
Instructions

Contents (Worksheet: RMF process step; Description)

Context & Objectives: Establish the Context; use this template to list your Process/Practice objectives and to scope the context for risk management in your group.
Interested Parties: Identify the Interested Parties; use this template to list all your interested parties or stakeholders.
Register: Document; use this template to document the identification, analysis & evaluation, treatment and monitoring of risks for your group.
Identification: Identify Risks; provides examples of risks that are typical of small to midsize firms.
Assessment_Likelihood: Analyse & Evaluate Risks; lists the assessment criteria for rating the likelihood, or probability, of a risk event occurring.
Assessment_Consequence: Analyse & Evaluate Risks; lists the assessment criteria for rating the consequence, or impact, if a risk event occurs.
Rating Matrix: Analyse & Evaluate Risks; lists risk ratings based on the assessed likelihood and consequence.
Assessment_Controls: Analyse & Evaluate Risks; lists the assessment criteria for rating the effectiveness of existing controls within your group.
Treatment: Treat Risks; lists the options available for treating risks.

Using the Risk Register


- Descriptions of what needs to be documented in each column of the Risk Register can be found in the first row after the column headings. To display or hide this information, click +/- on the left of the worksheet to expand or collapse this row.
- Entries for the following columns are selected from a drop-down list: Risk Category, Likelihood, Consequence, Control Effectiveness, Action, Status and New Control Effectiveness.
- The Risk Category drop-down on the register offers Financial, Operational, Compliance and Strategic (the four column groups of the Consequence criteria). Note that the Risk Categories list on the Lists worksheet uses a different set of categories; keep whichever set you adopt consistent across the workbook.
- The entry in the Risk Rating column is displayed automatically once the assessment criteria for Likelihood and Consequence have been selected.
- Conditional formatting is used in the Risk Register to display traffic-light colours for all assessment criteria and risk ratings.
CONTEXT & OBJECTIVES
Group/Dept: ABCD
Document #: F-CIM-XXX
Revision: 00
Effective Date: XX/YY/ZZ

No. / PROCESS/ACTIVITY / SCOPE / OBJECTIVE

1. INTERNAL AUDIT
   Scope: Planning; Audit schedule; Audit activity notification; Generation of Audit plan; Opening Meeting; Conduct of the audit; Closing Meeting; Releasing of Audit Report; Issuance of C/PARs
   Objective: To provide information on whether the existing QMS conforms to MIESCOR and ISO 9001 QMS requirements, and is effectively implemented and maintained.

2. QMS MANAGEMENT REVIEW REPORT PREPARATION
   Scope: Data consolidation of the following: (a) Internal audit result; (b) CPAR response time; (c) CPAR closure; (d) CPAR findings category; (e) Voice of the external customer result; (f) Site surveillance activities. Follow-up of previous action items to be addressed. Recommendation of improvement action.
   Objective: Review QMS implementation and compliance to the ISO QMS standard.

2. CUSTOMER SERVICE SATISFACTION SURVEY

3. MANAGEMENT REVIEW REPORT

Prepared by:

Name & Signature / Date

SWOT

INTERNAL CONTEXT (S = strength, W = weakness)
- ISO 9001:2008 Certification (S)
- Table of Organization (HO & Projects) (W)
- Auditors competency (S)
- Other offices & project locations (W)
- Communication system (connectivity) (W)
- Legal, regulatory, statutory compliance (W)
- Budget (S)
- Reports updating frequency (S)
- Control in CAPA implementation (W)
- Insufficient knowledge of employees on the implementation of the standard (W)
- Network connection
- High manpower turnover (attrition)

EXTERNAL CONTEXT
- Transition to ISO 9001:2015
- Changes in legal/regulatory/statutory requirements
- Weather & geography
- Availability & attitudes of auditees
- Ethical and religious norms in project sites
- Knowledge of customers & subcontractors
- Safety and security on project sites
- Knowledge and skill of CPAR owner to present root-cause analysis
- Unavailability of office equipment and tools
- Budget of audited project to implement preventive/corrective action

Reviewed & Approved by:

Name & Signature / Date

INTERESTED PARTIES
Group/Dept: ABCD
Document #: F-CIM-XXX
Revision: 00
Effective Date: XX/YY/ZZ

No. / INTERESTED PARTY / IMPACT TO QMS / NEEDS & EXPECTATIONS / MEASURES/OUTPUT

1. EMPLOYEES
   Impact to QMS: Service provision; Product provision; Auditee
   Needs & Expectations: Compensation and benefits; Operational procedures & guidelines; Organizational policies; Safe, healthy, and secure working environment
   Measures/Output: Job description (JD); Process implementation (with process flow); Trainings; Work schedule; Communication; Performance Monitoring System (PMS); Audit findings and/or C/PARs

2. TOP MANAGEMENT
   Impact to QMS: Strategic corporate direction; Strong implementation of QMS leadership; Support in QMS implementation in terms of the following: provide trainings, resource adequacy, future development plan
   Needs & Expectations: Achievement of corporate goals and objectives; Compliance to corporate policy and set procedures; Compliance to regulatory, statutory and standards requirements; Adherence to corporate values; Reduced annual cost and expense; Efficient utilization of resources; Continuous improvement plan
   Measures/Output: Management Review result; High customer survey satisfaction rating; Number of memos, notices of deficiency and violations received; Amount of penalties paid / project closure due to noncompliance; Target budget and income attained

3. 3RD PARTY - CERTIFYING BODY

4. CLIENT

Prepared by:

_____________________ _____________________
Name & Signature / Date

Reviewed & Approved by:

___________________________ _____________________
Name & Signature / Date
RISK MANAGEMENT: 11 PRINCIPLES

RISK IN 3 VIEWS: POSITIVE, NEGATIVE AND NEUTRAL

RISK FORMULA: RISK = LIKELIHOOD OF OCCURRENCE x IMPACT

Risk management:
1. creates and protects value
2. is an integral part of all organizational processes
3. is part of decision making
4. explicitly addresses uncertainty
5. is systematic, structured and timely
6. is based on the best available information
7. is tailored
8. takes human and cultural factors into account
9. is transparent and inclusive
10. is dynamic, iterative and responsive to change
11. facilitates continual improvement of the organization
PROCESS RISK REGISTER
Group/Department:
Update as of:
LOGO
Document #: AA-BB-CCCC
Doc. Rev. #: 0
Doc. Effective Date: XX/YY/ZZ

Columns and what to enter in each:

RISK ASSESSMENT
- Risk ID: Enter a unique reference.
- Date Raised: Enter the date when the risk was first raised.
- Raised by: Name the person who raised the risk.
- Raised during: State the event/activity or risk reference where the risk was raised.
- Risk Category: Identify the relevant risk category.
- Inherent Risk: Capture the potential event with enough detail to be understood in isolation.
- Cause: Describe the potential cause(s) or source(s) of the risk event occurring.
- Consequence: Describe the main impact(s) of the risk event occurring.
- Inherent Risk Analysis, Likelihood: Assess the probability of the risk event occurring.
- Inherent Risk Analysis, Consequence: Assess the plausible impact of the risk event occurring.
- Inherent Risk Analysis, Risk Rating: Rate the risk based on likelihood and consequence.

CONTROL ASSESSMENT
- Existing Control: Describe the existing or current control(s) or management activities in place.
- Control Effectiveness: Assess the effectiveness of the existing or current control(s) in place.

RISK TREATMENT
- Action: Describe the treatment to be applied to the risk.
- Action Plan: State the planned action to address or treat the risk.
- Risk Owner: Assign a Planned Action Owner.
- Implement Date: Enter the date by which the action is to be implemented.

RISK MONITORING & REVIEW
- Method: List the methods for monitoring and the review points.
- Key Risk Indicator (KRI): List all possible KRIs or trigger alarms for the identified risk.
- Status: Update the status of the action(s) done.

RISK RE-ASSESSMENT
- New Control Effectiveness: Assess the effectiveness of the new control(s).
- Residual Risk Analysis, Likelihood: Assess the probability of the risk event occurring.
- Residual Risk Analysis, Consequence: Assess the plausible impact of the risk event occurring.
- Residual Risk Analysis, Risk Rating: Rate the risk based on likelihood and consequence.

PROCESS 1

Risk ID 3
- Date Raised: 16-Aug-19; Raised by: ENJ; Raised during: Procurement Meeting
- Risk Category: Strategic
- Inherent Risk: Sequence and Specification of needed Materials/Request
- Cause: Lacking; Urgent Request
- Consequence: Late Issuance of PO re
- Inherent rating: ALMOST CERTAIN / CATASTROPHIC = VERY HIGH
- Existing Control: Verification and Clarification of Request to End User; Control Effectiveness: ADEQUATE
- Action: TREAT; Action Plan: Assess Completeness of Purchase Request; Risk Owner: Procurement; Implement Date: Sept. 1, 2019
- Method: Construction Materials Familiarity; KRI: Cycle Time Efficiency; Status: CLOSED
- New Control Effectiveness: ADEQUATE; Residual rating: POSSIBLE / MINOR = TOLERABLE

Risk ID 4
- Date Raised: 16-Aug-19; Raised by: GMC; Raised during: OSH Monthly Training
- Risk Category: Compliance
- Inherent Risk: No. of Safety Officers for High Risk level
- Cause: Lack of advanced OSH training
- Consequence: Penalties and Violation
- Inherent rating: LIKELY / CATASTROPHIC = VERY HIGH
- Existing Control: Provide advanced training for OSH personnel; Control Effectiveness: ADEQUATE
- Action: TREAT; Action Plan: Ensure that all OSH personnel are competent, have 2 years' experience and OSH advanced training before hiring; Risk Owner: OSH; Implement Date: Sept. 1, 2019
- Status: CLOSED
- New Control Effectiveness: STRONG; Residual rating: RARE / MODERATE = LOW

Prepared by: / Noted by: (Dept. Head) / Approved by: (Group Head)

____________
Signature over Printed Name, Date (for each of the three)
Example of Risks

Each entry gives the Context/Category, the Risk, its Cause(s) and its Consequence(s).

Business
  Risk: Failure to diversify client base, i.e. a single client or client group accounts for a significant portion of practice fees
  Cause: Loss of key client
  Consequence: Loss of revenue; Failure of practice

Business
  Risk: Failure to deliver quality product or service
  Cause: Lack of staff training; Ineffective quality control and engagement review; Service not delivered in a timely manner
  Consequence: Reputational damage; Damaged relationship with clients; Increase in client complaints; Increased scrutiny from regulators; Increased likelihood of claims

Business
  Risk: Loss of key staff member
  Cause: Accident, illness, retirement or lack of opportunity for progression
  Consequence: Loss of key business intelligence, loss of clients; Lack of continuity of client service

Business
  Risk: Concentration of services provided in an area of advice/compliance or to a particular industry
  Cause: Market conditions negatively impact client business, e.g. if the majority of clients are agriculture-based and there is a drought; Change in compliance framework
  Consequence: Loss of significant portion of client work; Failure of practice

Business
  Risk: Negative comment on social media
  Cause: Failure to communicate effectively with client/s
  Consequence: Significant loss of reputation and client fees

Business
  Risk: Failure to identify new service offerings
  Cause: Failure to understand the market and the requirements or market desire for new service offerings
  Consequence: Loss of revenue; Failure of practice

Business
  Risk: Incorrect pricing strategy for the market
  Cause: Failure to understand the market and demand for services; Failure to connect with clients to understand capacity to spend; Failure to understand competitors and their pricing
  Consequence: Significant loss of reputation and client fees

Business
  Risk: Increased risk of fraud
  Cause: Failure to put in place processes which clearly outline roles and responsibilities and identify risks and mitigating controls
  Consequence: Loss of reputation and of supporting funds to grow and sustain the business

Business
  Risk: Uninsured loss due to flood or fire
  Cause: Damage to property not covered under policy, e.g. policy covers fire but not water damage from fighting a fire in an adjacent office
  Consequence: Cost to business; Serious disruption to service; Possible failure of business

Business
  Risk: Failure to manage conflict of interest
  Cause: A major dispute between clients, e.g. divorce, family dispute, business owners
  Consequence: Cost to business; Serious disruption to service; Possible failure of business

Business Continuity
  Risk: Loss or serious impairment of key Partner/Practitioner
  Cause: Inadequate training, inadequate compensation, death, mental illness, substance abuse
  Consequence: Loss of key business intelligence, inability to service clients (e.g. where partner is the only RCA or RTA); Lack of continuity of client service

Business Continuity
  Risk: Loss of or damage to office premises, office equipment and/or client records
  Cause: Natural catastrophe, e.g. fire, flood, earthquake
  Consequence: Serious disruption to service; Possible failure of business

Financial
  Risk: Failure to fully recognise revenue
  Cause: Inaccurate recording of time spent on client work
  Consequence: Loss of revenue; Failure of practice

Financial
  Risk: Significant unexpected change in practice overheads
  Cause: Change in market conditions; Failure to monitor and/or negotiate supplier agreements
  Consequence: Partnership profitability reduced; Failure of practice

Financial
  Risk: Failure to collect receivables in a timely manner
  Cause: Slow payment from debtors; Lack of monitoring of outstanding debtors
  Consequence: Poor cashflow; Outstanding debts become uncollectable; Loss of revenue

Financial
  Risk: Significant loan commitment not supported by business model
  Cause: Overestimating value of goodwill and borrowing based on that estimate; Using an inflated goodwill calculation when paying out departing Partners
  Consequence: Inability to service loan; Reduction in value of goodwill

Financial
  Risk: Failure to monitor partnership distribution agreements
  Cause: Dispute between partners regarding contribution to the firm's revenues and/or distribution of profits
  Consequence: Serious disruption to service; Possible failure of business

Governance
  Risk: Business strategy does not accommodate changing market conditions
  Cause: Failure to plan for changing market conditions; Activities of competitors; Insufficient research and/or understanding of key markets
  Consequence: Loss of clients; Reduction in market share

Governance
  Risk: Failure to make or execute strategic decisions in a timely manner
  Cause: Ineffective execution of strategy by leadership; Lack of accountability; Objectives of practice not clearly documented; Lack of communication of strategies and objectives throughout the practice; Partners acting in self-interest over Firm strategy
  Consequence: Loss of market share; Failure to capitalise on opportunities; Poor partner/staff retention

Governance
  Risk: Disengagement of Partners over change strategy
  Cause: Partner(s) not identifying with the Firm's strategy
  Consequence: Partner(s) leaving Firm; Loss of client fees; Pressure on fixed overheads

Governance
  Risk: Lack of cooperation between service areas
  Cause: Remuneration model encourages excessive internal competition
  Consequence: Technical expertise not fully utilised; Increased likelihood of claims; Poor partner retention; Loss of client fees

Human Resources
  Risk: Failure to provide appropriate training and skill development for staff
  Cause: Budget and time pressures reduce opportunity for necessary training; Not effectively identifying training requirements
  Consequence: Damaged relationship with client through sub-standard service delivery; Poor staff retention; Increased likelihood of claims

Human Resources
  Risk: Inadequate staff numbers to provide high quality services
  Cause: Unavailability of experienced, qualified employees
  Consequence: Poor client service; Loss of clients; Increased likelihood of claims

Human Resources
  Risk: Unfair dismissal or sexual harassment claim
  Cause: Failure of HR/firm policy to meet legislative requirements
  Consequence: Cost to practice; Lower staff morale

Human Resources
  Risk: Increase in Workers' Compensation claims
  Cause: Inadequate training and monitoring of OH&S policies
  Consequence: Penalties and fines; Increased scrutiny from regulators

Human Resources
  Risk: Increase in staff turnover and therefore loss of knowledge
  Cause: Inadequate training, inadequate compensation
  Consequence: Loss of key clients; Loss of knowledge of key clients

Regulatory
  Risk: Failure to comply with regulatory, legal and policy obligations
  Cause: Lack of monitoring/understanding of legislative obligations
  Consequence: Penalties and fines; Increased scrutiny from regulators; Reputational damage

Technology
  Risk: Failure to back up client data and records
  Cause: No or inadequate data backup plan in place
  Consequence: Loss of client records; Poor client service; Loss of clients

Technology
  Risk: Security of data compromised
  Cause: Target of criminal hacker; Insider threat to the business
  Consequence: Loss of client records; Poor client service; Loss of clients

Technology
  Risk: Disruption to provision of services
  Cause: Technology service interruption; No or inadequate disaster recovery plan
  Consequence: Cost to practice; Poor client service; Loss of clients

Technology
  Risk: Failure of IT systems to meet the needs of the business
  Cause: No IT strategy which is aligned with and considers the requirements of the business
  Consequence: Poor client service; Loss of clients

Technology
  Risk: Disruption to client service
  Cause: Lack of maintenance of office premises or improper usage of facilities
  Consequence: Water damage to IT equipment, e.g. overflow from the floor above; Cost to practice
Assessment Criteria − Likelihood

RATING / POTENTIAL FOR RISK TO OCCUR / PROBABILITY

ALMOST CERTAIN: Likely to occur several times a year; >90%

LIKELY: Likely to occur once a year; 50%-90%

POSSIBLE: May occur once every few years; 10%-50%

UNLIKELY: May occur once in 5 years; 5%-10%

RARE: Might occur once in 10 years; <5%


Assessment Criteria − Consequence

Each rating is described against four column groups: FINANCIAL (EBIT, Loss of market value, Disclosure), OPERATIONAL (Scope), COMPLIANCE (Legal/Regulatory/Standards/Systems/Policies) and STRATEGIC (Reputational, Market Share, Strategy).

CATASTROPHIC
  Impact: Could shut down process/practice/part of company. Inability to continue normal business operations. Business/process objectives not achieved.
  EBIT: >50%
  Loss of market value: >50%
  Disclosure: Fiscal/Calendar Year Restatement
  Scope: Enterprise/company wide; across all business units, the whole process, or all functions
  Legal/Regulatory/Standards/Systems/Policies: Management indictments; Large-scale class actions; Regulatory sanctions
  Reputational: Loss of confidence in all stakeholder groups
  Market Share: Potentially irrecoverable (i.e. 24-36 months)
  Strategy: Potential acquisition or bankruptcy; Dissolution of the group/dept.

MAJOR
  Impact: Major impact on process/practice/company. Key business/process objectives not achieved.
  EBIT: 30%-50%
  Loss of market value: <50%
  Disclosure: Fiscal/Calendar Quarter Restatement
  Scope: 3 business units, processes, or functions; Significant interruptions to business operations in 3 or more business units, processes, or functions
  Legal/Regulatory/Standards/Systems/Policies: Management challenges; Large legal liability; Significant regulatory fines; Removal of ISO certifications; Major nonconformance to requirements or expected output
  Reputational: Loss of confidence by 3 or more stakeholder groups
  Market Share: Long-term recovery (i.e. 12-24 months)
  Strategy: 2 or more changes in senior leadership or management; Major financial restructuring; Significant changes to strategic plan

MODERATE
  Impact: Noticeable impact on process/practice/company. Some business objectives not achieved.
  EBIT: 15%-30%
  Loss of market value: <25%
  Disclosure: Significant deficiency
  Scope: 2 business units, processes, or functions; Significant interruptions to business operations in 2 or more business units, processes, or functions
  Legal/Regulatory/Standards/Systems/Policies: Minimal regulatory fines; Legal reserve established; Regulatory investigation; ISO certificate suspension; Minimal nonconformance to requirements or expected output
  Reputational: Loss of confidence by 2 or more stakeholder groups
  Market Share: Mid-term recovery (i.e. 6-12 months)
  Strategy: 1 or more changes in senior leadership or management; Minimal financial restructuring; Slight changes to strategic plan

MINOR
  Impact: Some impact that is easily remedied.
  EBIT: 5%-15%
  Loss of market value: <10%
  Disclosure: Control weakness
  Scope: 1 business unit, process, or function; Significant interruptions to business operations in 1 or more business units, processes, or functions
  Legal/Regulatory/Standards/Systems/Policies: Minimal liabilities; Regulatory attention; Potential NC during CB audits; Acceptable level of nonconformance to requirements or expected output
  Reputational: Loss of confidence by 1 or more stakeholder groups
  Market Share: Short-term recovery (i.e. <6 months)
  Strategy: Management unaffected; Refinements or adjustments to operating plans and execution

INSIGNIFICANT
  Impact: Impact not visible/insignificant.
  EBIT: <5%
  Loss of market value: <5%
  Disclosure: Additional risk disclosure
  Scope: Limited interruptions within 1 business unit, process, or function
  Legal/Regulatory/Standards/Systems/Policies: Limited/insignificant liabilities or regulatory impact
  Reputational: Limited impact to 1 stakeholder group
  Market Share: Limited recovery (i.e. <3 months)
  Strategy: Limited adjustment necessary
Risk Rating Matrix
NOTE: HIGH & VERY HIGH ratings - treatment required (the rating must be brought down to at least the "TOLERABLE" level).
VERY LOW, LOW & TOLERABLE - treatment NOT required.

CONSEQUENCE (rows) x LIKELIHOOD (columns: Rare / Unlikely / Possible / Likely / Almost Certain)

Catastrophic:  TOLERABLE / HIGH      / VERY HIGH / VERY HIGH / VERY HIGH
Major:         LOW       / TOLERABLE / HIGH      / VERY HIGH / VERY HIGH
Moderate:      LOW       / LOW       / TOLERABLE / HIGH      / HIGH
Minor:         VERY LOW  / LOW       / TOLERABLE / TOLERABLE / HIGH
Insignificant: VERY LOW  / VERY LOW  / LOW       / TOLERABLE / TOLERABLE
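The Likelihood bands, this matrix and the treatment note above are the only parts of the template that can be mechanised, and a register with more than a handful of rows benefits from doing so. The following is an added example, not part of the original workbook: it encodes the bands and the matrix, checks that the matrix is monotonic (a rating never drops as likelihood or consequence rises, which is the property that makes "treat until at least TOLERABLE" meaningful), and verifies register rows against the rule that HIGH and VERY HIGH inherent risks must carry a treatment whose residual rating is at most TOLERABLE. The two rows are the example rows from the register on this page; the third row and all function and field names are this example's own. Where the sheet does not say which band a boundary value such as exactly 50% belongs to, the code assumes the higher band.

```python
"""Risk-rating helper for the Risk Register template above.

Added example, not code from the original template. It encodes the
Likelihood bands, the Risk Rating Matrix and the rule that HIGH and
VERY HIGH ratings must be treated down to at least TOLERABLE, and
checks register rows against those rules. All function and field
names are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional

LIKELIHOODS = ["RARE", "UNLIKELY", "POSSIBLE", "LIKELY", "ALMOST CERTAIN"]
CONSEQUENCES = ["INSIGNIFICANT", "MINOR", "MODERATE", "MAJOR", "CATASTROPHIC"]
RATINGS = ["VERY LOW", "LOW", "TOLERABLE", "HIGH", "VERY HIGH"]  # ascending severity

# Risk Rating Matrix from the sheet: one row per consequence, columns in LIKELIHOODS order.
MATRIX = {
    "CATASTROPHIC":  ["TOLERABLE", "HIGH", "VERY HIGH", "VERY HIGH", "VERY HIGH"],
    "MAJOR":         ["LOW", "TOLERABLE", "HIGH", "VERY HIGH", "VERY HIGH"],
    "MODERATE":      ["LOW", "LOW", "TOLERABLE", "HIGH", "HIGH"],
    "MINOR":         ["VERY LOW", "LOW", "TOLERABLE", "TOLERABLE", "HIGH"],
    "INSIGNIFICANT": ["VERY LOW", "VERY LOW", "LOW", "TOLERABLE", "TOLERABLE"],
}


def likelihood_from_probability(p: float) -> str:
    """Map an annual probability (0..1) to a Likelihood band.

    Assumption (not stated on the sheet): a value exactly on a band
    boundary, e.g. 50%, falls in the higher band.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if p > 0.90:
        return "ALMOST CERTAIN"
    if p >= 0.50:
        return "LIKELY"
    if p >= 0.10:
        return "POSSIBLE"
    if p >= 0.05:
        return "UNLIKELY"
    return "RARE"


def risk_rating(likelihood: str, consequence: str) -> str:
    """Look up the matrix; reject values that are not on the drop-down lists."""
    lk, cq = likelihood.strip().upper(), consequence.strip().upper()
    if lk not in LIKELIHOODS or cq not in CONSEQUENCES:
        raise ValueError(f"invalid likelihood/consequence: {likelihood!r}, {consequence!r}")
    return MATRIX[cq][LIKELIHOODS.index(lk)]


def treatment_required(rating: str) -> bool:
    """Per the matrix note, HIGH and VERY HIGH need treatment."""
    return RATINGS.index(rating) >= RATINGS.index("HIGH")


def matrix_is_monotonic() -> bool:
    """Sanity check: a rating never drops when likelihood or consequence rises."""
    sev = RATINGS.index
    for cq in CONSEQUENCES:
        row = MATRIX[cq]
        if any(sev(row[i]) > sev(row[i + 1]) for i in range(len(row) - 1)):
            return False
    for col in range(len(LIKELIHOODS)):
        column = [MATRIX[cq][col] for cq in CONSEQUENCES]
        if any(sev(column[i]) > sev(column[i + 1]) for i in range(len(column) - 1)):
            return False
    return True


@dataclass
class RegisterRow:
    risk_id: str
    likelihood: str
    consequence: str
    action: str
    residual_likelihood: Optional[str] = None
    residual_consequence: Optional[str] = None


def check_row(row: RegisterRow) -> List[str]:
    """Return findings; an empty list means the row follows the sheet's rules."""
    findings: List[str] = []
    inherent = risk_rating(row.likelihood, row.consequence)
    if not treatment_required(inherent):
        return findings
    if row.action.strip().upper() == "TOLERATE":
        findings.append(f"{row.risk_id}: {inherent} risk cannot be tolerated, treatment required")
    if row.residual_likelihood is None or row.residual_consequence is None:
        findings.append(f"{row.risk_id}: residual assessment missing")
        return findings
    residual = risk_rating(row.residual_likelihood, row.residual_consequence)
    if RATINGS.index(residual) > RATINGS.index("TOLERABLE"):
        findings.append(f"{row.risk_id}: residual rating {residual} is still above TOLERABLE")
    return findings


# Risk IDs 3 and 4 are the rows from the example register on this page;
# X1 is a constructed row whose treatment does not reduce the rating far enough.
PAGE_ROWS = [
    RegisterRow("3", "ALMOST CERTAIN", "CATASTROPHIC", "TREAT", "POSSIBLE", "MINOR"),
    RegisterRow("4", "LIKELY", "CATASTROPHIC", "TREAT", "RARE", "MODERATE"),
]
BAD_ROW = RegisterRow("X1", "LIKELY", "MAJOR", "TREAT", "POSSIBLE", "MAJOR")

if __name__ == "__main__":
    print("matrix monotonic:", matrix_is_monotonic())
    for r in PAGE_ROWS + [BAD_ROW]:
        print(r.risk_id, risk_rating(r.likelihood, r.consequence), check_row(r) or "ok")
```

Run against the two page rows it reports no findings (VERY HIGH treated to TOLERABLE and to LOW respectively); the constructed row X1 is flagged because LIKELY x MAJOR is VERY HIGH and its residual POSSIBLE x MAJOR is still HIGH. If you rename a rating on the Lists worksheet, change the same string here, since the lookup rejects anything not on the lists.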
Assessment Criteria − Control Activity

RATING / ACTION / DESCRIPTION

NONE
  Action: Critical improvement opportunity
  Description: Controls and/or management activities are non-existent or have major deficiencies and do not operate as intended. Needs treatment.

NEEDS IMPROVEMENT
  Action: Significant improvement opportunity
  Description: Limited controls and/or management activities are in place; a high level of risk remains. Needs treatment.

ADEQUATE
  Action: Moderate improvement opportunity
  Description: Controls and/or management activities are in place, with opportunities for improvement identified. Needs treatment.

STRONG
  Action: Limited improvement opportunity
  Description: Controls and/or management activities are properly designed and operating, with no or limited opportunities for improvement identified. May or may not need treatment.

EFFECTIVE
  Action: Effective
  Description: Controls and/or management activities are properly designed and operating as intended. No need for treatment.
Risk Treatment Options

Depending on the type and nature of the risk, the following options are available:

OPTION TREATMENT

TERMINATE ("AVOID"): Deciding not to proceed with the activity that introduced the unacceptable risk, choosing an alternative, more acceptable activity that meets business objectives, or choosing an alternative, less risky approach or process.

TREAT ("REDUCE"): Implementing a strategy designed to reduce the likelihood or consequence of the risk to an acceptable level, where elimination is considered excessive in terms of time or expense.

TRANSFER ("SHARE"): Implementing a strategy that shares or transfers the risk to another party or parties, such as outsourcing the management of physical assets, developing contracts with service providers, or insuring against the risk. The third party accepting the risk should be aware of and agree to accept this obligation. Note that transfer shares the financial consequence, not the accountability: the risk owner still has to monitor the residual risk and the third party's performance.

TOLERATE ("ACCEPT"): Making an informed decision that the risk rating is at an acceptable level or that the cost of the treatment outweighs the benefit. This option may also be relevant where a residual risk remains after other treatment options have been put in place. No further action is taken to treat the risk; however, ongoing monitoring is recommended.
Lists used in the Risk Register

Changing List Values

The Risk Register contains drop-down lists for the following entries:
Risk Category
Likelihood
Consequence
Control Effectiveness
Action
Status
To change the content of any drop-down list, refer to the information below.
If you change a value in any drop-down list, remember to update the selections on the Risk Register for any risks already assessed, otherwise the risk rating formula and conditional formatting will no longer match those rows.

Risk Categories
Under APES 325, at a minimum risks should be considered within the following categories. If you add categories to the list below that may be relevant to your firm, you will need to update the defined name Risk_Category so that any additions appear in the drop-down lists on the Risk Register.

Governance
Business continuity
Business
Financial
Regulatory
Technology
Human resources
Stakeholder

Note that the Risk Category drop-down shown on the Instructions worksheet and used in the example register rows (Financial, Operational, Compliance, Strategic) is a different set that follows the column groups of the Consequence criteria. Adopt one set and use it consistently.

Assessment Criteria & Ratings

To change the terminology for any of the criteria or ratings, edit the lists below; the remainder of the spreadsheet will then update automatically.

Likelihood / Consequence / Risk Rating / Controls

ALMOST CERTAIN / CATASTROPHIC / VERY HIGH / NONE

LIKELY / MAJOR / HIGH / NEEDS IMPROVEMENT

POSSIBLE / MODERATE / TOLERABLE / ADEQUATE

UNLIKELY / MINOR / LOW / STRONG

RARE / INSIGNIFICANT / VERY LOW / EFFECTIVE

Treatment
To change the wording used for the treatment options, edit the list below; the remainder of the spreadsheet will then update automatically. The Treatment worksheet labels the same options TERMINATE, TREAT, TRANSFER and TOLERATE, and the example register rows use TREAT; if you change one list, change the other to match.

Treatment

AVOID

REDUCE

SHARE

TRANSFER

ACCEPT

Status
To change the wording used for the status of risks, edit the list below; the remainder of the spreadsheet will then update automatically.

Status

OPEN

CLOSED
