A risk register is a collection of risks, each described as a pathway from an uncertainty to an outcome.
The collection of risk descriptions is called a register because it aims to ensure that no risks are overlooked after initial identification.
Confidence comes from looking at the register as a practically complete collection of risks.
When you register a risk, that registration does not, by itself, do anything to build confidence or to change outcomes. Confidence and better outcomes follow from understanding the real world and making changes in the real world. Registering a risk is not a real-world action, and it does nothing to change your risk exposures.
Despite the obvious truth of these statements, it has been common for ‘management’ of a risk to stop at putting it into a register, as though the risk were then ‘dealt with’.
A typical risk register has each risk as a row in a matrix. The risk description is one or two columns, perhaps four or five if the description is broken into components.
The other columns contain other fields that are useful in the risk management process, such as the relevant controls, likelihood and consequence code, risk treatment options, and so on. Many risk registers have columns duplicated, showing risk ‘levels’ before and after proposed actions to address each risk.
Ideally the register will recognise multiple outcomes that may arise from one event. Each potential outcome is a separate risk.
It often happens that a single type of event or wrong assumption may lead to one or more unplanned outcomes, with varying directness and likelihood. You might describe that type of event just once, and then list with that one description all the outcomes that might follow from that event.
Each of those different outcomes represents a different risk, because the effect of the uncertainty on your objectives is different in each case.
You may be thinking of a single type of event with multiple possible effects as one ‘risk’. If that’s you, you are seeing ‘risk’ as ‘uncertainty’ and ‘the risk’ as an uncertain event. Risk is not uncertainty alone, and ‘a risk’ is not ‘a potential event’. Risk is the effect of uncertainty on the objectives [ISO 31000]. The risk is only worth considering in relation to its effects on the outcomes that matter.
In free text, you can easily describe the event type once, with multiple effects described alongside the event description. That structure may be incompatible with your established matrix or database format, especially because each described effect has a different likelihood. (You will come to likelihoods later.)
Your risk register can be very different from the Clear Lines model risk register.
If you have been given a risk register template to use, it probably aligns closely enough with the process suggested in this guide. Fixed consequence and likelihood codes could be a problem.
It is useful to have a short summary of each risk, separate from its full description as a chain. If your formal risk register has room for only a few words describing each risk, you can put the summary in the register, and capture the full description in a linked document that has room for unlimited words.
If you are stuck with a type of register that cannot show the links between one event (or discovery) and multiple outcome effects, use a separate risk record for each of the outcome effects. The common event description can be referenced, or copied verbatim, across the risk records.
Your register can look any way that works for you. The important thing is the thinking that goes into the risks. The Clear Lines model for a risk register is designed to reveal the thinking. It does not claim to be the most effective format for you.
The Clear Lines model risk register may look reassuringly conventional, on the surface. It is ideologically loaded to emphasise the features of each risk that keep your mind focused on real-world assurance of business plan outcomes. It is closely linked to ISO HB 436 in a way that most risk registers are not.
The model register has a minimum of administrative clutter, and unlimited space for answering decisive questions. It does not show risks both before and after proposed treatments. There is only one likelihood column, not duplicated columns for current and residual ‘levels’ of risk. The model assumes that differences resulting from risk treatments are represented by successive versions of the same register. Treatments are not listed. A treatment actually implemented is a control, while a treatment that remains a future intention has no effect on risk. The model register does not have a field for risk ‘acceptance’ or ‘status’, because in the Clear Lines, risk is accepted at the level of overall outcome likelihood, and not at the level of individual risks.
If your ‘template’ is actually a fixed electronic form, it may have a mandatory or calculated field for ‘level of risk’, as a number, letter, or code word. Colours are also popular. The Clear Lines do not use or recommend a ‘level of risk’ scale of any kind for business planning risk. ISO 31000 defines ‘level of risk’ as a combination of likelihood and consequence. ISO 31000 does not force those combinations onto a linear scale, and neither do the Clear Lines.
You can fudge and kludge past this inconsistency if you have no choice. The kludge is to:
- create, or adopt, a scale for ‘level of risk’
- create, or adopt, a look-up table for ‘level of risk’, where the ‘level of risk’ is determined by the combination of the ‘consequence level’ and the ‘likelihood level’.
You used the levels of success and failure when constructing your collection of outcome pictures.
Like ISO 31000, the Clear Lines do not define either consequence ‘levels’ or likelihood ‘levels’. The Clear Lines leave likelihoods as simple percentages.
For the purpose of fudging a look-up table:
- You can classify likelihood percentages within ranges, and those ranges can be called ‘levels’ of likelihood.
- You can mis-use the outcome success and failure levels as ‘consequence levels’. Doing so will lead you to show outcomes on different objectives as somehow equivalent and interchangeable, which they are not.
There can be separate look-up tables for ‘level of risk’, one for each objective. The Clear Lines once invented a clever one-page format to hold the multiple look-ups. Separate look-ups per objective are not part of common practice, so they may not help you solve your problem.
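The following Python example is added here and is not part of the Clear Lines guide. It shows the two workarounds described above working together: one event described once is expanded into a separate risk record per outcome effect (event text copied verbatim), and the mandatory ‘level of risk’ field is filled from a per-objective look-up. The sample event, the likelihood ranges, the level names and the look-up tables are all constructed assumptions.

```python
from bisect import bisect_right

# Constructed sample: one event described once, with two outcome effects.
EVENT = {
    "event": "Key supplier fails to deliver on time",
    "outcomes": [
        {"objective": "schedule", "effect": "Launch slips by a quarter",
         "likelihood_pct": 30, "consequence": "minor failure"},
        {"objective": "budget", "effect": "Overrun from expedited sourcing",
         "likelihood_pct": 10, "consequence": "major failure"},
    ],
}

# Assumed likelihood ranges: <5 %, 5 to <25 %, 25 to <60 %, 60 % and above.
LIKELIHOOD_BOUNDS = [5, 25, 60]
LIKELIHOOD_LEVELS = ["rare", "possible", "likely", "expected"]

# Assumed look-up tables, one per objective. Each row is a consequence level;
# its entries are the 'level of risk' for each likelihood level, in order.
LOOKUP = {
    "schedule": {"minor failure": ["low", "low", "medium", "high"],
                 "major failure": ["low", "medium", "high", "high"]},
    "budget":   {"minor failure": ["low", "low", "low", "medium"],
                 "major failure": ["medium", "high", "high", "high"]},
}

def likelihood_index(pct):
    """Classify a likelihood percentage into one of the assumed ranges."""
    if not 0 <= pct <= 100:
        raise ValueError(f"likelihood must be 0-100, got {pct}")
    return bisect_right(LIKELIHOOD_BOUNDS, pct)

def flatten(event):
    """Return one risk record per outcome effect, event text copied verbatim."""
    records = []
    for n, outcome in enumerate(event["outcomes"], start=1):
        idx = likelihood_index(outcome["likelihood_pct"])
        table = LOOKUP[outcome["objective"]]  # KeyError if no table exists
        records.append({
            "risk_id": f"R{n}",
            "event": event["event"],
            "objective": outcome["objective"],
            "effect": outcome["effect"],
            "likelihood_pct": outcome["likelihood_pct"],  # percentage is kept
            "likelihood_level": LIKELIHOOD_LEVELS[idx],
            "level_of_risk": table[outcome["consequence"]][idx],
        })
    return records

if __name__ == "__main__":
    for record in flatten(EVENT):
        print(record)
```

Each record keeps the original likelihood percentage alongside the derived code, so the form's required field is satisfied without discarding the information the code hides.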
Most of these ‘levels’ and ‘lookups’ are widespread practice, but it is bad practice. It is one of the reasons that ‘risk management’ has a poor image. It is the wrong idea because it hides the actual effects of uncertainty on your objectives – that is, risk – behind numbers and code words that live in an imaginary world, not the world you live in. You then start to wonder why those numbers and words matter. No wonder, really.
|New to this||Version 3. Beta|