Common mistakes in a structured risk register

Introduction

Every time my company, Crest Advisory Africa (Pty) Ltd, is appointed to review a risk process, which includes the Risk Management Framework, the Risk Management Guidelines, the various risk criteria and the risk registers, we encounter interesting challenges.

The challenges are many, and they rock the foundations of the risk management discipline.

This article addresses some of these challenges and then provides you with the best possible guideline to apply in your own environment.

Challenges encountered with Risk Registers

Risk registers are the final working paper you will have of the risk process implementation. If the risk register template is incorrect or lacking, the risk facilitation process is gravely affected.

We have encountered this in many companies and on many levels: at Board level, where the Audit and Risk Committee (ARC) sometimes drives the process; at the Executive Committee, with a lot of knowledge around the table; and further down, at the Departmental Committees and Departmental Sub-Committees, mostly the sub-structures of the primary department.

The following table presents the typical layout of a risk register (landscape format) and the challenges encountered:

Typical Challenges in Risk registers

Challenge

Description

Risk Identification Phase

Unique Ref No

· We are always looking for unique reference numbers.

· A Strategic Risk cannot have the same number as a Departmental Risk, and a Departmental Risk cannot have the same number as an Operational Risk.

· These numbers are extremely important for analysis purposes.

· Without numbers, the risks on the various levels of the organisation are going to be contaminated with each other's data sets.

· Make it unique, such as:

o SO used for Strategic Objectives, numbered from 001

o Departmental Objectives could use the following naming convention:

o Operations: OPE

o Maintenance: MAI

o Finance: FIN

o Supply Chain: SCM

o Etc.

· The Excel-based risk registers we receive to work from usually do not have unique reference numbers. I suggest the following naming convention:

o SO-001-2024
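The convention above can be enforced mechanically when the departmental sheets are consolidated. The following is an added example written for this article, not a tool from Crest Advisory Africa: it validates references against the PREFIX-NNN-YYYY pattern (SO-001-2024 and the department prefixes OPE, MAI, FIN and SCM named above; any further prefixes are an assumption a real register would add), reports the same number appearing in more than one register, and allocates the next free number for a prefix. The sample sheets are constructed for illustration.

```python
"""Reference-number hygiene for a consolidated risk register.

Added example, not part of the original article. It applies the naming
convention from the text (SO-001-2024 for strategic risks, department
prefixes such as OPE/MAI/FIN/SCM for departmental risks) and flags the
two problems the text warns about: references that do not follow the
convention (including blanks) and one number shared by several registers.
"""
import re
from collections import defaultdict

# Prefixes taken from the article; the department list is an assumption
# that any real register would extend ("Etc." in the text).
LEVEL_PREFIXES = {"SO": "Strategic"}
DEPARTMENT_PREFIXES = {"OPE": "Operations", "MAI": "Maintenance",
                       "FIN": "Finance", "SCM": "Supply Chain"}
ALL_PREFIXES = {**LEVEL_PREFIXES, **DEPARTMENT_PREFIXES}

# PREFIX-NNN-YYYY, e.g. SO-001-2024
REF_PATTERN = re.compile(r"^(?P<prefix>[A-Z]{2,3})-(?P<seq>\d{3})-(?P<year>\d{4})$")


def parse_ref(ref: str):
    """Return (prefix, sequence, year) for a well-formed reference, else None."""
    m = REF_PATTERN.match(ref.strip())
    if not m or m.group("prefix") not in ALL_PREFIXES:
        return None
    return m.group("prefix"), int(m.group("seq")), int(m.group("year"))


def audit_registers(registers: dict[str, list[str]]) -> dict[str, list[str]]:
    """Check every reference in every register sheet.

    registers maps a sheet name to the reference numbers found in it.
    Returns:
      malformed  - references that do not match PREFIX-NNN-YYYY or use an
                   unknown prefix (blank cells are the most common case);
      duplicates - references used in more than one place across all
                   sheets, so a strategic and a departmental risk can never
                   share a number and contaminate each other's data set.
    """
    seen = defaultdict(list)
    malformed = []
    for sheet, refs in registers.items():
        for ref in refs:
            if parse_ref(ref) is None:
                malformed.append(f"{sheet}: {ref!r}")
                continue
            seen[ref.strip()].append(sheet)
    duplicates = [f"{ref} in {', '.join(sheets)}"
                  for ref, sheets in seen.items() if len(sheets) > 1]
    return {"malformed": malformed, "duplicates": sorted(duplicates)}


def next_ref(prefix: str, year: int, existing: list[str]) -> str:
    """Allocate the next free number for a prefix and year, e.g. 'SO-003-2024'."""
    if prefix not in ALL_PREFIXES:
        raise ValueError(f"unknown prefix {prefix!r}")
    used = [p[1] for p in map(parse_ref, existing)
            if p and p[0] == prefix and p[2] == year]
    return f"{prefix}-{max(used, default=0) + 1:03d}-{year}"


# Constructed sample: one strategic and two departmental sheets as they
# typically arrive, with a blank reference and a number reused across levels.
SAMPLE_REGISTERS = {
    "Strategic": ["SO-001-2024", "SO-002-2024"],
    "Operations": ["OPE-001-2024", "SO-002-2024", ""],
    "Finance": ["FIN-001-2024", "FIN-02-2024"],
}

if __name__ == "__main__":
    print(audit_registers(SAMPLE_REGISTERS))
    print(next_ref("SO", 2024, SAMPLE_REGISTERS["Strategic"]))
```

Run against the sample, the audit reports the blank Operations cell and the two-digit Finance number as malformed, and SO-002-2024 as shared between the Strategic and Operations sheets; the allocator hands out SO-003-2024 as the next strategic number.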

No Strategic Objectives available

· This is the critical departure point of any risk register.

· If the strategic objective is not connected to the risk, why would you spend your time and everybody's time analysing a risk which has no impact on it?

· The strategic objectives drive the very existence of the business for which you, I and everyone else work and earn our living.

· This is a critical oversight.

No Departmental Objectives

· Yes, no Departmental Objectives.

· These objectives are mostly documented in Performance Agreements or Output Agreements.

· And the incumbent is, most of the time, of the opinion that these are private between him or her and the upper echelons of the company.

· This is their performance, agreed upon with the company, which drives the Strategic Objectives.

· Thus the risk registers we receive start with "Risk Identified". Just there. Originating from where? Affecting what in the core business of the company, or in the core business of the incumbent? And how do you align your performance with the performance of the risks you have been delegated to manage?

· Even where a Departmental Objective can be allocated to the risk, the alignment with the Strategic Objective is not there, and no link can be correlated.

· Thus the department is an island, and the incumbent is the captain of his own ship, or the governor of his own island.

· Never, ever, in business.

No Operational Objectives

· The same as for the Strategic and Departmental Objectives.

· I want to state that this is not the fault of the operational incumbent, but a lack of leadership, top down.

· Thus the poor leadership behind the non-existent Strategic and Tactical Objectives culminates in a silo implementation of Operational Risk Management.

Risk description

· As a result of the absence of objectives, the risks are as wide and far apart as the gates of hell. Yes, of hell and not heaven.

· Everything goes through them, and everyone is of the opinion that their risk identification is spot on. But measured against what?

· The objectives, naturally.

· So the risk description is, most of the time, a lot of words which do not describe an uncertainty affecting any level of objective.

Causal Factor or Contributing Factor (CF)

· This is one of the most critical sections of the Risk Identification process.

· The golden thread must run from the Strategic Objectives down to where the risk ends up on its specific level, whether Strategic, Tactical, Operational or Project.

· The causes are also the starting point of the analysis phase of the risk implementation process.

· So if the model is faulty here, the outcome or result will carry a number of faults.

Consequences

· Just remember, consequence means: outcome of an event (3.3.11) affecting objectives (3.1.2) (see ISO 31073:2022).

· Consequences are usually documented in five (5) broad business environments, namely:

o Strategic

o Financial

o Operational

o Legal

o Reputational

· Without a proper analysis of the consequences, the impact will not be realised.

Estimated Monetary Value: Inherently (EMV-i)

· Wow, never heard of this.

· Many other companies and Boards are also surprised.

· Everything in business is financial, and risk management is a step closer to providing the Risk Owner with a business costing analysis.

· The inherent EMV (EMV-i) must be determined so that you know what the financial impact on the business objectives is.

· What is the residual EMV (EMV-r), and how was it determined, aligned with the controls implemented and assessed?

· The last EMV is EMV-a. This is part of the treatment of the risks. Remember, as the risk owner you are actually asking management to open the company wallet. If you don't know what you are asking for, do you think management will volunteer the funds?

Inherent Risk Rating (IRR)

· This is in every risk register.

· It is usually represented as a number derived from the Consequence and the Likelihood ratings.

· And this process steals the time in risk facilitation. Why is everyone so entangled in the Inherent Risk Rating (IRR)? It does not contribute anything to the risk profile.

· Please see the article regarding Internal Control Effectiveness (ICE) and the other article on the P2ST2 Methodology.

Risk Analysis Phase

Risk Owner

· Risk Owners are usually in a risk register as part of the Treatment Phase.

· This is where the Risk Owner is allocated tasks.

Management Controls

· Risk registers usually have some kind of Management Controls incorporated.

· But what we encounter so many times is that the Management Controls are listed from 1 to a maximum of 5 controls, and usually all of them are Processes.

· These "controls" do not address the Causal Factors / Contributing Factors (CF) listed during the Risk Identification phase.

· It is just a random list of perceived controls.

· This is not an analysis of a risk; this is a listing of something to fill the space.

· There is no systematic process to the analysis.

· We usually need to explain the CAA P2ST2 process, agree on using it and, from there, analyse the CF one by one and systematically.

· Please see the article regarding Internal Control Effectiveness (ICE) and the other article on the P2ST2 Methodology.

Control Details

· List the specific control, with the correct name, whether it is a People Control, a Process Control, a System Control, a Tool Control or a Technology Control.

· These controls will be used in the further analysis across the company as the Control Universe. Thus, if you use a different name for the same control, you are going to create a huge challenge for the data integrity of the Control Universe.

Evidence

· This is forever lacking.

· People want to talk controls, but they cannot list them.

· All the resources are available, but nothing can be produced.

· This cannot be the validation process that Risk Managers or Chief Risk Officers (CRO) accept.

· The risk register is the starting point for a Risk Based Audit (RBA), and the evidence must be explicit and validated.

· I suggest the following be included in the evidence column:

o Name of the P2ST2

o Reference no

o Date of issue

o Approval

o Validity period

· With this, risk management starts to be a valid tool for any manager and especially for the Internal Auditors (IA).

· As a CRO, you set the standard of the knowledge base in your organisation.

Control Owner

· List this here for the specific risk.

· The Control Owner (CO) must know that his performance is linked and monitored on various hierarchical levels.

· This will drive performance across the business.

Risk Evaluation Phase

Internal Control Effectiveness (ICE)

· Ahh, the ICE.

· This is my favourite.

· Each control must be separately assessed against valid and detailed Internal Control Effectiveness (ICE) criteria. (Risk criteria are defined as: terms of reference against which the significance of risk (3.1.1) is evaluated (ISO 31073:2022).)

· Some companies have nothing here; others have some sort of attempt that they have started using. But it seems as if all these companies are using the ICE to cover their performance: it must be so vague that nobody can hold you accountable.

· This is wrong and against the integrity of the discipline, the Code of Conduct, the risk management intention, etc.

· According to me, as a strong believer in De Bono's Six Thinking Hats, the black hat is judgement. The above methodology borders on fraud.

· The correct way to determine the ICE is through an anonymous process such as voting, simple enough that you can obtain percentages.

· Each control is evaluated separately by an audience that has knowledge of the process, whether they are implementers or receivers of the service. This percentage score is listed against the specific Management Control (MC).

· The average of all these scores is your overall ICE or, as we call it, your Level of Assurance (LoA).

· Where a risk has been evaluated below 70%, or below the threshold set by your overall Risk Appetite and Tolerance Statement, it must be treated.

Residual Risk (RR)

· Everyone has some form of Residual Risk (RR) in their risk registers.

· Let's just take a step back. What is Residual Risk (RR)? It is: risk (3.1.1) remaining after risk treatment (3.3.32).

· It is always a question for us how you arrived at that figure, and how you can validate it to ensure that it is verifiable, repeatable and validated.

· Usually it is done by using the same Likelihood and Consequence process that determined the IRR, and repeating it for the RR.

· This always has to be measured against some kind of ethical model; please refer to Cooper's decision-making model.

· As a simple test, we start from the Level of Risk (LoR) determined during the IRR. Calculate the average of the ICE scores in the risk register: this is your LoA.

· Do the calculation, please:

o Take the LoA and multiply it with the IRR (on a 5 x 5 matrix the IRR is a value out of 25; in this example take it as 25).

o Let's say the combined LoA is 85%, so the balance is 15%. Multiply 85% with 25.

o You will get 21.25, thus a 21 on the risk matrix. This is the portion of the inherent risk that your controls assure.

o Subtract the 21.25 from 25 and you get 3.75, or 15% of the IRR, thus a 4 on the risk matrix. (Equivalently, 15% x 25 = 3.75.)

o This is your RR or residual Level of Risk (LoR).

If the RR assessed through likelihood and consequence differs from this calculated figure by more than 5%, which is usually the tolerance applied, the results are invalid and must be redone.

Estimated Monetary Value: Residually (EMV-r)

· This is not in the risk registers.

· With the LoR determined, calculate the EMV-r.

· Take the LoR as a percentage (15% in the example above) and multiply it with your EMV-i.

· You get the risk exposure, calculated in monetary value.

· This is your EMV-r.

· And this is what the business is defending.

Risk Treatment Phase

<70% Risks

· This is not in the risk registers.

· Every risk must be treated to an LoA of at least 70%.

· Aligned with the underperforming Management Control, complete the following, which is detailed below.
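The ICE voting, the LoA, the residual LoR, the EMV-r and the 70% treatment threshold described in the Risk Evaluation and Risk Treatment sections above form one calculation chain for a register row. The following is an added example, written for this article rather than taken from it or from CAA's own tooling, that carries that chain through in code with the figures used in the text (LoA 85%, IRR 25, residual 3.75 rounded to 4, 15%). Two details are assumptions, because the text does not fix them: the 5% validation tolerance is measured as a share of the 25-point matrix, and the 70% threshold is applied to each control's ICE as well as to the overall LoA. The control names, votes and EMV-i are constructed sample data.

```python
"""Residual risk from Internal Control Effectiveness (ICE).

Added example, not part of the original article. For one register row it
computes: anonymous ICE votes per management control -> Level of Assurance
(LoA) -> residual Level of Risk (LoR) on the 5 x 5 matrix -> residual
Estimated Monetary Value (EMV-r); it lists the controls below the 70 %
threshold that must be treated, and cross-checks a residual rating obtained
by likelihood x consequence against the calculated one.
"""
from dataclasses import dataclass, field
from statistics import mean

MATRIX_MAX = 25        # 5 x 5 likelihood x consequence matrix
TREAT_BELOW = 70.0     # ICE % below which a control (and the risk) is treated
TOLERANCE_PCT = 5.0    # assumption: allowed gap, as % of the matrix maximum


@dataclass
class Control:
    name: str            # Control Universe name, spelled consistently
    kind: str            # People / Process / System / Tool / Technology
    votes: list[float]   # anonymous ICE scores, 0-100, one per voter

    @property
    def ice(self) -> float:
        """ICE of this control: the average of the anonymous votes."""
        return mean(self.votes)


@dataclass
class RiskRow:
    ref: str
    irr: int             # inherent risk rating, 1..25
    emv_i: float         # inherent estimated monetary value
    controls: list[Control] = field(default_factory=list)

    def level_of_assurance(self) -> float:
        """LoA: average ICE across all management controls, in percent."""
        return mean(c.ice for c in self.controls)

    def residual_level_of_risk(self) -> tuple[float, int]:
        """Residual LoR as (exact value, rounded matrix cell).

        assured  = LoA x IRR      (0.85 x 25 = 21.25)
        residual = IRR - assured  (25 - 21.25 = 3.75, i.e. 15 % of the IRR)
        The rounded value (4) is the cell reported on the risk matrix.
        """
        assured = self.level_of_assurance() / 100 * self.irr
        residual = self.irr - assured
        return residual, round(residual)

    def residual_pct(self) -> float:
        """Residual risk as a percentage of the IRR (100 - LoA)."""
        residual, _ = self.residual_level_of_risk()
        return residual / self.irr * 100

    def emv_r(self) -> float:
        """EMV-r: the residual percentage applied to EMV-i."""
        return self.residual_pct() / 100 * self.emv_i

    def controls_to_treat(self) -> list[str]:
        """Management controls whose ICE is below the treatment threshold."""
        return [c.name for c in self.controls if c.ice < TREAT_BELOW]

    def validate_against_assessed(self, assessed_rr: int) -> bool:
        """Does a likelihood x consequence RR agree with the calculated
        residual within the tolerance (assumed as a share of the matrix)?"""
        residual, _ = self.residual_level_of_risk()
        gap_pct = abs(assessed_rr - residual) / MATRIX_MAX * 100
        return gap_pct <= TOLERANCE_PCT


# Constructed sample row: IRR at the top of the matrix, five controls voted
# on by a panel of five; their ICE values average to the text's 85 %.
SAMPLE_ROW = RiskRow(
    ref="SO-001-2024", irr=25, emv_i=2_000_000.0,
    controls=[
        Control("Segregation of duties in payment approval", "Process", [90, 95, 100, 95, 95]),
        Control("Payment system dual authorisation", "System", [85, 90, 95, 90, 90]),
        Control("Quarterly reconciliation review", "Process", [75, 80, 85, 80, 80]),
        Control("Vendor master-data change approval", "Process", [60, 65, 70, 65, 65]),
        Control("Staff fraud-awareness training", "People", [95, 95, 95, 95, 95]),
    ],
)

if __name__ == "__main__":
    row = SAMPLE_ROW
    exact, cell = row.residual_level_of_risk()
    print(f"{row.ref}: LoA {row.level_of_assurance():.1f}%  "
          f"residual {exact:.2f} -> {cell} on the matrix ({row.residual_pct():.0f}%)")
    print(f"EMV-r: {row.emv_r():,.0f}  treat: {row.controls_to_treat()}")
    print("assessed RR of 4 consistent:", row.validate_against_assessed(4))
```

On the sample row the LoA is 85%, the residual works out to 3.75 (a 4 on the matrix, 15% of the IRR) and the EMV-r to 300,000 of the 2,000,000 EMV-i; the vendor master-data control at 65% is the one that must be treated, and an assessed residual of 4 passes the tolerance check while one of 8 does not.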

Risk Treatment Options

· Usually this is in there.

· But there are no specifics regarding the different choices to be made.

· These are the risk treatment options from which a choice must be made:

o Treat

o Transfer

o Tolerate

o Terminate

o Take the opportunity

· A definite choice must be made.

Action Steps

· Usually this is in there.

· This must be an actionable task, which can be tracked and traced, with a specific deliverable.

Estimated Monetary Value: Actions (EMV-a)

· Usually this is in there.

· What are the costs of the actions to improve the ICE of the underperforming Management Controls?

· This must bring the RR / LoR down.

· You can obtain immediate approval for this if you know what you are asking for. We keep imprinting the following statement: What is your ask?

· If you cannot quantify this, you have missed the opportunity.

Due Date

· Usually this is in there.

· This is self-explanatory.

Responsible Person

· Usually this is in there.

· This is self-explanatory.

Due Date failure and Escalation

· This is not in the risk registers.

· This is the biggest frustration for consultants and, I am of the opinion, for CROs as well.

· As the risk registers are reviewed every three months, you see the non-compliance and the non-delivery of these tasks.

· And the new norm for the past 5-7 years is simply: "So when can you finalise this?" And so it repeats for 2-3 cycles.

· This is an absolute no-no.

· If the Risk Owner cannot complete the task, he needs to apply to the Risk Committee he reports to for an extension, as with any normal motivated application.

· The Chairperson of that committee must apply his mind and determine: will this create uncertainty on the objectives of the company, were these really valid reasons, and why should time be taken up during a risk assessment to address this poor performance?

· If the Chairperson is not convinced, the application is denied, and a full record must be kept. You are the custodian of the company's objectives, and these are business-critical matters.

· If this is repeated, the question is: is this risk owner a repeat offender? If so, disciplinary steps need to be taken.

Comments

· The only comments in a risk register are an official extension, with documented evidence to support it.

Conclusion

A risk assessment is a structured process of risk identification, risk analysis and risk evaluation, followed by risk treatment and monitoring of the risk process.

But it is actually so much more. It is an official record to the highest committee of the company, an overview of the status and health of the company, through which one needs to provide assurance.

But if the risk model is flawed, there is a huge knock-on effect on everything, and the validity and integrity of the risk process are challenged.

Risk management results which are verifiable, repeatable and validated are the basis of protecting the company's objectives on every level.

These articles proceed steadily through the structure of a risk register and how to optimise the risk management process as a trusted process within the strategic management ecosystem of any company.