much more.
So what then is the purpose of a Risk Register. I would suggest Risk Registers can provide the following:
1. A common framework for the understanding of risk and the language for describing and managing risk within the organisation.
2. An agreed view of risks (but not all risks, as this simply is impossible, and counterproductive to attempt).
3. A linkage between organisational objectives and the risks to achievement of those objectives (as per COSO '92).
4. A central repository of the key controls associated with the risks, at a high level. In this way a control could be considered the inverse representation of a risk, or a subset of category of a risk.
5. The ability to identify control gaps, and to identify controls that need to be put in place.
6. A single source for reporting to determine the current, past and future level of risk (subjective) against the organisation's Risk Appetite.
A Risk Register does not prove that risks are being managed, nor does it record all risks. It also does not, by itself, ensure that control are effective.
Finally, reiterating the "does not record all risks" point - there are risks that should not be put on a Risk Register. I have this discussion frequently, sometimes with a look of incredulity and a statement that "of course all risks should be on the register". There are some risks that do not belong on the register. These range from exit strategy risk to some specific regulatory risk to name two types. We can have a discussion about other risks, and I'd be happy to hear views on what risks belong on, and which should not be on the risk register.
Why should some risks not be recorded? Ah, that is NOT what I am saying. I am saying that some risks should not be on the Risk Register. These risks should of course be recorded and considered, but a Risk Register frequently is a document, system, spreadsheet, SharePoint directory(ies) or other repository of risks that will be visible by a number of individuals in the business. The Risk Register is also a living entity, with risks changing, being added, upgraded and downgraded.
I think the best summary comes from another friend, who said after attempting to build his Risk Register, "This is dead boring, but the process has actually made me think about the risks in my business, and is showing me that we have a lot more to do before I'll be comfortable that we are managing our risks".
Dan, I think you have scored some very important points. A risk register or equivalent can delude people into thinking that (a) they have identified all the risks to objectives, (b) understood and are managing them. It is a point-in-time list when our world is dynamic.
ReplyDeleteRisk is being taken or modified with every decision at all levels across the organization. The management of that risk must be continuous, part of our decision-making process and integrated into how the business is run.
Decision-makers are the real risk managers.
So, those that rely on risk registers as the core of the management of risk are missing 80% of the picture. Again, you cannot hope to manage risk when it is only considered as part of a periodic exercise when you update and review a risk register.
But, at the same time, that periodic exercise is a valuable "taking stock" exercise, when the aggregate view of risk across the enterprise can be considered.
So, risk registers are, IMHO, valuable but only if seen as a component and not the core of risk management.