How to create your Risk Register
When setting up a new risk platform, we often get asked, “Where do we start?” The answer is simple: start by logging your business objectives. The international standard on risk management, ISO 31000, brilliantly describes risk management as “The effect of uncertainty on your business objectives”. Business objectives are the cornerstone of risk management and are where the whole threat identification process should start.
Not only is this the correct way to build your risk registers, it’s also the safest and, in many ways, the easiest, because you have something to focus on.
All companies have objectives, large and small. A small firm might only have a handful, but a medium to large company could have hundreds. All the business managers would have objectives, and there could be hundreds just from middle management; you’ve then got the directors and stakeholders to account for. The secret here is to treat an objective like an issue. Rather than a quick summary in a dropdown menu, log it as an entity and include relevant details, such as which departments, products, services, etc. are affected and who owns the objective. Record as much detail as possible to get a full understanding of its level of importance to the business. This technique also helps owners to achieve their objectives by giving them the information to properly manage and comprehend them.
Once you have identified your main business objectives you can then look at the risks that could potentially impact them. What could happen that would negatively affect your business in achieving that objective?
By linking risks to your objectives, you start to get a holistic view of the potential problems that might impact your different business objectives. By deciding how important those objectives are, you can then determine a risk appetite for each risk. For example:
Business objective 1. “Increase annual turnover by 45%” – This is an aggressive target that would require you to take the odd gamble, which means risk-taking, so the risks that would impact upon this would have to be more easily accepted and therefore have a high risk appetite.
Business objective 2. “Be compliant with all regulations, legislation and laws” – This objective, on the other hand, would require you to have a low risk appetite for risks that could cause you to not meet that objective, because the slightest failing could mean you are not compliant.
By seeing how your risks connect to your business objectives, you can see risks that will affect objectives with both high and low risk appetites and so make a better judgement on mitigation strategies. This method also allows you to identify risks that cause a conflict by affecting objectives that require different appetites, something that could easily be overlooked when using inadequate software to manage your risks.
You might think a Risk Management software solution to accomplish all this would cost you a fortune, but you would be wrong. With Symbiant, it actually costs you less than using a spreadsheet.
Booking a demonstration: To find out how Symbiant can help you, and much more, book a free demonstration.