
Are risk registers a useful tool or a trap?

One of the thought leaders with whom I frequently debate/argue is Tim Leech. Tim has a passion that is usually divergent from mine, so it is always refreshing to see situations where we agree.

This is how Tim replied to a recent post by me on a study by KPMG on risk management (reproduced in full with his approval).

Norman: Thanks for drawing attention to the KPMG survey results. My primary concern with the survey is that it has not recognized that the “risk centric” approach to ERM, an approach [with] a heavy focus on creating and maintaining a “risk register” and assigning “risk owners” used by a large percentage of organizations in the world today who claim they are practising ERM is in fact “risky”. This approach has diverted people’s attention and focus from the real purpose of risk management – increasing certainty [that] important value creation (e.g. Increase market share by X%) and potentially value eroding objectives (e.g. publish reliable financial statements) will be achieved operating with a tolerable level of retained risk.

The “risk register” approach has been promoted and implemented in tens of thousands of organizations by consultancy and software firms and the IIA has promoted it in a number of its guidance publications. I believe that many of the points noted above from the survey are linked to the dysfunctional consequences of using “risk centric/risk register” type approaches to risk management. It’s ironic that risk consultants and software vendors are now part of the world’s risk problems.

Regulators in each country who are increasing their focus and requirements in this area also need to ensure they are not part of the global regulatory wave forcing companies to implement risk centric approaches to risk management diverting attention to the true power of formal risk assessment as a business tool.

We are promoting “board driven/objective centric” approaches to improve the way organizations manage risk. It starts with boards that want reliable information on the state of residual risk linked to key value creation and potentially value eroding objectives. For those interested simply Google “THE HIGH COST OF ERM HERD MENTALITY” and/or our newest presentation on the approach we are recommending to address key failings noted in the KPMG survey results. It can be downloaded at:


If we want senior management to truly embrace risk management they need to see it as another tool in their arsenal to manage their organizations within a level of retained risk acceptable to them, their board, regulators, credit rating agencies, investors and other key stakeholders. This won’t happen using “risk registers” as a primary foundation building block.

Before explaining why I agree on the core points of Tim’s comment, let me address a few minor points of disagreement. First, I don’t use the expression ‘residual risk’ anymore; the adjective ‘residual’ is assumed and is only useful when comparing current state to the level of risk should controls fail (which some refer to as ‘inherent risk’). Then, rather than limit myself to a “tolerable level of retained risk”, I prefer to use the terminology of ISO 31000:2009 and talk about risk criteria. Another point of disagreement is that I believe every risk should have an owner – the person responsible for achieving the affected objective. Finally, while providing the board and executive management with reliable reports on risk is important, I believe the more significant need is enabling managers across the organization to make risk-aware and intelligent business decisions every day.

So, where and why do Tim’s opinion and mine converge?

It is that if used without due care and attention, risk registers are a trap.

There is a belief among many that organizations need to manage a defined list of risks. Some have as few as 10 or 25 because that is the limit of their management’s and board’s attention. Others have far more, recognizing that all risks to the achievement of objectives need to be understood and managed where significant.

Some consultants love to provide guidance on the risks that should be included in a risk register, with studies of the top risks of the moment.

But, by creating a risk register, they are creating the impression that risks are static. They are not.

Just as business conditions change all the time and decisions have to be made every day, new risks emerge and old risks change all the time.

Running the business with a static (and it is essentially static if it only changes once each quarter when the business changes much faster) risk register is Enterprise List Management (a phrase coined by my friend, Jim DeLoach of Protiviti).

So I join with Tim, although I don’t use precisely the same words, in urging organizations to ensure they have the capability to manage risks to value creation and the surpassing of objectives every day – in setting and modifying strategy, in monitoring and managing performance, and in daily decision-making across the enterprise.

I also urge internal audit departments to assess and report on whether management has that capability.

I welcome your views and comments.


  1. July 14, 2013 at 6:45 PM

    Hello Norman,

    Agreed! The extension of this trap is the line pushed by some software vendors that risk should be assessed at a pre-set frequency – quarterly for severe, six-monthly for moderate, etc. This approach usually comes from people who approach risk from a compliance background rather than seeing risk management as a business-enabler.

    Our view is that risk needs to be assessed with every business decision and that a decision taken without an assessment of risk is a flawed decision – even if it fortuitously turns out profitably later on!

