In this case study, we compare two practical approaches to managing/documenting risks:
- The central risk register, which facilitates risk reporting and ensures risk visibility.
- The objective-centric risk definition, which enables risk alignment ‘by design’ and improves risk awareness in the context of objectives.
We explore if and how these practices can be combined for better risk resilience.
Method 1: Managing Risks with Risk Register
A risk register is a dedicated functional scorecard where all risks relevant to an organization are categorized in a hierarchical structure.
For example, we can have a branch of “Climate Change Risks” with sub-branches of “Business Continuity Risks” and “Supply Chain Risks.” Inside each category, we can list more specific risks.
For Business Continuity Risks:
- Power outages
- Flooding of office premises
- Infrastructure failure
- Workforce availability during extreme heatwaves
For Supply Chain Risks:
- Transportation disruptions
- Damage to inventory in warehouses
- Reduced production capacity
- Dependency on single suppliers
- Loss of raw materials
Aligning Risk Register with Strategy or Incident Log
We can align specific risks or categories of risks with:
- Relevant strategies/goals in other strategic scorecards or
- With an incident log tracked in separate functional scorecards.
To align a risk from the risk register in BSC Designer:
- Select existing risk in the risk register scorecard or add a new one
- Open the strategic or functional scorecard, select the relevant goal or internal control.
- Copy the risk in the risk register and paste it into the strategy scorecard, selecting the connection by Context.
The connection between the risk register and the specific objective will be displayed on the Context tab.
Integrating Risk Register and Incident Log
A business continuity scorecard is an example of an alternative approach where:
- Inventory of critical infrastructure
- Risk register
- Possible response scenarios
- Incident logs
are integrated into a single functional scorecard.
Advantages of the risk register approach:
- Better risk visibility and awareness.
- Easier risk reporting.
Disadvantages:
- Promotes a risk-first approach rather than an objective-first approach.
- Requires manual alignment of risks with objectives.
Risk register is best for:
- Risks that are common to various objectives.
- General risks in the analysis stage, not yet projected onto the organization’s strategy or specific objectives.
Method 2: Objective-Centric Risk Management
Objective-centric risks are defined directly on the strategy scorecard, in the context of a specific objective.
With the objective-centric approach, the risk is aligned with its parent objective “by design.”
Additionally, we can align a risk with other relevant objectives or internal controls.
To align objective-centric risks in BSC Designer:
- Select a risk.
- Use the Copy command in the Tools menu.
- Select the goal, indicator, or action plan relevant to the risk.
- Use the Paste command in the Tools menu.
Advantages of the objective-centric approach:
- Focuses on the objective-first approach.
- Provides clear visibility of the risk context.
- Aligns risk with strategy and objectives “by design.”
Disadvantages:
- The risk hierarchy/categories are not as obvious.
Best for:
- Risks relevant to specific objectives.
Requirements of ISO 27001 and ISO 31000
Both standards require proper documentation and reporting of risk management activities and highlight the contextual nature of risk (“the effect of uncertainty on objectives”).
With these general requirements in mind, both approaches to risk documentation can be considered valid.
Summary: Hybrid Approach
In practice, we observe:
- The objective-centric approach during the early stages of strategic planning.
- A combination of the central risk register approach and objective-centric risk definitions in the later stages.
In addition to scorecard-level dashboards with risk diagrams and risk heat map diagrams, the global dashboard function addresses the risk visibility challenge. This function allows risks from all strategy and functional scorecards to be visualized in the form of a heat map diagram or as a list of risks with their respective statuses.
What's next?- Sign up for a free account at BSC Designer to access the scorecard templates, including 'Risk Register' discussed in this article.
- Follow our Strategy Implementation System to align stakeholders, strategic ambitions, and business frameworks into a comprehensive strategy.
More About Strategic Planning
Alexis is the CEO of BSC Designer with over 20 years of experience in strategic planning. He has a formal education in applied mathematics and computer science. Alexis is the author of the “5 Step Strategy Deployment System”, the book “10 Step KPI System”, and “Your Guide to Balanced Scorecard”. He is a regular speaker at industry conferences and has written over 100 articles on strategy and performance measurement. His work is often cited in academic research and by industry professionals.