If you have come this far in our Lean Risk Management series, you are ready to create your nonprofit’s first risk register – one of the simplest and most powerful tools for nonprofit risk management. This post will explain how.
What the Risk Register Is
A risk register is a dynamic list of your organization’s top threats and opportunities. It is the foundational accountability tool for nonprofit risk management. It provides an up-to-date description of how each risk is defined, who is responsible, what’s the next step, and when that step should be completed.
A risk register is critical for effective lean risk management because it is both an overview of your risk profile and a tool for managing those risks. Without a risk register, the various risks you identified in the risk inventory exercise may get lost or ignored. With a risk register, you have one consolidated punch list of high-value activities within your organization. You know what is going on with each risk, and you understand how each compares with other threats and opportunities facing the organization.
How to Build Your First Risk Register
Develop a risk task force.
If you have completed a risk inventory, you likely have identified potential participants in an ad hoc group that would focus on risk within your organization. Now is a good time to formalize that group as a risk task force (RTF). The RTF’s duties will not be onerous: it will simply meet periodically to ensure that the risk register is being used and to suggest improvements to the process.
Appoint a risk register keeper.
One person within your organization should be accountable as the keeper of the register. The keeper may allow other people to edit the document, but one person within your organization needs to be responsible for keeping the risk register current and accurate.
Smaller organizations may be tempted to appoint the Executive Director or CEO as keeper. We advise, however, that someone besides the Executive Director serve as keeper, so that the head of the organization can be in dialogue with at least one other person about this document.
In larger organizations, a chief operating officer, director of risk management or compliance, or even inside legal counsel may be an appropriate risk register keeper.
Create a basic Excel or other electronic spreadsheet.
Click here to download a free, editable Excel template that you can use as the skeleton framework for your document. The spreadsheet should have seven columns: Priority, Issue, Functional Area, Description, Owner, Next Response, and Check-In Date, in that order.
Populate the spreadsheet.
In filling out the spreadsheet, draw directly from the results of your risk inventory exercise and the subsequent prioritization exercise that we described in prior posts in this series. Generally, any risk that received votes should land on the initial risk register, though we advise that a risk register should be limited to no more than 30 or 40 active entries. (In the FAQs below, we tell you what to do with risks that did not make it onto the risk register.)
Priority. At the end of the prioritization exercise, the Executive Director or CEO converted the numerical votes from that exercise into a set of priority groupings. When we work with clients, we usually advise them to use five rankings, but that number is arbitrary. You can choose any number of levels. In our experience, the results of the prioritization exercise tend to shake out fairly naturally into a small set of high-ranking items, a number of middle-range items, and a large number of items that received only a few, relatively insignificant votes.
Issue. Provide a brief label for the threat or opportunity. Try to make that label short but descriptive. The idea behind this column is to have a common shorthand reference for the risk within your nonprofit.
Functional Area. In this cell, note the functional area in which this risk arises. (This refers directly back to the risk inventory exercise, in which your team identified threats and opportunities across eleven different functional areas, plus “external” risks.) This column is designed to allow your team to readily see where various risks are grouped within your organization.
Description. Here, provide a brief description of the threat or opportunity as you currently understand it. The initial description will come from your risk inventory exercise, modified by any group discussion coming out of that exercise. Over time, the description of the risk will likely change as you gain additional information about the risk.
Owner. In this cell, assign an owner for the particular risk. The owner of that risk is responsible for taking action with respect to that threat or opportunity and reporting back with respect to those steps. Sometimes a risk owner will be the head of the functional area in which a risk arises. Sometimes the owner will be someone who is a subordinate within that function. Occasionally someone outside the function will be responsible for a risk.
Small organizations may be tempted to list the Executive Director or CEO as responsible for many risks. Resist this temptation. It is always preferable for someone subordinate to the Executive Director or CEO to be responsible for a risk, since the leader of the organization should be in dialogue with at least one other person on staff.
Sometimes a risk will require board involvement. The risk register is an operational document, however, and boards of directors should not be directly involved in operational activities. In cases where a board task force may be involved, assign as risk owner someone who will serve as liaison to the task force.
Next Response. In this cell, list the next reportable response, according to the risk owner. The “next response” item will change regularly as the owner takes steps to address the risk.
Check-In Date. In this cell, the risk register keeper lists the date by which the risk owner will report back with respect to this threat or opportunity. Of course, check-in dates will change periodically as the responses themselves change.
Future posts will describe the risk register in operation in some detail, but the potential benefits of the risk register should be evident upon its initial completion. The document provides a brief reference list of the top threats and opportunities facing your nonprofit. Because it is in spreadsheet format, you can sort the document to see when you should expect responses (check-in date), identify who is working on what and whether anyone is overburdened with their risk responsibilities (owner), or highlight organizational risk hotspots (functional area).
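The three views described above (what is due by check-in date, how many risks each owner carries, and which functional areas are hotspots) can be produced from the seven-column layout with a few lines of code. The following is an added example, not the post's template or code; it assumes the register is exported from the spreadsheet as CSV with ISO dates, treats priority 1 as the highest ranking, and uses constructed, fictional entries:

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import date

# Column order exactly as the post's template gives it.
COLUMNS = ["Priority", "Issue", "Functional Area", "Description",
           "Owner", "Next Response", "Check-In Date"]
MAX_ACTIVE_ENTRIES = 40  # the post's upper bound on active entries

# Constructed sample register (fictional entries); ISO dates so they sort correctly.
SAMPLE_CSV = """Priority,Issue,Functional Area,Description,Owner,Next Response,Check-In Date
1,Donor data exposure,IT,Donor database admin accounts lack MFA,J. Lee,Enable MFA for all admin accounts,2024-03-15
1,Cash flow gap,Finance,Q2 grant payment delayed by funder,M. Ortiz,Confirm revised payment date with funder,2024-03-01
2,Volunteer screening,Programs,Background checks not documented consistently,A. Patel,Draft written screening procedure,2024-04-01
3,Laptop theft,IT,Staff laptops are not encrypted,J. Lee,Roll out full-disk encryption,2024-03-20
2,Grant opportunity,External,New state grant fits youth program,M. Ortiz,Prepare letter of intent,2024-03-10
"""

def load_register(text):
    """Parse a register CSV, enforce the column order and the entry cap, and type the fields."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != COLUMNS:
        raise ValueError(f"unexpected columns: {reader.fieldnames}")
    rows = list(reader)
    if len(rows) > MAX_ACTIVE_ENTRIES:
        raise ValueError(f"{len(rows)} entries; the post caps the register at {MAX_ACTIVE_ENTRIES}")
    for r in rows:
        r["Priority"] = int(r["Priority"])  # assumption: 1 is the highest priority
        r["Check-In Date"] = date.fromisoformat(r["Check-In Date"])
    return rows

def due_by(rows, as_of):
    """Risks whose check-in date has arrived, earliest first (the check-in-date view)."""
    return sorted((r for r in rows if r["Check-In Date"] <= as_of),
                  key=lambda r: r["Check-In Date"])

def owner_load(rows):
    """Active risks per owner, to spot anyone who is overburdened (the owner view)."""
    return Counter(r["Owner"] for r in rows)

def hotspots(rows):
    """Functional areas ranked by number of active risks, then by their highest priority."""
    areas = defaultdict(list)
    for r in rows:
        areas[r["Functional Area"]].append(r["Priority"])
    return sorted(areas, key=lambda a: (-len(areas[a]), min(areas[a])))
```

Because the keeper controls the master copy, a script like this should read an export rather than write back to the register; changes still go through the keeper.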
FAQs About Your Risk Register
Should I share the risk register with my entire staff? Reasonable minds may differ, but we advise that the risk register initially be shared only with the risk task force. Later, as risk management becomes more deeply embedded in the organization, you may choose to share the risk register more broadly.
Should I share the risk register with my board? We will address board responsibilities with respect to risk management in a later post. The brief answer is that your first risk register is primarily an operational document that should reside with your staff rather than your board. You should, however, advise your board that you have created a risk register. Furthermore, you should inform the board about the top risks identified in that risk register so that the board can weigh in on the most important threats and opportunities facing the organization.
Should I share the risk register with anyone else? You should share your risk register (confidentially, of course) with the professionals you rely on for advice, including your attorney, your accountants, your insurance brokers, and your banker (if you have a consultative relationship with that person). Those professionals may be able to provide important input about these issues.
How often should our risk task force meet to review the risk register? The answer will vary with the size and complexity of the organization. Initially, we advise the risk task force to meet monthly. Later, as the process matures and more employees throughout the organization begin implementing risk management in their daily activities, the risk task force may meet every other month or even quarterly.
What should we do on the check-in date for a particular risk? A check-in date is a due date for a response. When a check-in date arrives, the risk owner should be held accountable for reporting out the status of that risk, the steps taken to address it, and any modification of the risk description to account for current circumstances.
How should risk owners update the risks for which they are responsible? Risk owners will update their risks on check-in dates. For interim changes (on fast-moving items or issues where new information becomes available), the risk owner should send an email to the risk register keeper describing how the risk register should be changed.
What should I do about threats and opportunities that did not make it to the risk register? As noted above, not all of the threats and opportunities identified during your risk inventory exercise will make it to the risk register. Competent management involves the exercise of reasonable business judgment, which includes deciding to focus on some issues and not others. Still, the potential issues identified in the risk inventory exercise that did not make it to the risk register should not be wholly dismissed. Instead, create a “parking lot” document listing the risks that did not make the cut. At a reasonable time after the initial risk register is created, the risk task force should review that parking lot document to consider whether any of those risks (or entirely new risks) should be added to the risk register.
How else will we use the risk register? As we will describe in future posts, you will also use the risk register as a basis for discussion of risks at senior staff meetings and, eventually, meetings with mid-level and line personnel. The risk register can serve as a dynamic accountability device throughout the organization, stimulating ongoing discussion of organizational priorities and activities.