
Most Risk Registers Do Not Manage Risk

"The Illusion of Risk Management" prompted by E. Mehler with ChatGPT 2026

They Document Avoided Decisions.


By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.


I have yet to see a risk register that truly reflects how an organization operates under risk.

That may sound provocative.

It is not meant to be.

It is an observation that becomes difficult to ignore once you have sat in enough risk reviews, internal audits, steering committees, management reviews, and board discussions.

Because on paper, many organizations look disciplined.

They have hundreds, sometimes thousands, of risks documented. They have scoring models, heat maps, treatment plans, owners, deadlines, residual risk ratings, review cycles, mitigation measures, and escalation rules.

  • The register is maintained.
  • The report is produced.
  • The dashboard is updated.
  • The committee is informed.

And yet, when something serious happens, many of those risks do not seem to have mattered in the way they should have.

Not because the entries were necessarily wrong.

But because they were never truly decided upon.

This is one of the uncomfortable truths of risk management:

Most risk registers are not designed to drive decisions.

They are designed to prove that risk has been considered.

That distinction is everything.

The Illusion of Managed Risk

A risk register creates a powerful sense of control.

It gives structure to uncertainty. It allows organizations to categorize, score, prioritize, assign, track, and report. It makes risk visible in a format that auditors, managers, and committees can understand.

That is useful.

But it can also be misleading.

A well-maintained risk register can make an organization feel more mature than it actually is. The existence of documented risks can create the impression that risk is being actively managed, even when the organization is merely describing conditions it has already learned to tolerate.

This is especially true in large organizations.

  • Risks are entered.
  • Risks are reviewed.
  • Risks are re-scored.
  • Risks are transferred between owners.
  • Risks are linked to measures.
  • Risks remain open.

And over time, some of them become part of the operational landscape.

They are no longer treated as decisions waiting to be made.

They become background noise.

  • A known vulnerability.
  • A known dependency.
  • A known access weakness.
  • A known lack of monitoring.
  • A known backup limitation.
  • A known supplier exposure.
  • A known absence of tested recovery.

Everyone knows.

No one decides.

That is not risk management.

That is managed familiarity.

A Control Gap Is Not Yet a Risk Decision

Take a common risk register entry:

“Lack of multi-factor authentication for privileged accounts.”

  • It looks like a risk.
  • It sounds like a risk.
  • It is often treated like a risk.

But what is actually being described?

In many cases, it is not a risk in the sense that leadership needs to understand it.

It is a missing control.

That missing control may be serious. It may expose the organization to account takeover, lateral movement, privilege escalation, ransomware impact, fraud, data exfiltration, regulatory findings, and operational disruption.

But the statement itself does not yet describe the organizational decision.

  • It does not say what is at stake.
  • It does not say which business process depends on those privileged accounts.
  • It does not say who is operating under this exposure.
  • It does not say whether the organization has knowingly accepted it.
  • It does not say why treatment has not happened.
  • It does not say what trade-off is being made.

And most importantly, it does not answer the governance question:

Who decided that we continue to operate this way?

Because that decision has already been made.

It may not have been formalized.

It may not have been escalated.

It may not have been acknowledged.

It may not even have been understood as a decision.

But the organization is already living with the consequence.

The risk register merely describes the situation after the fact.

When Documentation Replaces Decision-Making

Most risk management frameworks assume that once a risk is documented, decisions will follow.

In practice, the opposite often happens.

Documentation replaces decision-making.

The more detailed the register becomes, the easier it is to believe that the organization is “on top of risk.” Each entry has a status. Each measure has a timeline. Each owner has a name. Each score has a rationale. Each review creates the impression of movement.

But underneath, the actual decision may remain untouched.

  • Are we accepting this exposure?
  • Are we funding treatment?
  • Are we changing the process?
  • Are we replacing the system?
  • Are we stopping the activity?
  • Are we escalating the decision?
  • Are we prepared to justify this position after an incident?

If these questions are not answered, the register is not driving governance.

It is creating administrative continuity around unresolved risk.

That is dangerous.

Unresolved risks do not disappear simply because they are reviewed.

