Risk Management is about taking action (doing something) to reduce an identified risk! Recording a risk on a risk register is a key part of this process, but there’s more…
In my risk engagement sessions with Organisations, one of the most frequently asked questions from staff is “What happens to risks after they have been recorded on risk registers? Does someone take them away to ‘resolve’ them?” Please read my summarised response below:
“Risk Management is the process of identifying, assessing and controlling threats to which an organisation is exposed.”
Identifying a risk is the start of the risk management process. Once the identified risk is approved by the relevant Board, Committee, Group, Management meeting etc., the risk is then recorded on the relevant risk register. The Risk Owner is responsible for managing the risk and ensuring the risk is reduced to an acceptable level.
The Risk Owner must identify the existing control measures (mitigation) in place to reduce the risk (if any) and assess (score) the risk. If the risk remains high or moderate, the Risk Owner must identify other actions required to further reduce the risk. ACTIONS!
The Risk Owner is responsible for reviewing and reporting on the progress of the risk to the relevant Board, Committee, Group, Management meeting etc.
Once all the actions recorded against the risk are implemented and the risk mitigated, the risk can then be said to have been properly managed and may then be approved for closure.
An effective approach to risk management goes beyond having a list of risks on risk registers; it encourages a culture where risk registers are live documents that evidence that actions are being taken to proactively reduce identified risks.
To help you think about risk management, we can work with you and your Organisation to put together a practical solution tailor-made to suit your requirements.