Sample Risk Register
Contents

Worksheet (RMF process): Description
- Context & Objectives (Establish the Context): Use this template to list your Process/Practice objectives and to scope the context for risk management in your group.
- Interested Parties (Identify the Interested Parties): Use this template to list all your interested parties or stakeholders.
- Register (Document): Use this template to document the identification, analysis & evaluation, treatment and monitoring of risks for your group.
- Identification (Identify Risks): Provides examples of risks that are typical to small to midsize firms.
- Assessment_Likelihood (Analyse & Evaluate Risks): Lists the assessment criteria for rating the likelihood, or probability, of a risk event occurring.
- Assessment_Consequence (Analyse & Evaluate Risks): Lists the assessment criteria for rating the consequence, or impact, if a risk event occurs.
- Rating Matrix (Analyse & Evaluate Risks): Lists risk ratings based on the assessed likelihood and consequence.
- Assessment_Controls (Analyse & Evaluate Risks): Lists the assessment criteria to rate the effectiveness of existing controls within your group.
- Treatment (Treat Risks): Lists the options available for treating risks.
2 QMS MANAGEMENT REVIEW REPORT PREPARATION
   Inputs: c. CPAR closure; d. CPAR findings category; e. Voice of the external customer; f. Site surveillance activities; follow-up of previous action items to be addressed; recommendation of improvement action.
   Result: Review QMS implementation and compliance to ISO QMS standard.
2 CUSTOMER SERVICE SATISFACTION SURVEY
3 MANAGEMENT REVIEW REPORT
Prepared by:
SWOT

INTERNAL CONTEXT (S = strength, W = weakness)
- ISO 9001:2008 Certification (S)
- Table of Organization (HO & Projects) (W)
- Auditors competency (S)
- Other offices & project locations (W)
- Communication system (connectivity) (W)
- Legal, regulatory, statutory compliance (W)
- Budget (S)

EXTERNAL CONTEXT
- Transition to ISO 9001:2015
- Changes in legal/regulatory/statutory requirements
- Weather & geography
- Availability & attitudes of auditees
- Ethical and religious norms in proj. sites
- Knowledge of customers & subcons
- Safety and security on project sites
- Network connection
1 EMPLOYEES
4 Client
Prepared by:
_____________________ _____________________
Name & Signature Date
INTERESTED PARTIES
Group/Dept: ABCD
Document #: F-CIM-XXX
Revision: 00
Effective Date: XX/YY/ZZ
___________________________ _____________________
Name & Signature Date
RM 11 PRINCIPLES
1. creates and protects value
2. integral part of all organizational process
3. RM is part of decision making
4. explicitly addresses uncertainty
5. Systematic, structured and timely
6. is based on the best available information
7. Tailored
8. takes human and cultural factors into account
9. Transparent and inclusive
10. RM is dynamic, iterative and responsive to change
11. facilitates continual improvement of the organization

RISK IN 3 VIEW: POSITIVE, NEGATIVE AND NEUTRAL

RISK FORMULA: LIKELIHOOD OF OCCURRENCE X OCCURRENCE IMPACT
Register column groups: RISK ASSESSMENT (Inherent Risk Analysis) | CONTROL ASSESSMENT | RISK TREATMENT | RISK MONITORING & REVIEW | RISK RE-ASSESSMENT (Residual Risk Analysis)