    Does opening a new warehouse reduce my risk of supply chain disruption? Does taking on a business partner increase my exposure to privacy-related breaches? Will my new, low-cost, supplier recognise human rights of its employees or will I be exposed to reputational damage and negative social media campaigns? These are the true stuff of risk management and the true entry of risk managers to the executive suite.

    We also are of the firm view that upside risk needs evaluation as much as downside – what are the things that I’d like to go right and what controls and performance indicators can I institute to assist this to happen? Again, relevant more when the decision is being taken, with a later regular assessment of controls and review of indicators.

    A key distinction is that reviewing controls and indicators is not risk assessment in the same sense as a full assessment of the risk of a decision at the time of that decision. The other key time for assessing risk, of course, is when an incident has occurred, but that’s perhaps for another discussion on another day.

    Properly-designed software tools can support and record these discussions / decisions – as they happen and by ensuring that decision makers have the information they need for better decision making, when and where they need it.

    Cheers – Ross Millar, Protecht Risk Advisory

  2. Tom McLeod
    July 14, 2013 at 6:50 PM

    Norman / Tim – far be it for a mind as limited as mine to seek to contribute to the debate of giants other than to say I thoroughly enjoyed reading your respective views.

    I look forward to Tim and you agreeing and diverging in future posts!

    Kind regards


  3. Ehtisham Syed
    July 14, 2013 at 6:51 PM

    I would like to highlight a couple of your points of interest to me:

    You wrote: Another point of disagreement is that I believe every risk should have an owner – the person responsible for achieving the affected objective

    Response: I agree but there is another approach advocated by Drs. Kaplan and Norton in their Balanced Scorecard based Strategic Management System which I raised as a discussion topic in my group titled ‘Management by Themes or Management by Objectives?’ which is accessible here: http://lnkd.in/YwBAV4

    You wrote: So I join with Tim, although I don’t use precisely the same words, in urging organizations to ensure they have the capability to manage risks to value creation and the surpassing of objectives every day

    Response A: The interesting point is, traditionally, it is the strategy that is meant to create ‘value’ while the risk management is to protect it (value). I have also raised this interesting point as a discussion topic in my group titled ‘Value is Created by Strategy OR Risk Management?’ accessible here: http://lnkd.in/C24-yb

    Response B: Re ‘surpassing of objectives every day’, I am not sure what you mean here? I have discussed this point wrt both qualitative and quantitative sides of objectives in a discussion titled ‘Definition of “objective” by ISO/CD 9001’ accessible here: http://lnkd.in/q8PumR (btw you are also part of this discussion).


  4. Gary Lim
    July 14, 2013 at 7:08 PM

    “THE HIGH COST OF ERM HERD MENTALITY”, this is an excellent phrase; each time a Risk Management Consultant comes out with a new perspective on Risk Management, the company has to be realigned to the new version, therefore ERM is perceived as high cost!
    Personally, IF all the risks listed in the Risk Register are under control (actively worked upon even though it is static), there will be no surprises in a company’s operation; the problem I notice is that these are done for the sake of meeting the compliance aspects on a quarterly basis before the IA arrives, nothing else.
    One of the very large corporations with which I had some involvement would insist on a 3×3 risk matrix rather than the 5×5, for the reason that it has to be as simple as possible.

  5. Ehtisham Syed
    July 14, 2013 at 10:05 PM

    A couple more points of interest Norman,

    You wrote: First, I don’t use the expression ‘residual risk’ anymore; the adjective ‘residual’ is assumed and is only useful when comparing current state to the level of risk should controls fail (which some refer to as ‘inherent risk’).

    Response: In Enterprise Risk Management – Integrated Framework (2004), COSO defines inherent risk as the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact. Residual or retained risk is the risk remaining after management’s response to the risk.

    From above, we conclude that Inherent risk = level of risk without any treatment / response.

    Now the understanding of inherent risk makes sense from two aspects:

    1- Resources in an organization are finite so risk treatment / response must be proportionate to the overall exposure to guard against over control.

