A risk register brings together the output of an organisation's risk identification process and reflects the size and complexity of the business and its risk policy. An effective risk register typically:
- Gathers together risk information to enable effective sharing and communication of that information.
- Focuses attention on the key risks and therefore drives action.
- Is linked to the capital requirements of the organisation.
- Assists in developing a portfolio view of risk.
- Forms the core of an organisation's risk knowledge database and is the basis for risk analysis and reporting.
- Facilitates monitoring and review.
- Evidences a systematic and comprehensive approach to risk identification.
- Is subject to regular review and update.

With respect to significant risks, a risk register typically captures:
- A description of the risk.
- The assessment of risk and control.
- Causes and influencing factors, both internal and external.
- Effects and outcomes, financial, reputational and other.
- Controls and actions currently in place to manage elements of the risk.