Risk Register for Supply Chain Function

Procurement and Audit notes revision

A risk register is a concise, structured document listing all the identified risks for a business, project or contract, together with the result of the risk analysis (impact and likelihood), initial mitigation plans, and current status of each risk. It should be updated on a regular basis (at least monthly) in order to maintain an up-to-date risk profile.

Purpose and benefits of using a risk register
The purposes (and benefits) of using a risk register are as follows.
• To capture all analysis and decisions about identified risks in a coordinated, centralized (but accessible) data store
• To provide a template document, allowing risk information to be recorded systematically and in a standardized format supporting analysis and use. The register can easily be computerized (e.g. using spreadsheet or tailored software packages) to support access, consolidation, analysis, modification, the triggering of risk alerts and mitigating action and so on.
• To develop risk visibility throughout the organization, including immediate visibility of current risk status and exposure: relevant, accurate and up-to-date information for decision-making and problem-solving.
• To identify accountabilities for monitoring and managing risks
• To provide a framework for risk monitoring, management and review activities. The format supports use at an operational level, for individual projects and units, but the data can also be consolidated for strategic risk management.
• To provide a basis for allocating resources to risk monitoring, management and review, and for presenting a business case for risk management
• To encourage (and act as a tool for) communication about risk issues with key internal and external stakeholders: increasing risk-related learning, stakeholder involvement and input, and so on
• To provide project sponsors, contract managers and other designated risk owners with a documented framework from which risk status can be reported.
Contents of a risk register
It will typically contain columns for the entry of data.
• A unique reference or code number identifying each risk
• Description of the type and nature of the risk
• The date on which the risk was first identified.
• The risk owner: an identified individual (or role/position) with lead responsibility for monitoring and management of the risk.
• Probability of the risk event occurring: expressed as an appropriate rating, score, percentage or category. The organization may have standard definitions for Low (L), Medium (M) and High (H); intermediate ratings such as M- or H+; and ranges such as L-M, where risk has not yet been fully or accurately assessed.
• Impact, cost or consequences if the risk event occurs (expressed as an appropriate cost value, score or rating, or described briefly)
• Identified possible responses or mitigation actions, to reduce probability or impact, or both. Where a risk is high-impact (regardless of probability), this should include contingency plans (or a link or cross-reference to the relevant contingency plan). It may also include recovery plans (actions to take once a risk event has occurred, in order to restore normal operations).
• The risk mitigation action chosen and its effect (if any)
• Regularly updated information on the current status of each risk (response actions put in place and whether they are effective), with the date of the latest update.

A simple risk register for the procurement and supply function is shown in the figure below. (Remember that this is only a generic example: the register will reflect the specific nature of risks, vulnerabilities and responsibilities in practice.)

Template risk register

| ID | Risk | Probability | Impact | Rating | Strategy | Controls | Action taken | Owner | Review | Updated |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Key supplier business failure | Low | High | | Treat, | Evaluate/select | Evaluate criteria developed. Dual | Account managers | date | date |
| 2 | Quality failure | Low | Medium | | Treat | Specification Quality | Suppliers consulted | Quality manager | | |
| 3 | Schedule variance (lead time | Medium | Low | | Accept | Monitor | Monitoring | Account managers | | |
| 4 | Price/cost variance | High | Medium | | Treat/transfer | Contract terms | Prices locked in | Account managers | | |
| 5 | Non availability of materials | Low | Low | | Accept | Monitor | Monitoring | Materials manager | | |
| 6 | Purchasing fraud | Medium | High | | Treat: | Ethical codes Internal | Internal control in place | Finance officer | | |
| 7 | Reputation damage from supplier CSR | Medium | Medium | | Treat: | CSR policy | Suppliers consulted | Jones | | |
| 8 | Loss/damage of goods in transit | High | Medium | | Transfer | Insurance Contract terms | Insurance secured Incoterms | Logistics manager | | |
| 9 | Technology system | Medium | Medium | | Treat | Backup systems | Computer bureau investigate | | | |


Source: CIPS (2012)

Maintaining the risk register

The risk register should be reviewed and amended:
• As risk mitigation strategies are applied (changing the current status of risks)
• As new risks are identified, or existing risks escalate
• As required by a review and monitoring plan and timetable, which should be defined for each registered risk.
