There is no ‘magic art’ involved in creating a risk register, and like most risk tools, it will only be as good as the thought that goes into it. A real danger is that it is either reactive, focussing on risks that have already occurred, or inadequate attention given to the most significant risks.

Although unable to help you predict the future - i.e. what new risks lie around the corner - at their best, a risk register can help you to prepare for a range of major risk types and improve your business’ resilience to such risks.

Categories of risk

Most risks typically fall into the following categories, and this can provide a structured way of thinking about what risks exist within your firm:

• Governance
• Regulatory
• Strategic
• Operational
• Financial

You could also use a risk map format, such as this.

Try to avoid confusing the category of risk with the consequence. Most risks have a financial consequence, ultimately.

Whilst the above categories can act as a starting point, many firms may find it more useful to use more specific categories, such as:

• Regulatory breaches (SRA, ICO)
• Business continuity/disaster planning risks
• Fraud risks, cyber & information security - this could be internal, or more likely, external factors
• Resourcing risks (the term resourcing has been used rather than staffing, as it is to avoid confusion with many of the E&O risks that arise from operational matters) - this is more about having and retaining the right talent, the risk of teams leaving, keeping staff trained up to meet emerging needs, etc.
• Matter management risks - each department should consider the most significant risks from the perspective of the lifecycle of a matter, taking into account claims, complaints, system and process vulnerabilities and gaps
• Supplier risks (reliance on third party services, etc.)
• Financial resilience
• Business strategy risks - does your strategy make you highly exposed to radical market changes? Are you particularly reliant on one sector or client(s)? Are you at a stage in your strategic lifecycle where you are financially vulnerable? Are you keeping an eye on the competitive environment? Is your succession plan robust?

Quantifying risk

Risk has both direct and indirect consequences. A regulatory breach will likely have a resource cost, a potential reputational impact, and possible fine. Indirectly it may also lead to a withdrawal of business by certain clients, and in an extreme case, could lead to solicitors being struck off (which could then impact your ability to undertake certain work) or the firm being closed down.

Risk is normally quantified by assessing the likelihood of it occurring, on a scale of 1-5 where 1 is very unlikely and 5 is highly likely; and the potential severity if it did occur, usually measured in financial impact, or the inability to continue to operate key functions for a period of time. The longer or more severe the outage, the higher the impact rating (again on a scale of 1-5). The two scores are multiplied for each risk to generate an overall risk score.

For a risk register to be of any use, you must be rigorous on how you quantify the risk. Pre 2020, although it was well known in academic circles as one of the most significant risks, pandemic risk did not feature highly on most business risk registers. There is an argument about to what extent firms can really prepare for catastrophic events – and while the Covid-19 pandemic was far from catastrophic for most firms, particularly given government support schemes – there is no doubt that some were much better prepared than others.

Take a robustly commercial view of the real risk exposures you face as a business. This is often best done in a small group training session, facilitated by an external expert provider.

Risk controls and gap identification

Many risks will already have a variety of controls in place. These can range from:

• workflow systems and reporting channels that proactively identify and help manage risk outliers
• awareness training
• in-built checks and supervision
• process testing
• feedback and continuous improvement loops
• policies and procedures that exclude the taking of certain risks
• insurance.

Where there is a high-risk item that does not have a robust risk control or mitigation in place, that should be a trigger for action, which should be allocated to one named person, and a time for resolution set. This should be managed for the top 10-20 risk issues, and followed up at regular intervals. 

While it is fine – indeed positive – for individual departments to have their own risk register subset, neither the master risk register nor any subset should have more than 10-15 priority risks on it, otherwise it becomes meaningless or unmanageable. 

If you would like to discuss any points covered in this article, or anything connected to your PII policy, please get in touch.