Risks are not just a threat to organisations but to the entire country, a fact recognised by the government through the publication of the first ever National Risk Register.
Registering your concerns
What’s the best way of quantifying, communicating and practically applying solutions to identified corporate risk? This is one of the most important questions any organisation will ask itself; any organisation with an appetite for risk can, following practical steps, apply a consistent approach to the effective management of risk, provide consistency in the decision making processes, take well calculated actions should an opportunity arise and, conversely, allow a more cautious yet informed approach to be taken to mitigate any threats.
Risks are not just a threat to organisations, the UK itself is susceptible to risk and this is something that has recently been recognised by the government, with the Cabinet Office publishing the first ever UK-wide National Risk Register in August 2008, setting out the government’s “assessment of the likelihood and potential impact of a range of different risks that may directly affect the UK”.
Inevitably the register has been drafted largely as a consequence of the very real security threats which face the country, but also with regard to other potential national threats such as a bird flu pandemic. The register provides a national risk assessment of the most significant crises and emergencies which the UK, its citizens and key organisations could face over the next 5 years.
1. Definition
So what is a risk register? In simple terms, the register is a management tool that enables an organisation to understand its comprehensive risk profile, a repository (a central storage area) for all risk information. The register is the hub of the internal control system; containing the objectives (including assets, premises and personnel) and risks to and controls for the whole organisation. This document should be written and managed by a risk manager, or similar designated officer, but owned by the organisation as a whole since every department will play a real part in identifying potential risks at both operational and strategic levels (and therefore all department heads should contribute towards the overall risk register.)
2. Identification
It is essential when compiling the register that the risk identification process if both wide ranging and comprehensive, covering both external and internal threats, from the threat if an arson attack on your premises to the simple failure of the heating system within your head office facility. The assessment process should not be limited to depth and breadth of and organisation and both reactive and proactive sources should be considered. Your organisation will have many sources of risk identification readily available to them, for instance incident and accident reports, audit reports, customer complaints etc, although these sources are not an exhaustive list of the risk identification process.
3. Assessment
The key to producing a meaningful and effective corporate risk register is the initial risk assessment process. The starting point is to confirm the overall purpose and critical corporate objectives of the business. From this first step, every potential threat and risk to the achievement of those objectives and the effective functioning of the organisation should be brainstormed and recorded – no matter how improbable or remote. This process really does require ‘open thinking’, devoid of any prejudices, restrictions or self imposed barriers.
4. Ownership
Successful and effective management of corporate risk will also need to ensure that a full risk assessment framework is in place, this will include ownership of the overall risk, strategy and leadership by senior management. Every organisation should have a clear risk strategy with associated policies, fully equipped staff expected to contribute to the process, and the processes of the organisation should incorporate effective risk management – can this be said of your own organisation?
So, given this, does facilities management feed into your organisations risk register (if it has one at all)? In simple terms, yes. Effective facilities management is critical to the successful delivery of any organisation’s services and is actively involved in the management of many aspects of risk.
5. Conclusions
While the following areas are by no means a full assessment of the areas covered by the facilities remit, these areas are an indication of the considerations which should be accounted for when completing any risk assessment:
- Generic risks for general hazards, such as asbestos or working with portable tools
- Dealing with emergency evacuation
- Gas leaks or electrical failures
- Threat if terrorism or a full system failure
Specific risks, such as clearing gutterings; establishing safe systems of working such as contact with an untreated water supply; dealing with disabled staff or customers; using solvents or adhesives; working in hot or cold environments or working at height, - all of these areas need to be considered as part of the assessment. As noted above, the risk assessment process should cover both external and internal threats and open thinking should be applied and documented – however remote the threat.
Risk Checklist
The Treasury recommends that the following areas should be included when documenting the risk areas:
- Strategic risk
- Description of the risk
- Risk ranking
- Lead person/department
- Action/treatment plans
- Action dates
- Sources of assurance
- Existing controls
- Location etc
- Cost/benefit analysis
- Acceptance/completion
- Comments