For some companies the risk register plays a leading role in risk management. But we can place a burden on a risk register which is inappropriate and too big. At the same time as asking less of our risk register, we should be asking more of it in terms of its central function: efficient administration and reporting.
Ask LESS of your risk register
A risk register is a risk-related administration system; a record of risks and associated information. It keeps a record over time. It doesn't assess risks, control risks or do risk management. So don't ask your risk register to:
- Identify risks: That's (implicitly) done by your corporate plans and models. Starting with these is better than brainstorming.
- Assess risks: It records those probabilities and impacts – or preferably something better. It doesn't set them – you do.
- Design and implement controls: An important and underplayed job and certainly not one to be left to an administration system.
- Match controls to risk: A risk register can make a contribution here, by recording the correspondence and making it easy to spot oddities. See below.
But if we ask less of our risk registers what else takes up the slack? As suggested above it's people who (for example) do the risk assessments. But there are other tools to help them, such as corporate models. Let's take a simplistic example – one we might only just call a model. Suppose we may have to pay £100 in exactly one year's time. What is an appropriate amount to put aside today for that potential payment?
Leaving aside any requirements such as to "play safe", our best guess of the appropriate amount depends on (a) the likelihood that we will have to pay the amount and (b) the interest we earn on the invested amount in the meantime. Suppose there are four scenarios:
| Likelihood | Interest rate | Amount to put aside | £ amount |
|---|---|---|---|
| High = 90% | High = 10% | P = 100 * 90% / 1.1, as P (amount invested) + 10% * P (interest earned) = 110% * P = 90, the expected amount | £81.82 |
| High = 90% | Low = 3% | 100 * 90% / 1.03 | £87.38 |
| Low = 60% | High = 10% | 100 * 60% / 1.1 | £54.55 |
| Low = 60% | Low = 3% | 100 * 60% / 1.03 | £58.25 |
That's hard with just a risk register and someone's judgement. A finance person could do it with a calculator, or Excel. But make it just a little harder: "what's the impact of interest rates being 1% lower than we expect over the next 10 years?" You need a model. A risk register is not the only tool.
Ask MORE of your risk register
One of the insights of time management guru David Allen, of "Getting Things Done" fame, is that the task we work on should be determined by the task's mental and physical requirements. Some tasks require a high degree of concentration, while others require an ability to plod through the boredom threshold. Some require access to a desk and a computer, while others can be done on a walk or on the train. It might, therefore, be an idea to classify tasks across these two dimensions.
Risk register effectiveness analogy: in building a risk register we should carefully choose the important dimensions, which should be chosen to help make decisions e.g. on what needs our attention. Despite risk registers having a lot of "columns" they often seem to miss this point.
But however good the ideas, no time management system is going to work if you can't find, prioritise, delete and in various other ways manage your task list, including the tasks you've put off for more than 6 months. Excellent implementation allows you to invest the mental energy saved on memory into problem solving.
Risk register efficiency analogy: how easy is it to extract the key information from your risk register? Can a risk owner see how he has deployed controls across "his" risks? Can he see if any risks have no controls? Or if some controls have no risks? Can you update and prioritise in seconds? And compare to last month?
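The questions above can be answered mechanically once risks and controls are recorded as linked data. The following is an added example, not part of the original article; the risk IDs, owners, scores and control names are constructed sample data and the function names are hypothetical.

```python
# Constructed sample data: IDs, owners, scores and control names are hypothetical.
CONTROLS = {"C1": "MFA on admin accounts", "C2": "Offsite backups",
            "C3": "Supplier due diligence", "C4": "Quarterly access review"}

LAST_MONTH = {
    "R1": {"owner": "alice", "score": 12, "controls": ["C1"]},
    "R2": {"owner": "alice", "score": 6, "controls": ["C2"]},
    "R3": {"owner": "bob", "score": 9, "controls": []},
}
THIS_MONTH = {
    "R1": {"owner": "alice", "score": 8, "controls": ["C1", "C4"]},
    "R3": {"owner": "bob", "score": 9, "controls": []},
    "R4": {"owner": "bob", "score": 15, "controls": ["C2"]},
}

def coverage_gaps(register, controls):
    """Return (risks with no controls, controls attached to no risk)."""
    used = {c for risk in register.values() for c in risk["controls"]}
    uncontrolled = sorted(rid for rid, risk in register.items() if not risk["controls"])
    unused = sorted(set(controls) - used)
    return uncontrolled, unused

def owner_view(register, owner):
    """One owner's risks with their controls, highest score first."""
    mine = [(rid, r["score"], r["controls"])
            for rid, r in register.items() if r["owner"] == owner]
    return sorted(mine, key=lambda row: row[1], reverse=True)

def month_diff(old, new):
    """Risks added, removed and re-scored between two register snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "rescored": {rid: (old[rid]["score"], new[rid]["score"])
                     for rid in sorted(set(old) & set(new))
                     if old[rid]["score"] != new[rid]["score"]},
    }

if __name__ == "__main__":
    print(coverage_gaps(THIS_MONTH, CONTROLS))
    print(owner_view(THIS_MONTH, "bob"))
    print(month_diff(LAST_MONTH, THIS_MONTH))
```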
BEWARE of your risk register
The siren song
In "A risk register is the siren song of risk management", David Ingram warns that a risk register can lure us on to the rocks. We start with a long list of risks which is difficult to manage. After a herculean effort of coding (or buying and learning) new software we have an efficient administration system. We can manage the list effectively. But as Ingram says, risk management is not a spectator sport; it is all about DOING. We should be changing something, actually managing the risks rather than just analysing and reporting the list of risks. There's a big difference. Ask what "non-risk" decision changed because of risk management.
The maths teacher
Ingram's article "Doing ERM is the control cycle" suggests that important elements of enterprise risk management (ERM) are transparency, alignment and discipline. A good risk register can demonstrate, support and prompt these:
- Transparency: Transparency is like the maths teacher who insists you show your working. A risk register can ensure your work is seen to be done.
- Alignment: Risk management which is not aligned with objectives will be ineffective. A risk register can force you to demonstrate this alignment.
- Discipline: Not everything can be done at once. But risk management is about doing. A risk register can support the regular review of all things uncertain.
More on transparency: it's the working that is seen to be done. What is this working and why does it matter?
In terms of the risk register, the working is the willingness to populate columns in the risk register, thereby ensuring an appropriate coverage of an organisation's risk and uncertainty. And here's the crunch point: all risk registers are not equal.
A risk register is not (should not be) just software. What really matters is the type of risk management it records. Is your type right?
Insights from Matthew Leitch
In an article which included the results of a survey of risk professionals regarding integration issues for future risk management standards, Matthew Leitch included a range of tools and techniques which can be used as alternatives to or complements of risk registers. The Appendix helpfully explains the techniques:
- Scenario planning
- War gaming
- Decision-support model with probabilities
- Decision-support model used to answer 'what if' questions
- Incremental delivery/agile
- Establishing high level 'risks' or objectives that cover 'risk' concerns
- Risk register with 'risks' for each of the alternatives in a decision
- Risk register with risk events not linked to a decision
The 8th technique described is "Risk register with risk events not linked to a decision" in which a risk event list is created by considering objectives or activities, not by considering a decision in which some factors are uncertain. Matthew believes the natural follow up is "Risk Listing" – see below. My points in this article are that:
- Risk is more than events. Specifically it includes uncertainty surrounding the achievement of objectives.
- Self-imposed decisions is a useful concept. These go beyond core decisions and include balance sheet management.
Models: the natural complement to risk registers
A risk register is a simple tool. Often we don't get enough from it. A risk register is, by its very nature, a list and doesn't allow well for:
- Dependencies between risks. Combined impacts may not be the sum of individual impacts. Probabilities may not be independent.
- Aggregation. Sometimes total risk across the organisation is important. Because of (1) above, risk registers don't really support this.
A model which projects cashflows can provide solutions to the above. Even a completely deterministic model can produce combined impacts. A financial projection model should be central to a business as an internal tool used to support value maximisation. A basic model can be extended to support risk-adjusted value.
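The £100 example from earlier in the article is already enough of a deterministic model to show a combined impact that differs from the sum of the individual impacts. The sketch below is an added example, not the author's own model; the function names are hypothetical and the `years` parameter is an assumed generalisation beyond the one-year case in the table.

```python
def reserve(amount, likelihood, rate, years=1):
    """Amount to put aside today: expected payment discounted at `rate`.

    With years=1 this is the table's formula, amount * likelihood / (1 + rate).
    The years parameter is an assumed extension to longer horizons.
    """
    return amount * likelihood / (1 + rate) ** years

def scenario_table(amount=100.0):
    """Reproduce the article's four scenarios, rounded to pence."""
    return {(p, r): round(reserve(amount, p, r), 2)
            for p in (0.90, 0.60) for r in (0.10, 0.03)}

def stress(base, shocks, amount=100.0):
    """Apply each shock alone, then all together, relative to the base case.

    base and shocks are dicts of reserve() keyword arguments.
    """
    start = reserve(amount, **base)
    alone = {name: reserve(amount, **{**base, name: value}) - start
             for name, value in shocks.items()}
    combined = reserve(amount, **{**base, **shocks}) - start
    return {"base": start, "alone": alone,
            "sum_of_alone": sum(alone.values()), "combined": combined}

if __name__ == "__main__":
    print(scenario_table())
    # Base case: low likelihood, high interest. Shocks: likelihood rises
    # to 90% and interest falls to 3%, the table's other corner.
    result = stress({"likelihood": 0.60, "rate": 0.10},
                    {"likelihood": 0.90, "rate": 0.03})
    for key, value in result.items():
        print(key, value)
```

Two register lines scored separately would add up to the `sum_of_alone` figure; the model's `combined` figure is larger because the two factors multiply rather than add.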
Where next? The risk register series
User beware. Many risk experts have warned of the common flaws in risk registers. It doesn't have to be this way. The first half of the set of articles below is generally positive, starting with how five potential audiences might make better use of risk registers. The second half warns of some really dangerous flaws.
- Risk registers: who, what, why and how? : Starting with the positive we ask the basic and practical question: how can we best use risk registers?
- Risk registers: good, bad, odd and ugly use : For most organisations risk registers work best alongside other tools. This article compares them to models.
- Risk management is more than risk registers : Why we should be asking both more and less of our risk registers. Includes a range of additional tools.
- Risk registers: the claimed flaws : A list of claimed flaws, with brief comments, plus a brief look at Matthew Leitch's critique of "Risk Listing".
- Risk registers: what your auditor probably won't tell you : Is your risk register inconsistent and incomplete by design? An accident waiting to happen?
- Risk is more than events : Risk registers often focus on future things that might / might not happen. But most areas of uncertainty are not usually events.
- How to miss 75% of your risks without trying : How bad could a risk register get? Could a common approach miss 75% of all risk, for example?
- Slicing and dicing risk : Shows the flaws in probability-impact risk assessment, using a simple example. Turn on your brain and turn off probability-impact.