
The value of a risk register

January 21, 2017

A risk register makes you feel good.

It makes you feel you have accomplished something, a list of risks that might cause harm to the organization.

It makes the executive team and the board feel that they can check the box: “do you have a risk management program? Yes.”

But, does that risk register help people formulate and then execute the right strategies for the organization to deliver optimal value?

Does it help people at all levels of the organization make informed and intelligent decisions?

In fact, does it do more harm than good? Does it give the false impression that risk to organizational objectives is managed at acceptable levels, when in fact decisions are made daily that do not give appropriate consideration to “what might happen”?

I did a small consulting project for an organization recently that wanted to improve its risk management. I pointed out that their annual filing with the SEC had 13 pages of risk factors. I asked whether they were used to enable better decision-making. The answer was a bunch of smiles. Frankly, I doubt that the executives present were even familiar with those 13 pages.

As I suggested in Risk in the Fourth Dimension, we need to consider what we are trying to achieve and why.

The purpose of risk management is not to produce or review a list of risks. It is to help the organization achieve its objectives by considering what might happen and acting to optimize outcomes.

What do the leaders and decision-makers of the organization need to be informed and successful?

Is it a list of risks?

Do risks remain static or are they dynamic?

In World-Class Risk Management I point out not only the need to manage the business at the speed of risk (I love the fact that others have adopted my phrase), which is dynamic, but also the need to consider the potential aggregate effect of risks on each corporate objective.

There are some risks that are transitory, such as those you consider when deciding which candidate to hire for an open position, and others that are continuing.

All you will see on a risk register (or, for some, a heat map, misleading as those charts are) are the risks that are expected to continue in some shape or form.

But even those continuing risks can change with surprising volatility, which is rarely indicated on a risk register.

A risk register or other form of list of risks does have some value, but it is limited.

I believe it is better to have a list of objectives and a continuing assessment of the likelihood they will be achieved.
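The contrast between a per-risk list and an objective-by-objective outlook can be shown with a small calculation. The following is example code written for this page, not code from the post or from any tool it mentions. The register entries, the likelihoods, impact scores and tolerances, the "impact of 3 or more means the objective is missed if the event occurs" rule and the assumption that the risks are independent are all constructed for the illustration; real risks are rarely independent, so treat the product below as a floor on what aggregation reveals, not as a method.

```python
"""Constructed example: the same risk-register rows viewed as a list of
rated risks and, alternatively, aggregated into an outlook per objective."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    objective: str     # the objective this risk threatens
    likelihood: float  # probability the event occurs in the period, 0..1
    impact: int        # conventional 1..5 register impact score


@dataclass(frozen=True)
class Objective:
    name: str
    tolerance: float   # lowest acceptable probability of achieving it


@dataclass(frozen=True)
class Outlook:
    probability: float  # aggregated probability the objective is achieved
    acceptable: bool    # probability >= tolerance
    drivers: tuple      # risks that were counted against the objective


# Assumption for the example: an impact of 3 or more means the objective
# is missed if that event occurs; lower impacts are absorbed.
DEFEATS_OBJECTIVE = 3

# Constructed sample data (not from any real organisation).
OBJECTIVES = [
    Objective("Ship payments platform by Q3", tolerance=0.70),
    Objective("Keep customer data out of breach disclosures", tolerance=0.90),
    Objective("Meet FY revenue target", tolerance=0.80),
]
RISKS = [
    Risk("Key backend engineer leaves", "Ship payments platform by Q3", 0.10, 3),
    Risk("Payment-provider integration slips", "Ship payments platform by Q3", 0.15, 3),
    Risk("Unplanned PCI remediation work", "Ship payments platform by Q3", 0.10, 3),
    Risk("Cloud region outage in launch window", "Ship payments platform by Q3", 0.05, 4),
    Risk("Scope creep from sales commitments", "Ship payments platform by Q3", 0.20, 2),
    Risk("Phishing leads to credential theft", "Keep customer data out of breach disclosures", 0.30, 2),
    Risk("Unpatched internet-facing server exploited", "Keep customer data out of breach disclosures", 0.08, 5),
    Risk("Lost unencrypted laptop", "Keep customer data out of breach disclosures", 0.04, 4),
    Risk("Major customer churn", "Meet FY revenue target", 0.10, 4),
]


def rate(risk: Risk) -> str:
    """Conventional heat-map rating: likelihood x impact bucketed into Low/Medium/High."""
    score = risk.likelihood * risk.impact
    if score >= 1.0:
        return "High"
    if score >= 0.5:
        return "Medium"
    return "Low"


def register_view(risks) -> dict:
    """What the register shows: one rating per risk, nothing aggregated."""
    return {r.name: rate(r) for r in risks}


def achievement_probability(objective: Objective, risks) -> Outlook:
    """Aggregate the risks linked to one objective into a probability of achieving it.
    Assumes independence: P(achieved) = product of (1 - likelihood) over the
    risks whose impact would defeat the objective."""
    blockers = [r for r in risks
                if r.objective == objective.name and r.impact >= DEFEATS_OBJECTIVE]
    p = 1.0
    for r in blockers:
        p *= 1.0 - r.likelihood
    return Outlook(probability=round(p, 6),
                   acceptable=p >= objective.tolerance,
                   drivers=tuple(r.name for r in blockers))


def objective_outlook(objectives, risks) -> dict:
    """The objective-centric view: one outlook per objective."""
    return {o.name: achievement_probability(o, risks) for o in objectives}


def masked_by_register(objectives, risks) -> list:
    """Objectives below tolerance although none of their risks rates High,
    i.e. the cases a 'report the Highs' rule on a per-risk list never surfaces."""
    masked = []
    for name, outlook in objective_outlook(objectives, risks).items():
        ratings = {rate(r) for r in risks if r.objective == name}
        if not outlook.acceptable and "High" not in ratings:
            masked.append(name)
    return masked


if __name__ == "__main__":
    for name, rating in register_view(RISKS).items():
        print(f"{rating:6} {name}")
    for name, o in objective_outlook(OBJECTIVES, RISKS).items():
        flag = "OK " if o.acceptable else "BELOW TOLERANCE"
        print(f"{flag} P(achieved)={o.probability:.3f}  {name}")
    print("hidden by the per-risk view:", masked_by_register(OBJECTIVES, RISKS))
```

On this data every risk against the Q3 delivery objective rates Low in the register, yet four of them together leave roughly a 65% chance of delivering, below the 70% the example's board said it would accept. The data-protection objective is pulled under its tolerance by two Low-rated events while the one Medium-rated risk, phishing, is not what defeats it. That is the aggregation the per-risk list does not show.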

That’s what matters. That’s why we need some form of risk management.

I ask again the question in Risk in the Fourth Dimension: are we just doing what we are told, as children, or are we figuring out how to help people make better decisions, as adults? That may be quite different from so-called traditional ERM, SRM, etc.

I welcome your comments.

  1. Rachael Denniss
    January 21, 2017 at 2:09 PM

    I think that what you are really saying is – are we practising what we preach? Like any tool, it is HOW it is used and mastered that makes it a good tool, or not. Do we assess the effectiveness of our ERM systems as we would any other control? It is very valuable to really challenge our assumptions – in fact it is part of ensuring a sound risk culture. And I like the idea of managing a list of objectives etc – but is that just the inverse of a traditional approach? Or perhaps, it would better capture the attention of the (oft ignored) end users of our ERM products? I think you could be on to something.

  2. Glenn Daly
    January 21, 2017 at 3:52 PM

    We have recently implemented a new risk management system which gave us the chance to completely overhaul our capture of risk data to facilitate better support of our reporting to management and board ie objectives with “performance status” and “objective outlook” ratings. Objectives are at the centre of everything in the new system with us now including both “value add” and “value preservation” objectives, covering “strategic” (ie those in our strategy blueprint ) and all “other” objectives with us now having objectives at Group, Division and BU/OU/Project levels. Using a combo of Tim Leech/Norman Marks methodology, I think we have moved quite a way in terms of making our old ” risk registers” turn into “objective registers” with an “Enterprise” view being gained through Objectives and Risk Categories being linked up, at the various levels. But is it useful? Rather than talk about it conceptually which is what many prefer doing, I will comment from a practical perspective. It makes the formal risk updating process more saleable to users, it potentially makes the content in our reports more comprehensive as we are now gathering content in a more structured way, it gets everyone focused on objectives as distinct from the risks, etc. However, where it matters most at senior mgt/board levels, am not so sure of value. If (as we have) others such as Strategy & Innovation, Finance, Sustainability, HR reporting on objectives in terms of performance and outlook, it (as i have mentioned previously to you) potentially doubles up, albeit our info is more of a consolidation. It is still early days so it may well add more value but if it does not, I am prepared to scrap it all and focus more on embedding risk into business processes, teaching logical decision making and the like. Could simply be a new coat of paint on an old rusted bike which no one really wants except for ticking a box. Rgs

  3. Norman Marks
    January 21, 2017 at 5:16 PM

    Congrats on the progress, Glenn

  4. Kaiser Naseem
    January 21, 2017 at 9:36 PM

    Like anything else, managing risk is also useless unless you are doing it in the “spirit” and not only in the “letter”.

  5. Edward Clark
    January 22, 2017 at 5:43 AM

    The Risk Register is merely a tool for determining relative risk among assets across the organization. If not properly used, yes, it can have a range of effects from worthless to misleading.

    The Risk Register in and of itself is merely a list of the organization’s assets, the threats, hazards and barriers that pose the risk to those assets and the effectiveness of the current protective measures. This document should be maintained via quantitative analysis that is relative to the organizations assets and can serve as the basis of an operational risk management program. The key to leveraging the risk register is to determine how the numbers from the quantitative analysis equate to Risk Appetite and Risk Tolerance. This allows you to identify operational risk that rises to a level where it should be considered by the Enterprise Risk Management process. The key here is how does the organization translate the quantitative analysis into the anecdotal standards of risk appetite and tolerance? (Provided they have developed these standards)

  6. January 22, 2017 at 5:57 AM

    Norman, I agree with the thrust of your argument. A risk register which is just a list of risks is as useless as a list of ingredients without a recipe. We need a recipe (i.e. objectives) in order to use the ingredients to full effect and assess their relative importance (do I really have to add this much sugar?).
    My preferred approach (www.internalaudit.biz) is to use an ‘objectives, risks and controls’ register. I think this methodology partially overcomes your objections (provided it is updated ‘at the speed of risk’) and is similar to Glenn’s approach. I have reached this conclusion by coming from the direction of a CAE who has to fulfil reporting commitments to the Audit Committee and keep internal audit staff fully occupied in a structured environment. It has the advantage of: linking risks to the organisation’s objectives; establishing controls to manage those risks; requiring audit tests that check the existence and proper operation of these controls. Thus any audit test can be linked to the objective on which it is to provide a conclusion (about the likely achievement of that objective). There is an ‘audit trail’ from audit test to objective and vice-versa, useful if the CAE is to demonstrate the relevance of IA to the organisation’s decision making.
    We can’t ignore the need for some sort of ‘risk list’. The UK Corporate Governance Code requires, ‘The directors should confirm in the annual report that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. The directors should describe those risks and explain how they are being managed or mitigated.’(C.2.1). This implies that there must be some sort of list from which to extract the principal risks and that this list shows how they are being managed.
    You make the comment, Norman, ‘There are some risks that are transitory, such as those you consider when deciding which candidate to hire for an open position, and others that are continuing’ and ‘but even those continuing risks can change with surprising volatility, which is rarely indicated on a risk register.’ I would argue that actions to manage the risk of hiring someone who can’t do the job (Losses result from incorrect personnel actions) and other transitory risks, must always be ready to enact, and therefore able to be audited. For example one would expect to see training in interview techniques, defined personnel procedures and probationary periods. Such transitory risks and those continuing volatile risks, have to be noted down somewhere. If not in a ‘register’, where?
    I would say in the circumstances that you mention, it’s not the risk register at fault but the failure to ensure its completeness (i.e. not including objectives and ‘controls’) and its maintenance.

  7. Norman Marks
    January 22, 2017 at 6:12 AM

    David, I agree that there is some value in a list of risks. But the key question to answer is what the risk management activity (not only internal audit) can do that best enables management to lead the organization to success. What will help them set, change as necessary, and then execute on strategy?

    • January 23, 2017 at 6:21 AM

      Norman, in answer to your questions I would say: clear objectives; an understanding of the factors which will assist (benefits), and hinder (risks) the achievement of those objectives, constantly monitored; identified methodologies to manage the benefits and risks, also constantly monitored; clear responsibilities for reporting to the board (and investors) about the likely achievement of the objectives.
      My argument is that the above responsibilities cannot be effectively discharged without the recording of objectives, the benefits and risks to their achievement, and the management methodology for managing those benefits and risks.

      • Edward Clark
        February 18, 2017 at 11:33 AM

        David, Would you say that those objectives should be found in the Risk Appetite? I agree there has to be a way to tie the register to the enterprise level, by placing those objectives in the Risk Appetite allows for that transition.

        • February 18, 2017 at 5:40 PM


          What on earth is the “Risk Appetite”? This whacky concept is out of control.

          • Edward Clark
            February 18, 2017 at 8:00 PM

            With lack of a national standard, I guess it can have many meanings. We define the Risk Appetite as an executive statement as to the amount and type of risk the organization will accept to accomplish certain objectives. If viewed as a list of strategic objectives, it lets you transfer the register from an operational level to the enterprise level. (Provided the risk is significant enough) An objective register at the operational level is just another document to maintain. The key is determining which risks are worthy of the enterprise level and providing evidence (risk register level analysis) to support the transfer.

            • February 18, 2017 at 9:48 PM


              I’m still not clear. Risk is the effect of uncertainty on objectives. It's the effect of the uncertainty that matters.

              I can understand your organisation might have some rules that enable you to judge how much uncertainty is acceptable, but I cannot see why you would want to classify risks as either “operational” or “enterprise”, whatever those terms mean. Risk is risk and risks are just hypothetical scenarios that we conjure up to characterise and explain risk. We use them to examine the implications of decisions we are facing.

              Also, what do you mean by type of risk? Risk is risk.

              The concept of risk appetite has been hovering around for many years, mostly promoted by regulators and the big consultancy firms. Mostly it seems to be about an aversion to particular types of consequences not risks, per se.

              When we prepared ISO 31000 we deliberately left it out because we could not make sense of the concept. Just because lots of people talk about it does not mean that it makes sense.

              • February 19, 2017 at 1:39 PM

                I don’t understand this aversion to the term ‘risk appetite’. We all have a certain level beyond which we won’t tolerate a risk but will instigate a response to it. For example, I have the objective of getting to the other side of a busy road. I face the risk of being knocked over. I could respond to this risk by looking both ways and running across the road but it’s too busy and over my ‘risk appetite’. So I respond to the risk by walking to a pedestrian crossing and bring the risk to below my appetite.

              • Edward Clark
                February 19, 2017 at 8:25 PM

                Maybe it's an American thing, but they have very clear meaning in the US. Your risk register should be comprised of a calculated analysis of all of your assets, the perils they face and the current level of effectiveness of the existing mitigation. The risk to some of those assets is obviously greater than others. As risk managers, we must ensure that if that risk rises to a level that exceeds that which is described in the risk appetite statement that we inform the executive decision makers. The Risk Tolerance for each objective is the “Hard Stop” at the end of each risk appetite statement developed for each strategic objective. It appears to me that some of you here have trouble getting buy-in from your executives and when that occurs, you are willing to abandon it or invent a new technique rather than refine it. I admit that the precept of Risk Appetite is not well addressed in any national standard, that does not stop us from using it effectively with our clients. Operational risk analysis, as performed in the risk register allows us to conduct relative, quantitative risk analysis for all assets and based on established levels, transition to an enterprise level that has executive oversight and is more anecdotal in its interpretation as in a risk appetite statement for a given objective. It is this transition from quantitative analysis to qualitative mitigation strategies that facilitates executive buy-in.

  8. Glenn Daly
    January 22, 2017 at 5:13 PM

    An objectives register (just like a risk register) is only useful to the extent those in a position to make some change arising from the data coming out of it, proceed to make the change. We have reported on people risk in one of our divisions for years. The level of risk has remained high for years with limited if any impact by management actions. The low turnover of staff was used in our reports to continue to highlight the risk (ie a division aspiring to uplift talent would have had much higher turnover). Recently the performance of the division has declined (due to softening market) fully exposing the division’s weaknesses. And now everyone is going on about “people” with everyone recognising the need to turn over staff and clean out dead wood. What is my point? Whether you have an objectives or risk register, what matters even more is whether there are people prepared to act on what is coming out of it. Otherwise, it is a waste of time. Would reporting on the people risk in the context of an overall objective have helped? Probably not as we had been doing this for the last 12 months anyway. What triggered action was the downturn in the market exposing the division. Lesson for me. Objectives or risk register information being given to those without the appropriate risk mindset, is going to end up being non value adding. My job is not over by any stretch simply by producing a register out of a fancy “system” supported by a “process”. I need to get those who view the info coming out of the process/system to see the implications going forward and to then act ie get them into the right risk mindset. For whatever reason, quite clearly I failed in the example above. Rgs

  9. lopiola
    January 23, 2017 at 1:06 AM

    I find risk assessment similar to budgeting. It should be done from “zero-base” every year or else it becomes a “copy-and-paste” of little (if any) usefulness.

    • Norman Marks
      January 23, 2017 at 7:35 AM

      Once a year? Sorry, no

    • February 19, 2017 at 1:09 PM

      Sorry but I don't agree with that, especially if you want to keep track and measure mitigating actions from previous assessments, that would be a flat analysis every time.

  10. Gary Lim
    January 23, 2017 at 2:27 AM

    For the learned ADDING another term like Objective Register is a piece of cake, whilst the client’s staff in my opinion is now even more confused and need to explain the difference between Risk Register and Objective Register. As to objective, I believe it is something taken for granted, each department has its own OBJECTIVE and combined together achieves the Company’s objectives. The subordinates within each department would also know of their respective objective which is normally a tangible OUTPUT. If one’s output is no longer part of the objective, the position is redundant like the secretary’s role, fewer and fewer being employed except the CEO only, at least in Malaysia.
    I still maintain that Risk Register is a good start, even then not many are able to cope with this, ensuring the controls listed are IMPLEMENTED effectively, often just a sentence without implementation. How deep to drill down the Risk Register depends on the available resources of an organization.

    • January 25, 2017 at 2:09 PM

      I agree, Gary. There is little value in introducing another register to the risk management world. There is, however, great value in explicitly basing the risk register on objectives.

  11. Steven Brassem
    January 23, 2017 at 3:09 AM

    I see some good points being made here but the problem with objectives is that they come in various forms and sizes and the list may grow as endlessly as can be the case with some of these risk registers. I agree these are not effective.

    For example, a key objective might be to grow your market share by x% in 6 months time. You can then monitor and assess how successful management is dealing with the operational challenges and risks and you may be able to make fair assessments of the likelihood of achieving this objective along the way (with increasing certainty as the period passes). I think this results in valuable information for those tasked with the achievement of the objective and those tasked with oversight. It becomes more difficult when you think about understanding and stating operational and financial objectives, or, even more difficult, compliance type objectives. I think few CEOs or exec teams in the world will start thinking about – and being able to list – the objectives that target ‘preservation of value’: most will focus on strategic objectives intended to drive value growth and associated ‘rewarded risks’. This is all right as long as the approach of departing from objectives rather than risks doesn’t make you forget about the many other implicit objectives and the (‘non-rewarded’) risks associated with these. For instance if you ask executives, remaining compliant with specific tax regulations or health and safety standards usually does not appear on top of their list of objectives. However, they do understand that these may create huge risk exposures. Data protection and cyber security risks are becoming increasingly understood and very topical: these may form an exception.

    If from a governance and risk management perspective you do want to depart from objectives, which I think is sensible, I recommend starting with a generic framework of holistic strategic, financial and compliance driven objectives based on value growth and value preservation. This is less of a challenge than it may seem and not that long of a list as for most organisations such a model responds to the principles of good business and governance and looks similar. Once established and agreed, you can then link to specific or explicit, current, objectives and this will help understanding your risk management challenges (as well as assurance needs) better.

  12. John
    January 23, 2017 at 4:12 AM

    likelihood of those objectives, but with consideration of their importance (i.e. impact)…or is that implied within the objective itself?

  13. Andy jackson
    January 23, 2017 at 7:14 AM

    A risk register’s value is in its usage, both internally and externally. A risk register that is couched in terms of the business model and the language of the business can be used at the decision making level, in any business, on a regular basis as long as they are pertinent to the business’s ability to execute on strategy. Strangely enough…you then find that the monthly exec meetings actually spend some time discussing risk, mitigation and acceptance as part of their normal commercial discussions.

    For external parties, it is evidence that the exec have some grasp of the business they run.

  14. Mike
    January 23, 2017 at 5:02 PM

    A good perspective and question. A question we should ask on a periodic basis to continually improve risk management practices is “how are we going to use the objective and/or risk register to better improve the organization’s governance and decision making”. From my experience it is how you use the risk register to drive important discussions in the organization and subsequent actions implemented that is key.

  15. Norman Marks
    January 23, 2017 at 5:42 PM

    Mike, is a risk or objective register sufficient?

  16. Michael Parkinson
    January 24, 2017 at 12:26 PM

    There is a rather nice discussion of tallying debts in ch 34 of “Great Expectations” (Charles Dickens) that parallels the use many organisations make of their risk registers. Risk Registers seem to be used to describe what can go wrong without any thought that they might be used to make decisions about how best to achieve objectives.

    A risk register does not in itself achieve anything. It is about the use made of it – tracking, analysis, and trends & changes as a consequence of decisions or external events. In some ways a risk register is like a general ledger – useful for management, but not without the application of some skill.

  17. Kseniya
    January 24, 2017 at 5:51 PM

    It depends. If your risk map is static and renewed only yearly by your consultant in headquarters, that gives you zero effect. But if it is reviewed on a monthly basis and in case of necessity, that is your map of how to overcome actual risks connected with your actual business activities based on the current situation in business and legal requirements

    • Norman Marks
      January 24, 2017 at 6:24 PM

      But risk is modified with every business decision. I truly believe that a periodic review of a list of risks is not helping the business succeed.

      • January 26, 2017 at 5:20 PM

        But a periodic review around the board table, and a demand for regular status reports on the progress of new mitigation strategies at least keeps attention focused on the need for continual management, monitoring and review. It also communicates executives’ commitment to risk management and the accountability of managers to stay on top of their risks.

  18. Anu
    January 24, 2017 at 9:08 PM

    who reads the register – action taken – when and why and how – record
    second your increased risk and or mitigated risk – either employment or change or cross training and in latter case record of changes will stop now.

  19. Alan
    January 26, 2017 at 7:45 AM

    I agree. Even in Tier 1 Banks the majority of intellectual capital, resources (time and spend) and focus is on risk framework administration. It’s largely a passive and reactive discipline that mirrors the limitations of the 2nd and 1st line personnel in the field. If we’re genuinely honest the label ‘SME’ in any risk discipline these days seems to be awarded with little evidence of real examples where the information ingested by risk frameworks actually drives strategic initiatives, cultural change. In my experience there are legions of people wearing the SME label in both 2nd and 1st line roles that don’t have sufficient mastery of the business operations they face off against. Where this is the case what we have is an expensive letter box.

  20. January 26, 2017 at 7:55 PM

    You nailed the issue within your question. Why do risk management at all — if the purpose is not to influence and improve decision-making? Bingo! That is what I learned in my last role …our risk program should not only help us manage the potential down side, but enable us to take informed decisions to move the business forward with greater confidence that we will achieve our objectives around product quality, brand strategy, International market plans, joint venture viability, etc. So risk management is not about producing a list so much as producing insight which gives my board better assurance that our strategic objectives will likely be realized.

  21. Luis
    January 28, 2017 at 11:40 AM

    Completely agree!
    The key success factor, in my opinion, is to have a roster of tier one risks for the board, define an action plan and make a follow up. Those risks on the roster have to be very few and with a very high impact on the organization.
    Listing a big amount of risks only means that your organization complies with regulation in force but is not taking action.
    Risks change continuously and only very few are static (strategic risks basically). A risk register is only worthy if it is able to tell the board which risks threaten the company.

  22. Greg Suddards
    January 30, 2017 at 4:33 AM

    I have sympathy with your views given the usual tick-box process of maintaining a risk register but I would have thought that at a minimum it is essential in order to gather data for slotting into risk category boxes for eventual use in loss distribution constructions.
    More important though is that the register should record carefully analysed root causes. The last-mentioned is critical for assessing whether the underlying event was ever on the radar or, if it was, why did the existing controls not work and what changes to the controls are necessary.

  23. Gary Lim
    January 30, 2017 at 5:09 AM

    From my working experience as a Risk Engineer and retired as a Risk Manager from a MNC insurance company, I would like to categorize into 2 types of risk which have been mentioned above. Passive and Active risk. Personally I would record the Passive risk into a register with controls in place, audited say 6 monthly that these controls are effective and relevant, for example Fire incident, IT system hacked or virus attack, IT authorization Fraud, etc. The consequences usually are catastrophic like Barings Bank sold for one euro, probably combination of IT authorization unlimited amount of money drawn off for a business transaction.
    Active risk need not be registered, it will be too bureaucratic, like 6 months growth of X% or meeting the budget of the year. Then the CEO working hand in hand with the CFO prepare creative accounts like the few global retail stores that jacked up the closing stock to reflect a lower cost of sales hence profit to meet the shareholders’ expectations. When it comes to fraud of this nature, nothing can be done, it only takes time to discover.
    By the way, Risk definition already has the element of objective why another term?

  24. Norman Marks
    January 30, 2017 at 6:28 AM

    All, if risk is the effect of uncertainty on objectives, why are we not telling leaders of the organization what the AGGREGATE effect is on each of their objectives?

    Are leaders responding to risk reports out of DUTY or because they can see how it helps them SUCCEED?

    • Gary Lim
      January 30, 2017 at 6:25 PM

      I see it as personal interest, meet compliance otherwise it becomes an issue which no CEO would like to have. It also shows that everything is under control at least on paper hence there is no room to find faults on the leadership. Their stay is short term and based on RESULTS, there is no time to dwell on things which are likely, possible, etc. but on paper these have been addressed. Conclusion DUTY only!

  25. January 30, 2017 at 3:43 PM


    I think we should ask ourselves: “if a risk register is the answer, what is the question?”

    The genesis of the risk register shows how this Frankenstein has morphed into such a monster. Under the 1961 UK Factories Act (and in many previous versions going back 150 years) the occupier of a factory had to hold and compile a General Register. This was a standard booklet purchased from HMSO and contained details about lifting tackle, wall painting, air receivers and steam boilers. In the 1970’s some bright spark (not me) in the UK HSE thought it would be a good idea to append a list of ‘hazards’ to the General Register. This, in time, morphed to a list of risks – because risks were sexier than plain old hazards.

    Now, of course, while a list of hazards might show that a factory owner knew something about the things that could injure his employees, a short set of risks could never properly describe all the ways they could actually get injured.

    Now we have the situation in too many organisations that the completion of a risk register becomes the central and probably only systematic activity concerned with risk management. These ‘tablets of stone’ are revered and are subject to an annual blessing and review – a painful exercise that most managers try to avoid attending because they unconsciously recognise that the occasion is worthless.

    Many of these registers, taking advantage of the power of Excel, now have dozens of columns all of which have to be completed with information which no one really understands or uses for anything else. I know of companies where the 70+ fields take risk managers days to complete after every risk assessment. Certainly, no one I’ve ever talked to has found that a risk register completed at some distant time in the past has any real value in informing a decision now.

    What is curious to me is that the most useful documents generated as part of a risk assessment don’t seem to be preserved at all. That is: the list of factors and assumptions that reveal the risk sources developed when ‘establishing the context’ before the risk assessment occurs and the risk modification (treatment) plans of actions, the control monitoring and review plans and the risk source monitoring plans (KRIs) generated afterwards.

    At best the risk register is just a record of a conversation that has been held in relation to a decision so that we appreciate how uncertain are our desired outcomes. It contains some example scenarios (risks) that were postulated at the time which are purely ‘for illustrative purposes only’ and which provide the audit trail that leads to the modification, control monitoring and review and risk source monitoring plans. As such, it has no magic qualities and was probably out of date the moment it was created.

    Many boards still receive these sterile and out of date ‘minutes of a meeting’ and some even still request them. Lord knows what they think they can do with them, especially as some organisations still expect their boards to endorse and accept them as though the members have special insights and are closer to God than the rest of us.

    When people ask me what they should do with risk registers I normally respond that they should shred them. I find the paper makes good bedding for small furry animals and is useful to light fires. However, they then normally respond that they have to keep them so that their auditors are happy!!

    • Norman Marks
      January 30, 2017 at 5:38 PM


    • January 31, 2017 at 9:23 AM

      Grant, while many risk registers may only be suitable for small furry animal bedding, that’s no reason to shred them. It is a reason to get back to the real purpose of understanding risks – to achieve objectives by improving decision making (Norman’s original point).

      Does this need a formal risk register? Not if it gets in the way of incorporating risks into the decision-making of the organisation.

      However, we must not ‘throw the baby out with the bath water’. A simple list of risks, derived from objectives and linked to processes managing those risks is essential for the proper operation of an internal audit function (as I have argued above). Without this list, I don’t think that it is possible to prioritise audits and relate them back to objectives.

      • January 31, 2017 at 3:54 PM


        I’m struggling here to understand what a “simple list of risks derived from objectives” means. Risk (NB, not risks) is the effect that uncertainty has on the highest level objectives of an organisation. In that controls are enablers for objectives, I can’t see why you can’t link those directly.

        Risks are just example scenarios we postulate that help us challenge assumptions when we are faced with a decision. They are not real, just imaginary illustrations and I would worry if an audit plan was just based on these.

        I’d rather see a control register than a risk register, with each control linked to a particular high level objective or objectives. The rule then is: if your control can’t be shown to modify uncertainty associated with an objective, it’s not a control! Chuck it out, as it’s just clogging up your business processes.

        At a practical level, I thought audit planning did not necessarily focus on individual risks and controls. Rather, periodically (I did it twice a year), the person who kept an eye on all the risk assessments taking place (let’s call them the Risk Manager) pulled together an overview and met with the person planning the audits. Between them, and informed as much by the Potential Exposure (and NB, not the level of risk), they developed some focus areas or general topics for audits which became part of the plan.

        Of course, when the auditors begin their work, it’s important they access any information about recent risk assessments and the assumptions made in them about the effect of existing controls. They would also want to know what modification plans management have (to create or amend existing controls) and how they are progressing.

        Another input to the audit plan should be requests from management. I certainly like to see, as one of the primary deliverables from a risk assessment, a plan on how important controls (to ensure the desired outcomes from a decision remain certain) can be monitored by management and periodically reviewed through a combination of management-led control self-assessment reviews and independent audits. This should lead to requests from the risk/decision owner to the audit department for these independent reviews – to provide him with the assurance that those controls have the effect assumed when the initial decision was made and the risk assessment conducted.

        On a practical note, I’ve yet to find a risk register that contains sufficient information on the controls that are assumed to be in place and their expected effect. Invariably there is no information on control design and on how its effect is currently being assured. Most risk assessments seem to just guess at this and I would not like my audit plan to be based on such unreliable information.

        • Norman Marks
          January 31, 2017 at 3:58 PM

          Grant, the auditor should, IMHO, assess whether the controls provide reasonable assurance that risk is at acceptable/desired levels. I see the logic as objectives => risk => controls.

          • January 31, 2017 at 4:09 PM


            I’ve never found an auditor that does this in any systematic way. What is acceptable is always based on the costs and disadvantages of further modification vs the benefits (CBA).

            As you know, in most industries there are no explicit quantitative criteria and all acceptance decisions must be based on CBA. Even where such criteria exist, it’s almost impossible to quantify the effect a control has on the level of risk.

            Now, auditors (and their professional bodies) might say that they “provide reasonable assurance that risk is at acceptable/desired levels” – but I don’t know how they can do this except by just expressing an ‘opinion’ based on custom and practice.

            I think it would be highly desirable if we became very clear on what were the most important controls for our organisations (because they were directly linked to the achievement of our highest level objectives) and compiled a ‘register’ of these. Controls, after all, are tangible, while risks are not.

            As with decisions, risk assessments are merely stepping stones, and the information that informs them and their products are much more valuable than the intermediate document produced, the risk register. A control assurance plan should be a mandatory output from a risk assessment, as should the modification plan.

            • Norman Marks
              January 31, 2017 at 4:12 PM

              I think I said they “should”. Most see a risk in everything and it’s “high” if it’s more than the value of their car.

              • January 31, 2017 at 4:59 PM


                Indeed, they should! But we have to ask, however, why they are not.

                Without wishing to spark an extended debate, I would suggest that professional bodies like the IIA ought to be taking a greater lead here. After all, this is pretty central to what auditors do and why we have them. Or am I confused?

                • Norman Marks
                  January 31, 2017 at 5:00 PM

                  That’s why I write about internal auditing and the IIA guidance. 🙂

  26. January 31, 2017 at 1:40 AM

    How do we start to use the risk register, and can we design a suitable one for an insurance company that takes cover for other companies and individuals?

    • January 31, 2017 at 1:44 AM

      Dear Shoiya,

      My advice is don’t. Don’t start to use one. Just record the important inputs to the risk conversations and the outputs.

    • Gary Lim
      January 31, 2017 at 1:51 AM

      Insurance companies would have their underwriting guidelines; it would be clearly spelled out what risks are acceptable, referral and decline. The industry is very well established; only those who venture into the declined risks will face the music later on.

  27. February 1, 2017 at 2:17 AM

    Hi Norman,
    I think you’ve raised two key issues when discussing the need and usefulness of using Risk Registers:

    1. The Board must tie the firm’s potential risks to its business objectives. In my opinion, this is what brings these risks into context and makes them meaningful, encouraging the right controls and mitigating actions to be put in place.
    2. As you put it: “Do risks remain static or are they dynamic?”: in my opinion, this is intimately related to the previous point and to another very important aspect, which is “Risk Culture”. It’s crucial for a Board of directors to live, breathe and make decisions every day with a Risk mindset, facing undoubtedly very dynamic risks.

    Thanks for another great contribution.
