Your Risk Register Is a Fossil (And What to Replace It With)
The first time I saw a risk register that mattered, it was a single A4 page. Twelve risks. Present tense. A column called "what we're watching this week." Here's why most registers are dead the day they're approved — and how to keep yours alive.
The first time I saw a risk register that mattered, I almost didn't recognize it.
It was 2019. I was consulting at a payments company, and the Chief Risk Officer pulled out a single sheet of paper. Not a spreadsheet. Not a Power BI dashboard. A single A4 page with twelve risks, each one written in the present tense — "Our reconciliation cycle assumes settlement at T+1, but our newest corridor is T+0" — and a column called "What we're watching this week."
That was the whole register.
I'd seen registers before, of course. Most of them were 400-line spreadsheets. Color-coded. Heat-mapped. Quarterly reviewed. They felt thorough. They felt risk-managed.
But standing in front of this CRO's single page, I realized something I'd been avoiding for years. Most risk registers are fossils.
The problem
A fossil is what's left when something used to be alive.
Most risk registers are exactly that. At some point, a team sat in a room, brainstormed every threat they could imagine, scored each one on likelihood and impact, mapped them to a 5×5 grid, and called it done. The register was alive for those four hours. By the time it hit the board pack, it was already calcified.
You can recognize a fossil by the way no one argues with it.
Living things provoke disagreement. They surprise you. They change when conditions change. A real risk — say, the one that's actually going to take down your company in the next 18 months — is the one your team can't agree on. It's the one that's halfway between two functions, doesn't fit a category, and makes people uncomfortable when raised.
That kind of risk almost never makes it onto the register, because the register is designed to be agreed-with.
Why this matters more than you think
Here's what happens when your risk register is a fossil.
Your audit plan, which is risk-based, derives from the register. So your engagements get pointed at last year's risks. Your control library, which is risk-mapped, accumulates controls against threats that no longer move. Your key risk indicators (KRIs), which are risk-derived, track lagging indicators of dead concerns.
The entire GRC operating model downstream of the register inherits the fossilization.
Meanwhile, the actual risks — the ones moving — never enter the system. They live in Slack threads, in offhand comments at the offsite, in the CFO's gut. When one of them lands, the post-mortem always reads the same: "This risk wasn't on the register." And the response, every time, is to expand the register.
But the register isn't undersized. It's overfit to a moment in time that's already passed.
I've watched three companies in three different sectors lose serious money to risks that were obvious to anyone in the operating function, and invisible to the GRC team. Each time, the response was a bigger register. Each time, the next year's near-miss came from somewhere completely different.
This is how risk management quietly becomes theater.
The solution
What that CRO with the single A4 page taught me was simple, and I'm going to give it to you in three moves.
1. Separate the inventory from the conversation
You still need an inventory of risks. It belongs in a database, not in the board pack. Treat it like a control library — a reference asset, not a decision asset. No one runs the company by reading the control library, and no one should run risk by reading the register.
2. Maintain a moving register
A small, opinionated list of the risks you're actively watching this quarter. Maximum 10 to 15. Each one written in plain language, present tense, with a name attached. This is the document the executive committee should be arguing about. If they're not arguing, it's already a fossil.
3. Build a forward-looking surface
This is the hardest part. You need a structured way to ingest weak signals — from internal audit findings, from operational incidents, from regulatory shifts, from market events — and let them push risks onto and off of the moving register. In modern GRC platforms, this looks like an event-driven layer: domain events flow into the system, agents like RiskSentinel score them against your register, and risks get re-ranked weekly.
The point isn't the technology. The point is that risk is a flow, not a list. The list is the snapshot you take of the flow. The moment the snapshot becomes the artifact, you're managing fossils.
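To make move 3 concrete, here is an added example of the event-driven layer, written for this page and not taken from RiskSentinel or any GRC platform (the page does not describe how RiskSentinel scores). Everything in it is an assumption: the signal kinds and their weights, the 28-day half-life that lets old signals fade, the cap on the moving register, and the sample inventory and events, which are constructed. Signals that name a risk the inventory does not know about are not dropped; they are queued for triage, because those are exactly the risks living in Slack threads and the CFO's gut.

```python
"""Event-driven re-ranking of a moving register.

Added illustration, not the page's or any GRC vendor's code. The signal
weights, the 28-day half-life, the cap, and the sample inventory and events
below are all assumptions constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date

# Weight each signal kind adds to a risk's score (assumed values).
SIGNAL_WEIGHT = {
    "incident": 0.40,
    "audit_finding": 0.30,
    "regulatory_change": 0.25,
    "market_event": 0.15,
}
HALF_LIFE_DAYS = 28  # a signal loses half its weight every four weeks (assumed)


@dataclass
class Risk:
    name: str
    owner: str            # every row on the moving register carries a name
    base: float           # inventory score, e.g. normalised likelihood x impact
    signals: list = field(default_factory=list)  # (date seen, weight) pairs


def current_score(risk: Risk, as_of: date) -> float:
    """Base score plus every attached signal, exponentially decayed by age."""
    total = risk.base
    for seen, weight in risk.signals:
        age_days = (as_of - seen).days
        total += weight * 0.5 ** (age_days / HALF_LIFE_DAYS)
    return total


def ingest(inventory: dict, unmapped: list, event: dict) -> bool:
    """Attach an event to the inventory risk it names.

    An event naming no inventory row (or an unknown signal kind) is queued in
    `unmapped` for triage rather than silently discarded: those are the
    blind-spot candidates that never reach a fossil register.
    """
    risk = inventory.get(event["risk"])
    if risk is None or event["kind"] not in SIGNAL_WEIGHT:
        unmapped.append(event)
        return False
    risk.signals.append((event["date"], SIGNAL_WEIGHT[event["kind"]]))
    return True


def moving_register(inventory: dict, as_of: date, cap: int = 10) -> list:
    """The top `cap` risks by current score, highest first."""
    ranked = sorted(inventory.values(),
                    key=lambda r: current_score(r, as_of), reverse=True)
    return [r.name for r in ranked[:cap]]


def weekly_diff(previous: list, current: list) -> tuple:
    """What the executive committee should argue about: entries and exits."""
    entered = [n for n in current if n not in previous]
    exited = [n for n in previous if n not in current]
    return entered, exited


def demo():
    """Run one week of events through a constructed five-risk inventory."""
    inventory = {r.name: r for r in [
        Risk("settlement-assumption", "head-of-ops", 0.50),
        Risk("vendor-concentration", "cfo", 0.45),
        Risk("key-rotation-drift", "ciso", 0.40),
        Risk("stale-control-library", "head-of-grc", 0.35),
        Risk("fx-exposure", "treasurer", 0.30),
    ]}
    before = moving_register(inventory, date(2024, 3, 1), cap=3)
    events = [  # constructed sample events
        {"date": date(2024, 2, 1), "kind": "audit_finding", "risk": "vendor-concentration"},
        {"date": date(2024, 3, 1), "kind": "incident", "risk": "key-rotation-drift"},
        {"date": date(2024, 3, 5), "kind": "regulatory_change", "risk": "fx-exposure"},
        {"date": date(2024, 3, 6), "kind": "incident", "risk": "new-corridor-t0"},
    ]
    unmapped = []
    for ev in events:
        ingest(inventory, unmapped, ev)
    after = moving_register(inventory, date(2024, 3, 8), cap=3)
    entered, exited = weekly_diff(before, after)
    return before, after, entered, exited, unmapped


if __name__ == "__main__":
    before, after, entered, exited, unmapped = demo()
    print("before:", before)
    print("after: ", after)
    print("entered:", entered, "exited:", exited)
    print("needs triage:", [e["risk"] for e in unmapped])
```

In the constructed run, a fresh incident lifts `key-rotation-drift` to the top, a new regulatory signal pushes `fx-exposure` onto the register and `settlement-assumption` off it, and the event for `new-corridor-t0`, a risk nobody has dignified with an inventory row, lands in the triage queue instead of vanishing. The weekly entered/exited lists, not the ranked list itself, are the artifact to put in front of the executive committee.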
A reframe that may help
Try this: every quarter, ask your team a simple question.
"If we deleted the entire risk register tomorrow and rebuilt it from scratch, in two hours, with only the risks you'd swear are real — what would the new list look like?"
Then compare it to your current register.
The overlap is your living risk. The non-overlap on the current register is your fossil. The non-overlap on the rebuilt list is your blind spot — the risks you've been carrying in your head but haven't dignified with a row in a spreadsheet.
This exercise is uncomfortable. Some quarters, our delta is 60%. That tells me the register has been drifting and the team has been compensating informally. That's a failure of GRC tooling, not of the team.
Closing
I'll say what I think every chief risk officer secretly knows.
The risk register, as it's currently implemented at most companies, is not where risk management happens. Risk management happens in the conversations between the CRO, the CFO, the heads of operations, and the audit committee. The register is the receipt of those conversations.
If the receipt becomes more important than the conversation, you have a fossil on your hands.
The job is to keep the register alive — small enough to argue about, moving enough to surprise you, anchored enough that it connects to your audit plan, your controls, and your reporting. That's not a deliverable. That's a discipline.
