
How to Develop a Risk Register

Adapted from PM 007 Project Risk Register, Template & Guide, Department of Premier and Cabinet, Tasmania and AS/NZS 4360 Risk Management.

What is a Risk Register?
The Risk Register records details of all the risks identified for the University, a budget centre or project. Risks associated with activities and strategies are identified, then graded in terms of likelihood of occurring and seriousness of impact. Risk registers may identify:
- a unique code for each risk
- a description of each risk and its potential consequences (operational and strategic)
- actions and controls that currently exist to mitigate risks
- factors that may impact upon the likelihood and consequence of the residual risk
- risk grade (priority)
- whether the risk grade is acceptable
- early warning factors and upward reporting thresholds.
Risk registers should be maintained for all Faculties, Divisions, key planning processes and commercial activities. It is expected that the majority of managers will document their key business processes, and upward report emerging risk areas.
Why would you develop a Risk Register?
As a formal document, the analysis contained in a risk register can be used to document and improve workplace practices. The register can also be used to notify senior managers of emerging risk exposures that warrant immediate attention.
Involving staff and other members of the University community in the process of compiling a risk register is likely to encourage a high level of ownership of, and commitment to, University processes and activities.
The process of identifying and analysing risks should be a part of tactical decision making and strategic planning. The worth of business plans can be improved significantly if the risks associated with key business processes and proposals are analysed and, where necessary, mitigated.
Before you start you will need:
- agreement from the responsible Dean or Executive Director in relation to how the risk management framework is to be structured and supported at a Faculty or Divisional level.
- understanding of the University's Risk Management Policy
- understanding of the Risk Management Standard AS/NZS ISO 31000:2009 - Principles and Guidelines
- understanding of the key business and activity processes that may expose CSU to risk.
- an understanding of the positive and negative risks associated with the activities and proposals. Identifying risks should involve consultation with colleagues and other key stakeholders and consider relevant contextual issues. At the risk identification stage, risks need not be assessed or prioritised.
The Risk Management Standard, related documents and a variety of informational and training materials can be accessed from the Office of Planning and Audit website.
Risk Registers
The risk register template consists of some headings and a table that reflects the nature of the information that is to be addressed. The advantages of using a single template as a record of risk analysis, evaluation, treatment and monitoring actions are brevity and clear presentation of the logic which supports the decision making process. Where risk management treatment plans are required to be comprehensive it may be appropriate to supplement the applicable risk register entry with a separate, supporting risk treatment plan.
The completed risk register should be brief and to the point, so it quickly conveys the essential information. It should be updated on a regular basis.
Risk treatment actions can include:
- Planned actions to reduce the likelihood a negative risk will occur and/or reduce the seriousness should it occur (What should you do now?)
- Contingency actions - planned actions to reduce the immediate seriousness of a negative risk when it does occur. (What should you do when?)
- Recovery actions - planned actions taken once a negative risk has occurred to allow you to move on. (What should you do after?)
- Risk Transfer (e.g. through assignment of contractual responsibilities or insurance).
- Actions necessary to ensure the realisation of opportunities (positive risks)
<BUDGET CENTRE OR CONTROLLED ENTITY OR PROJECT TITLE>
Risk Register as at <Date>
Report for: <Activity or Project Sponsor, Dean/Executive Director, Steering Committee (if applicable)>
Project Manager/Budget Centre Manager: <Name>
Activity Description: A brief description of the objectives and scope of the activities to be included in the Risk Register.
Likelihood Rankings (Positive or negative risks)
As a Guide Only - Likelihood rankings should be calibrated, where necessary, to ensure compliance with applicable regulations, safety standards and other tolerances that have been agreed with key activity sponsors.
1 Rare: Once in 50 years. Probability less than 2%
2 Unlikely: Once in 20 years. Probability less than 5%
3 Possible: Probability of 5% to 50%
4 Likely: Probability 50% to 90%
5 Almost Certain: Probability of 90% or more

Consequence Rankings (negative risks): Health, safety and environment
As a Guide Only
1 Insignificant: Very minor injury or short term impact to the local environment.
2 Minor: Minor injury likely to be restricted to an individual. Localised environmental impact.
3 Moderate: Injury of more than a minor nature to a few individuals, likely to result in some absence from work. Measurable local environmental impact is not considered long term.
4 Major: Risk event may lead to serious injury and incapacitation. Local environmental impact would be very long term. A wider environmental impact may be pronounced.
5 Catastrophic: Risk event may lead to a death or total and permanent disablement to one or more individuals. Environmental impact may be wide spread and possibly permanent.

