In an increasingly complex business environment, further complicated by constantly changing compliance laws and regulations, every business decision must account for a wide array of risks: compliance, financial, legal, reputational, and more. How can executives remain in control of all these risks? One answer is to use tools like risk registers.
But what do risk registers contain? How are they used in risk management practices? And most importantly, how can you use them effectively? In this article, we answer all these questions in depth.
What Is a Compliance Risk Register?
A risk register, or risk log, is a central repository with comprehensive information on the risks related to a certain business area.
For example, risk registers are used in:
- Enterprise risk management to record enterprise-wide risks
- Project management for project planning and managing project risks
Similarly, a compliance risk register is a risk register for risks related to regulatory compliance. It's typically maintained by the governance, risk, and compliance (GRC) department to track risks emerging from regulatory requirements like:
- Environment, social, and governance (ESG) regulations
- Sanctions compliance
- Corruption and money laundering laws
- Cybersecurity laws
Since risk registers are not specific to any risk management methodology, you can use them with any approach.
Next, we delve into what makes up a typical risk register.
Risk Register Contents
To understand a risk register's contents, here's a refresher on some basic concepts:
- A risk is a situation with potentially adverse outcomes. However, it may also have positive or neutral secondary outcomes. For example, economic sanctions are a risk because you may lose the revenue you were getting from clients in sanctioned nations. At the same time, a secondary outcome may be positive, like the opportunity to acquire those clients who lost their providers in the sanctioned nations.
- A risk event is the occurrence that triggers a risk's outcomes. For example, the imposition of sanctions through regulation is a risk event.
The typical risk information that goes into a risk register includes:
- Identification number: Each risk gets a unique identifier to help track and reference it.
- Risk priority: It tells you how urgently you should address this risk. It's expressed either as a number (typically one to five) or on a nominal scale (like critical, high, medium, or low).
- Risk description: This is a brief description, often in a cause-and-event format (for example, "new sanctions regime leads to loss of revenue from affected clients").
- Risk owner: Risk ownership involves assigning the responsibility for a risk and the response to it to an individual, team, or reporting hierarchy.
- Risk category: The category points to the nature of the risk and also helps to group all the risks of the same nature. For example, external risks, cyber risks, and supply chain risks are potential categories.
- Risk event: A risk event is an action or a natural occurrence that results in the risk's outcomes.
- Likelihood: This metric captures the probability of a risk event occurring.
- Risk impacts: These are the outcomes, adverse or otherwise, associated with the risk.
- Risk impact rating: This rating measures the severity of the risk impacts.
- Risk score: This is a measure of the level of risk, obtained by multiplying the likelihood of the risk occurring by the risk impact rating. Both factors must be on numeric scales for this to work, so nominal ratings (low, medium, high) have to be mapped to numbers first, and scores are only comparable between risks that were rated on the same scales.
- Risk response: The risk response is an approach to adopt for that risk. For example, you may decide to accept, transfer, mitigate, or avoid a specific risk. Detailed response descriptions are often included.
In addition, some risk registers may show the risk breakdown structure for convenient management. A risk breakdown structure is an organization of many risks under a hierarchy of categories instead of a single risk category.
Let's explore how and where risk registers are used in a typical risk management process.
How to Use Risk Registers in Your Risk Management Program
In the sections below, we explain the use of risk registers in risk analysis conducted as part of regulatory compliance programs.
Every business line, department, or project may conduct a risk assessment at its level. That means multiple risk registers can exist in the scope of a risk management program. For example, a project risk management program can maintain its own project risk register.
Risk assessment is the first stage in any compliance risk management program. The stage consists of steps like:
- Risk identification: Compliance teams identify risks relevant to the compliance activities of a business line, department, or project. All potential risks are identified and added to the relevant risk register.
- Risk analysis: Department or project team members and those from the compliance department jointly analyze the identified risks. They determine the risk events, outcomes, likelihoods, and risk impacts. All that information goes into the relevant risk registers.
- Risk scoring: Qualitative and quantitative measures for the impacts are included in the risk registers, along with the resulting risk scores. Thresholds are also defined, for example the score above which a risk must be escalated or cannot simply be accepted.
- Risk prioritization: In this step, risks are prioritized based on their potential impacts and risk scores. This helps teams decide which risks must be addressed first.
All the information from the risk assessment stage goes into the relevant risk registers. By combining multiple risk registers from some level in the organizational hierarchy, you can create risk profiles for the next level in that hierarchy.
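The register fields listed earlier and the assessment steps above can be captured in a small data model. The following is an added example, not code from the original article or from any GRC product: it defines a risk record with the usual fields, scores it as likelihood multiplied by impact, prioritizes a register, merges two department-level registers, and rolls them up into a risk profile along the risk breakdown structure. The 1 to 5 scales, the priority thresholds, the category paths and the two sample registers are all assumptions constructed for illustration.

```python
"""Minimal compliance risk register: fields, scoring, prioritisation and roll-up.

Added example. The 1..5 scales, the priority thresholds and the sample data
are assumptions for illustration, not values from the article.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Response(Enum):
    ACCEPT = "accept"
    TRANSFER = "transfer"
    MITIGATE = "mitigate"
    AVOID = "avoid"


@dataclass(frozen=True)
class Risk:
    risk_id: str                 # unique identifier used to reference the risk
    description: str             # cause-and-event wording
    owner: str                   # person or team accountable for the response
    category: Tuple[str, ...]    # path in the risk breakdown structure, root first
    event: str                   # the occurrence that triggers the outcomes
    likelihood: int              # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                  # 1 (negligible) .. 5 (severe); assumed scale
    response: Response

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so scores stay comparable.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.risk_id}: {name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        # Likelihood multiplied by impact rating, as the article describes.
        return self.likelihood * self.impact

    @property
    def priority(self) -> str:
        # Assumed thresholds on the 1..25 score; adjust to your framework.
        if self.score >= 15:
            return "critical"
        if self.score >= 10:
            return "high"
        if self.score >= 5:
            return "medium"
        return "low"


def merge_registers(registers: Iterable[List[Risk]]) -> List[Risk]:
    """Combine lower-level registers into one; a duplicate identifier is an error."""
    seen: Dict[str, Risk] = {}
    for register in registers:
        for risk in register:
            if risk.risk_id in seen:
                raise ValueError(f"duplicate risk id {risk.risk_id}")
            seen[risk.risk_id] = risk
    return list(seen.values())


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by identifier so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.risk_id))


def risk_profile(register: List[Risk], depth: int = 1) -> Dict[Tuple[str, ...], Dict[str, int]]:
    """Roll up to the first `depth` levels of the breakdown structure.

    Returns, per category node, how many risks sit under it and the highest score.
    """
    profile: Dict[Tuple[str, ...], Dict[str, int]] = {}
    for risk in register:
        node = risk.category[:depth]
        entry = profile.setdefault(node, {"count": 0, "max_score": 0})
        entry["count"] += 1
        entry["max_score"] = max(entry["max_score"], risk.score)
    return profile


# Constructed sample registers for two business lines (illustrative data only).
TRADE_REGISTER = [
    Risk("TR-01", "New sanctions regime leads to loss of revenue from affected clients",
         "Head of Trade Compliance", ("external", "sanctions"),
         "Sanctions imposed by regulation", likelihood=3, impact=5, response=Response.MITIGATE),
    Risk("TR-02", "Screening vendor outage leads to payments released without a sanctions check",
         "Payments Ops Lead", ("external", "supply chain"),
         "Vendor service outage", likelihood=2, impact=4, response=Response.TRANSFER),
]
IT_REGISTER = [
    Risk("IT-01", "Missed breach notification deadline leads to a regulatory fine",
         "CISO", ("cyber", "regulatory"),
         "Reportable incident with slow triage", likelihood=2, impact=5, response=Response.MITIGATE),
    Risk("IT-02", "Unsupported system in scope leads to an audit finding",
         "IT Ops Manager", ("cyber", "legacy"),
         "Vendor end of support", likelihood=4, impact=2, response=Response.ACCEPT),
]


def enterprise_view() -> List[Risk]:
    """The next level up: both department registers merged and prioritized."""
    return prioritize(merge_registers([TRADE_REGISTER, IT_REGISTER]))


if __name__ == "__main__":
    for risk in enterprise_view():
        print(risk.risk_id, risk.score, risk.priority, risk.owner)
    print(risk_profile(enterprise_view(), depth=1))
```

The roll-up is what turns several department registers into a risk profile for the next level of the hierarchy; the merge step refuses duplicate identifiers because the identifier is what every other document (response plans, audit notes) uses to reference the risk.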
Risks must be monitored and adjusted throughout their life cycle to adapt to changing business and regulatory landscapes. For example, risk events and impacts often change over time and must be updated regularly in the risk registers.
In some cases, internal audit teams may use the information in the risk registers for decision making on some aspects of their assigned projects or departments.
Each risk is accompanied by an appropriate risk response plan. A response plan explains, in detail, the strategy for responding to a risk. It often defines the thresholds to accept, transfer, mitigate, or avoid a risk.
Risk mitigation means applying appropriate controls to reduce the likelihood or severity of a risk. These are laid out in a risk mitigation plan. For example, appropriate controls are defined for the mitigation of new risks that may arise from changes in the compliance framework of a specific country.
Your compliance teams must regularly review and improve the risk management plans and their use of risk registers. The next section gives some recommendations for how to do so.
Best Practices for Risk Registers
Based on the experiences of compliance teams that implement risk management plans, here are some best practices for the use of risk registers.
- Maintain the concept definitions and guidelines needed to understand your risk registers: The information included in risk registers can get quite complex because of the inherently complex nature of risk management. When team members change, new teams may not know how to update and maintain them. So your risk framework needs to maintain up-to-date guidelines and definitions for all your risk registers.
- Avoid spreadsheets and use automated workflows for risk registers: As the information in risk registers becomes more complex, spreadsheets become increasingly unwieldy and reduce the usefulness of risk registers in your overall risk management strategy. They also lack what a compliance record needs: access control, a change history showing who altered a score or response and when, and a reliable audit trail. Automated tools and workflows are better suited for complex risk management plans.
- Plan for risk interdependencies: Risk registers may give the impression that each risk is independent and can be addressed in isolation. But this is rarely the case. Risks, response plans, and stakeholder impacts are often interdependent. One risk's response plan may increase the risk score of another risk. Therefore, risks must be managed as groups of related risks using risk profiles and risk breakdown structures.