Linking risk to decision making and a risk register
All matters for decision which are considered by a Board should include a review of the potential risk implications and impacts. It is useful for Boards to be clear about what the risks are in the decision, where these risks feature in a risk register, what area of the strategic plan the risks link to and where the impact of the risks in the decision lies within the organisation.
Risk appetite can also be referenced, showing where the decision sits relative to the organisation’s risk appetite in the given area.
The Board should discuss the risks, understand their implications, consider trade-offs, and accept inherent risks prior to making a decision. An effective risk assessment can equally be used to decide not to do something.
A risk register sets out the approach used to manage and control events that could have a negative impact on the organisation. At a basic level it will usually be a table with three columns:
- Risk identified
- Risk assessment
- Risk mitigation
Risk identified sets out any exposure to uncertainty. Risks can be identified through dedicated planning sessions, planning for a particular activity, or external sources (learning from others, good practice guidance, audits, customer feedback etc.).
Risk assessment covers the likelihood (or probability) that a risk will occur and the impact it would have.
The risk register usually scores each risk for likelihood and impact twice: a baseline score (where there are no controls in place) and a target score (where the score would be expected to be with controls and mitigation in place). Likelihood is usually scored on a scale of 1 (very low risk of occurrence: extremely unlikely) up to 5 (very high risk of occurrence: almost certain).
Examples are set out below:
An impact score is calculated on a scale of 1 (insignificant impact) to 5 (catastrophic impact).
Risk mitigation is defined as taking steps to reduce adverse effects. Examples include:
- Terminate (avoid/eliminate): A level of risk that should be avoided and if possible should be eliminated. Some risks will only be dealt with to acceptable levels by terminating the activity.
- Treat (control/reduce): This refers to the level of cost-effective (corrective) controls put in place to manage the risk to an acceptable level. The majority of risks will be managed in this way.
- Transfer (insurance / contract): Where the decision is taken to transfer the risk to a third party, usually by means of insurance or contractual transfer such as paying a third party to take the risk.
- Tolerate (accept/retain): The risk here is considered acceptable to the organisation or the ability to do anything about the risk is limited, or the cost of taking action may be disproportionate to the potential benefit gained. A tolerated risk should be monitored and re-evaluated in the future.
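As an added illustration (not part of this resource), a small Python model of such a register: it enforces the 1 to 5 scales, holds baseline and target scores, ties each risk to one of the four treatments above and to a strategic plan area, and flags risks whose target score still exceeds the organisation's appetite for that area. It assumes the common likelihood x impact product as the score and per-area appetite thresholds, neither of which the text specifies; the register entries are constructed sample values.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # likelihood and impact are each scored 1 (very low) to 5 (very high)
TREATMENTS = {"terminate", "treat", "transfer", "tolerate"}  # the four options listed above


@dataclass
class Risk:
    name: str
    strategic_area: str        # area of the strategic plan the risk links to
    baseline_likelihood: int   # scores with no controls in place
    baseline_impact: int
    target_likelihood: int     # expected scores with controls and mitigation in place
    target_impact: int
    treatment: str             # one of TREATMENTS

    def __post_init__(self):
        scores = (self.baseline_likelihood, self.baseline_impact,
                  self.target_likelihood, self.target_impact)
        for value in scores:
            if value not in SCALE:
                raise ValueError(f"{self.name}: score {value} is outside the 1-5 scale")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.name}: unknown treatment {self.treatment!r}")
        if self.target_score() > self.baseline_score():
            raise ValueError(f"{self.name}: target score exceeds baseline score")

    def baseline_score(self) -> int:
        # Assumed scoring: likelihood multiplied by impact (the text does not fix a formula)
        return self.baseline_likelihood * self.baseline_impact

    def target_score(self) -> int:
        return self.target_likelihood * self.target_impact


def ranked(register):
    """Register ordered by baseline (inherent) score, highest first, for Board discussion."""
    return sorted(register, key=lambda r: r.baseline_score(), reverse=True)


def outside_appetite(register, appetite):
    """Risks whose target score still exceeds the appetite (maximum score) for their area."""
    return [r for r in register if r.target_score() > appetite[r.strategic_area]]


# Constructed sample register and appetite thresholds; values are illustrative only
REGISTER = [
    Risk("Key supplier failure", "Operations", 3, 4, 2, 3, "transfer"),
    Risk("Breach of member records", "Compliance", 4, 5, 2, 5, "treat"),
    Risk("Volunteer shortfall at AGM", "Governance", 3, 2, 3, 2, "tolerate"),
]
APPETITE = {"Operations": 9, "Compliance": 6, "Governance": 10}
```

Running `outside_appetite(REGISTER, APPETITE)` returns the breach risk, whose target score of 10 is still above the Compliance appetite of 6, so the register itself prompts the Board to revisit its treatment.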
It is also important that risk management is ongoing and that the Board considers risk in every decision that it takes. There should be plans in place to review the risk register, risk appetite and the wider risk management framework to ensure that they remain up to date and relevant as the organisation grows and changes.
This resource has been written by Angela Lomax from David Tolson Partnership, Chair of the Co-operative Governance Expert Reference Panel.