Risk registers - how to prepare one?

A community clinic article - an initiative for you and by you.

Building and maintaining risk registers is key to any risk management programme.

Commonly, Legal teams work with compliance functions and the wider business areas to do this. It is also a common approach for Legal teams to take on some compliance functions.

It is worth starting out by thinking about what the risk register is for, as this will dictate what is recorded in the register.

Commonly, risk registers help organisations decide on the key risks facing the organisation based on impact and likelihood, and how to resource and prioritise risk management.

Risk registers have some common requirements: 

  • Common definitions to ensure that people are talking about the same risks in the same way when they are assessing how they apply to the business's operations. 
  • Definitions of which laws and regulations apply to business operations.
  • Understanding of what technical security controls, protocols, policies, third party contractual restrictions and liability flow downs apply to manage risks and liability. 
  • Training to communicate what staff need to do, such as reporting risks and making changes to manage the likelihood and impact of risks arising.
  • Regular updates to keep assessments accurate, and testing, monitoring, and auditing to check whether policies and mitigation measures are being implemented in practice.

Tips for success

Risk registers need to be communicated to senior stakeholders as a regular item so that their requirements are implemented in practice. Involve a wide range of stakeholders to ensure that the risk register reflects what is happening in practice and that the mitigations are realistic and implemented in practice. 

I have found that ensuring that common language is used can be a key factor. The same word used by IT and Legal teams can have different meanings, such as "Accuracy", which can mean "true" from a data protection team perspective and "operating as expected" from an IT team perspective.

A risk register that is well prepared by a diverse set of teams can be a powerful tool in identifying, assessing, and prioritising risks and making sure that they are managed in practice. 

Jonathan Friend - Senior Lawyer, Information Rights, BBC


A quick “rough and ready” approach 

  1. Get Board buy-in from each functional leader to own risks from their area. This should not be hard – it’s part of their job! Anything without a clear owner is the CEO’s.
  2. Get one person to own the register document, building it and chasing to maintain it, at least monthly. Good software is available, but it is best to start with something simple like a common-format Excel file in a shared drive with a tab/page per owner, and then evolve.
  3. Provide a framework of 2 tables: 
    Table 1 has a list of, say, 1-5 on probability of occurrence (where 1 is very unlikely and 5 is certain to happen within the next year); and 
    Table 2 has a list of consequences again scored, say, 1-5 where 1 is negligible and 5 is business threatening.
    The consequence table should have a column for each of your functional leaders illustrating examples at each level from 1-5 of the consequences of things that could happen in their area e.g.:

HR: a company behaviour that will result in: 1: a limited number of unhappy employees, up to: 5: a strike affecting most of the company or major employment law fine, 

CIO: an IT investment decision that will result in 1: Intermittent slow IT up to: 5: most company systems inoperable for 24 hours+, 

CFO: a financial planning assumption or decision that could result in 1: losses of 1% of profit, up to 5: losses of 10% of profit (the upper number for finance can often sensibly be set at the number that your accounts use as the “accounting materiality level” for your company/group’s annual statutory accounts);

Legal and Regulatory: company activity which results in a 1: minor complaint lodged with regulator which is unlikely to be upheld, up to 5: the company or responsible managers receiving criminal sanctions, being barred from office or a regulatory role and/or fined for the conduct of their work; 
etc.

You work out a score by taking the probability from table 1 and multiplying it by the consequence in table 2.

e.g. the probability that a poor professional indemnity insurance contract review by your in-house legal team will lead to a loss that your company suffers as a result of being professionally negligent in the provision of services to a client and causing losses to that client, with these losses being recoverable against your firm but not being within the scope of your insurance policy, with the consequence that there is an uninsured exposure to your company.

This might be a:

2 on probability, as your In-House Team is ace but you have new starters who are trained on the job, so a mistake is remote but possible (hence scoring 2 not 1); and
4 on consequence, as the liability for professional negligence is capped in your service provision contracts at £3m. 

So the firm could be exposed to negligence liabilities of up to £3m if a mistake happens in your professional service provision, and your insurer declines to cover the liability that results because your team failed to spot the exclusion clause in the insurance contract and renegotiate it. 

If you were to try to mitigate this risk, you might do it by providing specific insurance policy wording training to your team, and by getting peer review of work to reduce the risk of errors by the first reviewer slipping through.

However, this risk scores 2x4 = 8 so it is not a high priority on your risk register, and you should not do this, unless there are no higher scoring risks on your register that can be mitigated, because you should be focusing on those higher scored risks instead. 

Ask each leader to get their team to assess each strand of activity in their areas of responsibility against these scores, review them, document them in the register, and then report back to the Board on any which score [15] or over (i.e. things that score 3x5, 5x3, 4x4, 5x4, 4x5 or 5x5). 

It is sensible for the document owner to act as a neutral and non-partisan reviewer of the content submitted, and test what has been submitted for proper understanding of the task and of the process and for consistency of scoring, and that what has been written down is clear, accurate, makes sense to a non-expert reviewer and is updated regularly.

The leader of each area should then seek buy-in from their fellow directors for those items scoring over [15]: either that the Board will “tolerate” a risk at that level, which is above their “appetite” for risk of [15], for a good reason (e.g. the IT fix for this issue has been delayed by 1 month and there is no alternative way to fix the issue) and actively monitor it to see if it stays the same, goes up or down; or that they approve (and will support with resource, prioritisation of activities and budget etc.) a proposed mitigation plan that will reduce the score of the risk from its “raw” score to a “mitigated” score of less than [15].

Put all of this into your register.

Having got this established, board reports should then follow [quarterly], where each leader has to report on new risks, current risks, risks that are fading away and the effectiveness of the mitigation actions that are keeping otherwise intolerable risks at a tolerable level, and agree appropriate decisions in response to this.

Put all of this into your register so that the register remains complete, current and accurate.
Repeat regularly on an ongoing basis.

Bruce Macmillan - General Counsel at Irwin Mitchell
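The two-table scoring procedure in the contribution above, worked through in code as an added example (not code from the article or any of its contributors): probability (1-5) multiplied by consequence (1-5), a Board reporting threshold, and a "raw" versus "mitigated" score per risk. The threshold value of 15 is taken from the bracketed [15] placeholder in the text and is an assumption; the register entries other than the article's own insurance example are constructed.

```python
"""Two-table risk scoring for a simple risk register.

Added example; not code from the article or its contributors. It implements the
procedure described above: probability (1-5) x consequence (1-5), a Board
reporting threshold (the article's bracketed [15], assumed here as the risk
appetite), and a "raw" versus "mitigated" score per risk.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SCALE = range(1, 6)          # both tables are scored 1-5
DEFAULT_APPETITE = 15        # the article's [15]; an assumption, tune to your Board


def score(probability: int, consequence: int) -> int:
    """Table 1 value multiplied by table 2 value, after range-checking both."""
    for v in (probability, consequence):
        if v not in SCALE:
            raise ValueError(f"score {v!r} is outside the 1-5 scale")
    return probability * consequence


def combinations_at_or_above(threshold: int = DEFAULT_APPETITE) -> Set[Tuple[int, int]]:
    """Every (probability, consequence) pair whose product reaches the threshold."""
    return {(p, c) for p in SCALE for c in SCALE if p * c >= threshold}


@dataclass
class Risk:
    owner: str                 # functional leader who owns the risk
    description: str
    probability: int           # table 1: 1 = very unlikely, 5 = certain within a year
    consequence: int           # table 2: 1 = negligible, 5 = business threatening
    mitigation: Optional[str] = None
    mitigated_probability: Optional[int] = None
    mitigated_consequence: Optional[int] = None
    tolerated: bool = False    # Board has accepted the risk above appetite, with monitoring

    def raw_score(self) -> int:
        return score(self.probability, self.consequence)

    def mitigated_score(self) -> int:
        """Score after the proposed mitigation; equals the raw score if none is planned."""
        if self.mitigated_probability is None or self.mitigated_consequence is None:
            return self.raw_score()
        return score(self.mitigated_probability, self.mitigated_consequence)

    def board_status(self, appetite: int = DEFAULT_APPETITE) -> str:
        """What the register owner reports for this risk at the Board."""
        if self.raw_score() < appetite:
            return "below appetite"
        if self.tolerated:
            return "tolerated: monitor"
        if self.mitigated_score() < appetite:
            return "mitigation approved"
        return "decision required"


def board_report(register: List[Risk],
                 appetite: int = DEFAULT_APPETITE) -> List[Tuple[str, int, int, str]]:
    """Risks at or above appetite, highest raw score first: (owner, raw, mitigated, status)."""
    flagged = [r for r in register if r.raw_score() >= appetite]
    flagged.sort(key=lambda r: (-r.raw_score(), r.owner))
    return [(r.owner, r.raw_score(), r.mitigated_score(), r.board_status(appetite))
            for r in flagged]


# Constructed sample register. The first entry is the article's worked example
# (2 x 4 = 8); the other two are invented to show a mitigated and a tolerated risk.
SAMPLE_REGISTER = [
    Risk("Legal", "Uninsured exposure from a missed exclusion clause in the PI policy",
         probability=2, consequence=4,
         mitigation="Policy wording training; peer review of contract reviews",
         mitigated_probability=1, mitigated_consequence=4),
    Risk("CIO", "Core system outage leaving most systems inoperable for 24h+ (constructed)",
         probability=4, consequence=4,
         mitigation="Maintenance window brought forward; failover tested",
         mitigated_probability=2, mitigated_consequence=4),
    Risk("HR", "Industrial action affecting most of the company (constructed)",
         probability=3, consequence=5, tolerated=True),
]

if __name__ == "__main__":
    print("pairs scoring 15 or over:", sorted(combinations_at_or_above()))
    for owner, raw, mitigated, status in board_report(SAMPLE_REGISTER):
        print(f"{owner:<6} raw={raw:<2} mitigated={mitigated:<2} {status}")
```

The `combinations_at_or_above` helper reproduces the six pairs the text lists (3x5, 5x3, 4x4, 5x4, 4x5, 5x5), which is a useful sanity check when someone changes the appetite: the set of pairs that reach the Board changes with it. The article's insurance example scores 8 and therefore never appears in the Board report, exactly as the text argues.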


On a practical level, first of all, instead of reinventing the wheel, check if the business has one in stock already. For example, your Finance or Ops Teams might have one in place or from the past which can be used as a basis for yours.

Similarly, if you’ve recently had an audit which focused on risk, the auditor may have suggested a template or provided a steer as to what should be included.

Otherwise, I think the main thing to do is to clearly work out and set the scope and parameters of the register. Consider factors such as:

  • How broad/limited should it be?
  • What’s the business’ risk appetite? 
  • Should it cover particular business units only?
  • Who is responsible for maintaining it?
  • How should it be formatted? For example, in colour-coded table form, covering (1) a summary of the applicable risk, (2) the assessment of occurrence, (3) the potential consequences, (4) any mitigating actions/plans, and (5) the monitoring and review requirements?
  • How often should it be reviewed?
  • Should training be delivered on it – both in terms of its content for awareness, and how to use and report on it?

On the first point, a challenge (but a necessity) will be to ensure you don’t try to cover every single risk possible – in other words, be focused in your scoping, and limit the remit to the key risks facing your organisation only.

Similarly, consider whether it’s worth, budget-permitting, getting an outsider to assess the business’ risks and record them accordingly – after all, an external assessor (with industry knowledge) may flag risks, actions and mitigations which you and the business might not have considered. 

Above all, there’s no one-size-fits-all for risk registers, and much will depend on the nature of the business and how it approaches the idea of risk – being a constantly evolving one as the business adapts and acclimatises to market changes over time.

Gethin Bennett - Assistant Legal Counsel - The Royal Mint