Companies’ risk profiles are changing ever more quickly owing to industry, regulatory and geographic change – documenting these changing risks is therefore vital.
Whether a company stays static, evolves, grows or declines, its risk profile will change over time.
External pressures from competitors, regulators and legislation will combine with internal pressures such as new products, services, markets or territories to generate different scales of existing and new risks.
Maintaining and managing a risk register – the detailed record of a company’s known risks – is therefore more important than ever to protect shareholders’ investments and other stakeholders’ interests.
From the top
Understanding a company’s risks is ultimately a leadership issue. Yet without a risk register it is easy for risks to slip under the leadership’s radar, increasing the chance of risks being insufficiently managed, mitigated and/or insured.
Keeping a risk register enables a company to report risks to investors or shareholders and, crucially, make better-informed decisions about strategic business changes.
A common approach to creating a risk register is to map out the company’s risks in each strategic area of the business according to:
a) their severity and
b) the probability of them occurring.
A scale of 1–5 for a) and b) generates a total score per risk and enables the top 10 to 20 risks to be mapped (often on what is called a heat map).
Each risk can be tagged with an arrow to show the anticipated direction of change in that risk’s profile. Importantly, each risk needs to be owned by a director, who should manage that risk and report its status to the board at agreed regular intervals.
This gives a company a better-informed overview of the risks and they can then judge whether:
- They have adequate risk mitigation and insurance arrangements in place
- They might be spending far too much money on risk mitigation and/or insurance
- They might need to apply more resource
- They should exit certain businesses to avoid risks that could threaten the company’s viability.
Consensus and ownership
It is usually best to formulate risk registers in a workshop environment involving key decision-makers, so that a consensus is developed on the company’s risks. This also makes it easier to assign responsibility for mitigating or transferring larger risks to specific senior executives.
Risk registers should be refreshed at least once a year, ideally with quarterly updates. Any immediate material changes to a company’s risks should be documented in the risk register and reported on an exceptional basis.
A company often gets a good sense of whether its risk register is adequate by asking itself the following question: ‘Have we got a risk register that we are proud of and would share (confidentially) with key business partners?’
For further information, please contact Tim Cracknell, Head of Risk Consulting on +44 (0)20 7558 3941