Build your risk register based on events

For many firms, once a risk register has been defined it remains largely unchanged; this is a mistake. Many firms operate in an environment of continuous turbulence; therefore, we believe that firms should actively build their risk registers from events that occur within the firm or externally within their industry.

After any significant event, firms should conduct a root-cause analysis exercise to understand the event fully, learn from it and embed those learnings into the risk management process and the firm's culture.

A crucial part of the risk management process should be continuously reviewing events and identifying risks that materialised but were not already on the risk register. Firms should also use events to trigger the closing of risks that may no longer be relevant.

In a firm we work with, the operations team has embedded a continuous improvement process that requires every event above a certain severity to be formally reviewed. As part of this review, every event is expected to be linked to at least one operational process, one technology (systems and digital assets), and the relevant risks and controls.

They specifically seek to identify, and report on, operational risks that materialised but were not in the risk register at the time of the event.

This process is also used by one of the most famous and innovative firms out there.

"If you look at the various reasons why we blew up starships, and you looked at the risk list, none of the reasons they blow up was on the risk list."
Elon Musk, CEO of SpaceX, August 2021

To ensure your resources are focused on the right things, use events to drive a continuous improvement process around your risk register, add new risks as they are identified, and close existing ones that may no longer be relevant.
