the risk register

a key building block of efficient and effective enterprise risk management


This post describes how to structure and populate a good risk register. I will describe the key components, how they interlink and the recommended information requirements.

the risk register – what is it?

When you search the internet for the term “risk register”, you will find plenty of examples and tutorials. Often, these samples are very well presented, easy to comprehend and relatively simple to adapt to your organisation’s specific circumstances. Having said that, on closer inspection many of them don’t pass muster even for the smallest and minimally complex organisations.

The image below represents a sample of what you will find with an internet search:

[Image: an example of an incomplete risk register, a sample found on the www]

The example

  • has a clear structure
  • outlines a risk of possibly losing key employees
  • assigns a medium impact to it
  • allocates responsibility to the HR department
  • and leaves room for more risks

So you might wonder what is missing. After all, a risk is identified, its potential impact is being considered, and somebody is assigned to the risk. All sounds good, or doesn’t it?

The good news is that risk identification has taken place in this imaginary organisation. Furthermore, all three statements shown in this example are valid statements. However, they need to be brought into proper context and quantified. Additionally, some key ingredients need to be added. Hence, it is highly likely that this organisation needs to upgrade the register to reap the benefits of good ERM.

The risk of “losing key staff” – as shown in the table above – is a real issue for many organisations. However, the statement needs context and explanation.

  • what does “key” really mean?
  • how does the “medium” fit into the strategy/priorities of the organisation? In other words, what would “low” or “high” signify?
  • and finally, what is the duty of the HR-department?

The model risk register

Let’s leave this example aside and move on to the build-up of a comprehensive, clear and more tangible risk register. What does a good risk register look like? I focus on content and the key building blocks. IT-considerations and data analytics are the subject of a different conversation.

High Level Structure

[Image: six building blocks of a good risk register]

The header describes the risk at a sufficient level of detail. I call this the “ID” block.

Right underneath the ID-block we draw three vertical blocks. They encompass quantification, risk treatment undertakings and the respective outcomes. This is the “quant/mod” block.

In the blocks at the bottom we record and store important additional information, such as follow-up actions and access rights. I call one of them the “add-on” block and the other one the “gov” block.

Building Blocks

“ID” block

[Image: risk identification building block]

Key components are:

  1. A unique risk identification. This can be a number or an alphanumeric code; you can decide to use existing internal codes or just a plain integer. Both approaches have advantages and disadvantages.
  2. classification: risks need to be grouped following a pre-determined nomenclature and structure. You can use your own one or you can follow the guidance of the respective regulatory body or any other system that is suitable. It is important to cover ALL activities that your company is undertaking! The classification should span 2-3 levels for easy grouping and identification. Going back to our example, level 1 could be “operational risk”; level 2 “human resource risks” and level 3 “staff”.
  3. description: provide a basic description of the risk in free text form.
  4. impact: qualitative comments pertaining to expected impact should the risk materialise.
  5. And importantly, who is responsible for managing this risk.
“quant & mod” blocks

quant block 1

The block on the very left displays estimates of likelihood and corresponding severity should the risk under consideration materialise. These values – as the name implies – should be numeric. Best practice and knowledge must be applied when determining them. Preferably, a solid probabilistic model is used. Alternatively, deterministic scenarios might be used or past experience is taken as a reference.

Generic statements like “often” or “expensive” are easy to come up with. However, they are very vague. Hence, try to use quantitative statements as often as possible.

Having said that, it is crucial to be cognisant of, and explicitly note, the uncertainties associated with any projections (regardless of method) made in this section.

In a next step, benchmark the outcome against your organisation’s risk appetite to determine whether any treatment is necessary. This benchmarking is important to ensure that treatment efforts are spent on risks that really matter.

mod block

The middle block describes the chosen treatment actions in detail; furthermore, treatment costs are elaborated on.

quant block 2

The block to the right contains similar information to the one on the very left. However, all values and conclusions are recorded AFTER the mitigation/treatment efforts have taken place. Again, scale the values against the risk appetite. Furthermore, compare the outcomes to the actual cost of treatment. And lastly, note the effectiveness and efficiency of the treatment.

These latter points are crucial. One needs to determine and decide whether the treatment(s) achieve their objectives and what the cost/benefit of the treatment is. For instance, if the treatment of a certain risk costs “1.25” to cure a non-recurring impact of “1”, then it is likely not worth the effort!

In our example we would have specified what we mean by “key staff”. Henceforth, it will be easier to assign a probability and an impact should that individual or team leave. As a mitigant, you can think about development opportunities, flexible work arrangements, incentives and other measures.
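The three quant/mod blocks can be held as one record and checked mechanically. The sketch below is an added example, not part of the original post: the field names, the risk IDs, the sample figures and the rule "exposure = likelihood × severity" are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Quant:
    """One quant block: numeric estimates for a single risk."""
    likelihood: float      # probability of the risk materialising (0..1)
    severity: float        # loss if it does, in the register's unit
    uncertainty: str = ""  # explicit note on how reliable the estimate is

    def exposure(self) -> float:
        # Assumption of this example: exposure = likelihood x severity.
        return self.likelihood * self.severity

@dataclass
class RiskEntry:
    risk_id: str            # "ID" block: unique identification (hypothetical)
    classification: tuple   # "ID" block: levels 1-3
    owner: str              # "ID" block: who manages the risk
    before: Quant           # quant block 1 (pre-treatment)
    treatment: str          # mod block: chosen treatment
    treatment_cost: float   # mod block: cost of that treatment
    after: Quant            # quant block 2 (post-treatment)

    def assess(self, appetite: float) -> dict:
        """Benchmark both quant blocks against the risk appetite and
        compare the exposure removed with the cost of treatment."""
        pre, post = self.before.exposure(), self.after.exposure()
        benefit = pre - post
        return {
            "needs_treatment": pre > appetite,
            "within_appetite_after": post <= appetite,
            "benefit": benefit,
            "worth_the_cost": benefit > self.treatment_cost,
        }

# Constructed sample values, not taken from a real register.
key_staff = RiskEntry(
    "OP-HR-001", ("operational risk", "human resource risks", "staff"), "HR",
    before=Quant(0.25, 400.0, "based on past attrition, small sample"),
    treatment="development opportunities, flexible work arrangements",
    treatment_cost=40.0,
    after=Quant(0.0625, 400.0, "assumes the measures are taken up"),
)
# The post's own counter-example: paying 1.25 to cure a one-off impact of 1.
overpriced = RiskEntry(
    "EX-001", ("example",), "n/a",
    before=Quant(1.0, 1.0), treatment="cure", treatment_cost=1.25,
    after=Quant(0.0, 0.0),
)

if __name__ == "__main__":
    print(key_staff.assess(appetite=50.0))
    print(overpriced.assess(appetite=0.5))
```

The first entry is above appetite before treatment, within it afterwards, and the exposure removed exceeds the treatment cost; the second is flagged as not worth the cost.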

Certainly, the “ID” and the “quant/mod” blocks are the most challenging and interesting components of the risk register. Populating those blocks often leads to in-depth discussions and sometimes heated arguments amongst all the contributors. But it’s always interesting and often fun to travel this segment of the ERM-journey. Having said that, a risk register without the remaining two blocks is almost like a house without a basement! Hence, I strongly recommend completing the bottom two blocks as well.

“add-on” block

You need to determine how often you will review each entry. Some risks change very rapidly. Take Cyber, where the risk landscape evolves constantly. Hence, Cyber-related risks need to be reviewed very frequently. At the other end of the spectrum, certain operational risks (under most circumstances) evolve much slower. Hence, your organisation can review these less frequently.

The second component of the add-on block consists of considerations about additional classifications. Whilst we have grouped risks already in the “ID” block, it is advisable to do some more classification at this stage. It is highly recommended to classify or rank risks according to impact on strategy and materiality. Importantly, you should generate a “top 10” list of the risks that really really matter to your organisation. I borrow a term from a global consulting company: McKinsey make explicit reference to “the company’s big bets”.

senior mgmt and the BoD focus their attention on the organisation’s KEY risks.

And last but absolutely not least: you need to establish linkages between individual risks should they correlate. This is key, even if the correlation at first sight appears marginal only.

“gov” block

[Image: the governance building block]

And finally, some important “housekeeping” matters complete the register:

  1. assign an “owner” of the entire risk register. This person/function is the overall owner of the risk register. Note though, that the owner of the register is (in most cases) different from the risk owner!
  2. state the author of the current register (in smaller organisations, this might be the same person/function as the “owner”)
  3. add a version number, and the date(s) for upcoming general revisions
  4. make reference to the register’s exact storage location
    AND, crucially
  5. determine “access rights” and “confidentiality”; the challenge is to find the right balance between being transparent and inclusive, whilst keeping some key strategic matters confidential. For instance, in the case of a key strategic risk, most information, especially the treatment and the impact, might be kept strictly confidential.

the gist of it

In this blogpost, I describe the set-up and design of a functional and comprehensive risk register. Six interlinked core components make up a complete register. If you have questions, kindly contact us via the social media buttons below.



Megrow Podcast: Episode 5

“The Making Of”

Several listeners have asked me to talk about the technicalities of podcasting. This blogpost summarises my approach to preparing, recording, editing and publishing the Megrow podcast. As a general rule, I strive to combine a decent quality outcome with the use of relatively modest hard- and software. Note though: many roads lead to Rome!

This blogpost is the (almost) verbatim script of the recently released Megrow Podcast Episode 5. If you prefer listening to it, click on this link or the image just below. Otherwise enjoy the reading.


You do NOT need to spend thousands of dollars on high-tech equipment or rent a professional studio to record a podcast at decent quality. However, some good equipment is needed to produce professional podcasts. Nothing worse than high quality content that loses its impact due to poor recording and shoddy processing!

A decent quality microphone is the single most important investment to make. Almost any external microphone is better than the built-in microphones in your laptop / tablet / PC / mobile phone.

I purchased a Yeti Blue, for around USD 130, because

  • all the reviews I read attested to the Yeti’s very good sound quality
  • the price, whilst not cheap, felt reasonable
  • it connects via USB to any computer
  • no additional hardware, like sound mixers, needed
  • simple plug-in and record, no need to install apps or software
  • both the microphone and the stand feel very robust
  • micro can be adjusted for solo podcasting or interview-type conversations
  • and, I do like the design and the colors

[Image: the YETI microphone, ideal for podcasting]

The detailed technical description of the microphone and the color choice is available on the Yeti website. The Yeti is NOT a light-weight!

I also invested 20 USD into a pop-screen. When buying one, make sure it is big enough to cover the entire microphone. Make sure the lock comes with mounting clamps or screws to fix the screen on your mic or the table/stand that you put your recording gear on.

[Image: the pop blocker screen in the recording studio set-up]


Both iOS and W10 have built-in voice recorders. They work perfectly well for podcasting purposes.

Important: regardless of the device/app you use, make sure it can record with at least 44.1 kHz sampling rate. Most apps have a “setting” or “preference” option where you can adjust audio quality to “maximum” or whatever the terminology of your preferred OS is. 44.1 kHz records sound at excellent quality whilst keeping the audio files at a manageable size.

One thing to note: when using a good quality microphone at 44.1 kHz settings, be absolutely sure that you record in a quiet environment to avoid picking up background noise. Our brains are excellent at filtering out low level noise emanating from air conditioners or cooling fans of computers. However, a good microphone will register fan noise, which will distort your recording. Hence be wary of “silent” noise when recording.

One additional point to note, especially when your recording device runs a different OS than your post-processing device(s). You need to record your audio in a format that the “receiving” OS and software can open and process. 


Once you have recorded your ramblings, you may want to do some post-processing to enhance the messaging of your podcast.

Depending on the operating system you use, different options (at no extra cost) are available for editing your recordings. I mostly edit on a W10 machine using DaVinci Resolve 16 from Blackmagic. This editor is extremely feature rich, requires a journey along a steep learning curve and is available as a free download from the Blackmagic website. I use DaVinci because I grew reasonably familiar with it during the early days of my personal YouTube channel.

On the side: iMovie on your Mac will do the job just as nicely. 

A voice-only editor is insufficient for me, because I add images, titles, lay-over text, video snippets and music to the voice recording.


content creation

Thus far, I’ve had a smooth journey in terms of finding content. I do a lot of Enterprise Risk Management consulting work, hence ERM is a given topic. Let’s hope the creative vibes stay with me for a long time!

I could easily record an entire podcast episode without preparation. However, I prefer to script each episode at a great level of detail. Putting my thoughts on paper (aka MS Word) forces some discipline into my thought process. In addition, a script eases content management and instills more focus on the actual delivery. Reading off a script also makes recording quite straightforward.

And lastly, I release an accompanying blogpost on the Megrow website concomitantly to the podcast. The blog is a very close copy of the actual podcast script, so very little work is needed to cover two communication channels in one go.

Episodes usually last for about 10 minutes. I believe that 10 minutes provide enough time to get some detailed content across without “hand-cuffing” listeners for too long.

quality control

Once I have an almost final version of the script, I choose the “read-aloud” function in MS Word for proofing. Listening to the computer voice whilst following the text is such an efficient way of spotting mistakes and errors. Additionally, I also record the time needed for MS Word to read the entire text – just to make sure I stay within the ten-minute target duration.

I’m obviously not a native English-speaker, so spell- and grammar check is a given.

the studio

Once I’m OK with the script, I set up the recording hardware. Mostly, I just put the laptop on top of a cardboard box, place the microphone next to it and fit the pop-blocker in front of the Yeti. It might not look very professional, but this set-up is fast and practical. For best sound quality, the Yeti needs to stand vertical and you need to talk into the microphone from the front. 

[Image: the recording studio, a simple, highly mobile and flexible set-up]

I record each episode in chapters. Recording in slices makes the process much easier. When I stumble over my own words, I can simply discard the current chapter and re-record it. In addition, bite-sized audio slices also speed up my editing workflow.


My editing process is relatively straight-forward:

  • set the editor – DaVinci Resolve in my case – to 1920×1080 Full HD resolution. This is currently the best choice when considering file size and quality
  • match quality setting of the audio track in your editing software to the high-quality settings used for voice recording
  • add opening screen, the intro and the outro from my templates stock. The intro and outro form the boundaries of the podcast in the editing software’s story line
  • mark chapters in the podcast with distinct titles for easy navigation
  • add images, URLs and video snippets when needed
  • pre-view the episode a few times for final quality control
  • export the project at full HD and upload to YouTube

going live

Recorded and edited, how will the world find your podcast and listen to it?

The state-of-the-art publishing process encompasses publication on one of the well-known Podcast feeders, such as Apple Podcasts or “Podcast Addict” for Android (to name just two). I was initially considering going down that route as well, but after a bit of thinking and tinkering, I decided to simply publish the Megrow podcast on YouTube. 

YouTube has a very distinctive set of advantages

  • it is a very well-known, easily accessible and omnipresent platform
  • tagging and onwards distribution/linking to other Social Media channels is easy
  • I’m familiar with the platform
  • listeners can subscribe to my channel and post comments
  • show notes can be added easily
  • device and platform independent, only needs a browser

My current method of reaching out to my audience is a five-pronged approach:

  • post on YouTube
  • announce the Episode on my Megrow Twitter account
  • put the link on Megrow’s LinkedIn page
  • post link on “my” LinkedIn page
  • publish the (almost) verbatim podcast on Megrow website as a blogpost.


I hope my thoughts will be helpful to some of you who are current or aspiring podcasters! Thank you very much for reading this blogpost. Other blogposts are here. You can contact me via the buttons at the bottom of the page.