They accumulate.

The Open Risk That Becomes Normal

Every CISO has seen this pattern.

A risk is identified.

The first review marks it as important.

A mitigation plan is defined.

A deadline is set.

The deadline moves.

The score is adjusted.

Dependencies are noted.

Budget constraints are mentioned.

Ownership changes.

A new project is expected to solve it.

The project is delayed.

A compensating control is discussed.

Another review takes place.

The risk remains open.

After two or three cycles, the conversation changes.

The urgency fades.

The organization becomes familiar with the exposure.

The risk is no longer perceived as a decision failure. It becomes a stable item in the register.

It is known.

It is tracked.

It is tolerated.

At that point, the risk register has become a historical record of avoided decisions.

Not because anyone intended that outcome.

But because the governance process never forced a clear position.

Real Risks Describe What Is at Stake

A real leadership-level risk does not merely describe what is missing.

It describes what is at stake.

That distinction is critical.

“Lack of MFA for privileged accounts” is a control gap.

“Loss of control over privileged access to business-critical systems” is a risk.

“Insufficient logging” is a control gap.

“Inability to detect or reconstruct critical security incidents in time to contain business impact” is a risk.

“No tested restore process” is a control gap.

“Inability to recover critical services within the time required to maintain operations” is a risk.

“Supplier security assessment missing” is a control gap.

“Dependence on a third-party provider whose security failure could disrupt a critical business process without sufficient contractual or operational leverage” is a risk.

This reframing changes the conversation.

It moves the discussion away from deficiencies and toward consequences.

It forces the organization to ask whether it is prepared to live with the state it is in.

That is where risk management becomes real.

Risk Registers Often Confuse Work Management with Risk Governance

Many risk registers become work management systems.

They track measures, tasks, deadlines, responsible persons, and progress updates. This is useful for operational follow-up, but it is not the same as risk governance.

Work management asks:

  • What needs to be done?
  • Who is doing it?
  • When will it be finished?
  • What is the current status?

Risk governance asks:

  • What exposure are we operating under?
  • Who owns the decision?
  • Is the exposure within our risk appetite?
  • What trade-off are we making?
  • What happens if we do nothing?
  • What evidence supports our position?
  • When must the decision be revisited?

These are different conversations.

Both are necessary.

But when the risk register becomes dominated by action tracking, the decision dimension often disappears.

The organization starts managing measures instead of managing risk.

The Missing Question: Who Chose This Risk?

The most important question in many risk reviews is rarely asked directly:

Who chose this risk?

  • Not who discovered it.
  • Not who documented it.
  • Not who owns the mitigation measure.
  • Not who updates the register.

Who chose that the organization will continue to operate under these conditions?

This question is uncomfortable because it reveals whether risk ownership is real.

In many organizations, risk ownership is assigned administratively, not decisively. A person’s name appears in the register, but that does not necessarily mean they have the authority, budget, mandate, or willingness to make the underlying decision.

This creates a governance gap.

The risk appears owned.

But the decision is not.

The owner may be responsible for updating the entry, but not capable of resolving the exposure. The measure may depend on another department. The budget may sit elsewhere. The system may belong to IT. The process may belong to the business. The regulatory exposure may concern legal. The operational impact may sit with operations. The accountability may ultimately belong to executive management.

If the register does not clarify this, it creates false accountability.

Risk Acceptance Without Decision

One of the most common forms of hidden risk acceptance is delay.

  • A measure is postponed.
  • A project is deferred.
  • A migration is rescheduled.
  • A control implementation is moved to the next budget cycle.
  • A critical dependency remains unresolved.

Everyone agrees that treatment is needed.

But nothing happens.

This is often treated as “risk in progress.”

In reality, it may be risk acceptance by behavior.

The organization continues to operate under exposure. The fact that no one has signed a formal acceptance does not change the operational reality.

This is important.

Risk acceptance is not only a form.

It is a condition.

If the organization knows the exposure and continues operating without treatment, it is effectively accepting the risk — whether or not the governance process has acknowledged it.

The CISO’s role is to make this visible.

