PRODUCT FEATURE GUIDE
Compliance activities & patrol management

Creating a Risk Register within a Critical Event Management (CEM) system for an organisation involves identifying, assessing, and managing risks that could potentially impact the organisation's operations, safety, and continuity. Here's a step-by-step guide to develop an effective Risk Register as part of your CEM system:

1. Identify Risks

The first step is to identify all possible risks that could affect the organisation. This can include natural disasters, cyber attacks, equipment failures, health and safety hazards, supply chain disruptions, and more. Use a combination of methods such as brainstorming sessions, expert consultations, and historical data analysis to compile a comprehensive list of risks.

2. Assess Risks

Once risks are identified, assess each risk based on two main factors:

• Likelihood: The probability of the risk occurring.
• Impact: The potential severity of the risk's consequences on the organisation's operations, reputation, finances, and other areas.

This assessment can be qualitative (low, medium, high) or quantitative (using specific metrics or scores).

3. Prioritise Risks

Based on the assessment, prioritise the risks by their likelihood and impact. This helps in focusing resources and efforts on managing the most critical risks. A common method is to use a risk matrix to categorise risks into different levels of priority.

4. Assign Ownership

For each risk, assign a risk owner. This individual or team is responsible for monitoring the risk and implementing measures to mitigate or respond to it. The owner should have the authority, knowledge, and resources necessary to manage the risk effectively.

5. Define Mitigation and Response Strategies

For each high-priority risk, develop mitigation strategies to prevent the risk from occurring and response plans to manage the risk if it does materialise. This includes identifying necessary resources, establishing procedures, and training relevant personnel.

6. Implement and Monitor

Implement the mitigation and response strategies. This involves allocating resources, conducting training, and integrating risk management practices into the organisation's operations. Continuously monitor the environment and the effectiveness of the risk management strategies, adjusting as necessary.

7. Review and Update

Regularly review the Risk Register to ensure it remains current and reflective of the organisation's risk profile. Update it to include new risks, remove outdated items, and revise risk assessments, priorities, and management strategies based on changing circumstances and insights from past events.

Integrating a Risk Register into your CEM system enables proactive risk management, enhances organisational resilience, and supports effective decision-making during critical events. A comprehensive Risk Register should include the following information for each risk:

• Risk Description: A detailed description of the risk and its potential impact.
• Likelihood and Impact: Assessment scores or categories.
• Priority Level: Based on the assessed likelihood and impact.
• Risk Owner: The person or team responsible for managing the risk.
• Mitigation Strategies: Steps to prevent the risk or reduce its impact.
• Response Plans: Actions to take if the risk materialises.
• Status: Current status of the risk and any ongoing management efforts.

You have complete control over the categories and types of risks you wish to record and manage. They all follow the same management process and there should be a consistent approach across the entire organisation.

A Risk Register focusing on comprehensive security aspects, including counter-terrorism, protective security, security culture and commitments, security planning, and threat & risk assessment, requires a broad approach to identifying potential risks. These encompass not only immediate physical and cyber threats but also strategic and organisational risks that could impact security posture and readiness. Here are the types of risks to consider:

Counter-Terrorism

1. Terrorist Attacks: The risk of attacks on facilities or personnel, including bombings, shootings, or other forms of violence.
2. Radicalisation: The potential for individuals within the organisation to be radicalised and pose internal threats.

Protective Security

3. Physical Breaches: Unauthorised access to secure areas, potentially endangering personnel and assets.
4. Surveillance Risks: The threat of hostile surveillance aimed at gathering information for future attacks or breaches.

Security Culture & Commitments

5. Non-Compliance with Security Policies: Risks associated with personnel not adhering to established security protocols.
6. Inadequate Security Awareness: The lack of regular security training and awareness among staff, leading to vulnerabilities.

Security Planning

7. Inadequate Crisis Management Plans: The risk of not having effective emergency and crisis response plans in place.
8. Resource Allocation Failures: Insufficient allocation of resources for security measures, impacting overall security effectiveness.

Threat & Risk Assessment

9. Misidentification of Threats: The risk of failing to correctly identify or assess potential threats and vulnerabilities.
10. Underestimation of Risks: Not accurately assessing the severity or likelihood of identified risks, leading to inadequate preparation.

