Risk register

The risk register allows you to view and manage your potential risks in one centralised place. It enables aggregations across your internal organisation and all third parties. The risk register includes all information about each identified risk, such as the nature of that risk, level of risk, who owns it and the mitigation measures in place to respond to it. In this document, we will first introduce and explain the concept and then describe how it is implemented.

One solution for all internal and external risks
With the risk management module of 3rdRisk, you can manage all your internal and external risks in one place. There is no longer a need for a separate risk/GRC solution or a standalone Excel file.

Risk process concept

Within the 3rdRisk platform, you can manage all risk management activities throughout your complete supply chain. It is also closely integrated with the other risk & compliance domains. The following graphic provides a conceptual overview of the integrated 3rdRisk risk management module:

Figure: 3rdRisk conceptual model of the risk register

1. Identification

Risk identification is the process of determining risks that could potentially prevent your organisation from achieving its objectives.

To manage risks effectively, you must know your organisation's potential risks. The risk identification process should cover all risks, regardless of whether they are within the organisation's direct control or lie within your wider ecosystem. An ongoing risk identification process should include mechanisms to identify new and emerging risks in a timely manner. Within the 3rdRisk platform, different modules can provide input for identifying new risks. For example:

  • Assessment module (e.g. A third party responded in one of your assessments that they faced some serious financial issues in the past)
  • Incident management module (e.g. A competitor had a significant incident, which could also happen in one of your factories)
  • Compliance requirements module (e.g. You expect an upcoming stricter compliance requirement update - which may have an impact on your internal organisation and/or third-party landscape)

There are also other instruments for identifying new risks:

  • Risk workshops and interviews
  • Periodic relationship updates with your third parties
  • News bulletins
  • Scenario analysis
  • External risk monitoring sources
  • Etc.

In the 3rdRisk platform, you can quickly and securely document your identified risks.

Risk name and description

Give the risk a name and provide some contextual information about the risk.

Risk statement
A good-quality risk statement answers the following questions:

  • What could happen?
  • Why could it happen?
  • Why do we care?

It is essential to have a foundational understanding of risk components and their interrelationships. Understanding key risk-related terms and their definitions and the business and its objectives will result in more impactful risk articulation.

Example of a good risk statement:

[Event that affects objectives] caused by [cause/s]. This may result in [consequence/s].
Source: ISACA

Risk category

Risk categories within the platform group risk under a common area. Available categories in the platform are:

  • Information security
  • Privacy
  • Quality
  • Compliance
  • Environmental
  • Safety
  • Continuity
  • Political
  • Financial
  • Operational
  • HR
  • Reputation
  • Other

You do not have to use all these categories; we advise using only those relevant to your type of business, risk landscape and reporting needs.

Stakeholders

Per risk, you can define the following stakeholders:

  • Risk owner *
  • Involved third-party (if applicable)
  • Other external parties (e.g. regulators, society, accountants), including their expectations
  • Internal stakeholders, including their expectations

* Only the risk owner is a required field.

Risk scope

The organisation model defines the scope of the risk within your organisation.

Screenshot: example of the organisation model integration within the risk module

2. Assessment

Risk assessment
Risk assessment is the process of assessing identified risks on the potential severity of their impact and their probability of occurrence. The assessment is an essential step, as its outcome prioritises your risk treatment. Within the platform, you score risks by:

  • Likelihood (the chance that the risk will manifest)
  • Impact (the potential losses if the risk manifests)

You can score both the likelihood and impact from 1-5:

  • Very low
  • Low
  • Medium
  • High
  • Very high

As the segmentation of these levels differs per organisation and industry, we advise you to define your risk level criteria per level:

Example of likelihood criteria

Likelihood score | Your organisation-specific criteria
1. Very low (Rare) | E.g. once in 100 years or less.
2. Low (Unlikely) | E.g. once in 50 years up to once in 100 years.
3. Medium (Possible) | E.g. once in 25 years up to once in 50 years.
4. High (Likely) | E.g. once in 2 years up to once in 25 years.
5. Very high (Frequent) | E.g. up to once in 2 years or more.

Example of impact criteria

Impact score | Your criteria
1. Very low (Incidental) | E.g. potential financial impact < €100.000
2. Low (Minor) | E.g. €100.000 - €249.999
3. Medium (Moderate) | E.g. €250.000 - €499.999
4. High (Major) | E.g. €500.000 - €999.999
5. Very high (Extreme) | E.g. > €1.000.000

Risk score

Within 3rdRisk, a risk score is calculated automatically as impact x likelihood.

Loss experience

To support the assessment of the identified risk, it is good to list similar historical incidents and events.

3. Treatment

Risk treatment involves selecting and implementing one or more treatment options. This means balancing the potential benefits of introducing further risk treatment (controls) against the associated cost, effort or disadvantages.

Treatment options

You can select one of the following risk treatment options within the platform:

Treatment | Description
Review | Currently assessing the risk treatment strategy.
Accept | Acknowledge the risk and choose not to resolve, transfer or mitigate it.
Mitigate | Reduce the likelihood or impact of the risk.
Transfer | Assign or move the risk to a third party.
Avoid | Eliminate or forego the risk.

Residual risk

The residual risk score is the amount of risk remaining after implementing the risk treatment. This score cannot be higher than the risk score.

4. Monitor

This process ensures that the risk treatment activities and the evolvement of the risk are monitored. In the platform, you can record the procedure(s) for:

  • Treatment activities - are the activities performed on time and correctly?
  • Risk evolvement - a risk can be influenced by different factors, which can increase or decrease the risk exposure over time

Add a risk

To add a new risk to your risk register:

  1. Navigate to: Left side menu: Risks
  2. Click on [+ Add risk]
  3. Provide the risk details (fields marked * are required):

Phase 1. Identification
  • Risk title *: The title of the risk.
  • Risk description *: A description of the risk. Please refer to the concept section of this page for guidance on writing a reasonable risk statement.
  • Risk category *: Select the most relevant category for this risk. Risk categories within the platform group risks under a common area.
  • Risk owner *: Every risk needs an internal owner who is responsible for managing and monitoring it. You can select any user registered on the platform.
  • Risk officer *: The risk officer associated with this risk. Only platform users with the risk officer or risk manager role can be selected.
  • External stakeholders: In this section, you can select an involved third party (if applicable), including the relevant scope in which the third party is active. You also have the option to list any other external parties related to the identified risk, including their expectations and requirements.
  • Location within the organisation *: Your organisation model defines the scope of the risk within your organisation.
  • Internal stakeholders: List all the internal stakeholders (e.g. Legal, HR, Procurement), including their expectations and requirements. Use the tab key on your keyboard to add multiple internal stakeholders.

Phase 2. Assessment
  • Loss experience: List any incidents or events related and/or similar to this risk.
  • Likelihood *: What is the probability of this risk occurring? Please refer to the concept section of this page for an explanation of likelihood and the scoring mechanism. (Screenshot: Likelihood)
  • Reasoning on the likelihood score: Define the reasoning behind the chosen score.
  • Impact *: What is the impact when this risk manifests? Please refer to the concept section of this page for an explanation of impact and the scoring mechanism. (Screenshot: Impact)
  • Reasoning on the impact score: Define the reasoning behind the chosen score.

Phase 3. Treatment
  • Treatment decision *: Select your treatment strategy: Review, Accept, Mitigate, Transfer or Avoid. Please refer to the concept section of this page for an explanation of the different treatment strategies. (Screenshot: Treatment strategies)
  • Reasoning on the treatment decision: Define the reasoning behind the chosen treatment.
  • Risk score: Auto-calculated field, the result of likelihood score x impact score.
  • Residual risk *: The residual risk score is the amount of risk remaining after implementing the risk treatment. This score cannot be higher than the risk score.
  • Reasoning on the treatment decision: Define the reasoning behind the defined score.

Phase 4. Monitor
  • Procedure for monitoring risk evolvement and treatment activities: Free-format text field to define the procedures for monitoring the risk evolvement and treatment activities.
  • Tags: You can use the tags functionality to assign your own specific/internal labels to a risk record. You can search, filter, and create specific reports based on these tags. E.g. if you want to register all business continuity-related risks, you can add a tag named “BCM” to these records. At a later stage, you can effortlessly search for and export these risks. Use the tab key on your keyboard to add multiple tags.

  4. Click on the green coloured 'Save' icon, and the risk is added to your risk register.

Update a risk

To update a risk in your risk register:

  1. Navigate to: Left side menu: Risks
  2. Search for the applicable risk you would like to update
  3. Click on the sub-menu in the 'Actions column' and click 'Edit risk'
  4. Update the risk and click on the green coloured 'Save' icon

Close a risk

If a risk no longer presents any exposure (e.g. an event that carried specific risks has passed), you can close it.

To close a risk in your risk register:

  1. Navigate to: Left side menu: Risks
  2. Search for the applicable risk you would like to close
  3. Click on the sub-menu in the 'Actions column' and click 'Edit risk'
  4. Navigate to '4. Monitor' and set the 'Risk status' field to closed
  5. Click on the green coloured 'Save' icon

Remove a risk

To remove a risk in your risk register:

  1. Navigate to: Left side menu: Risks
  2. Search for the applicable risk you would like to remove
  3. Click on the sub-menu in the 'Actions column' and click 'Edit risk'
  4. Click on the red coloured 'Recycle bin' icon

View audit log

Data integrity is critical for your risk register; that is why the risk management module comes with a protected audit log that registers every mutation in your risk register. For each mutation it records:

  • Timestamp
  • Data adjustment (old value and new value)
  • The user account that was used for this update


Screenshot: example of the protected audit log

None of the platform roles (including the platform administrator) can delete or make mutations to this audit log.
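The scoring rules from the Assessment and Treatment sections (likelihood and impact scored 1-5 against organisation-specific criteria, risk score = likelihood x impact, residual risk never above the risk score) and the audit-log properties described above (timestamp, old and new value, acting user, no way to edit or delete entries) are easy to state but worth seeing enforced in code. The following is an added illustration, not 3rdRisk's own code: the class, function and field names are assumptions chosen for this example, the criteria thresholds follow the example tables on this page (their exact boundaries are an assumption), and the sample risk is constructed.

```python
"""Model of a risk-register record with the page's scoring rules and an
append-only audit log. Added example, not 3rdRisk code: class, function and
field names are assumptions chosen for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone

LEVELS = {1: "Very low", 2: "Low", 3: "Medium", 4: "High", 5: "Very high"}
TREATMENTS = ("Review", "Accept", "Mitigate", "Transfer", "Avoid")


def likelihood_score(years_between_events: float) -> int:
    """Map an expected interval between occurrences to the 1-5 likelihood
    scale, following the example criteria table (boundaries assumed)."""
    if years_between_events >= 100:
        return 1  # Very low (Rare): once in 100 years or less
    if years_between_events >= 50:
        return 2  # Low (Unlikely): once in 50 up to once in 100 years
    if years_between_events >= 25:
        return 3  # Medium (Possible): once in 25 up to once in 50 years
    if years_between_events >= 2:
        return 4  # High (Likely): once in 2 up to once in 25 years
    return 5      # Very high (Frequent): up to once in 2 years or more


def impact_score(loss_eur: float) -> int:
    """Map a potential financial loss in euros to the 1-5 impact scale,
    following the example criteria table."""
    if loss_eur < 100_000:
        return 1
    if loss_eur < 250_000:
        return 2
    if loss_eur < 500_000:
        return 3
    if loss_eur < 1_000_000:
        return 4
    return 5


@dataclass(frozen=True)
class AuditEntry:
    """One immutable mutation record: what the protected audit log stores."""
    timestamp: str
    field: str
    old_value: object
    new_value: object
    user: str


class RiskRecord:
    """A risk with scoring, treatment and an append-only audit trail.
    There is deliberately no method that edits or deletes audit entries."""

    def __init__(self, title: str, owner: str, user: str):
        self._data = {"title": title, "owner": owner, "likelihood": None,
                      "impact": None, "treatment": "Review",
                      "residual_risk": None, "status": "Open"}
        self._audit: list[AuditEntry] = []
        self._log("title", None, title, user)
        self._log("owner", None, owner, user)

    def _log(self, field: str, old, new, user: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self._audit.append(AuditEntry(stamp, field, old, new, user))

    @property
    def risk_score(self):
        """Auto-calculated: likelihood x impact, or None until both are scored."""
        lik, imp = self._data["likelihood"], self._data["impact"]
        return None if lik is None or imp is None else lik * imp

    def audit_log(self) -> tuple:
        """Read-only view; the underlying list never leaves the object."""
        return tuple(self._audit)

    def get(self, field: str):
        return self._data[field]

    def update(self, field: str, value, user: str) -> None:
        """Validate, apply and record a change; every write goes through here."""
        if field not in self._data:
            raise ValueError(f"unknown field {field!r}")
        if field in ("likelihood", "impact") and value not in LEVELS:
            raise ValueError("likelihood and impact must be scored 1-5")
        if field == "treatment" and value not in TREATMENTS:
            raise ValueError(f"treatment must be one of {TREATMENTS}")
        if field == "residual_risk":
            if self.risk_score is None:
                raise ValueError("score likelihood and impact before residual risk")
            if not 1 <= value <= self.risk_score:
                raise ValueError("residual risk cannot exceed the risk score")
        old = self._data[field]
        self._data[field] = value
        self._log(field, old, value, user)


def example_workflow() -> RiskRecord:
    """Constructed walk-through: identify, assess, treat and close one risk."""
    owner = "alice@example.test"  # constructed user
    r = RiskRecord("Supplier data centre outage", owner, owner)
    r.update("likelihood", likelihood_score(10), owner)       # once in 10 years -> 4
    r.update("impact", impact_score(300_000), owner)           # EUR 300k -> 3
    r.update("treatment", "Mitigate", "bob@example.test")
    r.update("residual_risk", 6, "bob@example.test")           # 6 <= 12, accepted
    r.update("status", "Closed", "bob@example.test")
    return r
```

The register never exposes the audit list itself and offers no delete or rewrite path, which is the property the page attributes to the protected log; in a real deployment the same guarantee has to hold at the storage layer (append-only table or write-once log), not only in application code.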

To view the audit log of a risk in your risk register:

  1. Navigate to: Left side menu: Risks
  2. Search for the applicable risk
  3. Click on the sub-menu in the 'Actions column' and click 'View audit log'

Known module limitations

The risk management module currently has the following known limitations:

  • Currently, the module only supports a qualitative pre-defined risk assessment methodology.
  • Please contact Support@3rdRisk.com to discuss options for mass upload of your current risk register.