Risk management can be complex and draining. Most of us don't like administration. But, like time management, it's ultimately about organisational effectiveness. RECAL will stop you hunting through lists and making manual comparisons. And the truth is that it is good to be in control.
RECAL offers many business benefits, particularly compared to a spreadsheet. We cover five here, central to which is the ability to share within and outside your organisation. RECAL is the remedy to "enterprise list management" and will help you to get better, go faster and focus on what really matters.
Introducing RECAL, our online risk register
Developed after 5 years of research, dialogue and practical experience with risk registers, RECAL offers many business, conceptual and functional benefits:
- Sharing: senior managers, risk people, regulators, peer organisations.
- Best practice: pre-built with ours. Add and share your expertise.
- Ease of use: our aim was to be simpler and less intimidating than Excel.
- Control: find, update, compare and manage with speed and imagination.
RECAL is available in three versions:
- Demo: This version illustrates key features e.g. add, change, sort, audit, advanced reports. But you won't be able to save anything permanently.
- Free: A multi-user version in which you can analyse and save your data. But you won't get support or the many paid features.
- Paid: Support, user-defined variables, bulk uploads, unlimited sharing and the ability to extend RECAL beyond risk.
Our RECAL versions article covers what's in and out of each version in more detail – we've tried to err on the side of generosity.
Enough background. What are the benefits of using RECAL?
Benefit 1: Risk management insights
Data and information are hard to process. What could be easier than the typical spreadsheet-based risk register? The problem is that multiple pieces of information are often embedded in a single spreadsheet "cell". Let's take a look at an extract from Oxford University's strategic risk register as at 15 February 2010:
This is a relatively small risk register and we allow for this in our critique. We will focus on column 1 (risks) and column 4 (controls).
Since this is only an extract from the complete risk register, only one risk – "failure to take action" – is shown. The quality (or otherwise) of this definition is beyond the scope of this article. The important thing to note is that in column 4 there are 6 controls, the objective of which is to ensure that the risk position is better than it would be in the absence of such controls.
There are two things to note which make real risk management much harder than it need be:
- Risks, controls (and, indeed, actions) are combined in one table.
- There are 6 "key controls" under column 4, combined into one "table cell".
Now picture this. You have a risk register with 60 risks. Each risk has, on average, 4 controls. So 240 controls against 60 risks. But the difficulty is with the management not the maths. You see a control against risk 43 that looks similar to the control against risk 7. But it has a slightly different wording.
Is it the same control? If you remove one (we are speaking of the control operating rather than its appearance in the risk register) will the other control also stop? How about if we strengthen the control? What other risks are using this control? Which ones should be? Do you see the issue?
The "bunched controls" approach above is perhaps acceptable for a small risk register. But it is not scalable, nor does it lend itself to developing quality controls. Controls may instead be developed in an ad hoc manner, or even become "wish lists". You miss both efficiency and robustness.
You were also "lucky" to spot the similarity of controls from this output. In reality controls should get as much emphasis as risks, and that's where RECAL comes in. In principle spreadsheet-based risk registers could have separate tables for risks and controls. In practice they tend not to.
RECAL is much more than a list of risks. The structure is simple but dynamic:
|Risks||Everyone knows about risks, but the key insights here are about their appropriate classification: Are you picking up strategic risks? Are your risks consistent with your business plans and objectives? Is it complete? Are your risks modelled? Is one risk owner consistently mis-rating his risks? How will you know? RECAL does this and more.|
|Events||Aka incidents or "bad things that happened" and "near misses". RECAL tracks events, in relation to risks, so that lessons can be learned for risk and control assessment and effectiveness. This table is particularly pertinent to internal operational risks.|
|Controls||This table deals with the problem of lots of controls being trapped in a spreadsheet cell. Without this table you have a list of risks. With separate tables you can compare risks and controls in many ways and produce a complete list of controls.|
|Actions||Actions can arise from risks (e.g. must change the risk owner), events (upgrade hardware after unacceptable downtime) or controls (upgrade an existing ineffective control). Separate table analysis means that RECAL can even operate as a "to do list".|
These tables fit together seamlessly. The "risks" table connects to the other 3 tables; each event and control has a corresponding risk, while actions can arise from events (e.g. put something right), controls (improve a control) or directly from a risk. No more mess and lack of control.
Even better, RECAL supplies a risk-control matrix which facilitates managing risks versus controls.
Benefit 2: Focus your attention on the task in hand
Based on our experience, we've split work into 6 modes, which correspond to tasks and likely audience. This streamlining helps you work faster.
|Analysis||All those interested||Basic views with sorting and filtering. Like Excel, but easier. Produce basic lists of risks / controls, ranked etc.|
|AddChangeDelete||Front line staff and assessors||A real "doing" mode: add, update and delete items. Can be restricted using administration mode.|
|AnalysisPlus||All those interested||Automated exploratory data analysis, two-dimensional investigations – "crosstabs" – and trends over time.|
|Audit||Central risk team||Reproduce any past result. Examine changes between two "snapshots", or a full audit trail between two dates.|
|Administration||Overall risk administrator||Set the content and appearance of reports, including user-defined fields. Set permissions and security.|
|AppSpecific||Central risk team||Produce powerful and flexible summaries, consistency and health checks.|
AppSpecific mode: risk and other flavours
The AppSpecific mode is where we move away from generic database and analytics capabilities, to domain-specific functionality and content.
The RECAL risk functionality includes:
- Risks versus controls matrix. Useful for consistency and completeness; individual and grouped results.
- Counts of actions, controls and events for each risk. This extends the Risks table with punchy summaries of these three related areas.
- General risk register health checks. Examples include risks without controls (and vice versa), items past due dates.
- Bespoke functionality. We have written debt management, insurance quote and recruitment scoring systems. We can write bespoke material for you.
- Default functionality. For an uploaded non-risk database without bespoke functionality AppSpecific mode provides exploratory data analysis.
RECAL is built for explorers. More "risk-creativity" flows from rapid insights: risks versus controls, comparisons between risk types and assessors, changes over time. Before long you will spot risks that were unidentified, under-played, over-emphasized. You will have shone a light on risk management.
To be specific let's give one practical example. The "advanced" mode above has a lot of practical functionality, including tracking over time. The following screenshot shows us tracking the rather artificial total of all probabilities, grouped by risk owner (results can be produced at the individual risk / control level).
- User sets tracking dates, starting with 1 Jan 2013 here.
- User sets the variable to track; here it's "probability" in the risks table.
- User sets any grouping; here it's risk owner – without grouping it would have been at the individual risk level.
Naturally user-defined variables such as "risk score = probability * impact" can also be tracked – as can all other variables.
Benefit 3: Share expertise and experience
The centrality of sharing
The ability to share expertise and experience is perhaps the most important benefit of RECAL. There are lots of ways in which RECAL can promote practical and valuable sharing. Here are some.
Senior management: If a person can load a web page they can check up on risk management progress. Particular concerns – which may not have been developed in a risk management report – can be investigated and followed up. The senior manager gets a window on the world of his firm's risk management.
Aside: some senior managers seem averse to admitting a technical interest or competence, a little like some people boast of their mathematical ineptitude. There is nothing to recommend this stance, but the web route does provide a "face saving" way for a senior executive to engage, showing an interest in whatever he likes.
Risk owners: A risk owner is a senior manager with a particular risk responsibility, often for the overall management of one risk type (e.g. operational risk, insurance risk, credit risk etc). RECAL can compare results between risk owners; how often are they updating risk or control assessments, for example? Such reviews can be carried out by the risk owner himself or by the central risk function on behalf of risk owners, generating positive peer pressure.
Business units: There may be some degree of overlap in the responsibilities or interests of different business units. For example, various business units might have a responsibility to set prices, participate in tenders or enter into contracts. Most business units will have operational responsibilities. RECAL enables sharing of good ideas and practice. This is not just about stopping bad things happening, but (e.g.) about the practice of good controls: what works to make things better?
Subsidiaries: As well as the business units points above there may be additional factors specific to subsidiary companies (or equivalents):
- Location: Naturally some subsidiaries are located in different countries. Web-based systems such as RECAL are ideal for sharing in such circumstances.
- Consistency: A group company may buy similar smaller companies to grow. It may want each company to manage common risks in a consistent way.
Advisers and regulators: Organisations may save time and money and gain credibility by sharing information with third parties such as these.
Peer organisations: Where there are no overriding competitive concerns, organisations may share risk-related and other information with their peers. The most obvious examples are in the public and voluntary sectors (government departments, schools, hospitals, small charities, churches etc).
For the public sector specifically, or where there are public safety issues, the public now expects such sharing; newspapers run stories when public sector bodies behave inconsistently or fail to alert their peers. A 2013 Ofsted report, "Pupils missing out on education", says, among many comments on sharing, that:
All schools, including academies, free schools and independent schools, have a responsibility to share information with the local authority about any child or young person who is out of school for 15 days or more. However, the survey showed that schools and professionals from other services were not sharing information well enough with one another and some children were being missed completely or having their learning seriously disrupted. Pupils missing out on education – Ofsted 2013
Now let's give some specific examples of how RECAL can help share within and outside an organisation.
Sharing: within and between organisations
Our "within an organisation" example sets up how RECAL can aggregate and share information between different risk owners and departments. Going much further, the "between organisations" example shows how RECAL enables organisations to benefit from others' expertise and experience – and to predict effects.
 Within an organisation
First we consider an insurance company with a number of risks and controls. These are divided up among five risk owners (A-E) as follows:
|A||Strategic risk. Delegated Board responsibility.|
|B||Insurance risk. Mortality, longevity, morbidity and lapse risk. Additionally solvency, reserving and pricing risks.|
|C||Investment risk. Specifically the various forms of credit risk. Additionally liquidity risk.|
|D||Market risks. e.g. interest rate, inflation and exchange rate risks|
|E||Operational risk. i.e. the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events|
The insurance company is forward-looking, having put in place a formal control framework. Some of the control types are shown in the first column of the graphic below. Risk owners choose to deploy specific instances of the generic controls, as shown in the following risk-control matrix:
How can we use this risk-control matrix?
An individual risk owner can see his use of controls across his risks; the main body of the table shows how many times a particular control (type) has been deployed by the risk owner. Do gaps make sense, given the risk owner's responsibilities? Has something been missed? Are there opportunities for better use of controls? The "normal" presentation of controls in a single column – as shown in "Risk management insights" above – makes this analysis almost impossible.
The RECAL approach enables different people to share their expertise and experience. Different risk owners benefit from one another.
Other useful risk-control matrices
- Individual risks versus controls: The change here is that instead of showing A-E the first row shows the individual risks. This is most useful when restricting to a single risk owner, who can see if the way he is deploying controls makes sense.
- Risk types versus controls: this is as above, but the split by risk type can be helpful; only a small selection of controls will be relevant e.g. to liquidity risk.
- Aims: is risk owners' use of controls consistent or as expected?
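The separate risks and controls tables from "Risk management insights", and the risk-control matrices and health checks described above, can be sketched in a few lines. This is an added example, not RECAL's own code: the sample risks, controls and links are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (not from RECAL). Each control is stored once and
# linked to risks, instead of being retyped inside a risk's "controls" cell.
RISKS = [
    {"id": "R1", "owner": "B", "risk_type": "Insurance"},
    {"id": "R2", "owner": "C", "risk_type": "Investment"},
    {"id": "R3", "owner": "C", "risk_type": "Investment"},
    {"id": "R4", "owner": "E", "risk_type": "Operational"},
    {"id": "R5", "owner": "E", "risk_type": "Operational"},  # no control yet
]
CONTROLS = [
    {"id": "C1", "name": "Limits and triggers"},
    {"id": "C2", "name": "Independent review"},
    {"id": "C3", "name": "Reconciliation"},
    {"id": "C4", "name": "Stress testing"},  # defined but never deployed
]
LINKS = [("R1", "C2"), ("R2", "C1"), ("R3", "C1"),
         ("R3", "C2"), ("R4", "C3"), ("R4", "C2")]


def risk_control_matrix(risks, controls, links, group_by="owner"):
    """Count deployments of each control per group.

    group_by may be "owner", "risk_type" or "id" (individual risks).
    Links that point at unknown risks or controls are skipped here and
    reported by health_checks() instead.
    """
    risk_by_id = {r["id"]: r for r in risks}
    matrix = {c["id"]: defaultdict(int) for c in controls}
    for risk_id, control_id in links:
        if risk_id in risk_by_id and control_id in matrix:
            matrix[control_id][risk_by_id[risk_id][group_by]] += 1
    return {cid: dict(row) for cid, row in matrix.items()}


def risks_using(control_id, links):
    """Answer 'what other risks are using this control?'."""
    return sorted(r for r, c in links if c == control_id)


def health_checks(risks, controls, links):
    """Risks without controls, controls without risks, and broken links."""
    known_risks = {r["id"] for r in risks}
    known_controls = {c["id"] for c in controls}
    return {
        "risks_without_controls": sorted(known_risks - {r for r, _ in links}),
        "controls_without_risks": sorted(known_controls - {c for _, c in links}),
        "dangling_links": sorted((r, c) for r, c in links
                                 if r not in known_risks or c not in known_controls),
    }


if __name__ == "__main__":
    names = {c["id"]: c["name"] for c in CONTROLS}
    owners = sorted({r["owner"] for r in RISKS})
    matrix = risk_control_matrix(RISKS, CONTROLS, LINKS)
    print(f"{'Control':<22}" + "".join(f"{o:>4}" for o in owners))
    for cid, row in matrix.items():
        print(f"{names[cid]:<22}" + "".join(f"{row.get(o, 0):>4}" for o in owners))
    print(health_checks(RISKS, CONTROLS, LINKS))
```

Because a control exists once and is linked, removing or strengthening it shows immediately which risks are affected, which a "bunched" spreadsheet cell cannot tell you.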
 Between organisations
Now suppose you are the CEO of a UK hospital. You have read US surgeon Atul Gawande's book The Checklist manifesto: how to get things right which suggests that hospitals can guard against mishaps (e.g. sewing a scalpel into a patient!) by using simple checklists. You want to implement this and, indeed, to review other operational (pardon the pun) controls within your hospital. But that's a huge job. Depending on the size of your hospital and the specificity of the "mishaps" you may not have enough data. You, like Gawande, may experience surgeon resistance. Can sharing between hospitals help? Can a web-based system such as RECAL help?
Please note that "between organisations" sharing and analytics is only available within the paid version of RECAL.
Yes and yes. Consider the hospitals equivalent of the material above, and a little more:
- Risks: these describe the bad operational events you are trying to prevent.
- Events: the occurrences – when the bad things happened.
- Actions: the plans you have for improvements.
- Controls: the controls in place to prevent events – and mitigations to limit the effect of events which do happen.
- Hospitals: the organisations who have agreed to share data.
The actual events are relatively straightforward. As with other items in RECAL they are automatically assigned a code. There is also a hospital code, corresponding to the risk owner field above. This enables results to be aggregated over or split by hospital. There are two adjustments, the first essential and the second useful:
- Adjustment for hospital size: Larger hospitals tend to have more events (e.g. mistakes). We need to calculate error rates, not just number of errors.
- Expected events: this is useful if we want to measure performance against internal expectations. This is a follow-on from other risk assessment techniques.
What we now have is a set of error rates (corresponding to each risk) split by hospital. What's more, each hospital will have a number of controls against each risk, including the use of checklists. Here's the interesting question: across all those controls, which ones were useful in bringing down errors?
Here's where risk management combines with analytics and standard statistical techniques to produce value. Clearly a certain amount of work can be done "by hand" – this is sometimes called exploratory data analysis; it enables us to get a feel for what is going on and perhaps to formulate initial hypotheses. But the "big win" comes when we bring out the statistical power tools of multivariate regression. The challenge is that we have a range of controls, some deployed by one hospital and some not. How do we analyse that mess? We have a paid RECAL service that enables us to run regressions and determine the value of controls. Controls which are valuable in other hospitals are candidates for inclusion in yours. Other controls may have no beneficial effect and time should be spent elsewhere.
The power of such an approach is that smaller organisations whose data would not be credible can benefit from larger organisations. The individual can benefit from the group. Instead of simply relying on a risk owner's judgement about "probability and impact" we can model the individual error/event rates as a function of controls. This is familiar territory e.g. to an actuary who has worked in general insurance. It really is time to deploy big data techniques more widely.
Benefit 4: Bundled items to get you on the fast track
Much more than software, RECAL comes with bundled tools to get you started quickly. Four of these are:
- Enhanced risk type checklist. RECAL comes with a common risk classification system for the actuarial profession. Particularly relevant to the financial services sector, this 2011 3-level classification forms a useful check on the completeness of risk assessment for such companies.
- Multi-dimensional risk classification systems. As with many things (chemicals, animals, music, football etc) risk is multi-dimensional; it can be classified in many ways. For the purposes of action / management, some are more helpful than risk type. So RECAL comes with IAA's multidimensional CARE and more.
- 60 Intelligent Controls. Too often controls are merely financial controls. Matthew Leitch's 60 intelligent controls come bundled with RECAL. They expand the focus away from financial statements in two ways:
  - Operational controls: Some traditional checks such as separation of duties can be applied to operations, though may not be optimal.
  - Non-traditional controls: Where the power of "intelligent" controls is really brought into play. See our earlier articles Less risk, more management
- Improvements to probability-impact risk assessment. The paid version of RECAL comes bundled with 6 alternatives (usually improvements) to this method. Are they necessary? Let's hear some risk management experts:
The most popular risk management methodologies today are developed in complete isolation from more sophisticated risk management methods known to actuaries, engineers and financial analysts. ... the methods developed by the management consultants are the least supported by any theoretical or empirical analysis. The structured risk management methods that management consultants have developed are much more likely, no matter how elaborate and detailed the methodology, to be based on simple scoring schemes. Douglas Hubbard, author of The failure of risk management
One key weakness of deterministic assessments is that they are not readily comparable across risks ... comparisons between deterministic scenarios will not be on a consistent basis as both the likelihood and impact for scenarios will vary. However in practice risk managers routinely compare several deterministic scenarios and make decisions on that basis. Blackett review: High impact low probability risks
Heatmaps don't really work at the strategic level. They try to get you to allocate a likelihood and impact to each risk. But for every risk there's a whole range of impacts. Let's take rain affecting cricket matches. The impact and likelihood of occasional drizzle is different to a thunderstorm which differs again from a summer monsoon. So which do you choose? Anyone using a heat map in this way is taking a view on which type of rain matters and very rarely are they transparent in doing so. We need to have a simpler analysis which can be quantified. Source: Trevor Llanwarne, former Government Actuary: Risk registers that work at board level
Benefit 5: Material methodology improvements
The average risk register is conceptually and practically flawed. In a "debugging" process we've removed these as follows:
|Average risk register flaw||RECAL online risk register|
|Even large registers often omit key risks. "I looked for the top 7 risks and 3 were missing." Source: Risk registers that work at Board level – government chief actuary, 2013||Checklist includes strategic uncertainty and other risk types. Speaks "non-actuary" to board members.|
|Risk descriptions are often poor: "Omitting cause and measures." Source: Causal links within and between risk register items, Leitch, 2008||Optionally include causes (for management) and metrics (for assessment and triggers).|
|Risk assessments are inconsistent and incomplete. Source: Risk-registers: promise, pitfalls, payoffs and alternatives and "Board level" speech above||Covers all the risk types. Can use full risk distributions, rather than just probability-impact.|
|Risk management via controls can almost appear an afterthought. They often appear bunched in the last column of a risk register, getting much less focus than risks.||Multi-dimensional classifications and intelligent controls facilitate action rather than just analysis.|
|Sharing with colleagues can be difficult. e.g. with front line staff, senior management, risk team – each with appropriate permissions.||Web technology makes it easy to share in and out of the office, between countries and time zones etc.|
|Updating can be difficult. A central risk team may receive/collate 10+ monthly spreadsheets. Front line staff may forget what to do.||Web interface, database back end. Front line staff do the updating and simple analyses. Saves time.|
RECAL avoids the flaws and much more:
- Highlights inconsistencies: e.g. risk ratings which exceed targets, risks without controls, and controls without risks(!)
- Goes beyond checks and balances: e.g. summary comparisons between "risk owner" assessments and using risk-control matrices.
- Benchmarking and external insights: Has a peer got a different list or assessment of risks? Have you missed something that matters?