Additional Considerations

11. Cybersecurity Threats: Including ransomware, data breaches, and cyber espionage that could compromise sensitive information.
12. Information Leakage: Risks of sensitive information being inadvertently or maliciously leaked to unauthorised individuals.
13. Supply Chain Vulnerabilities: Threats arising from compromised security practices within the supply chain.
14. Legal and Regulatory Non-Compliance: The risk of failing to comply with laws and regulations governing security and privacy, resulting in fines and reputational damage.

Mitigating these risks involves a multi-faceted approach, including establishing robust security frameworks, regular training and awareness programs, comprehensive threat assessments, and continuous monitoring and improvement of security practices. Collaboration across departments and with external agencies is also crucial to effectively address and manage these risks.

Can I use the risk register to record Cyber Risks?

Yes!  Here are key types of security risks to consider:

1. Cyber Attacks: Threats from hackers attempting to gain unauthorised access to systems, steal data, or deploy malware, ransomware, or other harmful software.
2. Data Breaches: The risk of sensitive or confidential information being exposed, stolen, or lost due to inadequate data protection measures.
3. Physical Security Breaches: Unauthorised access to facilities, leading to theft, vandalism, or harm to personnel.
4. Insider Threats: Risks posed by employees or contractors who intentionally or accidentally compromise security through their actions.
5. Phishing and Social Engineering: Techniques used by attackers to deceive individuals into revealing sensitive information or performing actions that compromise security.
6. Supply Chain Vulnerabilities: Risks arising from third-party vendors or suppliers whose security measures are inadequate, potentially compromising your organisation's security.
7. Compliance Violations: The risk of failing to adhere to regulatory and legal requirements related to security, leading to fines, penalties, or reputational damage.
8. Loss or Theft of Devices: Risks associated with the loss or theft of mobile devices or laptops containing sensitive information.
9. Network Intrusions: Unauthorised access to an organisation's network, potentially allowing attackers to monitor activities, extract data, or disrupt operations.
10. Denial of Service (DoS) Attacks: Attacks designed to overload systems or networks, rendering them unavailable to legitimate users.
11. Unsecured Interfaces and APIs: Risks related to the use of unsecured application programming interfaces (APIs) and interfaces that could be exploited to access systems or data.
12. Outdated or Unpatched Systems: Vulnerabilities arising from failing to apply security patches or updates to software and systems, leaving them open to exploitation.

Mitigating these risks requires a comprehensive security strategy that includes technical controls, policy and compliance management, employee training and awareness programs, and regular security assessments to identify and address vulnerabilities.

In the field of engineering, whether it involves civil, mechanical, electrical, or software engineering, managing risks is crucial to project success and safety. Addressing these risks involves thorough planning, risk assessment, and implementing risk mitigation strategies to ensure project success, safety, and compliance.

A Risk Register for engineering projects typically includes:

1. Project Delays: Risks associated with exceeding timelines due to unforeseen circumstances, such as supplier delays, resource shortages, or technical challenges.
2. Cost Overruns: The risk of projects going over budget due to inaccurate estimates, scope creep, or unexpected increases in material or labor costs.
3. Quality Issues: Risks related to not meeting the required standards or specifications, leading to rework, project delays, and increased costs.
4. Safety Hazards: Potential for accidents and injuries on the project site due to inadequate safety measures, equipment failure, or hazardous working conditions.
5. Environmental Impact: Risks associated with causing environmental damage, including pollution, habitat destruction, and non-compliance with environmental regulations.
6. Technological Failures: The risk of relying on unproven or complex technology that may not perform as expected, leading to project failures or delays.
7. Supply Chain Disruptions: Risks related to the unavailability of critical materials or components, affecting project timelines and costs.
8. Regulatory and Compliance Risks: The potential for failing to comply with local, national, or industry-specific regulations, leading to fines, legal action, or project shutdowns.
9. Stakeholder Engagement: Risks associated with inadequate communication or engagement with stakeholders, leading to opposition, delays, or additional project requirements.
10. Intellectual Property Issues: Risks of infringement on patents or other intellectual property, leading to legal challenges and project delays.
11. Cybersecurity Threats: For projects involving digital systems or software, the risk of data breaches, hacking, or other cybersecurity threats affecting project integrity and confidentiality.
12. Natural Disasters: Risks associated with natural events like earthquakes, floods, or hurricanes impacting project sites, resources, or timelines.

