Enterprise risk registers are a target for derision among many in the risk management profession and those forced to take part in populating them. They are often viewed as imposing time-consuming exercises with questionable value that directs attention and resources toward risks themselves rather than an organization’s primary objectives.

However, risk registers can fill a vital role when considering risks in the flow of business decision making processes and will become even more critical as the speed of decision making accelerates. You will just not recognize them as they exist today.

What is a Risk Register?

A risk register is a database of known risks a company would like to address as it pursues its objectives. Accompanying each risk are facts such as its description, category, causes, probability of occurrence, consequences, proposed responses, stakeholders, risk owners, controls, and a record of past events, responses, and loss experiences. Organizations may use risk registers for projects, within a business unit, and/or at an enterprise level.

To consider the debate over the value of a risk management register, it is useful to separately analyze (1) the information as a database, (2) the process that populates it, and (3) software platforms used to develop and manage it.

The Pros of Risk Registers

Risk register information databases can:

• Provide a go-to reference when initiating decision processes.
• Identify both threats and opportunities.
• Help inform risk-reward tradeoff analysis.
• Feed predictive analytics that help assess decision outcomes.
• Help optimize enterprise-wide risk mitigation strategies and insurance policy coverage.
• Present evidence of compliance with regulatory requirements.
• Highlight facts for risk statements in SEC filings, including annual reports.
• Support positive ratings from credit agencies.
• Document governance, roles, and responsibilities.
• Help set and confirm risk controls.
• Support audit analysis and reporting.

Processes used to populate risk registers today can:

• Make employees consider risks relevant to their roles.
• Help build a risk-aware culture across an organization.
• Create a sense of personal accountability for risk management.
• Facilitate creative thought about new and emerging risks.

Risk register software platforms can:

• Enable a structured approach to risk identification and assessment.
• Help set standards for assessing the likelihood and consequences of potential risks.
• Help integrate analysis across an organization to inform C-level decisions.
• Facilitate integrated risk analysis for enterprise mitigation and insurance coverage strategies.
• Help automate data collection and analysis.
• Support project team, business unit, and cross-enterprise communication.
• Facilitate reporting to boards, shareholders, regulatory entities, ratings agencies, auditors, and other stakeholders.

The Cons of Risk Registers

Risk register information databases can:

• Narrowly focus on only the most obvious top-known risks when long-tail risks and emerging risks are the primary cause of business failures.
• Build a collection of past data that may not appropriately inform decision making under current and future business conditions.
• Reflect a white-washed view of risks considered presentable to top management or external stakeholders rather than an honest assessment of true organizational risks.
• Concentrate on standalone risks rather than a set of integrated risks in the context of organizational objectives or specific decisions.
• Skew toward risks as negative threats that need controls rather than presenting opportunities.
• Have missing or incomplete data that create risk blind spots.
• Provide a static view of risks when market dynamics can change abruptly.

Processes used to populate risk registers today can:  

• Impose cumbersome time-consuming standalone processes outside the flow of normal business activities.
• Occur on a quarterly or annual process cycle instead of within ongoing, dynamic, real-time business decision-making conditions.
• Build a database as an end product which is subsequently ignored.
• Prioritize the fulfillment of external reporting requirements over internal needs.
• Focus on potential negative consequences to set controls rather than considering risk-reward tradeoffs.
• Create the illusion of fully addressing risks.
• Set a risk-centric activity disconnected from specific business objectives and decisions.

Risk register software platforms can:

• Concentrate too much on risk list development, regulatory requirements, and controls versus decision support and identifying opportunities to leverage risks.
• Lack the context of business objectives and decision making.
• Require time-consuming manual input.
• Impose a process that grates against well-established business practices.
• Extend data requirements beyond what is necessary for effective risk management.
• Struggle to provide standards flexible enough for use across business functions and risk sources.
• Sometimes lack the ability to access a full set of relevant and critical data sources.
• Include an inconsistent set of qualitative and quantitative assessments that are difficult to integrate across a risk portfolio.
• Limit creative and open thought.