Column guidance:
- Risk ID: Enter a unique reference.
- Date Raised: Enter the date when the risk was first raised.
- Raised by: Name the person who raised the risk.
- Raised during: State the event/activity or reference where the risk is raised.
- Risk Category: Identify the relevant risk category.
- Inherent Risk: Capture the potential event with enough detail to be understood in isolation.
- Cause: Describe the potential cause(s) or source(s) of the risk event.
- Consequence: Describe the main impact(s) of the risk event occurring.
- Likelihood: Assess the probability of the risk event occurring.
- Consequence (rating): Assess the plausible impact of the risk event occurring.
- Risk Rating: Rate the risk based on likelihood and consequence.
- Existing Control: Describe the existing or current control(s) or management activities in place.
- Risk Control Effectiveness: Assess the effectiveness of existing or current control(s) in place.
- Treatment: Describe the treatment to be applied to the risk.
- Action Plan: State the planned action to address or treat the risk.
- Risk Owner: Assign a Planned Action Owner.
- Date: Enter the date by which the action is to be implemented.
- Method: List the methods for monitoring and review points.
- Key Risk Indicator (KRI): List all possible KRIs or trigger alarms for the identified risk.
- Status: Update the status of the action(s) done.
- Implement New Control Effectiveness: Assess the effectiveness of the new control(s).
- Likelihood (residual): Assess the probability of the risk event occurring.
- Consequence (residual): Assess the plausible impact of the risk event occurring.
- Risk Rating (residual): Rate the risk based on likelihood and consequence.
PROCESS 1: Procurement

Risk ID 3 | Date Raised: 16-Aug-19 | Raised by: ENJ | Raised during: Strategic Meeting
  Inherent Risk: Late Issuance of PO re Urgent Request
  Cause: Sequence and Specification Lacking of needed Materials/Request
  Likelihood: ALMOST CERTAIN | Consequence rating: CATASTROPHIC | Risk Rating: VERY HIGH
  Existing Control: Verification and Clarification of Construction Materials Request to End User | Effectiveness: ADEQUATE
  Treatment: TREAT | Action Plan: Assess Completeness of Purchase Request | Risk Owner: Procurement | Date: Sept. 1, 2019
  Monitoring Method: Familiarity | KRI: Cycle Time Efficiency | Status: CLOSED
  New Control Effectiveness: ADEQUATE | Residual Likelihood: POSSIBLE | Residual Consequence: MINOR | Residual Risk Rating: TOLERABLE

Risk ID 4 | Date Raised: 16-Aug-19 | Raised by: GMC
  Inherent Risk: OSH Training Compliance
  Cause: Lack of advance OSH training
  Consequence: Penalties and Violation
  Likelihood: LIKELY | Consequence rating: CATASTROPHIC | Risk Rating: VERY HIGH
  Existing Control: Provide advance training for OSH personnel | Effectiveness: ADEQUATE
  Treatment: TREAT | Action Plan: Ensure that all OSH personnel are competent, have 2 years' experience and OSH advance training before hiring | Risk Owner: OSH | Date: Sept. 1, 2019
  Monitoring Method: Monthly | KRI: No. of safety Officers for High Risk level | Status: CLOSED
  New Control Effectiveness: STRONG | Residual Likelihood: RARE | Residual Consequence: MODERATE | Residual Risk Rating: LOW
Prepared by: Noted by: (Dept. Head) Approved by: (Group Head)
____________
Signature over Printed Name Date Signature over Printed Name Date Signature over Printed Name Date
Example of Risks

Columns: Context/Category | Risk | Cause | Consequence

Category: Business
Risk: Failure to deliver quality product or service
Cause: Lack of staff training; Ineffective quality control and engagement review; Service not delivered in a timely manner
Consequence: Reputational damage; Damage relationship with clients; Increase in client complaints; Increased scrutiny from regulators; Increased likelihood of claims

Category: Business
Risk: Loss of key staff member
Cause: Accident, illness, retirement or lack of opportunity for progression
Consequence: Loss of key business intelligence, loss of clients; Lack of continuity of client service

Category: Business
Risk: Negative comment on social media
Cause: Failure to communicate effectively with client/s
Consequence: Significant loss of reputation and client fees

Category: Business
Risk: Uninsured loss due to flood or fire
Cause: Damage to property not covered under policy, e.g. policy covers fire but not water damage from fighting fire in adjacent office.
Consequence: Cost to business; Serious disruption to service; Possible failure of business

