Risk Identification and the Risk Register

Systematic risk identification uses multiple techniques to ensure comprehensive coverage. Historical analysis: review loss runs, claims history, maintenance records, and financial variances from prior periods or comparable properties. Physical inspection: regular property inspections identify emerging physical risks (roof deterioration, plumbing issues, structural concerns). Market analysis: track local employment, population trends, new construction pipeline, and comparable property performance. Regulatory monitoring: track pending legislation, zoning changes, and building code updates. Stakeholder interviews: property managers, maintenance staff, and tenants often identify risks that data alone misses. Scenario analysis: systematically ask "what if" questions about market, operational, and financial scenarios. Checklist review: use standardized risk checklists by property type and market to ensure no category is overlooked.

The risk register documents each identified risk with standardized fields. Required fields: Risk ID (unique identifier), Risk Description (clear statement of the risk event), Category (market, credit, operational, financial, regulatory, physical), Probability Score (1-5), Impact Score (1-5), Risk Score (P × I), Mitigation Strategy (specific actions to reduce probability or impact), Risk Owner (person responsible for monitoring and mitigation), Status (active, mitigated, closed), and Review Date (next scheduled review). The risk register should be reviewed quarterly at minimum and updated whenever a significant change occurs—new property acquisition, major tenant turnover, regulatory change, or market shift. Maintain risk registers at both the property level and the portfolio level to capture both asset-specific and systemic risks.

Not all risks warrant the same level of attention. The risk heat map (probability on one axis, impact on the other) visually identifies critical risks requiring immediate action (high probability and high impact, top-right quadrant), significant risks requiring monitoring and contingency plans (high probability/low impact or low probability/high impact), and acceptable risks requiring only standard controls (low probability and low impact, bottom-left quadrant). Focus mitigation resources on the top 5-10 risks by risk score. For each high-priority risk, define: specific mitigation actions with deadlines, the person responsible for each action, the residual risk score after mitigation, and triggers that indicate the risk is materializing and contingency plans should be activated.