Risk Register

Having a risk register is a critical part of a non-profit’s toolkit for managing risks. If your organisation regularly plans large, long, or complex projects, collects personal information, or works with vulnerable people, it can become difficult to manage the risks as they grow.

Developing internal resources to manage important risk areas like cyber security, climate, protecting vulnerable people, avoiding financial abuse, and ethically working with partners becomes critical.

What is a Risk Register?

A risk register is a qualitative analysis tool used to track and monitor the risks that could impact the work of your not-for-profit organisation. It is normally used together with a risk action plan. Also called a risk log, the risk register is an important part of the risk management process. Risk Registers can help you record all the risks you identify and the likelihood that they will occur. It documents the potential consequences of each risk and assists organisational leaders in develop strategies that respond to risk priorities.

The register becomes a living document that is revised regularly as circumstances change. It should be integrated into a formal risk management planning process and the overall project plan. A similar tool is the risk matrix. Both documents assess the level of risk and are an important visual tool for measuring the seriousness and probability of a risk. However, risk registers are usually in the form of a spreadsheet with no graphics and are much more detailed. A risk matrix, on the other hand, is more visual and is presented as a grid with colour elements.

What is the Purpose of a Risk Register?

The purpose of a risk register is to identify, record, and track potential risks related to your work and help you plan a strategy for responding to something unexpected. The register allows individuals and teams to assess the level of risk and act when needed. With the help of a risk register, you can brainstorm individual and group risks, develop ways of addressing potential problems before they arise, and quickly manage issues as they occur.

The objective of developing a risk register is to encourage directors, managers and staff to think about the risks that may arise because of the decision they make and projects they develop and implement. The knowledge you gain from your register can inform decisions about which project to approve, and how they should be designed to reduce potential negative impact. This work should be done before the project team begins its work and should be integrated (and tested) in all aspects of operations. The environment, services, and systems of each non-profit with help determine the risk areas that are most likely to create potential issues.

Risk Categories for a Risk Register

Risk Categories can help you list and monitor potential problems and build a strategy for reducing risk and the negative impact. The aim is to choose categories that reflect your organisation’s projects and activities so that you can tailor your risk management program to the needs of your staff and clients. Some of the more common risk areas can involve data security, non-compliance or law breaches, and catastrophic events or natural disasters.

In the non-profit sector, other risk areas such as protecting vulnerable people and their data, avoiding financial abuse or misconduct, and working with partners become important. On a practical level these categories will involve the day-to-day work your staff are responsible for doing such as equipment purchases and maintenance, ground conditions and upkeep, confidentiality, and privacy, building security, exposure to dangerous situations or physical harm, and fire safety and emergency exits. Your risk categories will become your register headings.

What to Include in a Risk Register

Risk registers are essentially a usable spreadsheet, table, or form intended as a decision-making tool for boards and management. When creating the register, ask yourself if existing controls are adequate or a new approach is needed. Make a list of each risk and briefly describe it. Then, identify who is responsible to acting during an incident. Your register should have some sort of scale for evaluating the level of risk (Low, Medium, High) and the user can assign a risk rating to each item as they are evaluated. This will help you assess the potential impact of each risk.

The Register should include a proposed action plan. First, decide what are the organisations’s priorities and preferred options for avoiding or managing risks. Then add concrete strategies to the register such as implementing training, verifying the qualifications of new staff, liaising with media, or using communication strategies to build public trust. As you develop the register, you can add headings like Risk, Description, Impact, Risk Level (1 to 5), Mitigation Plan, and Person Responsible.

Related Terms

Straw Poll

Quorum

Board Portal

Further Resources

Integrating ESG into Not-for-Profits: Managing Risks and Opportunities

Strengthening Risk Management at the Board Table

Volunteering Australia’s Guide Running the Risk: Risk Management Tool For Volunteer Involving Organisations

How ASIC Handles Whistleblower Reports and How Reforms Will Apply to Your Organisation

The Board and Risk Management