    2- It will help recognize the contribution of certain controls to overall risk mitigation by understanding what the full exposure could be if controls fail. See http://lnkd.in/pV7Xnh

    You wrote: Then, rather than limit myself to a “tolerable level of retained risk”, I prefer to use the terminology of ISO 31000:2009 and talk about risk criteria

    The level of risk is evaluated against criteria to see if it is acceptable or tolerable. This acceptable or tolerable level of risk can also be called “tolerable level of retained risk”. On the other hand, residual risk is more akin to risk after treatment / response, IMO

  6. Daniel Roberts
    July 15, 2013 at 4:00 AM

    While the Risk Register may be imperfect, it does represent the current best-understood mechanism for the recording and monitoring of risks by non-risk professionals. And as the vast majority of CxOs and board members are not risk professionals (or internal auditors), there will remain significant benefit in producing and monitoring the Risk Registers.

    At the same time, it is important to remind producers and users of Risk Registers that not all major risks will appear on the register, simply because those are the risks that cannot be stated. When the board (or individual member) are a risk, that cannot go onto a Risk Register. Likewise specific individuals. Likewise certain legal situations that must be managed via counsel (internal or external).

    I think it is well within the remit of Internal Audit to assess the effectiveness of the risk management process, the quality and completeness of content and review of risks in the risk register, and the processes for communication of risks and raising / resolving (where appropriate) the entries in the risk register.

    To say that you are “urging organizations to ensure they have the capability to manage risks to value creation and the surpassing of objectives every day…” without a framework for the records and monitoring of those risks is to deprive management of a (albeit imperfect) tool to accomplish exactly that management of risks.

    • Norman Marks
      July 15, 2013 at 5:14 AM

      Daniel, I agree that risk registers can be a valuable tool. My point is that they can also trap you into considering a static list of risks.

  7. July 15, 2013 at 5:44 AM

    Interesting! I like the idea of objectives registers. The real issue here is that risk is hugely complex and difficult to understand, assess and deal with. Most organisations that have attempted it have done so through process (like risk registers), not culture. Humans are not good at risk managing; they prefer to issue manage. So too of management in particular. It is tangible, easy to grab hold of, and in the here and now. Concepts such as future events and uncertainty are difficult to deal with.

    Also in our digital, here and now, instantaneous world we all want resolutions and simply understood answers. Risks are not simply managed with one control, they are managed through many complex webs of processes, people, cultures and controls.

    Perhaps then the real issue is not the conceptual validity of risk registers, rather the practical reality that most organisations do not really buy into or do it.

  8. Mary
    July 15, 2013 at 5:49 AM

    Norman, I agree with you that “without due care and diligence, risk registers are a trap”. However, I will continue to use it. There does not appear to be an alternative “tool” for audit to utilize to keep a pulse on the emerging risks as the business systems and operations continuously evolve at such rapid speed. The level of diligence one puts into “maintaining” the risk register, along with sound professional judgment, are what make this approach work. After all, like most tools, risk registers will only deliver effective results and assist in achieving the objectives if they are applied correctly by the individual who utilizes and maintains them. Professional and experienced decision making will always be a factor.

  9. July 15, 2013 at 6:49 AM

    Tom: Thanks for the positive “giant” reference. I would like to note however that I have lost five pounds over the last month and am now down to a svelte 215 pounds.

    To All: It is important to note that I believe risk registers have had some positive impact and elevated the importance of considering “risks”. My concerns with “risk registers” and traditional internal audit methods are outlined in my white paper “THE HIGH COST OF ERM HERD MENTALITY”. It is easily sourced with a Google search for those that want to better understand my concerns.

    What I am suggesting is that organizations would get significantly more overall business benefits and value by shifting to an “Objectives Register” as the central foundation and building block for formal risk management and internal audit efforts. Informal risk management happens in all organizations every day. A presentation I taped in the UK in April, which I have been asked to present at the IIA Canada national conference in September and the pre-conference workshop at the IIA All Stars Conference in New Orleans in October, is available for those that want to really understand what I am proposing and the business case for moving away from “risk registers” and using “objectives registers” as a core foundation. A key goal is, as Norman suggests, to get Objective “OWNER/SPONSORS” to see themselves as also having responsibility for managing and overseeing risks. We agree on this point.