Consequence Rankings (negative risks): Values, ethics and reputation
As a Guide Only
1 Insignificant: Risk event has some short term, or contributory impact on the reputation of some individuals. The risk event should not, by itself, impact the long term reputation of individuals or the University.
2 Minor: Risk event has a measurable, though not insurmountable impact on the reputation of individuals or a budget centre. Impact on the University, if any, is likely to be short term.
3 Moderate: Risk event may have a longer term reputation impact. Negative systemic findings by external review agencies may fall into this category if they are unlikely to have a major impact on the University's reputation as a whole.
4 Major: Risk event may seriously impact upon the reputation of the University as a whole.
5 Catastrophic: Reputation impact is sufficient to result in a curtailment of major activities and/or a decision by large numbers of students not to study at CSU. Loss of accreditation leading to loss of most sponsor funding and students.

Consequence Rankings (negative risks): Quality
As a Guide Only
1 Insignificant: Risk event has some short term, or contributory impact on the quality of service delivery, educational outcomes and research integrity. The risk event should not, by itself, impact the long term outcomes or reputation of individuals or the University.
2 Minor: Risk event has a measurable, though not insurmountable impact on the quality of service delivery, educational outcomes or research integrity. Impact on the University, if any, is likely to be short term.
3 Moderate: Risk event may have a longer term impact on the quality of service delivery, educational outcomes and research integrity. Quality weaknesses impact on CSU's general reputation and standing. Moderate funding impact.
4 Major: Risk event may seriously impact upon the quality of service delivery, educational outcomes and/or research integrity. Significant impact on CSU's general reputation and standing. Major funding impact.
5 Catastrophic: Quality failure is sufficient to result in a curtailment of major activities and/or a decision by large numbers of students not to study at CSU. Loss of future research opportunities. Loss of accreditation leading to loss of most sponsor funding and students.

Consequence Rankings (negative risks): Business Continuity
As a Guide Only
1 Insignificant: Risk event is undesirable but does not, in itself, impact the continuity of an activity, project or key business process. Disruption of services to internal and external customers is negligible.
2 Minor: Risk event may disrupt the timely delivery of a small project or activity. Disruption of institution wide services would not impact significantly on other budget centres.
3 Moderate: Risk event causes significant disruption to the operation of a large activity or budget centre. Key institutional deadlines may not be met. Risk event materially disrupts the operation of other budget centres. Failure to ensure succession plans for key individuals or failure to record important processes and decisions would increase the likelihood of risk events at this level. Dissatisfaction of internal and external customers is likely.
4 Major: A risk event at this level may prevent a budget centre from delivering most of its core functions and strategic objectives. At a whole of institution level, disruption to activities would impact adversely on learning, research and/or overall business outcomes.
5 Catastrophic: Risk event may have a longer term impact on the ability of the University to continue operating. Major level risk events may become catastrophic if backup and recovery plans fail.

Consequence Rankings (Negative Risks): Finance
As a Guide Only
1 Insignificant: Risk event is undesirable but has no serious impact on the activity, project or budget centre.
2 Minor: Risk event has some impact on the ability of the budget centre to deliver some strategic objectives.
3 Moderate: Risk event has a measurable impact on the ability of the budget centre to deliver on its stated objectives or continue services. The overall financial wellbeing of the University is not impacted materially. Potential loss of $500,000 or more.
4 Major: Risk event significantly impairs the ability of the University to pursue its mission, goals and strategic initiatives. Potential loss of $2,000,000 or more.
5 Catastrophic: Risk event has potential to bankrupt the wider operations of the University. Potential loss of $15,000,000 or more.