Category: Business
Risk: Failure to manage conflict of interest
Cause: A major dispute between clients, e.g. divorce, family dispute, business owners
Consequence: Cost to business; Serious disruption to service; Possible failure of business

Category: Financial
Risk: Failure to fully recognise revenue
Cause: Inaccurate recording of time spent on client work
Consequence: Loss of revenue; Failure of practice

Category: Financial
Risk: Failure to collect receivables in a timely manner
Cause: Slow payment from debtors; Lack of monitoring of outstanding debtors
Consequence: Poor cashflow; Outstanding debts become uncollectable; Loss of revenue; Cost to practice

Category: Human Resources
Risk: Unfair dismissal or sexual harassment claim
Cause: Failure of HR/firm policy to meet legislative requirements
Consequence: Lower staff morale; Cost to practice

Category: Technology
Risk: Disruption to provision of services
Cause: Technology service interruption; No or inadequate disaster recovery plan
Consequence: Poor client service; Loss of clients; Cost to practice

Category: Technology
Risk: Disruption to client service
Cause: Lack of maintenance to office premises or improper usage of facilities
Consequence: Water damage to IT equipment, e.g. overflow from the floor above
Assessment Criteria − Likelihood

Assessment Criteria − Consequence

CATASTROPHIC
- Enterprise/company wide. Could shut down process/practice/part of company.
- Inability to continue normal business operations across all business units, the whole process, or all functions. Business/process objectives not achieved.
- Fiscal: >50%; >50% Calendar Year
- Management: Indictments; Large Scale Class Actions; Restatement; Regulatory Sanctions
- Loss of confidence in all stakeholder groups
- Potentially irrecoverable (i.e. 24-36 months); Potential acquisition or bankruptcy; Dissolution of the group/dept.

MINOR
- 1 Business Unit, process, or function. With some impact that is easily remedied.
- Significant interruptions to business operations with 1 or more business units, processes, or functions. Acceptable level of nonconformance to requirements or expected output.
- Fiscal: 5%-15%; <10%
- Management unaffected; Minimal liabilities; Regulatory attention; Refinements or adjustments to operating plans and execution; Control weakness; Potential NC during CB audits
- Loss of confidence by 1 or more stakeholder groups
- Short term recovery (i.e. <6 months)
Depending on the type and nature of the risk, the following options are available:

OPTION: TREATMENT
- TERMINATE ("AVOID"): Deciding not to proceed with the activity that introduced the unacceptable risk, choosing an alternative more acceptable activity that meets business objectives, or choosing an alternative less risky approach or process.
- TREAT ("REDUCE"): Implementing a strategy that is designed to reduce the likelihood or consequence of the risk to an acceptable level, where elimination is considered to be excessive in terms of time or expense.
- TRANSFER ("SHARE"): Implementing a strategy that shares or transfers the risk to another party or parties, such as outsourcing the management of physical assets, developing contracts with service providers or insuring against the risk. The third party accepting the risk should be aware of and agree to accept this obligation.
- TOLERATE ("ACCEPT"): Making an informed decision that the risk rating is at an acceptable level or that the cost of the treatment outweighs the benefit. This option may also be relevant in situations where a residual risk remains after other treatment options have been put in place. No further action is taken to treat the risk; however, ongoing monitoring is recommended.
Lists used in the Risk Register
Risk Categories
Under APES 325, at minimum risks should be considered within the following categories. If you add categories to the list below that may be relevant to your firm, you will need to update the cell naming defined as Risk_Category to ensure that any additions display in the drop-down lists on the Risk Register.
Governance
Business continuity
Business
Financial
Regulatory
Technology
Human resources
Stakeholder
Treatment
To change the wording used for the treatment options, make the edit to the list below and then the remainder of the spreadsheet will automatically update.
Treatment
AVOID
REDUCE
SHARE
TRANSFER
ACCEPT
Status
To change the wording used for the status of risks, make the edit to the list below and then the remainder of the spreadsheet will automatically update.
Status
OPEN
CLOSED