Risk Management Tools – Risk Register - Paladin Risk Management Services _ Providing extensive risk management consultancy and training services


RISK MANAGEMENT TOOLS – RISK REGISTER
Time and again I get asked about my template for a risk register. Most people know that my approach is
somewhat different to those that have traditionally been used. Don’t get me wrong – I am not talking
about a register that is completely different to those that are commonly used; however, there are a few
aspects of the register I have developed that you might find useful.

I’m going to unpack it below so that you can build it your way for your brand, knowing the categories and
information that you need for each column, or you can download your very own ready-made Paladin
Risk Management risk register.

2019-Operational-Risk-Register-Template Download

Risk #: This is the unique identifier or number you apply to the risk using the organisation’s own
conventions.

Risk Owner: The owner of the risk, recorded by name or by position. My Risk Tip #7 explains more about
this.

Risk Description (What is the event/incident we are trying to prevent from happening?): The risk
description needs to be a short statement of the event/incident that we are trying to prevent from
happening. What we don’t want to see are essays like this: “Insufficiently detailed or targeted
management procedures limit access to financial management information at key decision points. The
inability to access specific financial information about reasons for expenditure in the context of budget
from the financial information system (FIMS) …” and it goes on and on and on. My Risk Tip #8 discusses
capturing the right risks in your risk register.

Risk Causes: It is critical, after identifying the risk, to then identify those factors that could
potentially cause the risk event to occur. Causes tend to fall into categories, for example:
- People: training, skills, experience, fatigue
- Systems: IT, mechanical
- Infrastructure: buildings, utilities
- External: weather events, external behaviours
Once causes have been identified, the next step – the identification of controls aligned to the causes –
becomes a lot simpler.

Controls aligned to causes: In most risk registers I have seen, current controls are captured as a block,
usually in a free-text field. In my view, this does not allow for the alignment of the controls to a
specific cause. I have found, however, that directly aligning controls to causes allows me to identify
where there may be control gaps. When developing controls, they need to be specific so there can be no
confusion. Describing controls in a manner such as “Training”, “Policies and procedures”, “Induction”,
“Physical security” and “Processes” is not helpful in terms of the next step, which is to determine their
effectiveness. To that end, controls should be described as follows:
- Annual fraud control training program
- Separation of duties
- Fraud component of induction package
- Unauthorised external device audits
- Penetration testing program

Control Owner: The person nominated as responsible and accountable for the implementation and ongoing
review of the control for the organisation.

Control Effectiveness: This is one of the most important columns in that it provides an assessment of the
effectiveness of the controls linked to the causes of the risk. This is then used to determine the
likelihood of the risk. Measuring control effectiveness is explored in detail in Risk Tip #2.

Control Criticality: Control criticality accounts for the fact that not every control will have the same
impact in terms of managing the risk. The table I use to determine criticality is shown below:

Risk Consequence/s (What is the impact on X,Y,Z Organisation should this risk eventuate?): In this
column, I provide a descriptive overview of the consequences that may arise if the risk were to
materialise. This gives a view of the range of consequences as opposed to the level of consequence.
Examples include:
- Potential negative impact on XYZ’s reputation
- Potential legal action against the company
- Potential scrutiny by regulators
- Could lead to business disruption
- Could lead to death/injury
- Potential for additional costs to rectify the issue

Controls aligned to Consequences: In this column we are detailing the controls that are specifically
aimed at reducing the consequence should the risk materialise. In my experience, in the majority of
cases, organisations cannot do anything to reduce the consequence level of a risk, i.e. if it happens, it
is going to be that bad. The controls that are available to reduce consequence are as follows:
- Negative impact to reputation: Crisis Management Plan
- Financial impact: Insurance (list specific policy)
- Disruption to operations: Business Continuity Plan, Disaster Recovery Plan, Crisis Management Plan

Control Owner: The person nominated as responsible and accountable for the implementation and ongoing
review of the control for the organisation.

Control Effectiveness: This is one of the most important columns in that it provides an assessment of the
effectiveness of the controls linked to the consequences of the risk. This is then used to determine the
likelihood of the risk. To learn more about measuring control effectiveness, head to my Risk Tip #2.

Control Criticality: This requires the use of the same criticality matrix.

Risk Assessment with current controls – Likelihood – Consequences – Risk Rating:
Likelihood. This is an evaluation of the likelihood of the incident/event occurring based on the
effectiveness of the controls against the causes. This is a significant departure from the traditional
method of basing likelihood on time, frequency and/or probability. There’s plenty more on this at my Risk
Tip #1.
Consequences. These columns are where we record the consequence level for the risk, derived from our
consequence matrix. It is critical that we capture the consequence against all impact categories, which
will assist us in making decisions in relation to whether further treatments may be required and also in
conducting a cost-benefit analysis on those proposed treatments.
Risk Rating. The risk rating will be derived from the likelihood rating and the highest consequence
rating of the ratings against each of the impact categories.
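As an added example (not from the article or its template), here is one way to model the cause-aligned layout described above and the rating rule in Python: controls sit against specific causes so that gaps show up, likelihood is driven by control effectiveness rather than frequency, and the rating combines likelihood with the highest consequence across impact categories. The effectiveness, likelihood and rating scales are assumed placeholders, since the article’s own criticality table and consequence matrix are not shown here.

```python
from dataclasses import dataclass, field

# Assumed illustrative scales, constructed for this example; the article's own
# criticality table and consequence matrix are not reproduced here.
EFFECTIVENESS_RANK = {"Effective": 3, "Partially effective": 2, "Ineffective": 1}
LIKELIHOOD_BAND = {3: "Unlikely", 2: "Possible", 1: "Likely", 0: "Almost certain"}
LIKELIHOOD_SCORE = {"Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}
RATING_THRESHOLDS = [(15, "Extreme"), (10, "High"), (5, "Medium"), (0, "Low")]

@dataclass
class Control:
    description: str      # specific, e.g. "Annual fraud control training program"
    owner: str
    effectiveness: str    # a key of EFFECTIVENESS_RANK

@dataclass
class Cause:
    description: str
    controls: list = field(default_factory=list)  # controls aligned to this cause

@dataclass
class Risk:
    number: str
    owner: str
    description: str
    causes: list
    consequences: dict    # impact category -> consequence level 1..5

def control_gaps(risk):
    """Causes with no aligned control: the gaps a cause-aligned layout exposes."""
    return [c.description for c in risk.causes if not c.controls]

def cause_effectiveness(cause):
    """Best-rated control protecting a cause; an uncontrolled cause scores 0 (assumed)."""
    return max((EFFECTIVENESS_RANK[k.effectiveness] for k in cause.controls), default=0)

def likelihood(risk):
    """Likelihood from control effectiveness, not frequency: the weakest cause sets it."""
    return LIKELIHOOD_BAND[min((cause_effectiveness(c) for c in risk.causes), default=0)]

def risk_rating(risk):
    """Likelihood band combined with the highest consequence across impact categories."""
    score = LIKELIHOOD_SCORE[likelihood(risk)] * max(risk.consequences.values())
    return next(label for floor, label in RATING_THRESHOLDS if score >= floor)
```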

Additional Treatments: After assessing whether the risk is acceptable or not against the organisation’s
pre-determined criteria, decisions are taken as to whether further treatments are required. These will
then be subject to a cost-benefit analysis. Guidance on the wording of risk treatments can be found at
Risk Tip #9.

Treatment Owner: A person accountable for the development and implementation of the treatment/s is
identified in this column.

Treatment Timeframes: The timeframes for the treatment to be completed are captured in this column.

Residual (target) Risk Level: In this column we are determining what the level of risk will be when all
our current controls are effective, and treatments have been implemented and are also effective: the
post-mitigation assessments of likelihood, consequence and risk level (residual risk).

Risk and treatment status: This column is a free-text field that allows status updates to be recorded.
It can also be used to capture details of any change to the level of risk and the reasons behind it. This
forms an important part of the audit trail for the risk.

So, below is the compilation of all of those elements for the risk register format I use when I am develop-
ing risks into an organisation. Next month I will provide an example of the Control Summary Sheet that I
use.

2019-Operational-Risk-Register-Template Download

Copyright © Paladin Risk Management Services 2017