
The value of a risk register during the COVID-19 crisis

5 June, 2020

Would a risk register have made a tangible difference to how hard a business was impacted by the COVID-19 crisis? Unfortunately, it’s still too early to know – since COVID-19 will continue to pose a threat to many businesses for the foreseeable future. So let’s explore what we do know.

Why some businesses have coped better than others

Undoubtedly some businesses have navigated this difficult period better than others so far.

Organisations that had even a loose crisis plan in place have had a head start in creating a more detailed plan that outlines specific steps to protect stakeholders, including staff, clients and investors.

However, some businesses in the most severely affected industries (such as tourism and hospitality) have experienced a disaster of unprecedented proportions – one that was largely out of their hands due to government intervention.

All of this then begs the question: was an event of this type something that businesses could have predicted and planned for?

To answer this question, it’s important to understand what success looks like when organisations employ a risk register as a key tool to manage risk.

What is a risk register?

Put simply, a risk register is a tool to assist you in managing risk.

It can take many forms, the most basic of which could be an Excel spreadsheet. At the other end of the spectrum might be an auditable cloud-based dynamic tool.

To be more specific, however, a risk register is the outcome of a process that challenges you to:

  • Consider areas of exposure in your business
  • Articulate specific risks to your business (this involves properly defining causation, that is, ‘what the risks look like’ and classifying those risks into logical groups such as strategic, financial, legal, regulatory, security, safety and supply-chain)
  • Identify how your business might be affected if the risk were to come to fruition and which parts of your organisation might be affected (including staff, the board, lenders, customers, suppliers and others)
  • Set a scale to measure the impact of each risk occurring in your business using defined metrics (usually captured in a 5×5 matrix premised on likelihood and consequence), which might look like this:

  • Prioritise the risk for treatment (using the matrix measure, with 25 being ‘bad’, to define what your acceptable retained-risk threshold looks like)
  • Consider treatment plans to manage the risk (this involves avoidance, transfer, reduction or acceptance)
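The steps above can be carried through in code. What follows is a small working risk register written for this page as an added example; it is not Austbrokers Corporate's tool or a published standard. It records each risk's category, stakeholders, treatment option and action plan, scores it on the 5×5 likelihood × consequence matrix (so 25 is the worst cell), and flags risks that still sit above the retained-risk threshold after treatment. It also carries both an inherent (raw, untreated) and a residual (as it exists today) rating, the distinction drawn in the Next steps section. The rating bands, the threshold of 9 and the sample risks are all constructed assumptions.

```python
"""Minimal risk register built on a 5x5 likelihood x consequence matrix.

Added illustration, not Austbrokers Corporate's tool. The rating bands, the
retained-risk threshold and the sample risks are constructed assumptions; an
organisation sets its own.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum

SCALE = range(1, 6)  # likelihood and consequence are each rated 1..5


class Treatment(Enum):
    """The four treatment options: avoidance, transfer, reduction, acceptance."""
    AVOID = "avoidance"
    TRANSFER = "transfer"
    REDUCE = "reduction"
    ACCEPT = "acceptance"


def matrix_score(likelihood: int, consequence: int) -> int:
    """Cell value of the 5x5 matrix, from 1 (negligible) to 25 ('bad')."""
    if likelihood not in SCALE or consequence not in SCALE:
        raise ValueError("likelihood and consequence must each be 1..5")
    return likelihood * consequence


def rating_band(score: int) -> str:
    """Assumed bands over the 1..25 range (not a published standard)."""
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    category: str               # strategic, financial, legal, regulatory, security, ...
    stakeholders: list[str]     # who is affected if the risk comes to fruition
    inherent: tuple[int, int]   # (likelihood, consequence) of the raw, untreated risk
    residual: tuple[int, int]   # (likelihood, consequence) with today's controls in place
    treatment: Treatment
    mitigations: list[str] = field(default_factory=list)

    def inherent_score(self) -> int:
        return matrix_score(*self.inherent)

    def residual_score(self) -> int:
        return matrix_score(*self.residual)


def validate(risk: Risk) -> list[str]:
    """Consistency checks a register reviewer would apply before sign-off."""
    problems = []
    if not risk.stakeholders:
        problems.append("no stakeholders identified")
    if risk.residual_score() > risk.inherent_score():
        problems.append("residual score exceeds inherent score")
    if risk.treatment in (Treatment.REDUCE, Treatment.ACCEPT) and not risk.mitigations:
        problems.append("reduce/accept chosen but no action plan recorded")
    return problems


def above_threshold(register: list[Risk], threshold: int) -> list[Risk]:
    """Risks whose residual score still exceeds the acceptable retained-risk
    threshold, most severe first; these need further treatment."""
    return sorted((r for r in register if r.residual_score() > threshold),
                  key=lambda r: (-r.residual_score(), -r.inherent_score(), r.name))


RETAINED_RISK_THRESHOLD = 9  # assumed: a residual score above 9 is not accepted as-is

# Constructed sample register; names, ratings and controls are illustrative only.
SAMPLE_REGISTER = [
    Risk("Undefined catastrophic event disrupting ability to trade", "strategic",
         ["staff", "customers", "suppliers", "lenders", "regulators"],
         inherent=(2, 5), residual=(2, 4), treatment=Treatment.REDUCE,
         mitigations=["crisis committee formed within 24 hours of the event",
                      "customer and staff communication plan via SMS and email"]),
    Risk("Ransomware outage of core systems", "security", ["staff", "customers"],
         inherent=(4, 5), residual=(3, 4), treatment=Treatment.REDUCE,
         mitigations=["offline backups restored in a quarterly test"]),
    Risk("Key supplier insolvency", "supply-chain", ["customers", "suppliers"],
         inherent=(3, 4), residual=(2, 3), treatment=Treatment.TRANSFER,
         mitigations=["dual-sourcing contract for critical components"]),
    # Deliberately inconsistent entry so validate() has something to flag.
    Risk("Office flood", "property", ["staff"],
         inherent=(2, 3), residual=(3, 3), treatment=Treatment.ACCEPT),
]

if __name__ == "__main__":
    for risk in SAMPLE_REGISTER:
        print(f"{risk.name}: inherent {risk.inherent_score()} "
              f"({rating_band(risk.inherent_score())}), residual {risk.residual_score()} "
              f"({rating_band(risk.residual_score())}), treatment {risk.treatment.value}; "
              f"issues: {validate(risk) or 'none'}")
    print("needs further treatment:",
          [r.name for r in above_threshold(SAMPLE_REGISTER, RETAINED_RISK_THRESHOLD)])
```

Running it lists each risk with its inherent and residual band and any review findings; the "Office flood" entry is flagged twice (residual above inherent, and acceptance with no action plan), and only the ransomware risk remains above the assumed threshold after current controls are counted.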

You could also think of a risk register as a way to present your risk mindset in a document or spreadsheet so that another person can understand it. Without the mindset to contemplate risks that haven’t actually happened yet, it would be difficult to bring your thinking to life in a way that makes sense to someone else.

Should all businesses have a risk register?

No. But why wouldn’t you?

The ASX Corporate Governance Council – Corporate Governance Principles & Recommendations (7)[i] recommends that:

“A listed entity should establish a sound risk management framework and periodically review the effectiveness of that framework”

Most annual reports now have a section detailing the primary risks that a company has identified and their remediation plans.

Is a risk register the utopia for managing risk?

No, but it’s a big part of what utopia should look like.

Let’s assume we have a well-articulated risk register, which shows the mindset we wish to adopt and apply. Now let’s consider that we have the discipline to present it in a way that will help others understand, interpret and implement it. What’s still missing?

Accountability.

What’s the point of having a risk register if all it does is tick a box for the Audit & Risk Committee and sits in your paperless storage cabinet somewhere between resume and router maintenance?

If risk oversight is not a direct and routine function of your board, your company isn’t taking it seriously.

It is common practice for a board sub-committee to take responsibility for risk assessment and management. Typically this would be named the ‘Audit & Risk Committee’. However, risk ownership is not something boards should delegate.

Qantas, for example, validates this premise by stating their position as follows:

“Qantas maintains a strong governance structure for threats and opportunities. The board has overall responsibility for the governance of risks. Oversight is maintained through the Audit Committee and the Committee for Health, Environment, Safety and Security (CHESS)”[ii]

It’s now important to consider what matters most in this context:

  • Is it committing resources and money to develop and manage a risk register?
  • Is it an org-chart that clearly maps risk management in the business?
  • Or is it simply willingness to discuss potential risk within your organisation?

Bringing a risk register to life

Is it plausible to think that a business would have listed ‘catastrophic global pandemic event’ on its risk register – and given it serious consideration around the board table – before 2020?

For some companies, the answer is yes.

Airlines would have thought about it. Pharmaceutical companies would have thought about it. Major hotel chains would have thought about it. And it should certainly appear on the risk register of any business in the healthcare sector.

But what about other entities, such as transport companies, media organisations, manufacturers or major retailers? The answer is probably no.

Does this mean these types of industries should be forgiven for not having contemplated a significant disruption to their business or supply chain? This time, the answer is a resounding no.

That said, is it reasonable to expect a business to have ‘unforeseen event that has a major impact on our ability to operate/trade’ listed on its risk register? While a global pandemic may not have been explicitly articulated, many businesses do contemplate an ‘undefined’ catastrophic event. This acts as a catch-all for all types of hypothetical scenarios.

The difference between the two

Does it matter whether a company’s risk register specifically listed ‘catastrophic global pandemic event’ versus the more general option, ‘unforeseen event that has a major impact on our ability to operate/trade’?

If we put these two risks side-by-side, the risk register would have assessed cause-and-effect through a lens that considers:

Type of risk:

  • Compliance
  • Cultural
  • Environmental
  • Finance
  • HR
  • Investor
  • IT
  • Legal
  • OHS
  • Property
  • Strategic
  • Supply Chain
  • Systems
  • Other

Stakeholders:

  • Board
  • Customers
  • Directors
  • Executive
  • Investors
  • Lenders
  • Staff
  • Suppliers

Furthermore, it would have:

  • Contextualised the rating of each risk, considering both likelihood and consequence
  • Prioritised those risks against other potential scenarios
  • Considered how to address those risks; avoidance, transfer, reduction or acceptance
  • Developed a mitigation or action plan for risks the business chose to reduce or accept, such as the following example:
Existing mitigation strategy, by stakeholder group:

Customers:

  • Senior leadership team assembled and a crisis-committee formed within 24 hours of the event occurring.
  • A communication plan established for all existing customers via text message and email.
  • A media campaign established with our dedicated public relations consultant.
  • Website updated with appropriate information and real-time alerts.

Staff:

  • Website updated with appropriate information and real-time alerts.
  • A communication plan established for all staff via text message and email.
  • Website intranet updated with appropriate information and real-time alerts.

So, when you look at the process that would have been adopted for two risks articulated in different ways, the outcome may, in fact, be similar, because:

  • The logic is the same
  • Decisions around the board table would determine how the business would respond if the risk manifested
  • The process will guide (rather than narrowly pre-determine) the action to be taken in response to a risk once it arises

What’s more, whether the lens for consideration is a well-defined global pandemic event or unforeseen Armageddon, the risk register should encourage the business to consider all stakeholders, including:

  • Staff
  • Customers
  • Suppliers
  • Lenders
  • Regulators

All of these have been prominent in every business throughout the COVID-19 crisis.

Let’s ask the question again – what really matters in this context?

  • Is it the risk register with the perfectly articulated risk?
  • Is it the Audit & Risk Committee that forced its line-managers to come up with 20 risks each to tick the risk register box?
  • Or is it that willingness to discuss and prepare an action plan for potential risk within your organisation?

So what’s the consensus?

We have considered the merits of having a risk register. So let’s assume the consensus is that it’s better to have one than not.

It follows sound logic that businesses with a risk register are more likely to be navigating COVID-19 in a structured fashion. It also seems likely they will exit the crisis better than those that never contemplated, let alone planned for, a major disruption to their operations.

Consensus aside, we would like to challenge conventional thinking that a risk register would be the universal ‘fix’ for every business.

Businesses that respond well to crisis are in fact the ones that are open to discussing potential future events – however unlikely they seem. They consider how these scenarios may impact operations, then map out how they could or should respond.

This ‘process’ can easily be illustrated in a risk register.

However, a risk register in itself is only useful if businesses are willing to invest the time and resources into maintaining it and keeping it dynamic. We would argue this is more about mindset.

Next steps

Austbrokers Corporate has considerable experience developing risk registers for corporate Australia.

This includes project managing workshops at both executive and functional levels within an organisation to deliver a dynamic tool that looks at your risks from several perspectives, including:

  • Inherent Risk: the value of your ‘raw’ risk, untreated
  • Residual Risk: values the risk as it exists today and provides clarity on the strengths and flaws in your current mitigation strategies
  • Potential Risk: we take it one step further and help you visualise the cost-benefit of future mitigation strategies (if you’re considering changing behaviours or capex, this critical step will support your decision-making)

If you want to learn more about this, please contact the authors of this article:

Kris Ekeberg, Client Service Director, Financial Lines & Private Equity
John Mutton, Chief Executive Officer

5 June 2020

[i] https://www.asx.com.au/documents/regulation/cgc-principles-and-recommendations-fourth-edn.pdf

[ii] https://www.qantas.com/au/en/qantas-group/acting-responsibly/our-governance.html#risk-management