Consequence Rankings (Negative Risks): Compliance
As a Guide Only
1 Insignificant: Breach occurs but has no significant impact on other risk categories. Unlikely to result in fines or action for damages.
2 Minor: Breach has a minor impact on some other risk categories.
3 Moderate: Breach has a moderate impact on some other risk categories. May relate to a key compliance requirement. Potential liability of $500,000 or more.
4 Major: Breach has a major impact on some other risk categories. Potential for significant fines, loss of accreditations and high value damages may be high. Potential liability of $2,000,000 or more.
5 Catastrophic: Breach has a catastrophic impact on some other risk categories. Continuity of operations may be questionable. Potential liability of $15,000,000 or more.

Consequence Rankings (Negative Risks): Student Experience Examples (optional category)
As a Guide Only
1 Insignificant: Risk event is a minor irritation to a small number of students. Institutional standing and reputation not impacted.
2 Minor: Risk event is a concern to a small number of students or, perhaps, a minor irritation to a larger number of students. Unlikely to impact total study experience or overall attitude towards CSU. Institutional standing and reputation not impacted.
3 Moderate: Risk event would be a serious concern to a small number of students, or a moderate concern to the student population. Risk events at this level would tend to diminish CSU's wider reputation as a centre of learning and research.
4 Major: Risk event may cause a significant number of students to leave CSU or not commence study at CSU. Risk events at this level may result in CSU being widely viewed as a second rate institution. Significant numbers of completing students are angry about much of the CSU learning experience.
5 Catastrophic: Majority of students or potential students elect not to commence or continue study at CSU. Loss of accreditation in a number of areas. Employers assign little value to CSU qualifications. Majority of completing students are very angry about their learning experience at CSU.

Note that risk events are not exclusive to any particular category. Key risk events may need to be considered within the context of 2 or more risk categories.
Grade: Combined effect of Likelihood/Seriousness (As a Guide Only)

Likelihood        | Consequence Rating
                  | 1. Insignificant | 2. Minor | 3. Moderate | 4. Major | 5. Catastrophic
A. Almost Certain | L                | M        | H           | E        | E
B. Likely         | L                | M        | H           | E        | E
C. Possible       | L                | L        | M           | H        | E
D. Unlikely       | L                | L        | M           | H        | H
E. Rare           | L                | L        | L           | M        | H

(Adapted from AS/NZS ISO 31000:2009, Risk Management. Under the CSU risk management approach the colour of the risk grade will be contingent on likelihood, consequence and risk grade calibrations that are agreed with the activity sponsors.)
Recommended actions for grades of negative risk
Grade: Risk mitigation actions
L LOW: These risks should be recorded, monitored and controlled by the responsible manager. Activities with unmitigated Environment, Health and Safety risks that are graded above this level should be avoided.
M MEDIUM: Mitigation actions to reduce the likelihood and seriousness to be identified and appropriate actions to be endorsed at a Faculty or Divisional level.
H HIGH: If uncontrolled, a risk event at this level may have a significant impact on the operation of a budget centre or the University as a whole. Mitigating actions need to be very reliable and should be approved and monitored in an ongoing manner by the responsible Dean or Executive Director. The Vice-Chancellor should be advised of identified or emerging strategic risks which have been graded at this level.
E EXTREME: Activities and projects with unmitigated risks at this level should be avoided or terminated. This is because risk events graded at this level have the potential to cause serious and ongoing damage to the University, the community or the environment. Reporting emerging or continuing risk exposures at this level to the Vice-Chancellor and to the University Council is mandatory.
Standard Template
Faculty/Division/Office of [insert text here]
Risk Register [Year]

Columns: Risk Id | Risk Event | Consequence | Proposed mitigating actions | Are current actions effective / efficient? (Yes/No) | Residual Likelihood Rating (given current actions) | Residual Consequence Rating | Risk Grade | Is this Risk Grade Acceptable? | Early Warning and upward reporting triggers

Sections (one block of rows for each):
Health Safety and Environment
Values, Ethics and Reputation
Business Continuity
Quality
Finance
Compliance
Other

Abbreviated Template
Faculty/Division/Office of [insert text here]
Risk Register [Year]

Columns: Risk Event and Consequence | Mitigating action(s) | Residual risk rating (given mitigating actions): Extreme - High - Medium - Low | Early warning and reporting triggers

Sections (one block of rows for each):
Health, Safety & Environment
Values, Ethics and Reputation
Business Continuity
Quality
Finance
Compliance
Other
