The risk register is a great tool to help organisations identify, assess and mitigate risks. However, for it to be an effective tool, it must be used and not just reviewed. It surprises us in our board support work how much good effort is put into creating risk registers and how little is delivered from them.

The most common mistakes we find in working with risk registers are:
  • reviewing the risks together as a standalone topic, rather than reviewing each risk as part of the critical agenda item it relates to
  • reviewing a huge number of risks, many of which are remote and may never occur
  • not removing, or lowering the priority of, risks once mitigation plans have been implemented
  • adding a new project and then immediately registering a risk that the project may not be achieved
  • allowing risks to remain highly rated with no realistic mitigation
The role of board members is to seek assurance that the organisation has identified the substantial risks, rated them effectively, placed mitigation controls on the most likely and has mitigation plan outlines for the less likely. A quick review of the risk register highlights and trends should provide this, together with an occasional deep dive into a specific risk.

The monthly review should focus on which risks were added, which have escalated in priority, which remain high risk without mitigation and which are recommended for dropping from the register. Supporting documentation for each of these should be provided to board members to read before the meeting. Board members should then ratify the register at the board meeting.

Let's look at these issues in a little more detail:
  • Reviewing the risks together as a topic. This occurs when the risk register becomes an agenda item on its own, disconnected from the critical issues on the board agenda. For example, if revenue is a problem, then the risks associated with it should be reviewed at the same time as the income streams and forecasts are reviewed. If new projects are added, project risk should be reviewed with the project. The result of not doing this is that the board member loses the context within which the risk has been raised. It is not an effective use of board members' time.
  • Reviewing a huge number of risks. Overload is an obvious flaw in any management process. In a complex organisation there may be a large number of risks at any one time, but those that require board focus are limited to the most critical. We find that boards review many risks only when there is no assurance that the management team has control of them; otherwise, reviewing many risks takes focus away from the most critical. Again, this is not an effective use of board members' time, and it indicates that management skill needs strengthening.
  • Not removing or lowering the priority of risks. Once a risk has been identified and rated as critical, mitigation plans must be implemented by management. However, once these plans are in place and working, the risk rating must, by definition, have reduced. The board can choose to maintain a list of critical risks that have mitigating plans in place, but this should be kept separate from the active register. Board members need to focus on the risks that are changing.
  • Adding projects with a risk of non-achievement. This is a sign that management is allowing incomplete or poorly developed project plans to be put in place. When a project is started, it should be assumed that its risks have been identified and that mitigation activities are already built into the plan. There is always a risk that the market may move during a project plan's duration and that a change becomes necessary, but this should be managed by the project manager. The risk register should never be used to excuse poor performance or missed targets.
  • Allowing risks to remain highly rated. This is usually a sign of superficial problem solving. A common risk we see is that an IT system or a piece of equipment is becoming obsolete and there is no funding to replace it. Mitigating actions should include workarounds in the event that the system or equipment fails, or other financial trade-offs that could be made to fund replacement. Leaving the risk categorised as high, on the assumption that nothing can be done but replace it, does not give the board assurance that organisational continuity is real.
Board members also have a role in contributing to the register. They are the organisation's eyes and ears in the outside world and are often better placed than anyone else to identify external risks. Beyond that, there is always the risk that nobody sees coming until it hits. No matter how good the risk register, it will not help in that situation, and management must be ready to adapt quickly to the new circumstances.

For a good discussion of four good practices for documenting risk, using an IT project as the example, see this article by Lokesh Aggarwal. The concepts remain applicable outside IT.

Also useful is this download from actuaries.org.uk, which discusses how much trust we can place in risk registers.

Risk registers are powerful tools and really help board members gain assurance that risk is being monitored and actively mitigated in an organisation, but like most tools, they must be used effectively.

We would like to hear your ideas on how to make risk registers more effective too. Please comment.
Published in Fundamental Management