Cardinus CEO Andy Hawkes explains how one document can be the foundation of risk management best practice throughout a company.
Most business managers have an instinctive understanding of the more common risks they face, and will have taken mitigating action, often without even realising it. This ad-hoc approach may give some practical protection against problems and disaster but it can still leave a business exposed.
A planned, professional approach to business risk management can start with one document: a risk register. A risk register formalises the consideration of risk and opportunities, in a way that enables wider consideration and discussion within management or at board level. This in turn helps to ensure that all significant risks have been suitably identified, assessed and managed.
A risk register can be particularly valuable to non-executive directors, whose prime role is governance, and practice shows that it often throws up unexpected issues that need to be addressed. It is not, and should not be allowed to become, a bureaucratic exercise. Although a risk register tends to focus on negative risks, if used sensibly it should also address the opportunities which face the business.
Large PLCs will have dedicated staff creating, monitoring and updating risk registers, and will often have complex methods of risk evaluation. Within the majority of mid-sized companies, creation of a risk register will be a task for the financial director or the accountant and will only be a modest part of their overall responsibilities. The purpose of this paper is to help these individuals and their companies devise something that’s not too onerous, but which has real, long-term value.
Large businesses will regularly review and update their registers as part of a board process; this may not be practical for many mid-sized companies. However, an appropriate system is likely to include at least a formal quarterly review at board meetings or senior executive sessions. An ideal time for this is either just before or during the budget process, or during a review of insurances.
Apart from the benefit to the board, many insurers and regulators now ask to see risk registers, and a well-presented document that illustrates how risks are addressed can have a positive influence on the company’s reputation. Similarly, a risk register can be useful as part of the documentation for a company sale, because although it may not answer all the questions a buyer may ask, it gives some useful leads and indicates how well or badly risk has been covered in the past. It should be evidence that the company is well run.