7 reasons why risk registers might be doing more harm than good
Updated: May 6
Risk registers are everywhere. Organisations invest considerable time, effort, and resources creating them, updating them, and reporting them. But if you actually think about them for a moment, you’ll quickly start challenging them. Here are a few reasons why you might want to change the way you do things.
Every organisation faces multiple risks - tens, hundreds, if not thousands. Trying to keep a spreadsheet updated with all that information is impossible.
Risk should be expressed in ranges. Spreadsheets almost invariably use single values or qualitative descriptors which are arbitrary and subjective.
Distilling the hundreds or thousands of risks down to a ‘top 20’ or something equally arbitrary will lose a lot of detail and masks much of the information.
Chasing people for updates is a never-ending task which takes time and effort for no noticeable benefit. People would rather be running their departments than updating your file.
Risk needs to be related to the organisation’s objectives, a standalone document probably removes this association.
Risk registers are unlikely to contain information about different options available to decision makers.
There is nothing which says organisations are required to use risk registers - it’s just always been done that way.