Risk Register Guide: How to Document and Monitor Risks

In business, risk lurks around every corner—some so subtle they barely register. As you plan, consider unexpected disruptions, such as a regional conflict affecting supply chains or a natural disaster, like a sinkhole swallowing key infrastructure. These events, often unforeseen and outside daily concerns, may be overlooked in a broad risk management plan.

The aptly named risk register serves as a critical tool for capturing and preparing for unforeseen risks. It ensures businesses can proactively mitigate their impact and maintain operational continuity with risk information in advance.

How Does a Risk Register Fit Into Risk Management?

While the terms “risk register” and “risk management” are often used interchangeably, they’re two distinct components of an overall strategy.

What is a risk register?

The risk register serves as a specific tool for recording and tracking identified risks, focusing on documenting individual risks and associated details.

Risk register vs. risk management

In contrast, risk management entails a comprehensive approach to risk analysis, identification, and response. It involves strategic planning and ongoing monitoring, with responsibilities shared among various stakeholders. Documentation within risk management encompasses risk assessments, risk mitigation strategies, and monitoring reports. Below are a few differences between risk registers and management strategies.

A risk register is a central component in your management strategy, but a lot of organizations don’t keep one. Without a detailed record of identified risks and their characteristics, it becomes difficult to effectively prioritize, monitor, and respond to potential threats. They also have benefits beyond risk management.

How Will a Risk Log Benefit Your Organization?

Typically, a risk register includes details such as the nature of possible risks, likelihood, and potential impact, mitigation strategies, responsible parties, and status. By maintaining a comprehensive risk record, organizations can proactively address challenges and capitalize on opportunities to achieve their goals effectively. In fact, there are multiple ways leaders can use these registers.

Integrating a Register Into Your Risk Management Strategy

A risk register can be either organization-wide or project-based. A project risk register is a document specifically tailored to a particular project. A key component in project management, a register identifies, assesses, and manages risks that could impact successful delivery. This register typically includes risks related to project scope, schedule, budget, resources, and stakeholders. For example, if a project involves implementing a new software system, risks might include technical challenges, resource constraints, or changes in user requirements.

On the other hand, an organizational risk register is a broader document that encompasses risks across the entire organization. It identifies risks that could affect the organization’s achievement of its strategic objectives. These risks may include market conditions, regulatory changes, financial stability, cybersecurity threats, and reputational risks. Unlike a project risk register, which is temporary and specific to a project, an organizational risk register is ongoing and addresses risks that could impact the organization as a whole.

To illustrate how to create and maintain an organizational risk register, we’ll integrate insights from Lukas Quanstrom, CEO and Co-Founder of Ontic, who shared during his appearance on The Employee Safety Podcast.

As the leader of a security technology company that provides a protective intelligence platform, Quanstrom emphasizes the importance of using advanced methodologies, such as risk management tools, workflows, and mitigation strategies, to comprehensively identify and address risks across an organization. This approach ensures that all identified risks, whether related to cybersecurity, market fluctuations, or operational challenges, are meticulously documented, including their risk status, mitigation plans, and ongoing tracking mechanisms.

Identify risks across sources

The first step in creating a risk register is identifying possible threats. These aren’t just the threats found in the business’s SWOT analysis or the known threats from historical data and previous experience. Most risks related to natural disasters, workplace violence, regulatory changes, and cybersecurity threats are known and documented.

But what about emerging threats? Small pieces of information can help make organizations aware of new risks.

In the AlertMedia podcast, Lukas Quanstrom describes these as “pre-incident threat indicators.” This involves gathering information from both internal and external sources. As Quanstrom noted, threats can manifest in numerous ways, such as “a threatening letter, a dark web post, or an employee tip.” This diversity of sources underscores the need for a broad, thorough approach to risk identification.

Here are some examples of pre-incident threat indicators that can help organizations monitor for emerging risks.

