RISK REGISTERS - Internal Audit Agency



RISK REGISTERS - Internal Audit Agency
Internal Audit Agency
3RD Annual Internal Audit Forum
Theme: Risk Management in the Public Sector:
The Role of Internal Auditing
Outline of Presentation:
y Introduction
y Risk Register
y Why Develop a Risk Register?
y Risk Register Template
y Risk Measurement
Likelihood Measurement
Impact/ Consequence Measurement
y Combined Effect of Likelihood and Impact
y Conclusion
y For effective management of risk, each step of the RM Process should be supported with appropriate tools and the output well documented.
y A system for reporting risk helps to ensure the consistency, completeness, and timeliness of risk control decisions.
y Database management systems are the most effective way to document and communicate risk information. y The primary database for documenting risk is the Risk Register.
The Risk Register
y The Risk Register is a management tool that enables an organization to understand its comprehensive risk profile. y It is simply a repository for all risk information. y The Risk Register records details of all the risks identified for an organization, a budget centre or project. 4
The Risk Register (ctd)
The RR is described as “a log of risks of all kinds that threaten an organization’s success in achieving its declared aims and objectives. It is a dynamic living document, which is populated through the organization’s risk assessment and evaluation process. This enables risk to be quantified and ranked. It provides a structure for collating information about risks that helps both in analysis of risks and in decisions about whether or how those risks should be treated.”
– [The Risk Register Working Group of the UK NHS (2002) ]
The Risk Register (ctd) y The RR is the hub of the internal control system, given that it contains the objectives, risks and controls for the organization or operation.
y Risks associated with activities and strategies are identified then graded in terms of likelihood of occurrence and seriousness of impact. y It is an important component of an organization’s risk management framework. y The Risk Register can be put together by members of the organizations, but must be owned and agreed by the Senior Management Team or the ARIC.
Why develop a Risk Register?
y Analysis contained in a risk register can be used to document and improve workplace practices. y Can be used to notify senior managers of emerging risk exposures that warrant immediate attention. y encourage a high level of ownership of, and commitment to, the organization’s processes and activities when all staff are involved in the process of compiling a risk register y Gives assurance to Management on the status of risks they face.
The Risk Register Template
y The Risk Register is a template to work through the risk management process.
y Working from left to right across the template, one is prompted to consider all elements of the risk management process.
y The risk register template consists of some headings in a table that reflects the nature of the risk that is to be addressed. y These headings are shown in the following table: (Click)
The Risk Register Template y The advantage of using a single template as a record of risk analysis, evaluation, treatment and monitoring actions is the clear presentation of the logic which supports the decision making process. y The completed risk register should be brief and to the point, so it quickly conveys the essential information. y It should be updated on a regular basis.
As a guide, a brief description of the objectives and scope of the activities to be included in the Risk Register are as follows: i) Likehood Rankings:
Likelihood Likelihood rankings should be calibrated, Rankings
where necessary to ensure compliance with applicable regulations, safety standards and other tolerances that have been agreed with key activity sponsors.
1 Low
Probability less than 5% (Has not/unlikely to occur)
2 Medium Probability less than 25% (Any history of occurrence?)
3 High
Probability of over 25% (has occurred recently)
Impact Rankings
Impact rankings should be calibrated to reflect the severity of consequence, should a risk crystallize.
Low impact on the organization’s strategy 1 Minor
or operational activities. Low stakeholder concern
Moderate impact on the organization’s 2 Moderate strategy or operational activities. Moderate stakeholder concern
High impact on the organization’s strategy 3 Significant or operational activities. Significant stakeholder concern
Grade: Combined effect of Likelihood/Impact Likelihood
High (3)
B. Medium (2)
C. Low (1)
1. Minor
2. Moderate
3. Significant
Consequence/ Impact Rating
A guide of actions to Manage Risks (E.g.)
An Example of a Risk Register is: (RR)
y Using the Risk Register to document risk provides a clear understanding of the risk management process and helps in the identification of inherent risk as well as appropriate strategies to mitigate these risks.