
The fourth stage of the risk assessment process is concerned with recording your actions. 

table 1

 

Risk recording should document your decision-making around the risk management process as a whole. This includes the decisions you make within your assessment and how you choose to undertake your assessment, i.e. the approaches and techniques you select.

An accurate and up-to-date risk assessment acts as documented evidence that your organisation has taken action in line with a particular schedule or in the event of significant change. This is essential in helping you communicate the level of risk facing your organisation to your stakeholders and any other interested parties.

The decisions you make around your risk assessment process should also be recorded. This will help you establish a consistent way of assessing risk and help others understand the activities of the risk assessment process and its outcomes. 

table 2

Recording Processes

Your commitment to managing risk in your organisation should be captured as part of a policy or statement. This policy should be accompanied by documentation that outlines key information about your risk management process. This should include the methods and techniques you have selected to analyse and evaluate risk, your risk criteria, and your approach for prioritising risks and determining controls.

 

Recording Results

If you have utilised the ProtectUK Approach and ProtectUK templates to undertake your risk assessment, it is likely that you have already fulfilled the requirements of recording your risk assessment results. This is because the ProtectUK guidance and templates have required you to record your decision-making and actions with each step of the risk assessment process.

If you have used an alternative approach to the risk assessment that does not involve the use of the ProtectUK templates, you will need to ensure that your process and outcomes are accurately captured as part of a dedicated risk register. This should include:

  • the risks you have identified and their impact and likelihood
  • the results of applying the risk acceptance criteria
  • the priority for risk treatment
  • the risk treatment options selected
  • the identification of necessary controls
  • a dedicated risk owner for each risk

Your organisation may utilise its own risk registers or templates for recording and treating risk. Any form of template or register may be used so long as it captures your risk assessment process and your decision-making in full.

Your risk assessment should be an accurate and up-to-date record of your outcomes and your overall decision-making. This is a living document. You should ensure that your assessment is kept up to date following any risk reviews, changes or developments.
