Would a risk register have made a tangible difference to how hard a business was impacted by the COVID-19 crisis? Unfortunately, it’s still too early to know – since COVID-19 will continue to pose a threat to many businesses for the foreseeable future. So let’s explore what we do know.
Why some businesses have coped better than others
Undoubtedly some businesses have navigated this difficult period better than others so far.
Organisations that had even a loose crisis plan in place have had a head start in creating a more detailed plan that outlines specific steps to protect stakeholders, including staff, clients and investors.
However, some businesses in the most severely affected industries (such as tourism and hospitality) have experienced a disaster of unprecedented proportions – one that was largely out of their hands due to government intervention.
All of this then begs the question: was an event of this type something that businesses could have predicted and planned for?
To answer this question, it’s important to understand what success looks like when organisations employ a risk register as a key tool to manage risk.
What is a risk register?
Put simply, a risk register is a tool to assist you in managing risk.
It can take many forms, the most basic of which could be an Excel spreadsheet. At the other end of the spectrum might be an auditable cloud-based dynamic tool.
To be more specific however, a risk register is the outcome of a process that challenges you to:
You could also think of a risk register as a way to present your risk mindset in a document or spreadsheet so that another person can understand it. Without the mindset to contemplate risks that haven’t actually happened yet, it would be difficult to bring your thinking to life in a way that makes sense to someone else.
Should all businesses have a risk register?
No. But why wouldn’t you?
The ASX Corporate Governance Council – Corporate Governance Principles & Recommendations (7)[i] recommends that:
“A listed entity should establish a sound risk management framework and periodically review the effectiveness of that framework”
Most annual reports now have a section detailing the primary risks that a company has identified and their remediation plans.
Is a risk register the utopia for managing risk?
No, but it’s a big part of what utopia should look like.
Let’s assume we have a well-articulated risk register, which shows the mindset we wish to adopt and apply. Now let’s consider that we have the discipline to present it in a way that will help others understand, interpret and implement it. What’s still missing?
What’s the point of having a risk register if all it does is tick a box for the Audit & Risk Committee and sits in your paperless storage cabinet somewhere between resume and router maintenance?
If risk oversight is not a direct and routine function of your board, your company isn’t taking it seriously.
It is common practice for a board sub-committee to take responsibility for risk assessment and management. Typically this would be named the ‘Audit & Risk Committee’. However, risk ownership is not something boards should delegate.
Qantas, for example, validates this premise by stating their position as follows:
“Qantas maintains a strong governance structure for threats and opportunities. The board has overall responsibility for the governance of risks. Oversight is maintained through the Audit Committee and the Committee for Health, Environment, Safety and Security (CHESS)”[ii]
It’s now important to consider what matters most in this context:
Bringing a risk register to life
Is it plausible to think that a business would have listed ‘catastrophic global pandemic event’ on its risk register – and give it serious consideration around the board table before 2020?
For some companies, the answer is yes.
Airlines would have thought about it. Pharmaceutical companies would have thought about it. Major hotel chains would have thought about it. And it should certainly appear on the risk register of any business in the healthcare sector.
But what about other entities, such as transport companies, media organisations, manufacturers or major retailers? The answer is probably no.
Does this mean these types of industries should be forgiven for not having contemplated a significant disruption to their business or supply chain? This time, the answer is a resounding no.
That said, is it reasonable to expect business to have ‘unforeseen event that has a major impact on our ability to operate/trade’ listed on its risk register. While a global pandemic may not have been explicitly articulated, many businesses do contemplate an ‘undefined’ catastrophic event. This acts as a catch-all for all types of hypothetical scenarios.
The difference between the two
Does it matter whether a company’s risk register specifically listed ‘catastrophic global pandemic event’ versus the more general option, ‘unforeseen event that has a major impact on our ability to operate/trade’?
|Type of risk||Stakeholders|
Furthermore, it would have:
|Stakeholders||Existing mitigation strategy|
So, when you look at the process that would have been adopted for two risks articulated in different ways, the outcome may in fact, be similar, because:
What’s more, whether the lens for consideration is a well-defined global pandemic event or unforeseen Armageddon, the risk register should encourage the business to consider all stakeholders, including:
All of these have been prominent in every business throughout the COVID-19 crisis.
Let’s ask the question again – what really matters in this context?
So what’s the consensus?
We have considered the merits of having a risk register. So let’s assume the consensus is that it’s better to have one than not.
It follows sound logic that businesses with a risk register are more likely to be navigating COVID-19 in a structured fashion. It also seems likely they will exit the crisis better than those that never contemplated, let alone planned for, a major disruption to its operations.
Consensus aside, we would like to challenge conventional thinking that a risk register would be the universal ‘fix’ for every business.
Businesses that respond well to crisis are in fact the ones that are open to discussing potential future events – however unlikely they seem. They consider how these scenarios may impact operations, then map out how they could or should respond.
This ‘process’ can easily be illustrated in a risk register.
However, a risk register in itself is only useful if businesses are willing to invest the time and resources into maintaining it and keeping it dynamic. We would argue this is more about mindset.
Austbrokers Corporate has considerable experience developing risk registers for corporate Australia.
This includes project managing workshops at both executive and functional levels within an organisation to deliver a dynamic tool that looks at your risks from several perspectives, including:
If you want to learn more about this, please contact the authors of this article:
Kris Ekeberg John Mutton
Client Service Director Chief Executive Officer
Financial Lines & Private Equity
5 June 2020