In our prior post, we discussed why you should perform a risk inventory no matter what size your organization is. Here, we will talk about how to use that inventory to make a practical operational decision tool.
Step One. Creating a Risk Register – Your Prioritized Action Punchlist
Once you have surveyed your team for threats and opportunities in key functional areas (operations, finance, compliance, HR/talent management, marketing/reputation management, sales, and risk management), it’s time to work with the data.
- Gather the results in a document, separated by functional area.
- Supplement this information with industry data regarding key risks facing organizations like yours.
- Further expand the information by talking to your professionals – your lawyer, accountant, and banker. Ask them to rank threats and opportunities in order of priority, just as you did with your team.
- When someone on your team has identified something unusual or has attached a ranking to a threat or opportunity that’s vastly different than how others have ranked it, ask for more information.
- Gather the results in a single document. For smaller organizations, we suggest a simple Excel spreadsheet. Sort risks by the weighted 1-5 priorities.
This document now becomes your risk register. It’s your prioritized punch list of threats and opportunities, force-ranked according to how important they are to the organization.
Step Two. Reflection.
A risk register can provide substantial insight. Consider the following:
- Did your process identify lots of risks, or relatively few?
- If there are a lot of threats and opportunities identified, what patterns emerge? Do a few stand out?
- Did your organization identify more threats or opportunities? What, if anything, does that tell you about your team and what it is facing?
- In what functional area do most threats reside? What about opportunities?
- Did the professionals you consulted identify different risks than your team? If so, does this suggest the need for more regular input by professionals? Or does it suggest your professionals are not sufficiently aware of your operations and industry segment?
- What surprised you about the threats and opportunities identified? What surprised you about the rankings assigned?
Step Three. Action.
As good as your risk register may be, it’s nothing if there’s no action plan behind it.
- Add a few more columns to the Excel spreadsheet — include the next steps for each risk, who is responsible for the risk, and when to check back.
- Senior personnel should not focus on every risk. Instead, top personnel should focus on the three to five most important threats and opportunities.
- Of the remaining risks, assign some of the higher priority risks to various staff members within your organization. Other risks may be at low enough risk levels to ignore for now.
- Modify the ranking assigned as you see fit. In doing so, however, keep in mind that you may be substituting your own limited judgment for the informed judgment of your team.
- As threats and opportunities are mitigated or developed, change their rankings to reflect their changed significance. Always re-sort the register to bring your greatest risks to the top.
- Make your risk register a routine part of your operations. Bring it up at staff meetings. Hold people accountable for items on the register. Ask for regular reports.
- As a risk is addressed, downgrade its priority. When a risk becomes more significant, raise its standing in the register.
- As the team identifies new threats and opportunities, add those too. By making the risk register a living document, you are creating a culture of active risk management. And you’re engaging people across the organization in management of risks.
Short Cuts and Cautions
Is all that too much? If so, here are some shortcuts for you to consider:
- If it is too much to recirculate the threats and opportunities, use the results of the initial answers by your team to make a single list. Then use that list to identify priorities to work on. Even this limited exercise can bring enormous clarity to a small organization and can serve as a beginning of a more comprehensive risk register that you build later.
- Always include input from your attorney, accountant, and banker. Too often we seek advice from these professionals only after things go wrong.
- Don’t be overwhelmed by the results of this exercise. No organization can tackle every threat and opportunity at the same time. Senior management, as mentioned above, should focus on the big issues and delegate or defer the smaller issues to others.
- Bring in assistance. Don’t try to do it all yourself. Risk Alternatives and other organizations like ours can help you take these steps without burdening leadership. Remember, we’ve addressed these risks successfully for others, and we can help you identify and deal with the true risks to your operations.
As I’ve said before, small steps can create a significant impact in your company’s operations. The worst plan is no plan. If you find yourself unsure at any point in your process, give us a call.
Does your company currently have a risk register?
Whose input do you seek when you’re creating your risk register list?
Please share this post if you found it useful.