For many, once a risk register is defined, it often remains largely unchanged. Unfortunately, this can be a major mistake. Firms that operate in an environment of continuous turbulence should seek to actively build their risk registers based on events that occur within their firm or industry.
After any significant risk event, firms should conduct a root-cause analysis exercise to understand the event entirely, learn from it and embed the learning into the risk management process and firm-wide culture.
A crucial part of the risk management process should be continuously reviewing events and identifying risks that occurred but were not already on the risk register. Firms should also use events to trigger the closing of risks that may no longer be relevant.
One KRM22 client has an operations team that has embedded a continuous improvement process that calls for each event of a certain severity to be formally reviewed. The team specifically seeks to identify, and report on, operational risks that occurred but were not in the risk register at the time of the event.
This process is also used by one of the most famous and innovative firms, SpaceX:
"If you look at the various reasons why we blew up star ships, and you looked at the risk list, none of the reasons they blow up was on the risk list." (Elon Musk, CEO of SpaceX, August 2021)
To ensure your resources are focused on the right things, use events to drive a continuous improvement process around your risk register, add new risks as they are identified, and close existing ones that may no longer be relevant.
To read more blogs from Andrew Smart you can visit: Risk-Based Performance Management (rbpmframework.com)