Many businesses use risk registers to help identify and mitigate potential risks. A risk register is a crucial tool for any business, especially in areas such as project management.
However, few companies use risk registers effectively when considering internal control and system design. Some organisations use risk registers to fulfil regulatory compliance, which can lead to loss of earnings, increased costs and, in some cases, even fraud.
Do I need a risk register?
To effectively manage risks in your business, you should have a risk register. It should outline all of the risks faced by the business, the likelihood of each event occurring and the impact that it would have if it were to materialise.
Things can change quickly in a business and in the wider world, bringing new risks. It is essential that a risk register is kept up to date and evolves with the strategic direction of the company. The tool should reflect the inherent risks arising from system and control changes.
Identifying risks and designing internal controls
Risk registers can identify risks and evaluate the impact and likelihood of the risk materialising, allowing you to implement controls to reduce its effects.
When designing internal controls to manage risks, businesses should ask:
• How is the control performed?
• Will the control stop something from happening or detect something that has happened?
• What is the procedure for reporting errors or failures?
• How reliant is it on information technology solutions?
• How timely is the control process?
Businesses should regularly review their risk register and ensure it is kept up to date and accurate.
How Thomas Westcott can help
Our specialist Audit and Assurance Department has a wealth of experience in assessing risk registers of both commercial and not-for-profit organisations. We can provide extensive advice on incorporating your risk register into an intrinsically linked approach to risk-based internal controls and systems.
An increasing number of businesses are discovering that risk registers require a specific review as part of a separate engagement to avoid them becoming outdated, which decreases their effectiveness.
Our unique approach to reviewing processes and providing insight can help to ensure that risk registers are not only a risk-assessment tool but also a key element in strategic planning for the future.
As a minimum, we would advise clients to consider the following areas in their risk register:
• Cash systems and controls
• Revenue systems and controls
• Purchases systems and controls
• Payroll systems and controls
• Inventory systems and controls
• Expenses systems and controls
• Tax considerations
• Operational effectiveness of finance function
• IT security and resilience
• Information management
• Change management
• Quality of management information
Alan Sanders, Audit and Assurance Manager