The Risk Register Is Not a Risk Function
Documenting risk is not the same as managing it. Most registers protect the function. They do not protect the business.
It is also, in most cases, a fiction.
Not because the entries are wrong. Because the entries are manageable. The risk register documents the risks the organization is comfortable naming. The risks that are actually material, the ones that would change the trajectory of the business, are almost never on it.
If you have ever been surprised by a risk event, look back at the register from the quarter before. The event is rarely there. And the question is not "why did we miss it?" The question is "why does our register systematically miss this kind of thing?"
The register selects for the wrong risks
A risk register is a document.
A risk function is a behaviour.
Confusing the two is the most expensive governance mistake in mid-market and PE-backed companies, and it is also the most common.
The register exists to be reviewed.
To be reviewed, it must be ownable.
To be ownable, each risk must have a name attached.
To get a name attached, someone has to volunteer.
Volunteering for a risk you cannot control is career-limiting. So the risks that get onto the register are the risks that already have a plan attached. The register becomes a list of work being done, not a list of dangers being watched.
Three structural reasons your register cannot see real risk
Risks get onto the register through politics, not analysis.
The supply chain head names supply chain risks. The CFO names liquidity risks. The CTO names cyber risks. Each function names the risks it has budget to address. The risks that fall between functions, the interface risks, have no natural owner, and so they have no entry.
But the interface is where mid-market companies fail. Quality breaks down between operations and the supplier. Cash breaks down between finance and commercial. Talent breaks down between the function head and HR. None of these have an owner. None of them are on the register.
The format demands ownership, which means homeless risks disappear.
A register entry without an owner gets removed in the next review. So the moment a risk is genuinely cross-functional, the register pushes it out. The risks that survive are the risks that have a single home. The risks that matter most are precisely the ones that do not.
Probability times impact obscures correlation.
The 5x5 matrix assumes risks are independent. They are not. The supplier issue, the regulatory shift, and the loss of the head of quality are three medium risks on the register. Together, in the same quarter, they are an existential event. The register cannot show you that. It only shows you the entries one at a time.
What a risk function actually does
The register is not the function. The function is three behaviours that happen *outside* the document.
It watches the interfaces. A risk function spends most of its time looking at the seams between teams, between systems, between contracts. Not at what each function owns. At what falls in the gaps.
It maintains a correlation view. It asks every quarter: *which of our medium risks would, together, be a crisis?* It runs the cascade. It stress-tests the combination, not the line items.
It separates the watcher from the operator. The head of supply chain cannot be the one who scores supply chain risk. They are the operator. Someone independent of the function has to hold the second view. Without that separation, the register reflects only what the operator is comfortable saying about their own work.
Three questions that change how you use the register
What risk is sitting between two functions today and has no owner?
Which three medium risks, if they hit in the same quarter, would change our value-creation plan?
Who in the business is currently watching something they have not been asked to watch?
The first surfaces interface risk. The second surfaces correlation. The third surfaces the informal sensing network you already have but are not using.
The meta-point
A risk register is a useful artifact. It is not a risk function. If the only place your organization watches for risk is in the document the board reviews, your organization is not watching for risk. It is watching the document.
The register tells you what your team is comfortable naming. A risk function tells you what they are not.
Build the second one.
The first one will not save you.