The Difference Between Accepted and Accumulated Risk

Accepted risk and accumulated risk are not the same.

Accepted risk is conscious.

  • It is understood.
  • It is owned.
  • It is justified.
  • It is time-bound.
  • It is revisited.
  • It is connected to risk appetite.
  • It includes evidence and rationale.

Accumulated risk is different.

It grows through delay, ambiguity, underfunding, unclear ownership, competing priorities, and organizational fatigue.

  • No one fully owns it.
  • No one clearly accepts it.
  • No one rejects it either.

It simply remains.

And because it remains, it becomes normal.

This is one of the greatest weaknesses of risk registers that do not force decisions. They allow accumulated risk to look like managed risk.

Heat Maps Do Not Create Accountability

Risk heat maps can be useful.

They can help visualize relative exposure. They can support prioritization. They can give management a quick overview.

But heat maps do not create accountability.

A red risk on a heat map does not decide anything.

An orange risk does not tell you who must act.

A green risk may create unjustified comfort.

Scoring models can create the appearance of precision. But risk scoring often hides the harder questions:

  • What decision is required?
  • Who has authority to make it?
  • What is the organization prepared to trade off?
  • What are we no longer willing to tolerate?
  • What would we defend after an incident?

A heat map without decision rights is a graphic.

Not governance.

The Role of the CISO

In this context, the role of the CISO is not merely to maintain the risk register.

The role of the CISO is to challenge its purpose.

The CISO must ask whether the register is helping the organization make better decisions or merely helping it demonstrate that risk has been recorded.

That requires uncomfortable questions.

  • Which entries are actual risks, and which are control deficiencies?
  • Which risks require executive decision?
  • Which risks have been open so long that they represent hidden acceptance?
  • Which risks are outside risk appetite?
  • Which risks are owned by people without the authority to treat them?
  • Which risks are repeatedly deferred because the organization does not want to confront the trade-off?
  • Which risks would we be unable to justify after a serious incident?

These questions move risk management from administration to leadership.

Turning Risk Entries into Decision Statements

One practical way to improve risk registers is to convert key entries into decision statements.

Instead of writing:

“Logging for critical systems is incomplete.”

Write:

“We are currently unable to reliably detect and reconstruct security-relevant events across critical systems, which may delay containment, weaken forensic capability, and reduce legal defensibility after an incident. Management must decide whether to fund centralized logging and monitoring or formally accept the resulting detection and investigation limitations until a defined date.”

This is longer.

It is also more honest.

It makes visible what is at stake, what decision is needed, and what accepting the status quo means.

A decision-oriented risk entry should include:

  • The exposure.
  • The affected business capability or asset.
  • The consequence.
  • The current control or governance gap.
  • The decision required.
  • The accountable decision-maker.
  • The treatment options.
  • The time limit.
  • The residual risk if no action is taken.

This does not make the register bureaucratic.

It makes it useful.

Risk Appetite Must Become Operational

Risk appetite is often discussed at a high level.

Organizations say they have low appetite for regulatory violations, critical service disruption, data breaches, fraud, safety risks, or reputational damage.

But the real test is operational.

What does low appetite mean when privileged accounts lack strong controls?

What does low appetite mean when critical suppliers are onboarded without sufficient assurance?

What does low appetite mean when incident detection depends on incomplete logging?

What does low appetite mean when recovery capabilities are untested?

What does low appetite mean when sensitive data is copied into non-production environments?

What does low appetite mean when cloud dependency has no exit strategy?

A risk register should connect abstract risk appetite to concrete decisions.

Otherwise, risk appetite remains language.

Not governance.

Why Organizations Avoid Decisions

Organizations do not avoid risk decisions because people are irresponsible.

Often, they avoid them because the decisions are difficult.

A real risk decision may require funding.

It may delay a strategic program.

It may expose a weak system.

It may challenge a powerful stakeholder.

It may reveal that previous decisions created unacceptable exposure.

It may require accepting that the organization has been operating outside its stated risk appetite.

It may force executives to choose between speed, cost, resilience, compliance, and trust.

