The path to a risk register that reflects the credible and up-to-date state of risks is a long and demanding one. However, it usually begins with an awareness of the presence of risks and their possible impact on the profit or loss, or it is triggered by an unpleasant event that left significant consequences on the business, as happened in the case of the COVID-19 pandemic.
How long is the risk register useful?
The risk register contains useful information that is the result of the previously described efforts and represents an important milestone on this route. For many organizations, a properly and transparently arranged risk register is also the ultimate goal, as it gives them a strong sense of security. Think about it: you have a complete list of risks, the risks are assessed and categorized so that everyone can immediately see which ones are the most dangerous if they materialize. You also have risk assessments marked with nicely chosen colours. The management is seemingly pleased, as you have prepared a forty-two-page report for them, and no one has had any comments. Great, isn’t it?
Whether and for how long the risk register is actually useful, of course, is another question. If you leave it as it is, it is probably only reliable for a short period of time, and only if the business has not changed much.
At a time when rapid change has become the only constant, however, a one-year-old risk register is probably worth very little. For that reason, good risk management practices and virtually all standards uphold the principle that regular and extraordinary reviews of our risks must be carried out.
When and how often should the risk register be revised?
As a rule, we determine the frequency of regular inspections ourselves according to the specifics of our business. In doing so, we take into account the industry in which we are, our business and social environment, and all other factors that could have an impact on the ‘obsolescence’ of our information on identified risks.
In practice, many organizations choose to review risks once a year. For some, this is probably the right decision, while for others, a one-year review period can be far too long.
What is more interesting is the requirement for an extraordinary review of the risk register. In which cases should you carry out an extraordinary review? Good practice says something like this: we need to review risks in the event of a major change in the scope or form of business, the business environment or regulations, after major adverse events (risks that have materialized), and in other situations that could change our perception of risks.
List of reasons for an extraordinary review of the risk register
Let me list a few typical cases where risks need to be scrutinized.
Changes in the scope of the organization
The business world has been quite dynamic for some time; companies merge and disintegrate. In the event that we expand, for example, merge a company, the scope of our risks may also increase. With new people, locations, processes, and products, new and often unknown risks usually come along. Therefore, the review of the risk register is one of the most important steps, in many cases already at the time of planning a change in scope.
Changes in performance
When introducing new products or services, introducing new processes, launching new projects, entering new markets or facing emerging competition, we need to ask ourselves at the right time what new risks will come with these changes.
Changes in legislation
We cannot directly influence legislation. Major changes in the laws are usually announced in time, but some can happen ‘overnight’. Experience tells us that even long-announced changes in laws can come as a ‘surprise’ when they come into force, because people tend to postpone obligations until the deadline is close enough.
Examples of changes in legislation that have significantly affected the risk register of a large number of companies are:
• Change in value-added tax, where there were some unknowns in the field of financial risks due to the magnitude and complexity of impacts
• Enforcement of the EU General Data Protection Regulation (GDPR), where a number of new risks related to the processing of personal data have emerged
• Adoption of laws and regulations in the field of critical infrastructure, which impose new responsibilities on some organizations and thus introduce new risks, which we already wrote about.
The emergence of a pandemic
The recent outbreak of the pandemic has affected business in almost every corner of the world and still has extremely strong consequences for most organizations today. New risks, which we may not have been able to imagine previously, may have materialized.
This extraordinary situation certainly dictates an extraordinary review of the risk register. New and almost unimaginable risks need to be considered, such as the unavailability of staff due to mandatory quarantine, staff shortages due to suspended public transport, and worst-case scenarios such as the loss of staff due to death.
New risks also require completely new measures, with which we often have no experience, such as the purchase of protective equipment, the reorganization of business premises, the introduction of teleworking and the like.
Purpose of the risk register review
The main objectives of the risk review are:
• Identify which existing risks remain unchanged.
• Identify which existing risks have changed and need to be re-evaluated.
• Identify new risks, i.e. those that are not yet in the register but are relevant given the new circumstances. These risks must also go through the whole process of evaluation and classification so that they get their proper place in the register.
• Eliminate risks that are no longer relevant.
• Reduce the impact of any new or changed risks that are unacceptable to an acceptable level, or take other action.
Real-time risk monitoring
The risk register is most useful when it contains current and up-to-date information on risks and when you monitor all risks at all times, meaning that all expected changes are reflected in the risk register within a very short time. Risk information is then alive, and we can say that we monitor risks in real time.
This reduces the need for periodic reviews, as almost all changes are captured on an ongoing basis. Extraordinary reviews, when they are needed, are also much more effective because the risk register does not contain ballast in the form of outdated and invalid information.
Monitoring risks in this way is, of course, harder to achieve. Certainly, the preconditions are a highly developed risk management culture and a high degree of integration of risk management into the business processes themselves. But a lot also depends on using the right tools to support risk management.
The SBR platform focuses on meeting the key requirement of monitoring risks at all times. It achieves this by making it easy to involve a wide range of people who know the specific risks and have the authority to deal with them. For risks in the register, it enables optional management of risk parameters, such as their inherent assessment, current assessment, target assessment, management efficiency, institutions, tasks and important deadlines. For each risk, an unlimited number of key risk indicators can be monitored; these graphically show trends and warn of possible unexpected or undesirable situations. In this way, the need for an extraordinary review of the risk register is significantly reduced, and when an extraordinary review does take place, it is extremely effective.
Božo is an experienced consultant with a proven history of working in the fields of information technology, communication and the service industry. His expertise lies in information security management and in software architecture design and development, and it has been successfully converted into the Silver Bullet Platform.