Risk register
The risk register allows you to view and manage your potential risks in one centralised place. It enables aggregations across your internal organisation and all third parties. The risk register includes all information about each identified risk, such as the nature of that risk, level of risk, who owns it and the mitigation measures in place to respond to it. In this document, we will first introduce and explain the concept and then describe how it is implemented.
One solution for all internal- and external risks
With the risk management module of 3rdRisk, you can manage all your internal- and external risks in one place. There is no longer a need for a separate risk-/GRC solution or a standalone Excel file.
Risk process concept
Within the 3rdRisk platform, you can manage all risk management activities throughout your complete supply chain. It is also closely integrated with the other risk & compliance domains. The following graphic provides a conceptual overview of the integrated 3rdRisk risk management module:
1. Identification
Risk identification is the process of determining risks that could potentially prevent your organisation from achieving its objectives.
To manage risks effectively, you must know your organisation's potential risks. The risk identification process should cover all risks, regardless of whether or not such risks are within the organisation's direct control or lie within your ecosystem. An ongoing risk identification process should include mechanisms to identify new and emerging risks timeously. Within the 3rdRisk platform, different modules can provide input for identifying new risks. For example:
- Assessment module (e.g. A third party responded in one of your assessments that they faced some serious financial issues in the past)
- Incident management module (e.g. A competitor had a significant incident, which could also happen in one of your factories)
- Compliance requirements module (e.g. You expect an upcoming stricter compliance requirement update - which may have an impact on your internal organisation and/or third-party landscape)
But there are also different other instruments to identify new risks:
- Risk workshops and interviews
- Periodic relationship updates with your third-parties
- News bulletins
- Scenario analysis
- External risk monitoring sources
- Etc.
In the 3rdRisk platform, you can quickly and securely document your identified risks.
Risk name and description
Give the risk a name and provide some contextual information about the risk.
Risk statement
A good quality risk statement is that it can answer the following questions:
- What could happen?
- Why could it happen?
- Why do we care?
It is essential to have a foundational understanding of risk components and their interrelationships. Understanding key risk-related terms and their definitions and the business and its objectives will result in more impactful risk articulation.
Example of a good risk statement:
[Event that affects objectives] caused by [cause/s]. This may result in [consequence/s].
Source: ISACA
Risk category
Risk categories within the platform group risk under a common area. Available categories in the platform are:
- Information security
- Privacy
- Quality
- Compliance
- Environmental
- Safety
- Environmental
- Continuity
- Political
- Financial
- Operational
- HR
- Reputation
- Other
You do not have to use all these categories; the advice is only to use the relevant ones for your type of business, risk landscape and reporting needs.
Stakeholders
Per risk, you can define the following stakeholders:
- Risk owner *
- Involved third-party (if applicable)
- Other external parties (e.g. regulators, society, accountants), including their expectations
- Internal stakeholders, including their expectations
* Only the risk owner is a required field.
Risk scope
The organisation model defines the scope of the risk within your organisation.
2. Assessment
Risk assessment
Risk assessment is the process of assessing identified risks on their potential severity of impact and the probability of occurrence. The assessment process is an essential step as it will prioritise your risk treatment. Within the platform, you score risks by:
- Likelihood (The chance that the risk will manifest)
- Impact (The potential losses associated when the risk will manifest)
You can score both the likelihood and impact from 1-5:
- Very low
- Low
- Medium
- High
- Very high
As the segmentation of these levels differs per organisation and industry, we advise you to define your risk level criteria per level:
Example of likelihood criteria
| Likelihood score | Your organisation-specific criteria |
| 1. Very low (Rare) | E.g. Once in 100 years or less. |
| 2. Low (Unlikely) | E.g. Once in 50 years up to once in 100 years. |
| 3. Medium (Possible) | E.g. Once in 25 years up to once in 50 years. |
| 4. High (Likely) | E.g. Once in 2 years up to once in 25 years. |
| 5. Very high (Frequent) | E.g. Up to once in 2 years or more. |
Example of impact criteria
| Impact score | Your criteria |
| 1. Very low (Incidental) | E.g. potential financial impact < €100.000 |
| 2. Low (Minor) | E.g. €100.000 - €249.999 |
| 3. Medium (Moderate) | E.g. €250.000 - €499.999 |
| 4. High (Major) | E.g. €500.000 - €999.999 |
| 5. Very high (Extreme) | E.g. > €.1.000.000 |
Risk score
Within 3rdRisk, you will get a calculated risk score based on impact x likelihood.
Loss experience
To support the assessment of the identified risk, it is good to list similar historical incidents and events.
3. Treatment
Risk treatment involves selecting and implementing the treatment. This involves balancing the potential benefits of introducing further risk treatment (controls) against the associated cost, effort or disadvantages.
