What is wrong with a typical risk register?


I recently presented at a Zoom meeting of IIA Qatar on the topic of “Risk Management for Success”. At one point, I shared an example of a risk register I had found on the web. I explained how it was removed from the context of achieving objectives (i.e., risk to what?) and that periodically managing a list of risks is not sufficient. Far more is needed for effective risk management as I see it (enabling an acceptable likelihood of achieving objectives[1]).

Risk register

In the Q&A session, somebody asked how the risk register could be improved.


There are multiple problems that need to be overcome, including:

  • As mentioned above, it is a static list of risks, updated occasionally. Managing a list of what could go wrong is not the same as considering how best to achieve objectives. That requires understanding what might happen as part of every decision, and since that changes often, it calls for more than a periodic discussion. However, there is some value in a periodic review of those sources of potential harm that need to be addressed, and typically monitored, on a continuing basis. I will come back to that.
  • Also as noted above, these are risks to what, and what the devil does a “high” rating mean? It doesn’t help us understand how an adverse event would affect the objectives of the organization. That is not…
