First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Norman D. Marks, CPA, CRMA | April 5, 2017

The value of a risk register

A risk register makes you feel good.
It makes you feel you have accomplished something, a list of risks that might cause harm to the organization.
It makes the executive team and the board feel that they can check the box: “do you have a risk management program? Yes.”
But, does that risk register help people formulate and then execute the right strategies for the organization to deliver optimal value?
Does it help people at all levels of the organization make informed and intelligent decisions?
In fact, does it do more harm than good? Does it give the false impression that risk to organizational objectives is managed at acceptable levels, when in fact decisions are made daily that do not give appropriate consideration to “what might happen”?
I did a small consulting project for an organization recently that wanted to improve its risk management. I pointed out that their annual filing with the SEC had 13 pages of risk factors. I asked whether they were used to enable better decision-making. The answer was a bunch of smiles. Frankly, I doubt that the executives present were even familiar with those 13 pages.
As I suggested in Risk in the Fourth Dimension, we need to consider what we are trying to achieve and why.
The purpose of risk management is not to produce or review a list of risks. It is to help the organization achieve its objectives by considering what might happen and acting to optimize outcomes.
What do the leaders and decision-makers of the organization need to be informed and successful?
Is it a list of risks?
Do risks remain static or are they dynamic?
In World-Class Risk Management I point out not only the need to manage the business at the speed of risk (I love the fact that others have adopted my phrase), which is dynamic, but also that we need to consider the potential aggregate effect of risks on each corporate objective.
There are some risks that are transitory, such as those you consider when deciding which candidate to hire for an open position, and others that are continuing.
All you will see on a risk register (or for some a heat map, misleading as those charts are) are those that are expected to continue in some shape or form.
But even those continuing risks can change with surprising volatility, which is rarely indicated on a risk register.
A risk register or other form of list of risks does have some value, but it is limited.
I believe it is better to have a list of objectives and a continuing assessment of the likelihood they will be achieved.
That’s what matters. That’s why we need some form of risk management.
I ask again the question in Risk in the Fourth Dimension: are we just doing what we are told, as children, or are we figuring out how to help people make better decisions, as adults? That may be quite different from so-called traditional ERM, SRM, etc.
I welcome your comments.

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.