    In terms of points of disagreement with Norman, I have made a change to our methodology to address points of confusion with what I call “Residual Risk Status” information linked to one or more objectives, which Norman continues to reduce to “residual risk”. Residual risk has been interpreted by the majority of people, because of risk registers and in part ISO guidance, as the net risk that remains after considering risk treatments. The distinction is that this is interpreted by many to be the “residual risk” for a single risk. Most objectives in my experience have 10 or more significant risks that create uncertainty that they will be achieved with a tolerable level of retained risk. We have asked objective “OWNER/SPONSORS” in the past to assign a “Residual Risk Rating” to the objective being assessed after considering a rich set of “Residual Risk Status” information linked to the objective(s) being assessed. This is key information that allowed a universe of objectives to be sorted into those that management perceived as currently having a composite risk status within appetite/tolerance and those that weren’t, and the potential danger of those objectives currently outside of risk appetite/tolerance. Last week, at my daughter Lauren’s urging, we changed the name of the “RESIDUAL RISK RATING” to “COMPOSITE RESIDUAL RISK RATING” to emphasize that it considers a range of information linked to key value creation and potential value erosion objectives to arrive at a composite rating that specifically reports whether the overall status is within the organization’s risk appetite/tolerance. We hope this will emphasize that we are referencing a collection of information designed to help senior management and boards make better decisions on the acceptability of the current retained risk positions linked to key value creation and potentially value eroding objectives.

    In any event, I continue to enjoy debates with Norman and appreciate Norman elevating some of my ideas through his truly impressive network of social media channels.

  10. July 16, 2013 at 6:16 AM

    Hi Norman,

    Very valid put – and at the same time I have to say I like the risk register and I think it is extremely helpful for risk managers. The risk register is for me rather a concept than a tool. And when you take a concept like the risk register and turn it into a simple tool, this does not work.

    Best regards, Stefan

  11. July 31, 2013 at 8:32 PM

    This is a great discussion. I think the importance of risk registers in general is that they avoid the problem of overloading risk managers with hundreds of similarly sounding risks from throughout an enterprise. I don’t mean to say, however, that a risk register should be a concrete, unmodifiable list. As organizations get a clearer understanding of their risk picture, risk managers should absolutely customize and adjust their registry to touch on critical risks. Ideally, a registry will allow organizations to capture systemic risks that appear in multiple business areas, and very refined systems might allow business areas to express risks in their own terminology (or in outcomes), and a risk manager will be able to map their concern back to the appropriate risk from the register.

    I also agree with Tim on the role of a “Board” or “Strategic Objective” approach to risk management, but I do not believe this approach is incompatible with risk registers. If your organization has predefined strategic or executive level goals, the ability to map your risk register up is equally as important as assigning them for assessment. For an example of this, this blog post addresses how to tackle a strategic goal, Reputation Risk, with a risk register: http://info.logicmanager.com/bid/100008/How-to-Tackle-Reputation-Risk-with-a-Risk-Taxonomy

  12. August 1, 2013 at 5:45 AM

    I encourage all those interested in this post to read the summary of the second meeting of the NACD (National Association of Corporate Directors) committee set up to study how to enhance board risk oversight. A key theme emerging is the need for boards to focus on the really important risks impacting key strategic objectives. Although risk registers can pick up some individual risks to key strategic objectives, my argument is why not just start by getting some agreement on what the really key value creation objectives and objectives with high “value erosion potential” are, and then apply formal risk management to identify the full range of significant risks that create uncertainty re their achievement. Details on the NACD deliberations, deliberations that are being done by directors not solely risk and audit specialists, can be found at:


    Another point worth considering is the overall effectiveness of risk registers at identifying and escalating the really big entity level issues. A large number of companies that have suffered debilitating events have had risk registers and processes to annually update them. Effort should be made to study why they were ineffective at focusing senior management and board attention where it was needed. This should include companies at the heart of the 2008 global financial crisis, companies like Siemens and SNC Lavalin and the negative impacts of FCPA fines, companies that have “missed the boat” like Blockbuster and Kodak, major banks that have had to pay massive AML fines, and companies that continue to be pummelled by competitors that aren’t responding effectively, like Blackberry.

    The question isn’t whether risk registers have value in isolation but whether using an objectives register would produce better overall value and better demonstrate the power of formal risk management. I don’t believe using both risk and objectives registers is practical or fair to work units already overburdened with demands from multiple specialist assurance silos. Another benefit would be to see if the risk and internal audit functions actually know what the company’s top value creation and top potential value erosion objectives are. If the answer is they really don’t (and I fear that is true in all too many organizations), you have identified a key hole in the corporate risk management processes.

  13. August 3, 2013 at 5:17 AM

    This review format works. It is an effective tool for identifying risks, creating a common understanding of risks by all responsible individuals and for the initiation of an integrated and complete risk management approach for the proposal.
