Adapted from PM 007 Project Risk Register, Template & Guide, Department of Premier and Cabinet, Tasmania, and AS/NZS 4360 Risk Management.
What is a Risk Register?
The Risk Register records details of all the risks identified for the University, a budget centre or project. Risks associated with activities and strategies are identified and then graded in terms of likelihood of occurring and seriousness of impact. Risk registers may identify:
• a unique code for each risk;
• a description of each risk and its potential consequences (operational and strategic);
• actions and controls that currently exist to mitigate risks;
• factors that may impact upon the likelihood and consequence of the residual risk;
• risk grade (priority);
• whether the risk grade is acceptable;
• early warning factors and upward reporting thresholds.
Risk registers should be maintained for all Faculties, Divisions, key planning processes and commercial activities. It is expected that the majority of managers will document their key business processes and report emerging risk areas upward.
Why would you develop a Risk Register?
As a formal document, the analysis contained in a risk register can be used to document and improve workplace practices. The register can also be used to notify senior managers of emerging risk exposures that warrant immediate attention.
Involving staff and other members of the University community in the process of compiling a risk register is likely to encourage a high level of ownership of, and commitment to, University processes and activities.
The process of identifying and analysing risks should be a part of tactical decision making and strategic planning. The worth of business plans can be improved significantly if the risks associated with key business processes and proposals are analysed and, where necessary, mitigated.
Before you start you will need:
• agreement from the responsible Dean or Executive Director in relation to how the risk management framework is to be structured and supported at a Faculty or Divisional level;
• understanding of the University’s Risk Management Policy;
• understanding of the Risk Management Standard AS/NZS ISO 31000:2009 - Principles and Guidelines;
• understanding of the key business and activity processes that may expose CSU to risk;
• an understanding of the positive and negative risks associated with the activities and proposals. Identifying risks should involve consultation with colleagues and other key stakeholders and consider relevant contextual issues. At the risk identification stage, risks need not be assessed or prioritised.
The Risk Management Standard, related documents and a variety of informational and training materials can be accessed from the Office of Planning and Audit website.
The risk register template consists of some headings and a table that reflects the nature of the information that is to be addressed. The advantages of using a single template as a record of risk analysis, evaluation, treatment and monitoring actions are brevity and clear presentation of the logic that supports the decision-making process. Where risk management treatment plans are required to be comprehensive, it may be appropriate to supplement the applicable risk register entry with a separate, supporting risk treatment plan.
The completed risk register should be brief and to the point, so it quickly conveys the essential information. It should be updated on a regular basis.
Risk treatment actions can include:
• Planned actions to reduce the likelihood a negative risk will occur and/or reduce the seriousness should it occur (What should you do now?)
• Contingency actions - planned actions to reduce the immediate...