One of the first challenges that new internal auditors face is writing a complete risk register. In this article, I will provide a practical guide on how to write a risk register like a pro.
According to ISO 31000:2009, risk is intrinsic to doing business, and empirical evidence shows that 50% of small and medium-sized enterprises (SMEs) close down before completing their fifth year. Risk comes in different flavours (economic, professional, environmental, health and safety, political and social) and can be internal or external, direct or indirect.
What is a risk register?
A risk register is a living document purposely built to capture the risk landscape of a business entity, quantify the risks, comment on the impact of each risk on the entity and point to what needs to be done to reduce that impact. Every risk factor must be assigned to a responsible individual called the 'process owner' (or risk owner). Having a risk register is a prerequisite to performing a risk-based audit.
Although the business environment is uncertain, it is possible to anticipate risks, put systems in place and design actions geared towards minimizing negative consequences and increasing the positive impact of events.
Risk management is more than taking or avoiding risk. It is the development of a clear understanding of the risks that matter to the enterprise, and the management of those risks as the organization evolves and its operating environment (physical, environmental, financial and social) changes over time.
Components of a risk register (in tabular form)
This section of the article deals with those critical components of a risk register without which it can no longer be called a risk register but something else.
- Risk factor: this can also be called the 'risk event'. It is the event or occurrence that may pose a threat to the smooth running of the business. It could be anything, depending on the nature of the business. An entity in the financial sector may have the following as its risk factors: (a) cyber security risk, (b) regulatory risk, (c) data breach risk, etc. Give each risk a short, stable identifier so it can be referenced from audit plans and follow-up reports.
- Brief description of the risk: this section briefly describes the nature of the identified risk in simple language devoid of technical terms. This is not the place to flex technical muscles.
- Probability of the risk materializing: the mere fact that there is a remote possibility of an ugly event happening does not mean it will happen. So the likelihood of an unwanted event needs to be carefully considered in order to determine the next course of action. Statistics has it that hippos have killed more people than elephants (please don't ask me where I got the stats from; I just made that up, but it works well for our example), but the chance of a hippo killing someone in the city of London, for example, is remote. In practice, likelihood is rated on a simple ordinal scale (for example 1 = rare to 5 = almost certain) so that it can be combined consistently with the impact rating.
- Impact of the risk should it occur: here, the business impact of the unwanted situation happening is briefly stated, on the same kind of scale as likelihood. Be sure to highlight both the financial and the non-financial impact of the occurrence. The information here, combined with the probability rating, gives each risk a score that guides the preparer of the periodic internal audit plan: the highest-scoring risks get audit attention first.
- Existing mitigating factors or actions: effort should be made to list all existing controls for each identified risk. This is an opportunity to reflect on the effectiveness of the existing internal controls; note not only that a control exists but whether there is evidence it actually operates, since a control that is designed but not performed mitigates nothing.
- Risk owner: the named individual accountable for the risk, to ensure accountability and promote the spirit of ownership. A register entry with no owner is incomplete.
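To make the components above concrete, here is a small working model of a risk register as a data structure, written as an added example for this article (it is not code from the original page or from any particular GRC tool). It encodes each column described above, scores every entry as likelihood times impact, ranks the register for the audit plan, and runs the completeness checks an auditor would want (every risk has an owner, every risk has at least one recorded control, no duplicate identifiers). The 1-to-5 scales, the rating thresholds and the sample financial-sector entries are all assumptions made for illustration.

```python
import csv
import io
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Likelihood(IntEnum):
    """Ordinal likelihood scale (assumed 1-5 scale, not prescribed by the article)."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Impact(IntEnum):
    """Ordinal impact scale covering financial and non-financial consequences (assumed)."""
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


@dataclass
class RiskEntry:
    """One row of the register: the components listed in the article."""
    risk_id: str                      # short, stable identifier
    factor: str                       # risk factor / risk event
    description: str                  # plain-language description
    likelihood: Likelihood
    impact: Impact
    controls: List[str] = field(default_factory=list)  # existing mitigating factors
    owner: Optional[str] = None       # accountable individual

    @property
    def score(self) -> int:
        """Inherent risk score = likelihood x impact (1..25)."""
        return int(self.likelihood) * int(self.impact)

    @property
    def rating(self) -> str:
        """Band the score; thresholds are an assumption for this example."""
        if self.score >= 15:
            return "High"
        if self.score >= 8:
            return "Medium"
        return "Low"


def validate(register: List[RiskEntry]) -> List[str]:
    """Return a list of completeness problems; an empty list means the register is complete."""
    issues: List[str] = []
    seen = set()
    for r in register:
        if r.risk_id in seen:
            issues.append(f"{r.risk_id}: duplicate risk id")
        seen.add(r.risk_id)
        if not r.owner:
            issues.append(f"{r.risk_id}: no risk owner assigned")
        if not r.controls:
            issues.append(f"{r.risk_id}: no existing mitigating control recorded")
    return issues


def prioritise(register: List[RiskEntry]) -> List[RiskEntry]:
    """Order the register for the audit plan: highest score first, ties broken by id."""
    return sorted(register, key=lambda r: (-r.score, r.risk_id))


def to_csv(register: List[RiskEntry]) -> str:
    """Render the register in the tabular form the article describes."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["risk_id", "factor", "description", "likelihood", "impact",
                "score", "rating", "controls", "owner"])
    for r in prioritise(register):
        w.writerow([r.risk_id, r.factor, r.description, r.likelihood.name,
                    r.impact.name, r.score, r.rating, "; ".join(r.controls),
                    r.owner or ""])
    return buf.getvalue()


def sample_register() -> List[RiskEntry]:
    """Constructed sample entries for a financial-sector entity (illustrative only)."""
    return [
        RiskEntry("R-01", "Cyber security risk",
                  "Attackers gain access to internal systems and disrupt operations.",
                  Likelihood.LIKELY, Impact.MAJOR,
                  ["MFA on remote access", "quarterly patch cycle"], owner="Head of IT"),
        RiskEntry("R-02", "Regulatory risk",
                  "Failure to meet a regulatory filing deadline leads to fines.",
                  Likelihood.POSSIBLE, Impact.MAJOR,
                  ["annual compliance review"], owner="Compliance Manager"),
        RiskEntry("R-03", "Data breach risk",
                  "Customer records are disclosed outside the organisation.",
                  Likelihood.POSSIBLE, Impact.SEVERE),   # no controls, no owner: incomplete
    ]


if __name__ == "__main__":
    reg = sample_register()
    for problem in validate(reg):
        print("INCOMPLETE:", problem)
    print(to_csv(reg))
```

Running the script lists the two gaps in the constructed sample (R-03 has neither an owner nor a recorded control) and then prints the register ranked for the audit plan, with the cyber security entry (score 16) and the data breach entry (score 15) ahead of the regulatory one (score 12). Keeping the checks in code means the "every risk has an owner" rule from earlier in the article is enforced every time the register is regenerated, rather than relying on someone noticing an empty cell.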
Steps involved in writing a risk register
Understand the business environment of the entity: every business has its own peculiarities that must be adequately understood in order to build a risk register for it. The entity's business model must be sufficiently understood, which includes consulting relevant stakeholders for their invaluable insights.
Study the mission and vision statements of the business: a careful study of an organization's mission and vision statements will not only help you understand the business better but will broaden your horizons on what could possibly go wrong. The overriding question in your mind while doing this should be: are there risks (existing or perceived) that could work against this organization attaining the goals subtly captured in its mission and vision statements?
Review the existing risk register, if one exists: it is best practice to always consult existing documents when working on related tasks, and to record why any previously listed risk was dropped or re-rated.
Importance of a risk register
- Focused attention
- Reference document
- Highlight risks that could have easily been missed
When should a risk register be prepared?
A risk register should be prepared at the beginning of every period and reviewed every quarter, or sooner after a significant change to the business or its environment, to ensure that it still reflects current realities.
Who should prepare a risk register?
Ideally, risk registers should be prepared by a group of business process owners. However, common practice, which in my opinion is great, is that the internal auditor prepares the risk register in consultation with the business owners.