The typical traditional ERM method uses Risk Registers, which simply involve recording all risks that are present or anticipated. Each Risk Element (i.e., each risk item recorded in the Risk Register) may include information on the name of the risk; the category or type of the risk; who reported it; who is responsible for or is assigned the risk; what risk mitigation or risk control, if any, is required; the contact person; documentation; and so forth. Sometimes additional information is included, such as the frequency (Likelihood) of the risk and the severity (Impact) it may have on the organization. These Likelihood and Impact measures are usually qualitative estimates (high, medium, low), or they can be assigned numerical values (1 to 5 or 1 to 10, where the higher the frequency or severity, the higher the value assigned). Alternate methods that use Vulnerability (the inverse of the amount of risk mitigation completed) together with multiple risk controls are also supported.
Clearly, the amount of information and detail required varies depending on the organization. One way to think of a Risk Register is as akin to a check register. For example, if you have a checking account, you can write a check to pay a specific bill; on that single check, you write the recipient's name, the date, and the amount. You can, of course, write multiple checks to different recipients. And every time a check is written, you record it in a check register (whether electronically in accounting software or manually in a physical check register). Continuing with this analogy, each check represents a different risk element, and multiple risk elements make up the Risk Register. You may also own multiple bank accounts, each with its own check register; in other words, an organization may have multiple Risk Registers set up, one for each division, business unit, project, and so forth.
However, using Risk Registers alone often leads to ritualistic decision making, an illusion of control, the fallacy of misplaced concreteness, and reliance on purely qualitative risk assessments. While the use of Risk Registers is a good starting point, Integrated Risk Management takes this qualitative assessment to the next level with more powerful quantitative risk management approaches.