Over the past few months, I’ve had several conversations on the role of risk registers in Enterprise Risk Management. A common trend seems to be to treat these as a final outcome. With all that data it’s easy to sort and extract the information you want. Drop those into a PowerPoint deck and you’re all set. The result, of course, is a list with lots of information and little insight.
Is it time to view risk registers just as an interim step?
Risk registers contain a wealth of information. Looking at that data with an inquisitive mind allows us to see:
- Risks by objective – what insight can you gain into objectives most likely to be achieved or missed?
- Timings on risk mitigations – is there a lot that you are trying to accomplish overall and does your organization have the resources to accomplish that?
- Concentrations amongst the management team – who are you relying on most to shift your risk landscape?
These are just a few. I’m sure you can find more. The point is that thinking this way can offer new insight but also takes effort by the ERM team. It forces the team to develop its own view. No longer are you able to just repeat back what others told you. This may require evolving skills in your team.
I’ve long said that getting the data into your risk register should be 50% of the effort of an ERM team – the rest devoted to this kind of thinking.
The question is whether organizations are willing to abandon a view of risk registers as something we produce and report and start to view registers as an interim source of information in the ERM process. Not the outcome.