Risk registers are part of an effective risk program and are used by companies to help communicate and manage risk. Spreadsheets are often the primary database for risk registers, storing and tracking the risks that need to be assessed, treated, and monitored. While spreadsheets can help support a risk program initially, without additional support they can result in:

- Inconsistent practices in using the risk spreadsheet templates
- Confusion resulting from using different definitions of risk (i.e. hazard, effect, uncertainty, etc.)
- Application of incorrect risk assessments and treatments due to confusion caused by using different risk frameworks
- Increased exposure, as unmitigated residual risks may not be evaluated and treated
- An incomplete picture of risk, which can lead to an understated or overstated risk profile and so to increased vulnerability or to over-investment in risk mitigation
- Not learning from prior risk analyses and treatments
To counter these effects, companies can benefit by advancing their risk programs beyond using simple risk register spreadsheets.
Here are 6 steps to an effective risk management program:

1. Use a common risk framework across the organization
2. Capture all risks in a central database
3. Manage the entire risk life-cycle with actionable and accountable tasks
4. Monitor and control risks within the management accountability structure
5. Provide visibility into the entire risk profile with periodic review
6. Preserve and learn from prior risk analyses and treatments
It is important to start by asking the question, "Have we captured all the risk?" Answering it requires a consistent definition of risk, which a risk framework such as ISO 31000 provides. Without a common framework, each department, discipline, or person will likely have their own idea of what they mean by risk, which can lead to confusion and incomplete risk identification.

For many organizations, a significant advancement will come simply from managing the risks that are already contained within their risk registers. Turning risk register spreadsheets into accountable actions is an important step toward better risk management: there is little value in having risks assessed and treatments defined if they are not being looked at regularly. Having appropriate controls and monitors in place to escalate risks that require attention is crucial to support management accountability and oversight.

Managing all risks in one place also makes it easier to learn from prior risk analyses and treatments. Establishing a learning culture will help improve risk management competency and help reduce future risk.

Moving beyond the use of risk register spreadsheets and establishing a consistent risk management system will help counter the effects described above and produce better risk outcomes.
Plan-Do-Check-Act Questions:

- Which improvement step would help produce better risk outcomes for your organization?
- What obstacles are hindering the improvement of your risk program?
- What steps can be taken to remove or reduce these obstacles?
- What would it look like if risk were managed more effectively?