Formulating a risk register

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • Formulating a risk register
  • What is risk?
  • Identifying risks
  • Categorise each risk
  • Scoring each risk
  • Key elements of a risk register
  • Design
  • Monitoring and updating your risk register

Managing risk is not a one-off event, it is an ongoing process, as illustrated below:

[Diagram: the ongoing risk management cycle]

This Practice Note provides guidance on evaluating and recording risks by way of a Risk register.

What is risk?

There is a widely accepted definition of risk, ie:

Risk = probability x impact

So, for any given risk faced by your business, there are two questions:

  1. how likely is it that the risk will materialise, ie what’s the probability?

  2. if the risk does materialise, how bad will it be, ie what’s the impact?

A Risk register is a tool for scoring and recording individual risks using this formula—see Scoring each risk below. It is also used to record your response to each risk, ie reject or accept and, if the latter, steps to control or mitigate the risk.

Identifying risks

To formulate an effective risk register, you must first identify the risks your business faces. It is also helpful to have an understanding of your organisation's appetite for risk—see Practice Note: Identifying and evaluating risk across the business and Precedents:

  1. Risk appetite statement—this can be used to record your organisation's overall tolerance for risk and its appetite for different categories of risk

  2. Risk questionnaire—this should be completed for each department (including legal), by a subject matter expert for that department

  3. Risk audit—this provides a structure for analysing the