In the logistics sector, managing risks effectively is crucial for smooth operations. Addressing these risks requires comprehensive planning, including the implementation of safety protocols, insurance coverage, cybersecurity measures, and efficient supply chain management practices to ensure resilience and continuity in logistics operations.

Here's a list of common types of risks encountered in a logistics Risk Register:

1. Transportation Risks: Delays, accidents, and damages during transportation due to weather, traffic, or mechanical failures.
2. Supply Chain Disruptions: Interruptions in the supply chain caused by natural disasters, geopolitical tensions, supplier failures, or global pandemics.
3. Regulatory Compliance Risks: Fines and penalties resulting from failure to comply with local, national, or international regulations.
4. Theft and Vandalism: Loss of goods due to theft, hijacking, or vandalism during storage or transit.
5. Technological Risks: Cybersecurity threats, data breaches, and system failures affecting operational efficiency and security.
6. Inventory Management Risks: Overstocking, stock-outs, or inventory obsolescence due to poor demand forecasting or inventory mismanagement.
7. Contractual and Legal Risks: Disputes with clients, suppliers, or partners due to contract misunderstandings or non-compliance.
8. Financial Risks: Fluctuations in currency exchange rates, fuel prices, or unexpected increases in operation costs affecting profitability.
9. Environmental Risks: Spills and accidents causing environmental damage and leading to cleanup costs and reputational damage.
10. Health and Safety Risks: Injuries to employees or the public related to warehousing operations, equipment use, or hazardous materials handling.

"Soft Landings" typically refers to a strategy used in the construction and building sector to ensure a smooth transition from project completion to operation, focusing on the building's performance and the occupants' satisfaction. The approach aims to avoid common pitfalls that occur when handing over a building to its operators and users.

Mitigating these risks involves early and ongoing engagement with all stakeholders, thorough planning and documentation, comprehensive commissioning activities, and continuous monitoring and optimisation of building performance post-occupancy.

Here are key types of risks associated with Soft Landings:

1. Performance Gap: The risk that the building does not perform as expected or intended, leading to increased energy use, higher operational costs, or occupant discomfort.
2. Operational Readiness: Risks associated with the building’s operational team not being fully prepared or trained to manage and maintain the new facility effectively.
3. User Satisfaction: The potential for low occupant satisfaction due to issues with the building’s design, indoor environment quality, or usability that were not adequately addressed during the design and construction phases.
4. Commissioning Oversights: Risks related to incomplete or inadequate commissioning, resulting in systems that do not operate optimally or as designed.
5. Information Handover: The risk of insufficient or poorly organized handover documentation, making it difficult for the operational team to manage the building effectively.
6. Post-Occupancy Evaluation (POE) Neglect: The risk of failing to conduct thorough post-occupancy evaluations, missing opportunities to identify and rectify issues affecting building performance and user satisfaction.
7. Maintenance Challenges: Risks associated with unexpected maintenance issues or higher than anticipated maintenance costs due to design complexities or system integration problems.
8. Stakeholder Communication: The potential for inadequate communication and engagement with stakeholders, including building users, during the transition phase, leading to misunderstandings and unmet expectations.
9. Budget and Time Overruns: The risk of the soft landings process requiring more time and resources than initially planned, impacting overall project budgets and schedules.
10. Sustainability Targets: The potential for failing to meet sustainability and environmental performance targets due to gaps between design intentions and actual building operation.

Creating a Risk Register for Housekeeping involves identifying various risks associated with cleaning and maintaining premises. Each of these risks requires specific mitigation and response strategies to ensure the safety and well-being of housekeeping staff and the effectiveness of cleaning operations.

