
Accountants for Business

The Basic Principles of Compiling a Risk Register for Smaller Companies
About ACCA

ACCA (the Association of Chartered Certified Accountants) is the global body for professional accountants. We support our 131,500 members and 362,000 students throughout their careers, providing services through a network of 80 offices and centres. Our focus is on professional values, ethics, and governance, and we deliver value-added services through 50 global accountancy partnerships, working closely with multinational and small entities to promote global standards and support. We use our expertise and experience to work with governments, donor agencies and professional bodies to develop the global accountancy profession and to advance the public interest.

About the Author

Tony Morton's experience is wide and diverse, having worked for four FTSE companies, in the UK, continental Europe, and overseas, in both head offices and within operating subsidiaries, from line functions such as works accounting and financial accounting, through a succession of management roles to finance director of five companies, two with public listing. Product areas included components for the motor and aerospace industries, sports goods, building products, defence electronics, North Sea oil support, and steel stockholding. He then spent 12 years in a large private company, where his responsibilities covered both finance and executive responsibility for a group of subsidiary companies in media, property, leisure and health. He is a non-executive director of an electronic publishing company, and is a member of both the ACCA Corporate Governance and Risk Management Committee and ACCA Financial Reporting Committee. Although the companies he has worked for have been completely different, he has found common threads in all, particularly in how to approach their financial health. He has created systems of internal control appropriately suited to the individual businesses, where identifying the risks faced is essential to that process.

Contact

Paul Moxey, Head of Corporate Governance and Risk Management, ACCA
[email protected]

Introduction

This document is a simple guide to compiling a risk register for smaller companies with a functioning board. It is intended principally for the finance director or company accountant, who would often be best placed to carry out such a formal risk assessment process.

Most business managers have an instinctive understanding of the more common risks they face, and will have taken mitigating action, often without even realising it. Although this emergent, ad-hoc approach may give some practical protection against problems and disaster it can still leave a business exposed. A risk register formalises the consideration of risk, and opportunities, in a way that enables wider consideration and discussion within management or at board level. This in turn helps to ensure that all significant risks have been suitably identified, assessed and managed. A risk register can be particularly valuable to non-executive directors, and practice shows that it often throws up unexpected issues which need to be addressed. It is not, and should not be allowed to become, a bureaucratic exercise. Although a risk register tends to focus on negative risks, if used sensibly it should also address the opportunities which face the business.

Large PLCs will have dedicated staff creating, monitoring, and up-dating risk registers, and will often have complex methods of risk evaluation. Within the majority of smaller companies, creation of a risk register will be a task for the financial director or the accountant, and will be only a small part of their overall responsibilities. The purpose of this paper is to help such financial directors and their companies devise something not too onerous, but which has real value. Although many large businesses regularly update their registers, this is not practical for many smaller companies; however, an appropriate system is likely to include at least an annual review, when the risk register is presented formally to the board. An ideal time for this is either just before or during the budget process, or during a review of insurances.

Apart from the benefit to the board, many insurers now ask to see risk registers, and a well-presented document that illustrates how risks are addressed can have a positive influence on insurance premiums. Similarly a risk register can be useful as part of the documentation for a company sale, because although it may not answer all the questions a buyer may ask, it gives some useful leads, and indicates how well or badly risk has been covered in the past. It should be evidence that the company is well run.

The principles are equally worthy of consideration by owner/directors of small businesses. While the paper should be readily adaptable, their owner/directors may find it helpful to discuss the paper with their professional accountant. The accountant should be well placed to help in the preparation of a risk register and to act as a useful sounding board for considering risks. Even the world's largest companies can face serious loss of profit, reputation or even failure simply by not having contingency plans to guard against essentially foreseeable risks.

© The Association of Chartered Certified Accountants, March 2010
Compiling a risk register

The process of compiling the register will probably start off by identifying a wide variety of risks, but these should then be filtered to allow the company to concentrate on those with the greatest potential impact, so that what is presented to the board will be refined to perhaps no more than twenty key risks/opportunities. An appropriate filter is one related to the potential financial impact, perhaps being set as risks/opportunities with an impact of more than 5% of budget profit.

How a risk register is compiled will depend on the complexity of the business, but it is usually sensible to start from the ground up, either with departments, sites or business entities within the organisation. This information will be based on what is important to each one, but the documents are consolidated as they move up through the organisation and filters are applied, so that what is presented to the board will cover only those risks/opportunities which will have the filtered impact on the company as a whole. If the exercise is carried out appropriately it will, however, give management throughout the organisation the opportunity to take a formal look at the specific risks they face and how they deal with them. It is also important to emphasise that this is not a scientific exercise, and that although one attempts to quantify risks, to a great extent this is done on a subjective basis.

Even more important than putting the register together – which must, however, be done diligently – is the use to which it is put. It should not be viewed simply as another box ticked, but as something that will help management and the board to ensure that their risk policies are appropriate. It will rarely identify every risk that a business faces; for example, document shredding was quite clearly not foreseen as a risk by the accountants Arthur Andersen's following the Enron debacle, and one assumes that banks had not foreseen the drying up of wholesale funds as a secondary effect of toxic loans in the US.

Undertaking a risk analysis

A suggested format for a first risk register is shown on page 7. This can be tweaked to suit each individual organisation, but although the elements may be given different weights it reflects the general principles which will be found in all risk registers. The two elements of each risk to be assessed are Impact, should the risk occur, and Probability. On the one hand, there will be risks which could be truly catastrophic, but which are very unlikely to occur, either because of the nature of the risks themselves, or because of the mitigating strategies (Controls) in place; while on the other there will be risks with far lower potential impact, but which are much more likely to occur. The treatment of each of these will be very different. Having created a 'raw' Risk Rating the Controls against this will be considered. Having assessed Impact, Probability and Controls, the result will be an assessment of residual risk.

Identifying risks

A first attempt to identify risks will often be made by an appropriate senior person such as the financial director or company accountant. Following that, it is sensible to have a brainstorming session or sessions with others in the business, to tease out what risks may be relevant, to assess these, to identify what control measures may be or should be in place, and to assess whether the residual risk is likely to be acceptable or not. The process may suggest risk areas which are not adequately covered, and these will be addressed to determine what control measures might be implemented. Similarly, opportunities available to the company, which are perhaps not being fully capitalised on, will be assessed and programmes put in place to take advantage of these.

Quantifying risk

As noted above, the quantitative assessments of Impact and Probability will be largely subjective, but the very act of attempting the quantification gives others an opportunity to challenge the assessments, perhaps leading to the development of programmes which might otherwise have never been envisaged.

In the example shown on page 7, each element has been given degrees of importance from 1 to 3, whereas in practice it may be that a range of 1 to 5 is thought more appropriate. Initially the Risk Rating is assessed by calculating the product of Impact and Probability. This shows the internal measurement of importance. This number is then multiplied by an assessment of the quality of Control (which may be from internal or external factors), where a low number suggests good control and a high number poor or inadequate control. This gives a numerical assessment of residual risk, where the company can set the level with which it is happy, and at what point it is not. Any risks with a residual level in excess of this limit will require attention, although there may be nothing further that can be done; should this be the case, then the board will have to determine whether the business can actually accept the risk, or whether it should withdraw from that area of business. As noted above, potential opportunities should be assessed in a similar way, and where these have the potential to add significantly to profitability, programmes should be considered to actively harness these.

Materiality

In preparing the risk analysis materiality must be considered within the individual departments and/or divisions, and finally at the company level. As already suggested, one way to set this is by using the measure of a proportion of profits, another by using a simple monetary sum. Such measurements need to be set at such a level that the risk registers presented either to the board, or to lower levels of the organisation, will not be so extensive as to make them unsuitable as a management tool. As noted earlier, for top-level control the aim should probably be to concentrate on no more than twenty risks.



TYPES OF POTENTIAL RISK

The portfolio of risks facing each business is unique to that business. Some businesses will face severe risks of a nature that are of no significance to another. For example, to a manufacturing business energy costs may be critical, whereas to an advertising agency these probably won't appear on the radar. Some potential risks to be considered are listed here.

Business strategy
This is a very wide heading, and many specific issues are covered separately below. Perhaps the first question to be asked should be: how often is the business strategy reviewed in a formal way by the board?

Catastrophe
For example, fire or earthquake; but smaller catastrophes could also have a significant impact. For example, companies that are highly IT-dependent, or that are dependent upon online ordering, need to assess whether their power and phone connections are up to their task. (See also IT below.)

Competition
Competition covers both the market as a whole and individual players and products/services. A competitor developing a completely new product or method of serving a need could kill a traditional business. Consider the extraordinary effects that the Internet has had on so many business models. However, the effect may be limited, as it has been in retail, where it is unlikely that we will ever reach a point where everything is bought online. Just as competitors may create a potentially negative risk, outflanking the competition could be an opportunity.

Customer base
A business needs to consider whether it is over-reliant on a
small number of customers, or on a particular market or
business segment.

Erosion of prices
This can be caused either through market pressures, or
through the pressures exerted by key customers.

Exchange rates
These can be significant to revenue, costs and to funding
issues.

Fraud
Fraud can be both financially serious, and lead to
reputational risk. Internally, systems and procedures
should attempt to minimise fraud, with careful attention to
schedules of authority (see below), and as far as possible
making sure that no one individual has the ability to take
actions on their own. Internal fraud can, however, be
carried out by employees at the highest level in an
organisation, and in assessing risk it is essential to
consider what opportunities could be available to these
people, even to chief executives. External fraud often
requires collusion with members of staff, and an
examination of transactions or contracts of a significant
level of materiality should be part of the risk register
process.

Funding
How secure are facilities for financing? Over-dependency on one lender may lead to trouble if they withdraw their support. Dangerous levels of gearing are also risks that need assessment. How important is additional funding to the company's future plans?

IT
This is a whole area in itself; but suffice it to note here that companies that are highly dependent on specific servers for the delivery of product, or perhaps for the retrieval of critical information need to give this area of risk a thorough analysis. For example, what critical software does the company possess, and what are the dangers connected with its support?

People
Is there a danger of loss of key staff? This can happen for a variety of reasons. Is there adequate second-line support and succession planning? Are salaries/bonuses and employee benefits appropriate? Are training programmes appropriate? Are there sickness/absence problems? Are there any 'loose cannon' managers needing to be held in check?

Political risk
This is particularly relevant for international activities, but attention also needs to be paid to the increasing legislative pressures on matters such as health and safety and climate change.

Product
Is the business over-reliant on one product or product line?

Projects
These include building projects, large capital projects, major changes within the organisation, and acquisitions/divestments. All involve unusual levels of cost and effort. It is easy to underestimate the impact of a particular project on the day-to-day running of the business.

Quality of service
The decision about what quality of service the organisation should offer will in part depend upon the product or service being provided; but the higher up the quality scale the company operates, the more serious a weakness in service can become; this can quickly lead to reputational risk (see below). Where service is outsourced to third parties, or where dealers or agents are involved it is worth looking carefully at these arrangements, to ensure that the expected standards are being met.

Raw materials, energy, services, or other 'bought-in' items
Do suppliers have a stranglehold? Is procurement spread sufficiently widely across a range of suppliers? Where a supplier is providing a key component, what happens if they fail to deliver? The example of microprocessor chips some years ago is relevant.

Regulatory, environmental, and taxation
Are there any changes afoot? In what ways may they affect the company's operations?

Reputational risk
Reputation in the market place and credibility with customers, banks and others can take years to build, but can be lost overnight. It is essential to identify where the company might be vulnerable and be prepared to deal with the unexpected. For example, who should deal with outside agencies such as the press? Who needs to be involved (eg lawyers)? In recent years both Virgin Atlantic and BA have been able to make PR capital from aircraft crashes, by concentrating on the heroic actions of their pilots. A slow response almost always indicates something sinister, and always damages reputation.

Schedules of authority
Are there adequate checks and balances, with clear limits on the authority of individuals, for example, to bind the company contractually, or to levels of spending? Operating issues also need clear lines of authority. (See also Fraud.)

Technological changes
How are the company's products/services defined, and what might replace them? How might they be made or delivered differently?



Creating a scale of risk

Turning to the example of a risk register format illustrated on page 7, the scale of risk may be as follows.

• Under Risk Impact: it may be helpful to think of 3 representing critical, 2 serious, and 1 significant. If the risk is not significant then it shouldn't be registering.

• Under Probability, 3 represents frequent (at least once/twice a year), 2 probable (within 5 years/more than once in 5 years), with 1 representing remote (not more than once in 5 years/more than 5 years away).

• Under Control Rating, 3 represents poor controls or inability to control, while 1 represents fully under control.

This can easily be turned into a five-point scale rather than a three-point one, if it is considered that a little more sensitivity can realistically be assessed. The basic format can be adjusted to suit individual circumstances, and clearly will not fit into the size of boxes shown in the example format. It is important to consider and note control measures, actions required, and to have a Control Owner. The Control Owner is at each level within the company the person who has responsibility for the risk at his/her level, but as noted below where a risk is sufficiently serious to show at a higher level within the organisation then a manager at that higher level must be shown to have responsibility.

With a three-point scoring arrangement the maximum frightening 'score' would be 27 (3 × 3 × 3), or for the five-point system 125 (5 × 5 × 5). As a suggested guide, the 'red alert' might be triggered at around 12 in a three-point scheme, or around 45 in a five-point one. It is valuable to note the risk score from the previous period, since clearly an increase in the assessment of risk may also warrant attention.

RESPONSIBILITY FOR MONITORING RISKS

Many risks will be controlled by internal monitoring or actions. Others may require hedging or insurance, accepting that they cannot be avoided. The risk register will have identified those risks where the controls are sufficient; however, simply having insurance, even if it covers interruption of business, will not cover a major disruption; customers will look elsewhere, and may well have established other sources of supply by the time the company is back in business. Disaster recovery planning is an essential part of any risk management programme. It does not necessarily require an enormous expenditure, but it does require a plan that specifies who does what, and how critical processes are dealt with after a catastrophe. There are also companies that can provide an insurance 'service' of office accommodation and IT for a reasonable premium.

As with any other management issue, clear identification of responsibilities is important. Each risk needs to be the responsibility of a specific individual for monitoring and control. At board level this should mean board members; if a risk is sufficiently serious to make it to the risk register the responsibility should not be borne by a manager below board level; although he or she may be the person most intimately involved, a board member must shoulder final responsibility.

CONCLUSION

It is hoped that this short paper will help those embarking on a risk register exercise to construct something useful, with effort commensurate with the potential benefits, in a practical and easily understood way. For anyone wishing to produce something more detailed, or where this relatively simple methodology may be considered too superficial, there are many examples which can be found on the Internet, or by reference to other companies.

If this paper does no more than help a business to recognise the potential effect of one or two risks that could be better managed, it will have achieved its aim.

RISK REGISTER

Date Modified: ____________    Created by: ____________

Columns of the example register, from left to right:
1. Risk No.
2. Risk
3. Impact
4. Probability
5. Risk Rating
6. Control Rating
7. Level of Residual Risk
8. Prior Year Residual Risk
9. Movement Year on Year
10. Notes
11. Control Measure
12. Further Action Required
13. Completion Date
14. Comments
15. Control Owner



NOTES
1. Measurements on a 1, 2, 3 scale where under impact and probability, 3 is the most serious, but where under Control Rating, 3 represents poor controls. Under Risk Impact it may be helpful
to think of 3 representing critical, 2 major and 1 significant. Under probability, 3 represents frequent (more than once pa), 2 probable (within 5 years/more than once in 5 years), and 1 remote
(not more than once in 5/more than 5 years away).
2. Risk Impact x Probability = Risk Rating. Risk Rating x Control Rating = Residual Risk. Residual Risk - Prior Year Residual Risk = Movement Year on Year
3. Residual Risk ratings in excess of 6 require regular Board review, and of 12 or above should lead to clear plans. Probability ratings of 3 also suggest regular review.
4. Materiality set at £xm
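The arithmetic in notes 2 and 3 above, together with the 'red alert' guide from "Creating a scale of risk", as an added worked example that is not part of the ACCA paper. It validates each score against the chosen scale, computes Risk Rating, Residual Risk and year-on-year Movement, raises the review flags the paper describes, and ranks the result into a board register of at most twenty entries; the sample entries and the `RiskEntry`/`assess` names are constructed for illustration, and applying the "probability at the top of the scale" flag to a five-point scale is an assumption the paper does not state.

```python
from dataclasses import dataclass
from typing import List, Optional

# Thresholds from the paper: on the 3-point scale a Residual Risk above 6 needs
# regular Board review and 12 or above needs clear plans (the 'red alert'); for
# the 5-point scale the paper suggests a red alert at around 45 and gives no
# board-review threshold, so none is applied there.
THRESHOLDS = {
    3: {"board_review": 6, "red_alert": 12},
    5: {"board_review": None, "red_alert": 45},
}


@dataclass
class RiskEntry:
    number: int
    risk: str
    impact: int
    probability: int
    control: int  # 1 = fully under control; top of scale = poor/no control
    prior_residual: Optional[int] = None
    control_owner: str = ""


@dataclass
class Assessment:
    number: int
    risk: str
    risk_rating: int
    residual: int
    movement: Optional[int]
    flags: List[str]


def assess(entry: RiskEntry, scale_max: int = 3) -> Assessment:
    """Impact x Probability = Risk Rating; Risk Rating x Control Rating =
    Residual Risk; Residual Risk - Prior Year Residual Risk = Movement."""
    limits = THRESHOLDS[scale_max]
    scores = (("impact", entry.impact), ("probability", entry.probability),
              ("control", entry.control))
    for name, value in scores:
        if not 1 <= value <= scale_max:
            raise ValueError(f"{name} must be 1..{scale_max}, got {value}")
    risk_rating = entry.impact * entry.probability
    residual = risk_rating * entry.control
    movement = None if entry.prior_residual is None else residual - entry.prior_residual
    flags = []
    if limits["board_review"] is not None and residual > limits["board_review"]:
        flags.append("regular board review")
    if residual >= limits["red_alert"]:
        flags.append("red alert: clear plans required")
    if entry.probability == scale_max:  # paper: probability 3 on a 3-point scale
        flags.append("frequent: regular review")
    if movement is not None and movement > 0:
        flags.append("residual risk increased year on year")
    if not entry.control_owner:  # every registered risk needs a Control Owner
        flags.append("no control owner assigned")
    return Assessment(entry.number, entry.risk, risk_rating, residual, movement, flags)


def board_register(entries, scale_max=3, limit=20):
    """Rank by residual risk, worst first, keeping at most `limit` entries."""
    results = [assess(e, scale_max) for e in entries]
    results.sort(key=lambda a: (-a.residual, a.number))
    return results[:limit]


# Constructed sample entries (not from the paper), scored on the 3-point scale.
SAMPLE = [
    RiskEntry(1, "Key supplier fails to deliver component", 3, 2, 2, 8, "Ops director"),
    RiskEntry(2, "Server outage stops online ordering", 3, 3, 2, 9),
    RiskEntry(3, "Over-reliance on a single lender", 2, 1, 1, 2, "FD"),
]

if __name__ == "__main__":
    for a in board_register(SAMPLE):
        print(a.number, a.risk, a.risk_rating, a.residual, a.movement, a.flags)
```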

TECH-AFB-TRR

ACCA 29 Lincoln’s Inn Fields London WC2A 3EE United Kingdom / +44 (0)20 7059 5784 / www.accaglobal.com