That is why risk registers can become comfortable substitutes.

They allow the organization to continue discussing risk without confronting the decision behind it.

The CISO must recognize this pattern.

And then carefully, repeatedly, and constructively disrupt it.

From Register Maintenance to Governance Discipline

A better risk register is not simply a cleaner spreadsheet or a more advanced GRC tool.

A better risk register is one that creates governance discipline.

It should make unresolved decisions visible.

It should distinguish between control gaps and business risks.

It should show where risks are accumulating.

It should identify decision owners, not only task owners.

It should connect risk to business objectives and risk appetite.

It should trigger escalation when exposure remains unresolved beyond defined thresholds.

It should preserve evidence of why a risk was accepted, treated, transferred, or rejected.

Most importantly, it should make avoidance harder.

That is the real test.

If the register allows serious risks to remain open for years without forcing a position, the tool is not the problem. The governance model is.

What a Decision-Oriented Risk Review Looks Like

A decision-oriented risk review is different from a status review.

It does not simply ask:

Has the score changed?

Is the measure on track?

Has the owner updated the entry?

It asks:

What decision is pending?

Is the current exposure within appetite?

Who has authority to decide?

What options are available?

What is the cost of delay?

What happens if the scenario materializes before treatment?

Can the current position be defended?

Is this still a risk treatment plan, or has it become hidden acceptance?

This kind of review changes the atmosphere in the room.

The discussion becomes less about administration and more about accountability.

That is exactly the point.

The Danger of Growing Registers

Risk registers tend to grow.

New risks are added.

Old risks remain.

Categories expand.

Controls are mapped.

Findings are converted.

Projects generate entries.

Audits add observations.

Incidents create new items.

At some point, the register becomes too large to govern meaningfully.

When everything is in the register, nothing is truly visible.

The CISO must help distinguish between levels of risk information.

Not every deficiency belongs in the executive risk register. Not every control issue requires board attention. Not every finding is a strategic risk. Operational issues need management, but leadership-level risk registers must remain decision-oriented.

Otherwise, the register becomes a landfill of unresolved work.

And the few risks that truly matter become buried.

A Practical Test for Every Risk Register Entry

A simple test can help improve risk quality.

For every significant risk entry, ask:

Does this describe what is at stake, or only what is missing?

Is there a clear business consequence?

Is there a decision required?

Is the decision-maker identified?

Is the risk linked to risk appetite?

Is the current exposure time-bound?

Is there evidence supporting the treatment or acceptance?

Would this entry help management make a decision?

Would we be comfortable showing this entry after an incident?

If the answer is no, the entry may not yet be a risk.

It may be a finding, a task, a control gap, or a concern.

That does not make it irrelevant.

But it means it should be managed in the right place and in the right language.

Final Reflection

Risk registers are necessary.

But they are not sufficient.

They can support governance, but they can also conceal its absence. They can create transparency, but they can also produce the illusion of control. They can help organizations prioritize, but they can also allow difficult decisions to remain indefinitely unresolved.

The question is not whether an organization has a risk register.

Most do.

The question is whether the register changes decisions.

Does it force clarity?

Does it expose avoided choices?

Does it connect risk to business consequence?

Does it identify who is accepting what?

Does it distinguish between missing controls and leadership-level exposure?

Does it prevent accumulated risk from pretending to be managed risk?

If the answer is no, the register will continue to grow.

And with every new entry, the organization may feel more mature while becoming more exposed.

The real purpose of risk management is not to prove that risk has been considered.

It is to ensure that risks are consciously chosen, treated, escalated, or rejected.

That is where the CISO must lead.

Not by maintaining a perfect register.

But by insisting that risk management becomes what it was always meant to be:

A discipline of decision-making under uncertainty.

Because the most important question is not:

“What risks do we have?”

It is:

“Which risks have we actually chosen — and which ones are simply happening to us?”


Publication Note & Disclaimer
This article was originally published on LinkedIn on May 7, 2026 and may have been edited or updated for publication on this site.

It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.

For information regarding image credits, copyrights, trademarks and other intellectual property rights, please refer to the Imprint.