A risk register is a concise, structured document listing all the identified risks for a business, project or contract, together with the result of the risk analysis (impact and likelihood), initial mitigation plans, and current status of each risk. It should be updated on a regular basis (at least monthly) in order to maintain an up-to-date risk profile.
Purpose and benefits of using a risk register
The purposes (and benefits) of using a risk register are as follows.
• To capture all analysis and decisions about identified risks in a coordinated, centralized (but accessible) data store
• To provide a template document, allowing risk information to be recorded systematically and in a standardized format supporting analysis and use. The register can easily be computerized (e.g. using spreadsheet or tailored software packages) to support access, consolidation, analysis, modification, the triggering of risk alerts and mitigating action and so on.
• To develop risk visibility throughout the organization, including immediate visibility of current risk status and exposure: relevant, accurate and up-to-date information for decision-making and problem-solving.
• To identify accountabilities for monitoring and managing risks
• To provide a framework for risk monitoring, management and review activities. The format supports use at an operational level, for individual projects and units, but the data can also be consolidated for strategic risk management.
• To provide a basis for allocating resources to risk monitoring, management and review, and for presenting a business case for risk management
• To encourage (and act as a tool for) communication about risk issues with key internal and external stakeholders: increasing risk-related learning, stakeholder involvement and input, and so on.
• To provide project sponsors, contract managers and other designated risk owners with a documented framework from which risk status can be reported.
Contents of a risk register
A risk register will typically contain columns for the entry of the following data.
• A unique reference or code number identifying each risk
• Description of the type and nature of the risk
• The date on which the risk was first identified.
• The risk owner: an identified individual (or role/position) with lead responsibility for monitoring and management of the risk.
• Probability of the risk event occurring: expressed as an appropriate rating, score, percentage or category. The organization may have standard definitions for Low (L), Medium (M) and High (H); intermediate ratings such as M– or H+; and ranges such as L–M, where a risk has not yet been fully or accurately assessed.
• Impact, cost or consequences if the risk event occurs (expressed as an appropriate cost value, score or rating, or described briefly).
• Identified possible responses or mitigation actions, to reduce probability or impact, or both. Where a risk is high-impact (regardless of probability), this should include contingency plans (or a link or cross-reference to the relevant contingency plan). It may also include recovery plans (planned actions to take once a risk event has occurred, in order to restore normal operations).
• The risk mitigation action chosen and its effect (if any)
• Regularly updated information on the current status of each risk (response actions put in place and whether they are effective), with the date of the latest update.
A simple risk register for the procurement and supply function is shown in the figure below. (Remember that this is only a generic example: the register will reflect the specific nature of risks, vulnerabilities and responsibilities in practice.)
Template risk register
ID | Risk | Probability Rating | Impact Rating | Strategy / Controls | Action Taken | Owner | Review | Updated
1 | Key supplier business failure | Low | High | Treat: Evaluate/select, multi-sourcing | Evaluation criteria developed. Dual sourcing | Account managers | date | date
2 | Quality failure | Low | Medium | Treat: Specification, Quality assurance | Suppliers consulted | Quality manager | |
3 | Schedule variance (lead time extension) | Medium | Low | Accept: Monitor | Monitoring | Account managers | |
4 | Price/cost variance | High | Medium | Treat/transfer: Contract terms | Prices locked in | Account managers | |
5 | Non-availability of materials | Low | Low | Accept: Monitor | Monitoring | Materials managers | |
6 | Purchasing fraud | Medium | High | Treat: Ethical codes, Internal controls | Internal control in place | Finance officer | |
7 | Reputation damage from supplier CSR failure | Medium | Medium | Treat: CSR policy, Monitoring | Suppliers consulted | Jones | |
8 | Loss/damage of goods in transit | High | Medium | Transfer: Insurance, Contract terms | Insurance secured. Incoterms used | Logistics manager | |
9 | Technology system | Medium | Medium | Treat: Backup systems | Computer bureau investigated | IT Manager | |
Source: CIPS (2012)
Maintaining the risk register
The risk register should be reviewed and amended:
• As risk mitigation strategies are applied (changing the current status of risks)
• As new risks are identified, or existing risks escalate
• As required by a review and monitoring plan and timetable, which should be defined for each registered risk.
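The column list under "Contents of a risk register" and the maintenance rules above describe what a computerized register (the text mentions spreadsheets or tailored packages) has to hold and check. The following is an added example written for this page, not a CIPS tool or template: a small Python model of a register that validates the L/M/H rating grammar described in the text (including M– / H+ modifiers and not-yet-assessed ranges such as L–M), tracks owner, status and date of latest update, and produces the findings a monthly review would raise. The 30-day review interval, the hygiene checks, the sample risks and the reference codes (R1–R3, CP-01) are constructed assumptions, not from the source.

```python
"""Risk register as a small data model: an added example, not CIPS's own tool.

Assumptions for illustration: the L/M/H rating grammar with +/- modifiers and
ranges (L-M) follows the text; the 30-day review interval, the hygiene checks
and the sample entries are constructed here.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
import re

# Accepts "L", "M-", "H+" or a range such as "L-M" (not yet fully assessed).
RATING_RE = re.compile(r"^(L|M|H)([+-])?(?:-(L|M|H))?$")
LEVEL_ORDER = {"L": 1, "M": 2, "H": 3}


def parse_rating(text: str):
    """Return (low, high, modifier); low == high unless the rating is a range."""
    m = RATING_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised rating: {text!r}")
    lo, mod, hi = m.groups()
    if hi is None:
        return lo, lo, mod or ""
    if mod or LEVEL_ORDER[hi] <= LEVEL_ORDER[lo]:
        raise ValueError(f"range must run low to high without modifier: {text!r}")
    return lo, hi, ""


def is_valid_rating(text: str) -> bool:
    try:
        parse_rating(text)
        return True
    except ValueError:
        return False


@dataclass
class Risk:
    ref: str                      # unique reference number
    description: str              # type and nature of the risk
    identified: date              # date first identified
    owner: str                    # individual or role with lead responsibility
    probability: str              # rating, e.g. "L", "M-", "H+", "L-M"
    impact: str
    responses: list = field(default_factory=list)   # mitigation actions
    contingency_plan: str = ""    # plan text, or a cross-reference to it
    status: str = "open"
    updated: Optional[date] = None

    def __post_init__(self):
        parse_rating(self.probability)   # reject malformed entries at the door
        parse_rating(self.impact)
        if self.updated is None:
            self.updated = self.identified

    def is_high_impact(self) -> bool:
        # The top of a range counts, so an unassessed "M-H" is treated as High.
        return parse_rating(self.impact)[1] == "H"

    def not_fully_assessed(self) -> bool:
        return any(parse_rating(r)[0] != parse_rating(r)[1]
                   for r in (self.probability, self.impact))


class RiskRegister:
    def __init__(self, review_interval: timedelta = timedelta(days=30)):
        self._risks: dict = {}
        self.review_interval = review_interval

    def add(self, risk: Risk) -> None:
        if risk.ref in self._risks:
            raise ValueError(f"duplicate reference {risk.ref}")
        self._risks[risk.ref] = risk

    def update_status(self, ref: str, status: str, on: date) -> None:
        """Record the current status and the date of the latest update."""
        self._risks[ref].status = status
        self._risks[ref].updated = on

    def review_findings(self, today: date):
        """Hygiene checks a monthly review would raise, as (ref, finding) pairs."""
        out = []
        for r in self._risks.values():
            if r.is_high_impact() and not r.contingency_plan:
                out.append((r.ref, "high-impact risk without contingency plan"))
            if r.not_fully_assessed():
                out.append((r.ref, "rating is a range; assessment incomplete"))
            if today - r.updated > self.review_interval:
                out.append((r.ref, "review overdue"))
        return out


REVIEW_DATE = date(2024, 3, 31)   # constructed review date


def sample_register() -> RiskRegister:
    """Three constructed entries modelled on the procurement examples in the text."""
    reg = RiskRegister()
    reg.add(Risk("R1", "Key supplier business failure", date(2024, 1, 15),
                 "Account manager", "L", "H", ["dual sourcing"],
                 contingency_plan="CP-01 (hypothetical cross-reference)"))
    reg.add(Risk("R2", "Purchasing fraud", date(2024, 1, 15),
                 "Finance officer", "M", "H", ["internal controls"]))
    reg.add(Risk("R3", "Quality failure", date(2024, 3, 25),
                 "Quality manager", "L-M", "M", ["specification"]))
    reg.update_status("R1", "dual sourcing in place", date(2024, 3, 20))
    return reg


def demo_findings():
    return sample_register().review_findings(REVIEW_DATE)


if __name__ == "__main__":
    for ref, finding in demo_findings():
        print(ref, finding)
```

Run as a script, it reports that R2 (high impact, no contingency plan, last touched 76 days ago) needs both a contingency plan and an overdue review, and that R3 still carries a range rating and so has not been fully assessed; R1, updated within the month and holding a contingency reference, raises nothing. Validating ratings in the entry's constructor rather than at report time keeps the register from ever holding an entry the review logic cannot interpret.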