Give Risk Registers More Love

Risk registers get a bad rap…undeservedly.

The key reason, in my estimation, is the general fuzziness around rating scales.

Rating scales are often too nebulous and not precise enough. Think about it. You are deputizing subject-matter-expert (SME) risk owners to rate, and thereby prioritize, risks, yet you are handing them unsharpened tools.

This may be your one chance a year to connect with your risk owners. They are your ERM lifeline. Every single survey needs to work, because the results of all of those surveys across your universe of risks have to be comparable on a consistent basis. You may have 40 different senior-level risk owners weighing in on 60 overall risks; you need a level playing field, which means every owner rating against the same clearly defined scales.

Three suggestions to contemplate:

a) Risk owners should be allowed to rate severity from a menu of different perspectives on risk impact (e.g. financial, reputational, regulatory, strategic), so that each risk owner can choose the severity measure most pertinent to that particular risk. What especially matters for that risk and resonates with that risk owner? Whichever perspective is chosen, the 1-5 severity ratings must be anchored to comparable thresholds (e.g. a financial 3 and a regulatory 3 describe impacts of similar weight), and the register should record which perspective drove the rating.

b) When risk owners are asked for their perceptions of likelihood, they should be asked to focus on the chance of a significant event, not the chance of every fender-bender. Importantly, the temporal measures should be clearly defined (e.g. once a year all the way to once every 50 years) rather than a bunch of murky and flimsy adjectives (e.g. "unlikely" vs "possible") that mean something different to everyone.

Believe me, I’ve made that mistake before.

If you are using a 1-5 rating scale, therefore, a likelihood rating of 3 might be defined as a significant event occurring once every 10 years. What counts as "significant", in turn, comes from the severity table, perhaps an event rated 3 or higher. That focused approach, a significant event instead of any old event, yields a measurement methodology that a risk owner can understand and that two different owners will apply the same way.

c) Lighten up on, but do not forgo, the measurement of inherent (no controls in place) risk ratings. Inherent ratings are a useful jumping-off point and provide context: the gap between inherent and residual brackets the value of the controls. Residual risk ratings, however, with controls fully in place and effective, are the perceptions closest to real life over the long term, and they are the ones the register should be ranked on.
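The three suggestions can be baked directly into the register's scoring logic so that owners cannot fall back on adjectives. The following Python model is an added illustration, not code from this post or from DoubleCheck's ERM One application; the band boundaries, the perspective menu, the significance threshold and the sample risks are all assumptions chosen to match the 1-5 example above (likelihood 3 = a significant event once every 10 years).

```python
"""Risk-register scoring with explicit, non-adjectival scales.

Added illustration; scale bands, perspective names and sample risks are
assumptions, not the post's or any vendor's published methodology.
"""
from dataclasses import dataclass

# Severity rating at or above which an event counts as "significant".
# Likelihood is rated only for events of this severity or worse.
SIGNIFICANT_SEVERITY = 3

# Impact perspectives a risk owner may rate from (assumed menu).
PERSPECTIVES = ("financial", "reputational", "regulatory", "strategic")

# Likelihood bands: (rating, minimum years between significant events, label).
# Explicit recurrence intervals replace adjectives such as "unlikely".
LIKELIHOOD_SCALE = (
    (5, 0, "once a year or more often"),
    (4, 2, "once every 2 to 4 years"),
    (3, 5, "once every 5 to 14 years"),
    (2, 15, "once every 15 to 49 years"),
    (1, 50, "once every 50 years or less often"),
)


def likelihood_rating(years_between_events: float) -> int:
    """Map a recurrence interval in years to the 1-5 likelihood rating."""
    if years_between_events < 0:
        raise ValueError("recurrence interval must be non-negative")
    rating = 5
    for r, min_years, _label in LIKELIHOOD_SCALE:
        if years_between_events >= min_years:
            rating = r
    return rating


def severity_rating(impacts: dict[str, int]) -> tuple[int, str]:
    """Worst 1-5 impact across the perspectives the owner chose to rate.

    Returns (rating, perspective that drove it) so the register records
    why a risk is severe, not only that it is.
    """
    if not impacts:
        raise ValueError("at least one impact perspective must be rated")
    for name, value in impacts.items():
        if name not in PERSPECTIVES:
            raise ValueError(f"unknown perspective: {name}")
        if not 1 <= value <= 5:
            raise ValueError(f"{name} rating {value} is outside 1-5")
    driver = max(impacts, key=impacts.get)
    return impacts[driver], driver


@dataclass
class Assessment:
    """One owner's view of a risk, either inherent or residual."""
    impacts: dict[str, int]
    years_between_significant_events: float

    def score(self) -> dict:
        severity, driver = severity_rating(self.impacts)
        if severity < SIGNIFICANT_SEVERITY:
            # No plausible event reaches the significant threshold, so the
            # likelihood question does not apply; floor it rather than let a
            # frequent-but-trivial event inflate the score.
            likelihood = 1
        else:
            likelihood = likelihood_rating(self.years_between_significant_events)
        return {"severity": severity, "driver": driver,
                "likelihood": likelihood, "score": severity * likelihood}


@dataclass
class Risk:
    name: str
    owner: str
    inherent: Assessment
    residual: Assessment


def rank_register(risks: list[Risk]) -> list[dict]:
    """Rank by residual score; keep inherent as the bracket that shows
    how much the controls are buying."""
    rows = []
    for r in risks:
        inh, res = r.inherent.score(), r.residual.score()
        rows.append({"risk": r.name, "owner": r.owner,
                     "inherent": inh["score"], "residual": res["score"],
                     "driver": res["driver"],
                     "control_effect": inh["score"] - res["score"]})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register (illustrative, not real data).
SAMPLE_RISKS = [
    Risk("Ransomware outage", "CIO",
         Assessment({"financial": 5, "reputational": 4}, 1),
         Assessment({"financial": 4, "reputational": 3}, 10)),
    Risk("Regulatory reporting miss", "CFO",
         Assessment({"regulatory": 4, "financial": 2}, 3),
         Assessment({"regulatory": 3}, 20)),
    Risk("Office coffee supplier change", "Facilities",
         Assessment({"financial": 1}, 0.5),
         Assessment({"financial": 1}, 0.5)),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_RISKS):
        print(row)
```

Two design points are worth noting. Severity is the worst rating across the perspectives the owner actually chose, and the driving perspective is kept in the row, so a reviewer can see whether a 4 is a regulatory 4 or a financial 4. Likelihood is derived from a recurrence interval, never typed in as a 1-5 number, and a risk whose worst plausible impact sits below the significance threshold is floored to likelihood 1, which is what stops the twice-a-year fender-bender from outranking the once-a-decade outage.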

A few minor tweaks like these should give risk registers the love they deserve.

About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.


DoubleCheck ERM One™

An out-of-the-box tool that delivers an integrated ERM process together with a comprehensive, high-level categorization of exposures (Financial, Core Business, Operational and Strategic), fully loaded with over 60 associated, pre-populated risks to be used as a starting point.