Treatment options
You select the following risk treatment options within the platform:
| Treatment | Description |
| Review | Currently assessing the risk treatment strategy. |
| Accept | Acknowledge the risk and choose not to resolve, transfer or mitigate. |
| Mitigate | Reduce the likelihood or impact of the risk |
| Transfer | Assign or move the risk to a 3rd party |
| Avoid | Eliminate or forego the risk |
Residual risk
The residual risk score is the amount of risk remaining after implementing the risk treatment. This score cannot be higher than the risk score.
4. Monitor
This process ensures that the risk treatment activities and evolvement of the risk are monitored. In the platform, you can record the procedure(s) for:
- Treatment activities - Are activities timely and correctly performed
- Risk evolvement - A risk can be influenced by different factors, which can result in an increased or decreased risk exposure over time
Add a risk
To add a new risk to your risk register:
- Navigate to: Left side menu: Risks
- Click on [+ Add risk]
- Provide the risk details:
| Phase | Field | Explanation |
| 1. Identification | Risk Title * | The title of the risk |
| Risk description * | Risk description Please refer to the concept section of this page for a reasonable risk statement. | |
| Risk category * | Select the most relevant category of this risk. Risk categories within the platform group risks under a common area. | |
| Risk owner * | Every risk needs to have an internal owner that is responsible for managing and monitoring this risk. You can select all users that are registered on the platform. | |
| Risk officer * | The risk officer that is associated with this risk. Only platform users with risk officer or risk manager roles can be selected. | |
| External stakeholders | In this section, you can select an involved third-party (if applicable), including the relevant scope where the third party is active. You also have the option to list any other external parties related to the identified risk, including their expectations and requirements. | |
| Location within the organisation * | Your organisation model defines the scope of the risk within your organisation. | |
| Internal stakeholders | List all the internal stakeholders (e.g. Legal, HR, Procurement), including their expectations and requirements. Use the tab key on your keyboard to add multiple internal stakeholders. | |
| 2. Assessment | Loss experience | List the experience of any incidents or events related and/or similar to this risk. |
| Likelihood * | What is the probability that this risk occurring? Likelihood Please refer to the concept section of this page for an explanation of the likelihood and the scoring mechanism. | |
| Reasoning on the likelihood score | Define the reasoning behind the defined score | |
| Impact * | What is the impact when these risks manifest? Impact Please refer to the concept section of this page for an explanation of impact and the scoring mechanism. | |
| Reasoning on the impact score | Define the reasoning behind the defined score | |
| 3. Treatment | Treatment decision * | Select your treatment strategy:
Treatment strategies Please refer to the concept section of this page for an explanation of the different treatment strategies. |
| Reasoning on the treatment decision | Define the reasoning behind the defined score | |
| Risk score | Auto-calculated field, the result of likelihood score x impact score | |
| Residual risk * | The residual risk score is the amount of risk remaining after implementing the risk treatment. This score cannot be higher than the risk score. | |
| Reasoning on the treatment decision | Define the reasoning behind the defined score | |
| 4. Monitor | Procedure for monitoring risk evolvement and treatment activities | Free-format text field to define the procedures for monitoring the risk evolvement and treatment activities. |
| Tags | You can use the tags-functionality to assign your own specific/internal labels to a risk record. You can search, filter, and create specific reports based on these tags. E.g. if you want to register all business continuity-related risks, you can add a tag named “BCM” to these records. At a later stage, you can effortlessly search and export these risks. Use the tab key on your keyboard to add multiple tags. |
Required field *
4. Click on the green coloured 'Save icon', and the risk is added to your risk register.
Update a risk
To update a risk in your risk register:
- Navigate to: Left side menu: Risks
- Search for the applicable risk you would like to update
- Click on the sub-menu in the 'Actions column' and click 'Edit risk'
- Update the risk and click on the green coloured 'Save icon'
Close a risk
If you do not have any risk exposure (e.g. an event that contained specific risks is passed), you want to close these risks.
To close a risk in your risk register:
- Navigate to: Left side menu: Risks
- Search for the applicable risk you would like to close
- Click on the sub-menu in the 'Actions column' and click 'Edit risk'
- Navigate to 4. Monitoring and set the 'Risk status'-field to closed
- Click on the green coloured 'Save icon'
Remove a risk
To remove a risk in your risk register:
- Navigate to: Left side menu: Risks
- Search for the applicable risk you would like to remove
- Click on the sub-menu in the 'Actions column' and click 'Edit risk'
- Click on the red coloured 'Recycle bin'
View audit log
Data integrity is critical for your risk register; that is why the risk management module comes with a protected audit log that registers all mutations in your risk register. It records:
- Timestamp
- Data adjustment (old value and new value)
- The user account that was used for this update
Example: Screenshot of the protected audit log
None of the platform roles (including the platform administrator) can delete or make mutations to this audit log.
To view the audit log of a risk in your risk register:
- Navigate to: Left side menu: Risks
- Search for the applicable risk
- Click on the sub-menu in the 'Actions column' and click 'View audit log'
Known module limitations
Known limitations of the risk management module
- Currently, the module only supports a qualitative pre-defined risk assessment methodology.
- Please contact Support@3rdRisk.com to discuss options for mass upload of your current risk register.