Risks are a part of everyday life – whether that be for individuals, businesses or councils. But the question isn’t about when – or if – risks occur. It’s about how we manage them when they do.
Here’s where risk registers come in.
But not all risk registers are created equal. So, let’s explore exactly what separates the good risk registers from the bad – and why an effective risk register is such a vital cog in your council’s machinery.
Keeping everyone on the same page
At its most basic level, a risk register is a way that councils – and other organisations – record risks.
‘Risks’ are unexpected events that, should they occur, can affect the course of a project – or worse, your council’s reputation. But they’re not always bad. Risks can have both positive and negative effects. So it’s important to understand them.
A risk register, then, is a document that outlines how councils manage risk, including:
- What those risks are
- The causes and potential effects of each risk
- Who’s responsible for them
- And what’s mitigating them
Think of your risk register as a tool to give your key stakeholders (including risk auditors) crucial insight into your council’s holistic risk profile – for quicker, more effective decision making.
It can also help your council to comply with regulations and allocate funds strategically.
Whether building parks, running libraries, or maintaining complex IT networks, councils have a wide remit – but so do their risks. The unexpected events or threats your council might face run the gamut: from issues of engineering and operations, to cybersecurity and healthcare.
That’s why a good risk register is so vital. But what constitutes a good risk register, exactly – and how can your council avoid putting together a bad one?
Defining an effective risk register
The key to creating an effective risk register is, itself, surprisingly simple: keep it simple.
A risk register needs to tell a story. What is the risk – and what threat does it pose to an operation, its objectives or the organisation at large?
Like all the best narratives, good risk registers are clear, concise and compelling. They list the risks, causes and controls – succinctly and successfully.
Conversely, a poor risk register is one that fails to clearly articulate the risks, or their relationship to the right controls. Similarly, risk registers that use too many words – or that rely on jargon or overly complex language – aren’t effective.
Risk registers should paint a vivid picture. Not a verbose one.
However, a risk register shouldn’t simply list your council’s risks and controls. It must also draw lines of cause and effect, showing how effective those controls are in mitigating each risk.
In other words, effective risk registers need not only to explain, but to analyse.
From principle to practice – how to create and populate a risk register
Once upon a time, spreadsheets were the gold standard for creating risk registers.
And in 2022, they’re still the simplest tool – but no longer the most effective.
Today, using an integrated ERM (Enterprise Risk Management) system is the most efficient way of managing your council’s risk profile.
Once the system is properly configured, all you need to do is enter your council’s risk information, and you’ll gain improved visibility of all your projects’ risks and controls. This enables richer analysis, more granular data control, and more accurate reporting.
ERM systems also integrate across governance, compliance, work health and safety, and BCP (business continuity planning). By drawing upon data from all those sources, your council can cultivate a truly holistic understanding of its risk profile.
With an ERM system, populating your risk register is simply a matter of answering the central questions around those risks, including:
- What is the risk?
- Which area of council does it pertain to?
- What are the causes and effects of each risk?
- Which controls are in place to mitigate the instigators and impacts of these risks?
- Who, within council, owns each risk and each control?
Again, simplicity is the goal. If people can’t understand your risk register, they won’t understand the risks – or how to address them.
Want to learn more about risk registers and how to populate them? Your friendly Regional Risk Manager is here to help.