Managing risk is not a one-off event; it is an ongoing process, as illustrated:
This Practice Note provides guidance on evaluating and recording risks by way of a risk register—see Precedent: Risk register.
What is risk?
There is a widely accepted definition of risk, ie:
Risk = probability x impact
So, for any given risk faced by your business, there are two questions:
- how likely is it that the risk will materialise, ie what's the probability?
- if the risk does materialise, how bad will it be, ie what's the impact?
A risk register is a tool for scoring and recording individual risks using this formula—see section Scoring each risk. It is also used to record your response to each risk, ie reject or accept and, if the latter, steps taken or planned to control or mitigate the risk.
Identifying risks
To formulate an effective risk register, you must first identify the risks your business faces. It is also helpful to understand your organisation's appetite for risk—see Practice Note: Identifying and