Comparison of two approaches to registering risk: central risk register for better risk visibility vs. objective-centric risk definition for better alignment.
Risk management is one of the strategic planning trends we expect to gain more focus in 2024 and 2025. In this case study, we compare two practical approaches to managing/documenting risks:
- The central risk register, which facilitates risk reporting and ensures risk visibility.
- The objective-centric risk definition, which enables risk alignment ‘by design’ and improves risk awareness in the context of objectives.
We explore if and how these practices can be combined for better risk resilience.
Method 1: Managing Risks with Risk Register
A risk register is a dedicated functional scorecard where all risks relevant to an organization are categorized in a hierarchical structure.
For example, we can have a branch of “Climate Change Risks” with sub-branches of “Business Continuity Risks” and “Supply Chain Risks.” Inside each category, we can list more specific risks.
For Business Continuity Risks:
- Power outages
- Flooding of office premises
- Infrastructure failure
- Workforce availability during extreme heatwaves
For Supply Chain Risks:
- Transportation disruptions
- Damage to inventory in warehouses
- Reduced production capacity
- Dependency on single suppliers
- Loss of raw materials
Aligning Risk Register with Strategy
We can align specific risks or categories of risks with:
- Relevant strategies/goals in other strategic scorecards or
- With an incident log tracked in separate functional scorecards.
To align a risk from the risk register in BSC Designer:
- Select existing risk in the risk register scorecard or add a new one
- Open the strategic or functional scorecard, select the relevant goal or internal control.
- Copy the risk in the risk register and paste it into the strategy scorecard, selecting the connection by Context.
The connection between the risk register and the specific objective will be displayed on the Context tab.
If you need to reference a specific risk outside of the platform, use the link button tool:
Advantages of the risk register approach:
- Better risk visibility and awareness.
- Easier risk reporting.
Disadvantages:
- Promotes a risk-first approach rather than an objective-first approach.
- Requires manual alignment of risks with objectives.
Risk register is best for:
- Risks that are common to various objectives.
- General risks in the analysis stage, not yet projected onto the organization’s strategy or specific objectives.
Method 2: Objective-Centric Risk Management
Objective-centric risks are defined directly on the strategy scorecard, in the context of a specific objective.
With the objective-centric approach, the risk is aligned with its parent objective “by design.”
Additionally, we can align a risk with other relevant objectives or internal controls.
To align objective-centric risks in BSC Designer:
- Select a risk.
- Use the Copy command in the Tools menu.
- Select the goal, indicator, or action plan relevant to the risk.
- Use the Paste command in the Tools menu.
Advantages of the objective-centric approach:
- Focuses on the objective-first approach.
- Provides clear visibility of the risk context.
- Aligns risk with strategy and objectives “by design.”
Disadvantages:
- The risk hierarchy/categories are not as obvious.
Best for:
- Risks relevant to specific objectives.
Alternative: Integrating Risk Register and Incident Log
A business continuity scorecard is an example of an alternative approach where a single function scorecard integrates:
- Inventory of critical infrastructure,
- Risk register,
- Possible response scenarios,
- Incident logs.
Training session: 'Risk Management with BSC Designer' is offered as part of our ongoing learning program and included with a BSC Designer subscription.
Training sessions are delivered weekly via Zoom, providing practical insights and personalized guidance. Upon completion, participants receive an attendance certification. Explore all available training sessions here.
Requirements of ISO 27001 and ISO 31000
Both standards require proper documentation and reporting of risk management activities and highlight the contextual nature of risk (“the effect of uncertainty on objectives”).
With these general requirements in mind, both approaches to risk documentation can be considered valid.
What’s Better for Risk Resilience? Hybrid Approach
To improve risk resilience, organizations can combine the strengths of both a risk register and goal-aligned risk management.
- The risk register provides a comprehensive overview of potential threats, ensuring documentation and preparedness.
- By aligning risks with specific strategic goals, organizations can prioritize those that have the greatest impact on key objectives.
In practice, we observe:
- The objective-centric approach during the early stages of strategic planning.
- A combination of the central risk register approach and objective-centric risk definitions in the later stages.
Use Risk Register Template
BSC Designer helps organizations implement their complex strategies:
- Sign up for a free plan on the platform.
- Use the Risk Register template as a starting point. You will find it in New > New Scorecard > More Templates.
- Follow our Strategy Implementation System to align stakeholders and strategic ambitions into a comprehensive strategy.
Get started today and see how BSC Designer can simplify your strategy implementation!
Alexis is a Senior Strategy Consultant and CEO at BSC Designer, with over 20 years of experience in strategic planning. Alexis developed the “5 Step Strategy Implementation System” that helps companies with the practical implementation of their strategies. He is a regular speaker at industry conferences and has published over 100 articles on strategy and performance management, including the book “10 Step KPI System”. His work is frequently cited in academic research.