A risk register is what it says it is: a document that lists the risks that can affect an organisation. It also typically includes information on the potential impact of the risk and the probability of the risk materialising. Depending on how you make the risk register for your own enterprise, it can be linked and leveraged in different ways for added business advantage. However, not everybody agrees on the value of a risk register. Critics claim that it can lead to problems owing to illusions of controlling the situation and of self-sufficiency – the idea that having a risk register makes organisations erroneously believe that this is already enough in terms of risk management.
The secret of making good use of a risk register is in the way it is linked to the rest of risk management and to business continuity in general. On its own, a risk register even when it lists solutions for mitigation of risks and contingency actions remains a tool. A tool is only as valuable as the use that is made of it. When a risk register is a) correctly and completely filled in, b) communicated to all those who need to know about it, and c) correctly monitored for action when required, then it acquires value. Relevant input to the register comes from internal assessment of risk (remember to involve your auditors) and comparison with publicly accessible risk registers: the London Risk Register is one example. Relevant output or actions are helped by keeping the risk register handy, possibly on mobile computing devices including tablet PCs and smartphones.
Leveraging a risk register is the next stage. Depending on how it is documented, the entries in a risk register can be fed into a risk management model that simulates outcomes. Spread-sheet applications such as Excel are a popular medium for this, although not the only one and arguably not the best either. Pros and cons notwithstanding, spread-sheets allow risk registers to be changed to generate updated models for risk management. Where individual impacts and probabilities of risk can be quantified, overall risk exposure can be recalculated and ‘what-if’ scenarios run with new data to evaluate new outcomes.