What is the difference between a risk assessment and a Risk Register?

A risk assessment is the process of identifying, scoring and treating risks, a risk register is where you record the assessment. The assessment method should be a repeatable process that allows you to score risks with consistency allowing your defined acceptance criteria to be used to make decisions on how to treat risks. The register should log the key information garnered from the process to help make decisions.

Understanding Risk Assessment: Process and Objectives

To make your risk assessment effective, your process is key, the approach should be well defined to ensure consistent results, this allows the business to make prioritising identified risks easier and ensuring that response is appropriate.

Quantitative or Qualitative

As part of your analysis, you will use a quantitative or qualitative scoring system where possible. Quantitative should be used, but unfortunately, it is difficult to apply due to the exact nature of the process; quantitative uses numbers to define the actual value of risk; a simple example is an e-commerce platform that can be valued operationally by how much revenue it generates. Qualitative, on the other hand, is more of a finger-in-the-air type measurement, and this makes it more important to make at least one person chief finger in the air holder to maintain consistency.

The Process

These are the key steps in a risk assessment.

Identification of Risks: Risks can come from internal and external elements and are often identified through risk workshops, events, and incidents, as well as by looking at the ever-changing landscape.

Risk Analysis: Once identified, risk needs to be assessed for their likelihood and potential impact to the business, this will most likely be using qualitative scoring depending on available data.

Risk Evaluation: Once analysed you can start to prioritise them based on their risk level, allowing focus on highly impactful and highly likely risks first.

Risk Treatment: Now that you have evaluated your risks and determined the level.

Once risks have been evaluated, appropriate risk treatment measures are identified and implemented to mitigate or manage them effectively. This may include risk avoidance, risk transfer, risk reduction, or risk acceptance, depending on the organisation's risk appetite and available resources.

Monitoring and Review: Finally, the risk assessment process is an ongoing activity that requires regular monitoring and review. Risks should be reassessed periodically to ensure that mitigation measures remain effective and to identify any new or emerging risks that may require attention.

Getting Risk Assessments Right

These are the 5 key things I would do to ensure that you get the best value out of your risk assessment process.

1. Define your assets: What are you trying to protect?

2. Define stakeholders (risk owners): Involve the key people who can make decisions against risk mitigation.

3. Create a risk team or key risk person: Depending on the size of your business, have a consistent person or team to manage the risk register and risk assessment process, as this creates consistency.

4. Review often: While risks are open, you should be checking in as often as is sensible. Monthly is a good baseline, but if something is going to take 6-12 (or longer), you may want to do quarterly and reduce as the deadline gets closer.

5. Keep it simple: When you first start your risk journey you want to make the process as simple, but still effective as possible, it doesn't need to be complex to bring value.

Need a risk register???

Download a simple useable pre-populated one here.