Signs Your Risk Register Has Become a Tick Box
(Published: 19 October 2024)
1. Risks are rated on undefined Consequence/Likelihood criteria.
Organizations may have a Risk Matrix in which risks are rated against Consequence and Likelihood criteria, but what does a Major or Severe consequence really mean for a specific area of the business? For example, a Major consequence in the Health & Safety category means something very different from a Major consequence in the Reputation category. What do Unlikely and Possible mean? Are the timeframes behind each likelihood rating set in line with the risk tolerances of the business? Clear, specific definitions for every rating level are needed before risks can be assessed and rated consistently.
2. Risks are downplayed and rated lower than they should be.
Risk owners may do this to reduce the prominence and importance of a risk so that it does not attract the scrutiny, monitoring, reporting and escalation it requires. The assessment of all risks, not just the High ones, needs to be open and subject to scrutiny and challenge by the Risk Manager and by other peers.
3. Risks are unchanged over a period of time.
If the management and Board risk reports show no movement or change in the status of risks, it may indicate a lack of attention and focus on managing them. It is not enough that there is an established process for risk owners to update their risks. The Risk Manager should hold frequent deep dives with the executive team and CEO to take a fresh look at the risks overall, because the risk environment is constantly changing.
4. Risk mitigations are undefined and unclear, with constantly extended timeframes.
If risk mitigations are not managed rigorously, with clearly specified, trackable action steps and firm due dates, risks may sit on the risk register for a long time. This becomes very unhealthy and “risky” for the business, especially if the risk is one that the business has defined as not tolerated within its set risk appetite.