Years ago, I worked in a bank. I’m sure the concept of a “register” came from a banker initially. Banks had registers for everything.
One of my jobs was to keep the collateral register postings up to date. When a customer opened a line of credit, they were required to pledge something, usually marketable securities, as collateral. I posted the collateral in the register and someone else placed the securities in the vault, where they’d stay and gather dust. (I think bankers invented segregation of duties too.)
Occasionally, the bank auditors would arrive to count the securities, compare them to my register, and verify they were all there. Then the securities would go back in the vault and my register would go back in a drawer. Yes, this was before computers were introduced—those were the good old days.
I first came across the notion of a “risk register” in the Australian/New Zealand Risk Standard 4360 back in the mid-1990s. Just like bank collateral, risks were registered, and various details were recorded. Here’s an example of what I often see in practice.
What’s the problem with risk registers? I suppose if risks were tangible and stable, nothing. Maybe we could manage them by counting them every once in a while and then locking them away again.
But the Truth Is…
The only thing we can say for certain about a risk register like this is that everything in it is wrong the moment after it’s written. Risks change all the time. New ones appear and old ones disappear. Complex, constantly changing relationships exist between risk drivers, risk indicators, risks in the risk register, and risk impacts or business consequences.
Risk registers are two-dimensional and suggest stability. True risks are multidimensional, dynamic, and totally unstable.
In every single case where I have seen clients prepare a risk register, they’ve placed it in a drawer (or a computer file) and forgotten about it. Occasionally, it’s hauled out, dusted off, and updated. But in no case have I ever seen a risk register used as a tool for effectively managing risk. It’s a tool for forgetting risk.
Risks don’t belong in a register. They belong on a desktop. The technology to manage risks may not have existed when the first risk management frameworks were introduced—but it’s time to move into the 21st century. Ditch the risk register and actually manage the risk.
Share your thoughts on this with me. How can risk be managed better? Have you replaced your risk register?
And if this topic interests you, check out my first risk management myths post, Exposing the Flaws of Risk Heat Maps, and look for the third in the series next week, Can Risks Be Owned.