Here are the types of risks typically considered:

1. Chemical Hazards: Exposure to cleaning chemicals that can cause health issues, such as skin irritation, respiratory problems, or poisoning.
2. Biological Hazards: Exposure to biological contaminants, including molds, bacteria, and viruses, which can affect health.
3. Physical Hazards: Injuries from slips, trips, and falls due to wet floors, misplaced equipment, or cluttered workspaces.
4. Ergonomic Hazards: Strain and injuries from repetitive motions, heavy lifting, or awkward postures during cleaning tasks.
5. Electrical Hazards: Risk of electric shock or electrocution from using faulty electrical equipment or working near power sources.
6. Fire Hazards: Risks of fires due to the improper storage of flammable materials or misuse of electrical appliances.
7. Equipment-Related Hazards: Injuries from improper use or malfunction of cleaning equipment like vacuum cleaners, floor buffers, or pressure washers.
8. Psychosocial Hazards: Stress and burnout from high workloads, tight schedules, or challenging work environments.
9. Environmental Hazards: Improper disposal of hazardous waste or chemicals leading to environmental contamination.
10. Security Risks: Threats to personal safety or security, especially when working in isolated areas or during odd hours.

Creating a Risk Register for a lobby area, often the first point of interaction for visitors in a building, involves identifying risks that could impact safety, security, and operations. Addressing these risks requires a combination of physical security measures, maintenance protocols, staff training, and emergency preparedness planning to ensure the lobby remains a safe, welcoming, and efficient space for all users.

Here are the types of risks typically associated with lobby areas:

1. Security Risks: Unauthorised access or breaches, potentially leading to theft, vandalism, or harm to individuals within the premises.
2. Slip, Trip, and Fall Hazards: Wet floors, clutter, or uneven surfaces that could cause accidents and injuries to visitors or staff.
3. Fire Hazards: Risks of fire outbreaks due to electrical faults, overcrowding, or improper storage of flammable materials.
4. Health Risks: Spread of infectious diseases due to high people traffic, inadequate ventilation, or poor hygiene practices.
5. Environmental Hazards: Poor air quality or exposure to harmful substances, affecting the health and well-being of occupants.
6. Crowding and Evacuation Risks: Inefficient evacuation procedures or overcrowding, especially during emergencies, leading to potential injuries or bottlenecks.
7. Information Security Risks: Potential for information theft or loss, particularly concerning visitor logs or access control systems.
8. Damage to Property: Accidental or intentional damage to lobby furnishings, artworks, or equipment, impacting aesthetics and function.
9. Equipment Failure: Malfunctioning security equipment, lighting, or information displays, leading to operational disruptions or safety concerns.
10. Compliance Risks: Non-compliance with legal or regulatory standards related to accessibility, safety, or emergency preparedness.

Creating a Risk Register for "Culture" within an organisation or community context involves identifying potential risks that could negatively impact the cultural environment or cultural initiatives. Addressing these risks requires a strategic approach to culture management, including fostering open communication, promoting diversity and inclusivity, preserving cultural heritage, and ensuring alignment between culture and organisational objectives.

Here are key types of risks to consider:

1. Erosion of Organisational Culture: The risk that core values, norms, and practices that define the organisational culture become diluted or negatively altered due to rapid growth, mergers, or leadership changes.
2. Cultural Misalignment: The potential for a misalignment between the organisation's culture and its strategies, goals, or practices, leading to decreased engagement, productivity, and morale.
3. Cultural Insensitivity: Risks associated with offending or alienating individuals or groups due to lack of cultural awareness or inclusivity in policies, communications, and practices.
4. Resistance to Change: The risk that cultural resistance to new initiatives, technologies, or changes in direction hampers innovation, adaptability, and progress.
5. Loss of Cultural Heritage: In a broader societal context, the risk that cultural traditions, languages, and heritage are lost due to globalisation, modernisation, or lack of preservation efforts.
6. Ineffective Diversity and Inclusion: The potential for diversity and inclusion efforts to be ineffective or superficial, leading to a lack of true representation, equity, and belonging among all members.
7. Miscommunication and Conflict: Risks arising from cultural misunderstandings or differences in communication styles, leading to conflict, decreased collaboration, and inefficiencies.
8. Talent Retention and Attraction: The risk that an unappealing or toxic culture makes it difficult to retain and attract top talent, impacting competitiveness and innovation.
9. Legal and Ethical Non-compliance: Risks related to violating legal, ethical, or social norms due to cultural ignorance or negligence, potentially leading to legal action and reputational damage.
10. Cultural Homogenisation: The risk of losing unique cultural identities within the organisation or community as a result of conforming to dominant or mainstream cultures.