Changing the Current State of Risk Registers

A review of the pros and cons of risk registers reveals some strong potential benefits if integrated more seamlessly with organizational decision making. However, many businesses currently fall victim to the negative aspects of standalone risk register development and use.

Quarterly or annual exercises designed to populate and update risk registers may help optimize insurance portfolios, inform risk statements, and provide positive evidence to address regulatory and credit agency interests, but these value points remain divorced from decision-making processes.

While the information within risk registers has plenty of potential value, complaints tend to center on the tedious process needed to create “risk lists” and their perceived lack of value for use within the flow of normal business activities. Many ERM and GRC software platforms often just reinforce this negative perception.

Accentuating the positives and minimizing the negatives of risk registers calls for:

1. Constantly updated, broad-ranged risk information to feed into analytics that support real-time business objective setting and decision making.
2. Risk identification and assessment processes that integrate with ongoing business activities.
3. Software that can help automate risk identification and assessment and integration with business objectives and decision making.

The first point may seem to run counter to the need to reduce process demands for populating risk registers, but the solution lies in balancing human versus automated input requirements. Monitors, sensors, all forms of enterprise software, and third-party data providers are exponentially building sources for risk information. Nearly all of the information needed to identify risks to populate registers can exist in company data lakes and should eliminate any need to create lists from scratch.

Setting the Value of Human Versus Automated Processes

When employees participate in blank-slate risk identification exercises, the process typically begins with listing all known business risks before imagining potential new and emerging risks. There is a point along this continuum where the value of automated risk identification and human risk identification cross. Future concepts of risk register development and use will better leverage the strengths of both automated and human assessments.

Advancements in technology and machine learning now offer automated risk identification with higher accuracy and less bias than humans. Machine learning analysis of information associated with any system (operational or decision processes) can even uncover previously ignored risks. Individuals currently use statistical analysis to uncover key risks to populate risk registers, but AI engines can improve this process by assessing more data and a wider variety of information with less bias at a higher speed in real time.

The weakness of automated AI-driven risk analytics is the same as any statistical analysis. It can only predict future outcomes based on past data and whatever future considerations it is fed. This is where human thought processes and problem solving are still superior to any automation.

While automated analysis is more efficient for assessing past data, humans can better assess real-time anomalies (once detected) and imagine future conditions for new risk considerations.

Effectively integrating risk management with decision making calls for more automation to prepopulate risk registers in the context of specific business objectives and decisions, while leaning on human participation to confirm this initial list, consider real-time anomalies, and imagine future risk factors. Emphasis on these human strengths should encourage greater individual engagement and value perception.

The Future State of Risk Registers

In essence, a well-managed data lake is a raw risk register. It should provide all the potential information sources necessary to analyze decision systems and identify risks related to any business objective. Risk management software will have the ability to filter all related risk factors, probabilities, and consequences based on past information and present a prepopulated list to decision makers.

An individual or team should be able to (1) set an objective and decision context, (2) have a prepopulated set of initial risk considerations presented to them, (3) assess real-time dynamics, and (4) add potential new and emerging risks. Once a full list of risks related to a specific objective or decision is identified, it will be easier to determine the needs to address risk owners, risk responses, controls and other factors associated with risk registers.

This capability exists today, but it will take some time for companies to implement and realize this approach. The first priority should be identifying and assembling (currently used and potentially useful) information sources related to each major organizational objective. Then test automated AI-driven risk analysis in cases where current risk identification exercises use a significant amount of human resources. Business analytics thought leaders, Tom Davenport and Rajeev Ronanki, offer their advice on incrementally building AI automation into current business processes in this Harvard Business Review article “Artificial Intelligence for the Real World.”

All business managers should be considering where machine learning can create efficiencies and add value in current business processes. Risk identification and risk register development are processes ripe for this analysis. It will help transform risk registers from time-consuming standalone database exercises to valuable in-process, decision-support resources that can unleash more creative risk-taking considerations.

Yes, risk registers will live on, but not in the form you recognize them today.