The Fundamental Problem with Risk Registers
Risk registers fail for a simple reason: the people who populate them have incentives to report risks that are manageable rather than risks that are serious. Senior managers whose performance is evaluated partly on their ability to manage risk will naturally tend to document risks at the lower end of the severity scale, classify emerging issues as "being monitored" rather than as active risks, and avoid recording risks that reflect poorly on their own functions or decisions.
This is not dishonesty in most cases — it is a predictable response to the incentive structure in which risk owners operate. When a risk register entry is presented to the board as evidence of management's risk management capability, there is a strong institutional pressure toward a picture that demonstrates competent risk management rather than one that honestly conveys the organisation's risk exposure.
The Structural Failures That Compound the Problem
Beyond incentive misalignment, several structural failures consistently undermine risk register quality.
Bottom-up aggregation without validation: Most risk registers are built by asking business unit managers to identify and score their own risks. Without independent validation of these inputs, the aggregate picture reflects what managers choose to report rather than what risks actually exist. Internal audit, compliance functions, and the risk team itself should be providing independent challenge to self-reported risk assessments.
Static scoring that does not reflect change: Risk registers that are reviewed annually — or worse, quarterly in a perfunctory update exercise — cannot capture how quickly risk profiles change in dynamic organisations. A risk that was genuinely low last year may have become significant this year due to changes in technology, regulation, the competitive environment, or internal capability. Annual reviews miss this.
Confusion between risks and controls: Many risk registers conflate risks with controls. Entries like "failure to maintain adequate cybersecurity controls" are process descriptions rather than risk statements. A risk should describe a potential negative outcome — "significant data breach resulting in regulatory penalty and reputational damage" — not the control weakness that might allow it to occur.
Excessive granularity in low-risk areas: Risk registers that contain hundreds of entries create the appearance of comprehensive coverage while making it impossible to identify and focus on the truly significant risks. The ten most significant risks to an organisation deserve more analytical depth than a list of two hundred uniformly formatted entries provides.
Making the Risk Register Work
A risk register that actually informs governance decisions has several distinguishing characteristics. It focuses on a manageable number of significant risks — not an exhaustive inventory of every possible thing that could go wrong. It includes genuine forward-looking content about how risks are evolving, not just a static assessment of current exposure. It shows the risk position before and after controls, making it possible to understand how dependent the organisation's risk posture is on specific controls remaining effective.
The question to ask about any risk register entry is: "If this risk materialised tomorrow, would we be surprised it was not on the register?" If the answer is yes for any significant risk, the register is not doing its job.
The Internal Audit Perspective
Internal auditors approaching a risk register audit should assess it as a governance tool, not just as a document. Does the register contain the risks that internal audit, from its own work across the organisation, would identify as most significant? Are the risk ratings consistent with what audit findings suggest about the actual control environment? Are risks being updated in response to organisational changes, or sitting unchanged from the previous cycle? The gap between what the risk register says and what internal audit's own work suggests is often the most important finding in a risk management audit.