Most of us have little experience of risk registers. If you’re not in the public sector or involved in project management with methodologies like PRINCE2, you rarely come across them.
I first came across a risk register when I became a county councillor. The county council has its risk register and this is maintained assiduously. It addresses what might happen, within and outside the council’s control, which would result in it not operating within budget or experiencing some form of reputational damage. And more recently as a non-executive director for a public sector health care delivery organisation I have become hands-on involved in its risk register, the so-called Board Assurance Framework or BAF.
The BAF is principally no different from the county council’s risk register although it is also concerned with its potential failure to meet its regulatory requirements in addition to the financial and reputational concerns. But I have struggled with the concept of the BAF primarily because this organisation is expected to be more active in the ‘real world’ and to compete.
In the real world companies develop strategies which they intend will determine their futures. They often have aggressive growth plans and these are underpinned by the identification of ‘critical success factors’ (CSFs). These CSFs describe the limited number of areas in which superior results will ensure successful competitive performance. The point is that the CSFs collectively are ‘necessary and sufficient’. And if any one CSF is deficient then the organisation will have a plan to sort it out. That’s how it works.
I realise that many of the risks in the BAF are in fact the inverse of CSFs. Whereas a CSF begins ‘we will be successful if …’, the risks in the BAF begin ‘we will fail if …’. There’s a difference in mindset here. Whereas the CSF is pro-active and positive the risk in the BAF is reactive. And if this organisation is going to compete in the real world with private sector organisations it needs to think in terms of making things happen and not just of ensuring that bad things don’t. It needs to complement its BAF with CSFs and then to manage according to the latter when it can regard the BAF as necessary insurance because it’s still a public sector organisation.
However the traffic need not be all one way. How many corporate strategies have we seen that have a set of (critical) assumptions which are then accepted as being facts and used to frame the plans that are a part of it? Rarely is any attention paid to the possibility that the assumption may not be correct and what should be done if it isn’t. There is the underlying theory that if the world is less favourable than we assumed we will simply work harder to compensate.
This is where the BAF scores. Those risks in the BAF which are not inverse CSFs are in fact inverse critical assumptions and because they have been identified mitigating contingency plans get developed which swing into action when the assumption comes unstuck. A classic example of this is an epidemic. You don’t expect to operate on an epidemic footing but if one arises you’ve got a plan to swing into action. Would it be better if companies had contingency plans to turn to if the assumed double-digit market growth suddenly went into reverse?
So: what is the point of a risk register? To some extent it’s typical public sector conservatism. Let’s worry about what might go wrong and make sure we can live with it. If that’s all that it is then it will limit public sector organisations’ ability to be more commercial. However because it’s public sector money and not risk-tolerant equity capital that’s at stake the pendulum can’t be allowed to swing all the way. And as noted above the attention to factors outside the organisation’s control makes good sense and there’s no way that this should be abandoned in favour of the ‘we’ll cope if it happens’ of the private sector. In fact, as noted above, a little more overt risk reality where critical assumptions are concerned would well be of value in the latter.

