A risk register, sometimes called a risk log, is a database of risks used to identify, assess and manage risks, particularly operational risks (losses caused by human error, failed processes, fraud, etc.). It is also typically used to fulfill regulatory compliance by documenting and reporting identified risks.
A risk register will list the risks that are considered the most threatening to the organization. The risks often have some potential financial impact, but they can also include other dimensions like injury, environmental impact, and loss of reputation.
Identifying all the operational risks that are faced by an organization, and then assessing their likelihood and potential impact, enables the organization to rank risks and focus mitigation efforts on managing the most important risks. Listing all the control and mitigation efforts, along with who is responsible for ensuring those efforts are implemented and maintained, makes it possible for an internal audit function to check whether the processes are being followed.
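The ranking described above needs each risk expressed on a common scale. The following is an added example, not Pelican's code or data model, of a small quantitative register: each risk carries an event rate (Poisson) and a per-event loss distribution (lognormal), so risks can be ranked by expected annual loss, a high percentile can be estimated by simulation, and candidate treatments can be compared on net annual benefit. The field names, the sample risks, the treatments and all figures are constructed for illustration.

```python
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One register entry (fields are assumptions for this example, not Pelican's schema)."""
    ident: str
    description: str
    owner: str                 # accountable for the controls, so audit can check they are in place
    freq_per_year: float       # expected number of events per year (Poisson rate)
    loss_median: float         # median loss per event, in currency units (lognormal)
    loss_sigma: float          # log-scale spread of the loss per event

    def mean_loss_per_event(self) -> float:
        # Mean of a lognormal with median m and log-sd sigma is m * exp(sigma^2 / 2).
        return self.loss_median * math.exp(self.loss_sigma ** 2 / 2)

    def expected_annual_loss(self) -> float:
        # Compound Poisson: E[N] * E[X].
        return self.freq_per_year * self.mean_loss_per_event()


@dataclass(frozen=True)
class Treatment:
    """A control or mitigation applied to one risk, with its recurring cost."""
    name: str
    annual_cost: float
    freq_reduction: float      # fraction of events prevented, 0..1
    severity_reduction: float  # fraction of per-event loss avoided, 0..1


def apply_treatment(risk: Risk, t: Treatment) -> Risk:
    """Residual risk after the treatment, in the same distribution family."""
    return replace(
        risk,
        freq_per_year=risk.freq_per_year * (1.0 - t.freq_reduction),
        loss_median=risk.loss_median * (1.0 - t.severity_reduction),
    )


def net_annual_benefit(risk: Risk, t: Treatment) -> float:
    """Expected loss avoided per year minus the treatment's annual cost."""
    avoided = risk.expected_annual_loss() - apply_treatment(risk, t).expected_annual_loss()
    return avoided - t.annual_cost


def _poisson(rng: random.Random, lam: float) -> int:
    # Knuth's multiplication method; adequate for the small rates a register holds.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(risk: Risk, years: int, seed: int = 1) -> list[float]:
    """Monte Carlo sample of the total loss per year for one risk."""
    rng = random.Random(seed)
    mu = math.log(risk.loss_median)
    out = []
    for _ in range(years):
        n = _poisson(rng, risk.freq_per_year)
        out.append(sum(rng.lognormvariate(mu, risk.loss_sigma) for _ in range(n)))
    return out


def percentile(samples: list[float], q: float) -> float:
    s = sorted(samples)
    return s[min(len(s) - 1, int(q * len(s)))]


def rank_register(risks: list[Risk]) -> list[tuple[str, float]]:
    """Risks ordered by expected annual loss, highest first."""
    return sorted(((r.ident, r.expected_annual_loss()) for r in risks),
                  key=lambda x: x[1], reverse=True)


def rank_treatments(risk: Risk, treatments: list[Treatment]) -> list[tuple[str, float]]:
    """Treatments for one risk ordered by net annual benefit, highest first."""
    return sorted(((t.name, net_annual_benefit(risk, t)) for t in treatments),
                  key=lambda x: x[1], reverse=True)


# Constructed sample register; the figures are illustrative, not from any real organisation.
REGISTER = [
    Risk("R1", "Invoice fraud via compromised supplier e-mail", "Finance", 2.0, 40_000.0, 1.0),
    Risk("R2", "Data-centre power failure", "IT Operations", 0.3, 200_000.0, 0.5),
    Risk("R3", "Payroll processing error", "HR", 6.0, 2_000.0, 0.8),
]

# Constructed treatments for R1 only.
TREATMENTS_R1 = [
    Treatment("Out-of-band approval for bank-detail changes", 30_000.0, 0.6, 0.0),
    Treatment("Outsourced payment monitoring", 90_000.0, 0.5, 0.5),
]

if __name__ == "__main__":
    for ident, eal in rank_register(REGISTER):
        risk = next(r for r in REGISTER if r.ident == ident)
        p95 = percentile(simulate_annual_losses(risk, 20_000), 0.95)
        print(f"{ident} owner={risk.owner:14} EAL={eal:11,.0f} p95={p95:11,.0f}  {risk.description}")
    for name, net in rank_treatments(REGISTER[0], TREATMENTS_R1):
        print(f"  R1 treatment {name!r}: net benefit per year = {net:,.0f}")
```

Expected annual loss is enough to order the register, but the 95th percentile from the simulation is what shows whether a low-frequency, high-severity risk such as R2 deserves insurance rather than a control; the cheaper R1 treatment wins on net benefit even though the dearer one removes more loss.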
A risk register mostly addresses event-driven operational risks like accidents, failures to comply with a law, fraud, errors in business processes, etc. It is unsuitable for assessing commercial risks that threaten the strategic objectives of an organization, like the effects of competition, changes in market size, inflation, supply chain uncertainty, cost overruns, or delays in launching key products. Other analytic tools like ModelRisk and Tamara are used for assessing these risks.
Qualitative risk registers, although common, do not provide the necessary information for effective risk management. Pelican’s risk register is fully quantitative. Risk quantification provides numerous benefits that are not possible with qualitative methods:
Kate: Kate is able to save money each quarter by investing in the most cost-effective risk treatments and insurance.
George: George uses bowties to clearly describe complex risk scenarios and develop effective risk management strategies.
Rachel: Pelican is connected to Rachel's calendar to remind her in good time of the risk treatment tasks she is responsible for.
User identifies a possible risk issue and submits it for assessment.
The Pelican Risk Register is not a Governance, Risk and Compliance (GRC) system. GRC systems offer flexible workflow configurations designed to operationalize business processes and ensure that people follow them. GRC systems manage strict and complex regulatory and industry requirements across corporate environments and may involve thousands of users. A by-product of such systems is the evaluation of the risk of failing to meet such requirements.
The Pelican Risk Register can be integrated with a GRC system to import its risk evaluations into the register and thus incorporate GRC risks into the broader picture, provided the GRC system uses quantitative evaluations in its risk assessment. One such example is Archer, the largest GRC system vendor. Archer Insight is Archer’s risk quantification offering. A version of Pelican, rebranded as Archer Insight Workbench, offers Archer clients the full suite of Pelican tools that incorporate Archer data.
The following prices are indicative, based on the number of Pelican users we typically see for different company sizes. Organisations with a larger than usual fraction of employees involved in manual labour, lower regulatory restrictions, or operating in a low-risk environment will have fewer Pelican users relative to their size, and vice versa. The actual cost will depend on the number of registered users, technical aspects associated with installation, and any customised configurations. Training and consulting are available and priced separately.
The control and mitigation strategies for these risks are coordinated across the enterprise and seek to protect and enhance the value of the enterprise, not just one element of the business.
The evaluation of these risks is based on a methodology that is consistent throughout the enterprise and allows the portfolio of risks to be aggregated up through the entity structure of the enterprise.
The responsibility for executing the risk management plan is shared appropriately amongst the employees of the enterprise. In essence, employees work as a team. Risk (and opportunity) identification, assessment, management and communication are a shared responsibility and an integral part of the enterprise’s culture.