Auditing Checklists

Key Components of a Corporate Risk Register

Checklist Description

This checklist outlines the key components and processes of a corporate risk register.


Most large enterprises have a procedure for managing corporate risks. The procedure is intended to identify, record, and communicate risks in terms of their comparative importance to the company. The corporate risk register also forms the basis for reporting risk issues in the annual report. The information is usually stored in a central register, catalog, or inventory of risks. This should contain information suitably sorted, standardized, and merged for relevance to the appropriate level of management. Its key function is to provide management, the board, and key stakeholders with significant information on the main risks faced by the business. Every risk in the register should have the following features: opening date, title, short description, probability, and importance. A risk might also have a dedicated manager responsible for its resolution.

A risk register should help management to:

  • understand the nature of the risks the business faces;

  • be aware of the extent of those risks;

  • identify the level of risk that they are willing to accept;

  • recognize its ability to control and reduce risk.

However, a risk register is often out of date, incomplete, or inconsistent in its selection of appropriate controls and countermeasures for each risk. Many companies, therefore, use outside risk consultants. These consultants, working in conjunction with company staff, are better able to take an objective view of risks, assess their relative importance, and assign priorities.


  • A corporate risk register provides management and the board with important information on the main risks faced by the business.

  • The register allows management to identify and prioritize risks, ensuring that risks with the greatest probability or the greatest potential loss are handled first.


  • If risks are improperly assessed and prioritized, they can divert resources that could be used more profitably.

  • Unless it is competently maintained and updated, the risk register may not be comprehensive or consistent, leading to unrecognized risks.

  • The risk information may not be presented in a logical and unbiased form and, as such, can unintentionally mislead.

Action Checklist

  • Thoroughly check the risk register against any potential business risk you might foresee, and compare it with similar companies’ risk registers.

  • Research your market and make sure that you have analyzed the consequences of any risks upon your own business.

  • Encourage an atmosphere of openness about the kinds of risks facing the organization. Some risks are obvious, but managers of individual business units may sometimes know more about hidden risks. Only by fully understanding risks can you attempt to counteract them.

Dos and Don’ts


  • Seek the advice of specialist strategic risk advisers. Risk management is very complex. Experts from specialist risk management companies can help devise customized risk registers to protect against potential problems.

  • Keep in mind the distinction between risk and uncertainty. Risk can be measured by using the formula: Impact × Probability.

  • Quantify and differentiate between risks that are merely the cost of doing business and those that might have an impact on objectives.


  • Don’t make the error of failing to check the risk register thoroughly for inconsistencies.

  • Don’t believe that you can totally cover every risk your business could face.

  • Don’t rely on single controls and countermeasures for each risk.