• Threatening communications: Instances where the organization receives letters, emails, or social media posts containing threats or aggressive language.
• Unusual employee behavior: Observations of sudden changes in behavior, increased absenteeism, or signs of distress or agitation among employees.
• Suspicious activity: Instances of unexplained presence of unknown individuals around the workplace or employees accessing sensitive areas without valid reasons.
• Dark web activity: Discovery of information related to the organization or its employees appearing on dark web forums or platforms.
• Increased security incidents: An uptick in security breaches or attempts, such as unauthorized access or hacking incidents.
• Vandalism or sabotage: Damage to property or equipment that appears deliberate in nature.
• Anonymous tips: Information provided anonymously by employees or third parties regarding potential threats or concerning behaviors.
• Changes in the external environment: Events such as political or social unrest, nearby incidents of violence, or shifts in regulatory environments that may impact organizational security.
• Social media monitoring: Tracking posts or discussions on social media platforms that indicate discontent or plans for disruptive actions.

Any of these events may indicate it’s time to add another risk to your register. The next step is to determine its likelihood.

Conduct a thorough risk assessment and analysis

The next stage in building a risk register is analyzing the severity of potential threats and their impact on the organization. This step is crucial for understanding the scope and severity of each risk, allowing organizations to prioritize mitigation efforts effectively by establishing risk categories. By employing professional threat assessment methodologies, organizations can systematically evaluate risks across various domains, ensuring thorough analysis and informed decision-making.

Some common risk analysis methodologies include:

• WAVR-21: Workplace Assessment of Violence Risk – 21; assesses workplace violence risk across 21 key domains.
• HCR-20: Historical, Clinical, Risk Management – 20; evaluates violence risk using historical, clinical, and risk management factors.
• MOSAIC Threat Assessment System: Identifies and manages threats through analysis of fixation, communications, and behavior patterns.
• J-SOAP-II: Joint Services Operational Assessment of Personality – II; assesses potential for violence based on personality traits and behaviors.
• CARVER Matrix: Assesses criticality, accessibility, recoverability, vulnerability, effect, and recognizability of targets or threats.
• VASt: Violence Risk Appraisal Guide; provides a structured assessment of violence risk factors and protective factors.
• Sigma Threat Management Associates: Offers comprehensive threat assessment and management services focusing on violent or disruptive behaviors.
• SWOT Analysis: Strengths, Weaknesses, Opportunities, Threats; a strategic planning tool to assess internal and external factors impacting an organization.
• Bowtie Risk Assessment: Visualizes hazards, threats, and controls in relation to risk exposure and mitigation strategies.
• Failure Modes and Effects Analysis (FMEA): Identifies potential failures in systems or processes and assesses their impact and likelihood.
• Probabilistic Risk Assessment (PRA): Quantitatively assesses risks by analyzing scenarios, probabilities, and potential consequences.

Incorporating professional threat assessment methodologies provides a structured approach to risk analysis. As Lukas Quanstrom emphasizes, “Using these methodologies allows us to rigorously analyze risks and prioritize mitigation efforts effectively.” This structured analysis not only enhances the accuracy of risk assessments but also enables organizations to proactively develop targeted strategies to mitigate identified risks.

Document identified risks

Clear risk descriptions will help you understand the threat and plan accordingly. Using a risk register template can facilitate this process by incorporating specific details. This includes documenting the nature of the risk, its likelihood, potential impact, mitigation strategies, responsible parties, and current status. Detailed documentation ensures that all relevant stakeholders have access to a centralized repository of identified risks.

Quanstrom highlighted the role of technology in managing and analyzing large volumes of data related to these risks. Modern tools such as threat intelligence platforms and risk management software offer robust capabilities for analyzing and managing large volumes of data related to identified risks. These technologies enable organizations to efficiently gather and assess information from various sources, facilitating proactive monitoring and mitigation strategies. By leveraging such tools, businesses can enhance their ability to identify emerging threats, allocate resources effectively, and maintain comprehensive documentation of risk management efforts. This systematic approach supports informed decision-making and fosters a culture of continuous improvement in organizational resilience.

Develop an accompanying response plan

The primary objective of a risk register is to systematically track various risks across an organization or project. However, it also serves as a foundational tool for creating proactive risk response strategies.

Each risk identified in the register, whether it pertains to team members, risk management processes, or specific events such as security risks or market fluctuations, requires a meticulously tailored response plan. These plans delineate both qualitative and quantitative approaches to mitigate potential impacts. For instance, qualitative strategies may involve enhancing team training or implementing stricter access controls, while quantitative measures could include allocating additional resources to address the potential threat.

Assigning risk owners responsible for overseeing these response actions is critical for accountability and timely implementation. This ensures that actions are well coordinated and aligned with organizational goals.