THE QHSE GROUP


What is a risk report?

A risk report is a summary that describes the potential risks a company may face. It addresses critical risks, which have the potential for severe consequences, and emerging risks that may become problematic in the future if no one monitors them closely.

A report also explores possibilities for addressing risks and preventing adverse outcomes. The project manager, the project team or the risk owner writes the reports.

The report may include:

  • How effective the company is at handling potential risks
  • Which policies seem insufficient
  • Which controls aren’t working as planned
  • What changes are necessary to keep risk at an acceptable level
  • What the updated status of corrective actions is
  • What the signs of trends in the incidence of risks are

Senior management, such as the project manager, project owner and client, read risk reports to take on adequate risk management and achieve the expected project results.

Why is a risk report important?

Risk reports are important because they help project managers, project owners and clients better understand various risks the company is taking while working on a project. Having an accurate and informative report ensures that senior management knows of existing risks.

This knowledge can help a company create a plan to avoid unwanted surprises and unauthorized actions.

What does a risk report include?

Risk reports often include the following information:

  • Risk register: This identifies potential risks in an organization, their impact, probability, owner, how each ranks compared to the other risks and the risk response.
  • Risk corrective action plan: This is a plan for mitigating the risk if it occurs.
  • Work performance data reviews: These include any data collected for assessing risks.
  • Project schedule and updates on the progress: This includes the planned project schedule and any expected changes to the program.
  • Status of the project outcome: This compares the current status of a project to the expected plan.

What should the report address?

Risk reports may address various types of risks, including:

  • Commercial risks: These are economic or market risks, including changes in prices and demand.
  • Compliance and regulatory risks: This includes the risk of violating a law or regulation, such as inadequate capacity or fraud.
  • Environmental risks: These are the risks of unwanted accidents, such as a natural disaster like a flood.
  • Financial risks: The possibility of losing money on a business venture, potentially due to changes in interest rates, is a financial risk.
  • Health and safety risks: These include the possibility of illness or injury, potentially from infectious diseases or slipping and getting injured.
  • Operational risks: These are the chances a company takes by operating normally, potentially due to employee conduct or technology risks.
  • Reputational risks: The risk of damaging the corporate reputation, potentially due to social media misuse or a data breach, is a reputational risk.
  • Strategic risks: These are the risks that failed business decisions may have on the company, possibly from a merger or due to senior management turnover.
  • Workforce risks: These risks are linked to employees, such as employee safety and stress.

Some of your risks may fit into multiple categories of risks. For example, risks attached to water spills could be considered both operational and safety risks.

Ensure that your report addresses how your company plans to mitigate risks and a timeline outlining when preventative measures may occur.

Assign an owner of the risk who’s responsible for carrying out the actions described in the report.

How to write a report

Follow these five steps to write a comprehensive report:

1. Identify activities that may have risks

To identify potential risks, gather your project team together and pose the question, “What could go wrong?” Your goal is to identify any potential issues that could prevent the project from achieving its desired outcome. Brainstorm as a team and document all responses in a risk list, but don’t evaluate risks yet.

Some examples of potential risks include:

  • Working in a laboratory
  • Working in an area with dangerous animals
  • Discussing sensitive topics
  • Operating heavy machinery and equipment
  • Using hazardous materials
  • Working with genetically modified organisms (GMO)
  • Using needles
  • Sitting or standing for long durations in uncomfortable positions

2. Determine the negative implications

Next, consider the risks that your team thought of and organize the list by consolidating any similar risks. Once you have an organized list, take the time to consider the impact that each risk may have.

This impact may include deviations from the planned schedule, costs or effort if the risk occurs.

For example, a private bus service may assess the risk of overbooking, leading to poor customer satisfaction.

3. Evaluate risks and plan precautions

Consider whether the risk of selling 100% of the bus tickets instead of 80% of the tickets is worth the negative impact on customer satisfaction if the company overbooks. You and your project team can rank the risks based on the magnitude of impact.

Companies may use these five categories: High, Significant, Moderate, Minor, Low.

You can also consider the likelihood of occurrence, which is the probability of the risk occurring. The number is typically a percentage. For example, suppose there’s only a 4% chance that the private bus company overbooks its buses and its customer satisfaction decreases.

In that case, they may likely continue with the process regardless of risk. Once you’ve evaluated risks, plan precautions that can mitigate the probability of the risk occurring.

For example, the bus company may consider using an automated system to prevent overbooking.

4. Document your findings in a report

Now that you have the necessary information, it’s time to write the report. Remember that the report may contain a lot of information, so it’s best to write in a way that’s easy to read. Begin with an executive summary, which explains each risk and your reasoning for including it in the report. It’s best if each risk is tied directly to a business objective, as this informs the reader why the risk is important.

After the summary, begin the analysis, which is a detailed discussion of each risk. Include supporting data, case histories, cost projections and audit reports. Conclude with a plan of action for how to avoid adverse outcomes. If you’re uncertain of the company’s preventative measures, you can pose questions in the report that senior management may answer.

5. Review your report and update when necessary

After you have completed your report, consider reviewing it monthly to see if it requires updating. Monitoring incident rates and the control measures closely can help you determine if your actions are effective. You can add any significant findings to your report when necessary.
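As an added example tying steps 1 to 4 together (this is not code from the original page or from The QHSE Group), here is a small Python risk register: it consolidates duplicate entries from the brainstorm list (step 2), scores each risk from the page’s five impact categories and a likelihood percentage (step 3), ranks the result, and emits one executive-summary line per risk tied to its business objective and owner (step 4). The impact weights, the score formula (impact weight × likelihood), the tolerance threshold and the sample register entries are assumptions of this example; the page names the categories and the bus-overbooking case but prescribes no formula.

```python
from dataclasses import dataclass

# Magnitude-of-impact categories from step 3, mapped to weights.
# The weights are an assumption of this example; the page only names the categories.
IMPACT_WEIGHT = {"High": 5, "Significant": 4, "Moderate": 3, "Minor": 2, "Low": 1}


@dataclass
class Risk:
    """One row of the risk register: the step 1 entry plus the step 2-3 assessment."""
    description: str
    objective: str         # business objective the risk threatens (step 4 ties each risk to one)
    impact: str            # one of the five magnitude categories (step 3)
    likelihood_pct: float  # probability of occurrence as a percentage (step 3)
    owner: str             # person responsible for carrying out the precautions
    precaution: str = ""   # planned measure to reduce the likelihood (step 3)

    def score(self) -> float:
        """Impact weight scaled by likelihood: 0 (never happens) up to 5 (High and certain).
        This product is an assumed convention, not a formula from the page."""
        if self.impact not in IMPACT_WEIGHT:
            raise ValueError(f"unknown impact category: {self.impact!r}")
        if not 0 <= self.likelihood_pct <= 100:
            raise ValueError(f"likelihood must be a percentage, got {self.likelihood_pct}")
        return IMPACT_WEIGHT[self.impact] * self.likelihood_pct / 100


def consolidate(risks):
    """Step 2: merge entries that describe the same risk, keeping the more severe assessment."""
    merged = {}
    for risk in risks:
        key = " ".join(risk.description.lower().split())  # normalise case and spacing
        if key not in merged or risk.score() > merged[key].score():
            merged[key] = risk
    return list(merged.values())


def rank(risks):
    """Step 3: order by score, breaking ties by impact weight so High outranks Low."""
    return sorted(risks, key=lambda r: (r.score(), IMPACT_WEIGHT[r.impact]), reverse=True)


def needs_precaution(risk, tolerance):
    """Risks scoring at or above the tolerance get a precaution; the rest are accepted."""
    return risk.score() >= tolerance


def executive_summary(risks, tolerance):
    """Step 4: one line per risk, highest-ranked first, tied to its objective and owner."""
    lines = []
    for r in rank(consolidate(risks)):
        if needs_precaution(r, tolerance):
            action = f"precaution: {r.precaution or 'TO BE DECIDED'}"
        else:
            action = "accepted"
        lines.append(f"{r.score():.2f} {r.impact:<11} {r.likelihood_pct:>5.1f}%  {r.description} "
                     f"(objective: {r.objective}; owner: {r.owner}; {action})")
    return "\n".join(lines)


# Constructed sample register; the overbooking entry follows the page's worked example,
# and the second overbooking line is a deliberate duplicate for consolidate() to merge.
SAMPLE = [
    Risk("Overbooking buses", "Customer satisfaction", "Significant", 4, "Ops manager",
         "Automated booking cap"),
    Risk("overbooking  buses", "Customer satisfaction", "Significant", 2, "Ops manager"),
    Risk("Using hazardous materials", "Staff safety", "High", 10, "Lab supervisor",
         "Fume hood and PPE"),
    Risk("Sitting for long durations", "Staff health", "Minor", 60, "Facilities lead"),
]
TOLERANCE = 0.5  # assumed acceptable-risk threshold on the 0-5 score scale

if __name__ == "__main__":
    print(executive_summary(SAMPLE, TOLERANCE))
```

With these assumed weights the 4% overbooking case scores 0.16 and is accepted, matching the page’s reasoning that the company would likely continue regardless of that risk, while the frequent ergonomic risk outranks the rarer hazardous-materials one; the ranking is a function of both magnitude and likelihood, which is the point of step 3.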

Tips for writing a report

Here are some tips to consider if you’re writing a report:

  • Avoid including too much information, as it may leave the reader overwhelmed.
  • You can format your electronic version of your report so it’s easy to navigate quickly between topics mentioned in the executive summary and their detailed descriptions further on in the report.
  • Think about how changes in your company may bring about new risks.
  • Give your report a clear title, so your reader knows which risks it discusses.
  • Provide a target resolution date, which is when risk may be accepted or addressed.

A Guide to Risk Management Self Assessment

1. Risk management framework

Consideration Points

Integrated risk management is about embedding risk into the agency’s existing governance, planning, reporting & decision-making processes by developing a robust risk management framework.

Questions To Consider
• Has the accountable officer or statutory body developed and implemented a robust risk management framework appropriate to the size of their agency?

• Does the organization have the necessary policies and procedures in place to support risk management?

• Does the agency ensure all staff are informed of the risk management framework?

• Does the agency have an explicitly stated risk management policy that complements their vision and strategic objectives?

• Is there a designated risk management champion or unit to oversee the implementation of integrated risk management?

• Does risk management have the demonstrated support and ongoing attention of executive management?

• Does the agency have a risk management committee, or similar?

• Is risk management communicated, understood, and applied throughout agency processes?

• Is risk management integrated into existing governance and decision-making structures and performance reporting systems?

• Have control and accountability systems been adapted to account for risk management processes?

• Have key performance indicators and critical success factors been identified and included in agency reports?

• Does reporting on risk and risk management take place through existing management processes (e.g. performance reporting, ongoing monitoring, appraisals, internal auditing)?

• Has the agency put in place effective initiatives to build risk management awareness?

• Is written guidance (framework, policy, or operating principles) communicated throughout the agency to support individual units in building risk management into day-to-day operations?

• Is the risk management process integrated into strategic and operational planning?

• Does the agency identify and encourage education, training and development in risk management?

• Is the risk management framework reviewed at least annually?

2. Establishing the context

Establishing the context involves setting the parameters within which risks are identified, assessed and managed.

Questions To Consider
• Has the agency implemented appropriate processes to identify both the internal and external context within which the agency operates (for example, use of environmental scanning)?

• Has the risk management context been established with reference to the agency’s objectives and strategic planning?

• In determining the context, has the agency considered both challenges and opportunities?

• Does the agency’s environmental scanning process include a wide range of influences, trends and time horizons?

• Does the agency consider both its external and internal contexts in relation to risk management?

• Has the agency determined and documented its risk tolerances for the various components of its environment?

• Is the context regularly reviewed to ensure it remains correct/appropriate to the agency’s systems or controls?

• Has the agency determined appropriate risk criteria that align with its objectives?

Agency-level risks

• Have the objectives of individual projects been considered as part of the risk management context?

• Has the agency considered its capabilities and capacities (for example, funding, staff and technology)?

Cross-agency risks

• Does the agency consider the risk management practices of other agencies with which it delivers services?

• Does the agency consider cross-agency risks and communicate these risks with relevant agencies?

Whole-of-Government risks

• Does the agency consider the wider political and public sector environment?

• Does the agency consider strategic risk issues (for example, climate change) that require coordination with
other relevant agencies?

• Does the agency consider the potential impact of risks on industry and the community?

3. Risk identification

Risk identification is the process of identifying an agency’s challenges and opportunities.

Questions To Consider
• Are risks identified with reference to the agency’s strategic plan, that is, the objectives and deliverables of the agency?

• Are risks identified with reference to the agency’s operational plans?

• Are risks identified with reference to the agency’s program and project plans?

• Is risk identification linked to whole-of-Government policy and stakeholders?

• Does the agency consider risks at the agency, cross agency and whole-of-Government levels?

• Does the agency identify both challenges and opportunities?

• Does the agency consider both internal and external risks?

• Does the agency have ongoing, comprehensive and systematic processes for identifying risks?

• Are identified risks recorded in a risk register?

• Are the staff involved in risk identification knowledgeable about the process or activity being reviewed and about the risks that must be managed as part of that activity?

• Does risk identification involve appropriate stakeholders?

• Are strategic risks sourced from/reflected in the agency’s strategic plan?

Agency-level risks

• When identifying risks, does the agency consider the findings from past audits, evaluations and other assessments?

• Does the agency review relevant corporate records to determine if a pattern exists (for example, financial or property losses, data/record losses, workplace health and safety reports)?

• Does the agency consider risks identified from past learning?

• Does the agency undertake a gap analysis (that is, the difference between existing practice and strategic plans, policies and practices)?

Cross-agency risks

• Does the agency consider how risks within the agency may affect other agencies?

• Does a cross-agency committee assess risks associated with joint projects?

• Is there a process for notifying relevant stakeholders of cross-agency risks?

4. Risk analysis

Risk analysis involves analysing the impact of a potential challenge or opportunity for the agency.

Questions To Consider
• Does the agency have documented procedures to analyse the likelihood and consequence of each risk?

• Does the agency conduct appropriate analysis of the nature and extent of the causes and impacts of the risks?

• Are all risks analysed using a consistent methodology?

• Are risk analyses adequately documented?

• Has the agency examined and evaluated existing controls for the identified risks in terms of their strengths and weaknesses?

• Are risk management controls regularly monitored?

• Are appropriate levels of management and employees involved in the risk analysis process?

• Does risk analysis include ensuring that the agency is not ‘over-controlled’ for the risks it faces?

5. Risk evaluation

Risk evaluation involves determining which risks should be treated, and the priority for treatment implementation.

Questions To Consider
• Are risks found during the analysis process compared with the risk profile, risk appetite and risk tolerance established when the agency context was considered?

• Has the agency fully integrated risks into their strategic and operational plans or established risk treatment plans for the management of risks, where necessary?

• Are all risks within the agency evaluated using a consistent methodology?

• Are evaluated risks prioritised to ensure treatment of the highest risks is considered first?

• Are evaluated risks reviewed by an independent person to ensure risks are treated consistently?

• Are risks re-evaluated over time to determine if priorities need to change?

• Are risks reviewed or evaluated as part of the agency’s own strategic and operational planning processes?

6. Risk treatment

Risk treatment is the action, if any, taken to manage or mitigate a risk.

Questions To Consider
• Are risks treated in accordance with the pre-determined risk criteria established by the agency?

• Do proposed risk treatment plans include cost/benefit analyses of alternative courses of action?

• Is the managing of risks and associated controls assigned to particular officers within the agency?

Agency-level risks

• Does the agency have formal, documented contingency plans for disaster recovery and business continuity?

• Does the agency regularly review and test risk controls and contingency plans?

• Are internal controls developed and documented to treat identified risks?

Cross-agency risks

• Does the agency have contractual agreements in place to manage cross-agency projects and their related risks?

• Is there collaboration between agencies to agree risk treatments attached to identified cross-agency risks?

• Are processes in place to ensure cross-agency risks and risk treatments are monitored over time?

• Are Treasury and DPC informed of risk treatments, particularly if there are budget or policy implications?

Whole-of-Government risks

• Is there collaboration between agencies to agree on risk treatments attached to whole-of-Government risks?

• Are processes in place to ensure whole-of-Government risks and risk treatments are monitored over time?

• Are Treasury and DPC informed of risk treatments, particularly if there are budget or policy implications?

• Have strategic risks been assigned specific risk treatments and are these shared with other agencies?

7. Monitoring and review

Risk monitoring and review is about determining whether risks still exist, whether new risks have arisen, whether the likelihood or impact of risks have changed, and to reassess the risk priorities.

Questions To Consider
• Does the agency have a regular monitoring and review process to evaluate the:

o relevance of the risks to the achievement of the agency’s objectives?
o effectiveness of existing governance controls?
o application of risk treatment plans in practice?
o continuing relevance of the risk treatment plans to the agency’s strategic and operational objectives?

• Does the agency have policies and procedures in place for the reassessment of its risk profile and the opportunities provided by changes to the agency’s internal and/or external environments?

• Are adequate management information systems in place to facilitate risk monitoring and review requirements?

• Is risk appetite assessed in light of changing circumstances (for example, at regular intervals, as well as at trigger points such as a State election)?

• Are higher rated risks and associated current controls, and new controls/treatments reviewed regularly?

Agency-level risks

• Is there regular reporting of the status of risks (for example, to senior or executive management, risk management committee)?

• Does the Head of Internal Audit (where established) provide assistance in risk management and identifying deficiencies in risk management?

• Does the internal audit unit undertake regular reviews of the risk management process?

Cross-agency risks

• Do processes exist to ensure ongoing monitoring and reporting of cross-agency risks?

Whole-of-Government risks

• Do processes exist to ensure ongoing monitoring and reporting of whole-of-Government risks?

• Are strategic risks reviewed and evaluated through engaging appropriate processes such as environmental scanning?

• Are the results of any strategic risk review process shared with other agencies facing similar risks?

8. Communication and consultation

Stakeholders, both internal and external to the agency, should be consulted in the identification and management of risk.

Questions To Consider
• Are all staff aware of their responsibilities with respect to risk identification, treatment and management?

• Does the agency’s risk management framework promote continuous improvement through learning and innovation?

• Within the risk management framework, is there a process to ensure all stakeholders are identified?

• Where appropriate, is a communication plan developed (for example, where a large number of stakeholders are involved)?

• Are all key stakeholders consulted throughout the risk management cycle?

• Are stakeholder perceptions of risk addressed?

• Does the agency have processes to obtain input from Ministers and/or Cabinet on risks, their treatment and the Government’s appetite for risk?

• Are the agency’s risks discussed regularly with Department of the Premier and Cabinet and Treasury?

Agency-level risks

• Is there regular communication between the Head of Internal Audit and the risk management committee (or equivalent)?

• Does the risk management champion have direct access to the risk management committee (or equivalent) to raise concerns?

• Is there a risk management reporting system in place that ensures all relevant parties are kept informed of the risks faced by the agency?

Cross-agency risks

• Are effective communication strategies implemented for cross-agency risks (for example, multi-agency committees, and regular executive management forums)?

• Do risk management champions communicate with their counterparts in other agencies?

• Does the lead agency advise the appropriate risk analysis matrix to be followed for the cross-agency risk, and establish clear lines of communication and consultation?

Whole-of-Government risks

• Does the agency have processes to ensure Ministers and/or Cabinet are informed of high-risk or whole-of-Government risks?

• Are effective communication strategies implemented for whole-of-Government risks (for example, multi-agency committees, and regular executive management forums)?

• Do risk management champions communicate with their counterparts in other agencies?