Let’s start our risk management process on the right footing in 2022 and declutter our risk register!

It’s that time of year when many take a step back to re-evaluate business goals. We assess what has worked and what did not work as planned and make adjustments where needed. With the uncertainties and challenges the last two years have presented, it is unquestionably a logical thing to do.

The risks inherent in your business typically do not change frequently. However, they may need to be updated to reflect the current environment. Therefore, it is a good time to look at your risk register and evaluate whether it accurately captures your portfolio of potential risks.


What is a risk?

A risk is any event that can introduce uncertainty in your ability to meet your business objectives.


On the surface, risk identification may seem to be a relatively simple exercise. However, you may encounter these common missteps:

  1. Not linking risks to your business objectives.
  2. Not using your risk taxonomy as a guide.
  3. Identifying causes of and impacts from a risk, rather than the risk itself.

Starting With Your Business Objectives


It is hard to justify having risks in your register that cannot be linked to a strategic or business objective. The risks in your register should be born of the strategic initiatives and processes put in place to meet your business objectives. Otherwise, the risks captured in your register may be possible, but simply not relevant to your business at this juncture. Therefore, you should purge or archive these! There is no need to clutter your register with risks that do not apply, or no longer apply, to your business.

Using Your Risk Taxonomy

Your risk taxonomy can be a helpful tool because it helps you understand your risk landscape at a high level before you start describing the risks that fall within these categories. This will help your organization perform a sanity check on whether they have identified all relevant risks. Without this, you may neglect to think about the risks that aren’t necessarily top of mind but matter nonetheless.



Risks Only, Please

Identifying causes and impacts as risks in your risk register makes it difficult to accurately assess the impact to your business and take proper corrective action.


We identify risks so that we can assess the likelihood and the impact of each one occurring. When we know this, we can compare it to our desired likelihood and impact rating (i.e., our appetite) and take corrective action if needed. The risk management process becomes muddled when your risks get grouped together with your risk causes or impacts.

Example 1

For example, let's say you identified not performing your four-eye check on your process as a risk, instead of identifying it as an internal control performance failure. You would then attempt to assess the likelihood and impact of the control not being performed. However, the impact would be difficult to measure, because controls are put in place to prevent, detect, or correct a risk from occurring. The control failure itself therefore might not directly result in a loss. Rather, not performing the control would allow the real risk to materialize into an impact that can be measured more accurately. In this example, not performing the control is the cause of the risk.


Example 2

Here is another example. Let's say you identified a deterioration of your relationship with a key supplier as a risk in your risk register. You would then try to assess the likelihood and the impact of the deterioration. Again, measuring the impact becomes tricky, because the deterioration is the impact! You likely identify risks precisely to ensure that you do not end up in a situation where you jeopardize your key relationships, whether they are with your customers, suppliers, employees, or other important stakeholders.

In both examples above, you may be putting in place corrective actions that do not address the heart of the issue. This is not optimized risk management!

Tips for Capturing Only Risks

Be diligent when describing your risk.  When you think of a risk, list the reasons this risk could occur, such as improper limits, IT failures, manual errors, external events, etc. Then think about the impact, such as a direct loss, regulatory breach, stakeholder loss, etc.  Consider the who, what, where, and when. It helps if you express your risks like this: the risk of […] due to […] leading to […].


With these guidelines in place, you can compare the description of your risks in your risk register against these standards.  Also, ensure each risk can be linked to a category in your taxonomy.

If an entry cannot be described in the above fashion or fit nicely within your risk taxonomy, it is probably not a risk but a cause of a risk or an impact from a risk. Consider whether you should rephrase the risk, archive or purge it altogether. 
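The three checks described above (structured wording, a taxonomy category, and a link to a business objective) can be applied to a register mechanically before anyone spends time rating likelihood and impact. The script below is an added example, not a tool from the original post; the taxonomy categories, objective identifiers and the four sample register entries are constructed for illustration (two of them mirror Example 1 and Example 2 above). It parses each description against the "risk of [...] due to [...] leading to [...]" form, flags entries that are really a cause or an impact, and flags entries that do not fit the taxonomy or are not tied to an objective.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed taxonomy and objective list for this example (an assumption,
# not taken from the post); replace with your own categories and objectives.
TAXONOMY = {"operational", "financial", "compliance", "strategic", "technology"}
OBJECTIVES = {"OBJ-1", "OBJ-2", "OBJ-3"}

# Wording standard from the post: "the risk of [...] due to [...] leading to [...]".
PATTERN = re.compile(
    r"^\s*(?:the\s+)?risk\s+of\s+(?P<risk>.+?)"
    r"\s+due\s+to\s+(?P<cause>.+?)"
    r"\s+leading\s+to\s+(?P<impact>.+?)\s*\.?\s*$",
    re.IGNORECASE,
)


@dataclass
class RiskEntry:
    rid: str
    description: str
    category: str
    objectives: List[str]


def parse_components(description: str) -> Optional[Dict[str, str]]:
    """Split a description into risk / cause / impact, or None if it
    does not follow the structured wording."""
    m = PATTERN.match(description)
    if m is None:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}


def review_entry(entry: RiskEntry) -> List[str]:
    """Return the findings for one entry; an empty list means it passes."""
    findings = []
    if parse_components(entry.description) is None:
        findings.append(
            "description is not in 'risk of ... due to ... leading to ...' form; "
            "it is probably a cause or an impact: rephrase, archive or purge"
        )
    if entry.category.strip().lower() not in TAXONOMY:
        findings.append(f"category '{entry.category}' is not in the risk taxonomy")
    if not entry.objectives:
        findings.append("not linked to any business objective")
    else:
        unknown = sorted(set(entry.objectives) - OBJECTIVES)
        if unknown:
            findings.append(f"unknown business objective(s): {', '.join(unknown)}")
    return findings


def review_register(entries: List[RiskEntry]) -> Dict[str, List[str]]:
    """Review every entry and return findings keyed by register id."""
    return {e.rid: review_entry(e) for e in entries}


# Constructed sample register. R-02 is the control failure from Example 1
# (a cause); R-03 is the supplier relationship from Example 2 (an impact).
SAMPLE_REGISTER = [
    RiskEntry("R-01", "The risk of unauthorised payments due to manual errors "
              "in the payment process leading to a direct financial loss.",
              "financial", ["OBJ-1"]),
    RiskEntry("R-02", "Four-eye check not performed on payment release.",
              "operational", ["OBJ-1"]),
    RiskEntry("R-03", "Deterioration of the relationship with a key supplier.",
              "strategic", ["OBJ-2"]),
    RiskEntry("R-04", "The risk of a prolonged service outage due to IT failures "
              "leading to a regulatory breach.", "cyber", []),
]


if __name__ == "__main__":
    for rid, findings in review_register(SAMPLE_REGISTER).items():
        status = "OK" if not findings else "REVIEW"
        print(f"{rid}: {status}")
        for f in findings:
            print(f"    - {f}")
```

Entries that pass all three checks are the ones worth rating against your appetite; everything else goes back to the owner with the specific reason, which is usually enough for them to rewrite a cause or an impact as the underlying risk.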

Congratulations! You have a decluttered risk register. You are on your way to starting your risk management process on the right footing in 2022! Well done.
