Ten mistakes organisations make when setting up a risk register

Risk Companion

May 26, 2026
9 min read

Key Takeaways

  • A risk register lives or dies on specificity. Vague risk descriptions, team ownership instead of named individuals, and scores assigned without discussion all share the same root cause: nobody was forced to think concretely about what could actually happen and who is responsible for it.
  • A register without active measures attached to each risk is just a list of worries. Documenting what could go wrong without recording what you are doing about it means you cannot tell whether risks are being managed or simply watched.
  • How you maintain a register matters as much as how you build it. No review dates, scores that never change across cycles, and a register opened only when an audit is approaching are all symptoms of a document that was built for a moment rather than designed as a living tool.
  • Your register should be written for the people who act on it, not the people who review it. If the language makes sense to a framework but not to your operations manager, and if there are either 200 risks diluting attention or only four risks avoiding uncomfortable conversations, the register is serving the wrong audience.
  • Someone needs to own the register as a whole, not just their slice of it. Without a named person accountable for the health of the entire register, named owners, consistent scoring, and regular reviews all quietly disappear over time.

Organisations that struggle with risk management rarely lack a risk register. What they lack is one that functions.

The symptoms are familiar. The register gets opened twice a year, risks are described so vaguely that nobody knows what they mean, scores never change, and the listed owners left the company months ago. Having a register and actually managing risk are two very different things.

Risk register mistakes tend to repeat themselves across industries, sectors, and organisation sizes. In this article we name ten of them directly, not to be harsh, but because diagnosis is the only thing that leads to change.

If your register has two or three of these problems, you are in good company. If it has six, it is time to start over.

Mistakes that make your register useless on day one

1. Risks described too vaguely to be actionable

Descriptions like 'operational risk', 'IT failure', or 'supplier risk' are categories and do not describe a specific, tangible risk.

A risk is something specific that could happen: a key supplier delivers 40% below agreed volume during peak season, leaving production unable to fulfil orders. That description tells you what the trigger is, what the consequence looks like, and who needs to care about it.

Vague descriptions are not a minor formatting issue. They make scoring unreliable, ownership unclear, and measures impossible to design. If two people read the same risk description and picture completely different scenarios, the description is wrong.

When building or reviewing a register, a useful test: can someone who was not in the room when the risk was written understand exactly what could happen? If not, rewrite it.

2. Listing a team as the owner instead of a named person

Owners listed as 'IT department', 'operations team', or 'finance' are not owners at all.

A team cannot receive an overdue reminder. A team cannot be held accountable in a board meeting. When a risk is owned by a team, it is owned by nobody, and everyone in that team knows it.

Named individual ownership is one of the simplest things to get right in a risk register, and one of the most commonly ignored. We have seen registers where the owner column had been populated by copying the department name from the row above. Every risk, same owner, no accountability anywhere.

Risk Companion's risk register requires an owner for every risk. Email reminders go to that person, not to a team inbox that nobody monitors.

3. Scores assigned without discussion

Someone sits down, opens the spreadsheet, assigns a probability of 3 and an impact of 4 to each risk, and considers the job done. The scores look reasonable. Nobody questions them.

The problem lies not in the scores themselves but in how they were produced. Risk scoring should be treated as a conversation, not just a calculation. The value of assigning probability and impact is not the number you end up with. It is the discussion that surfaces disagreement, uncovers information the risk manager did not have, and forces the team to think concretely about what could actually happen.

A register scored by one person in isolation gives you the illusion of analysis without the substance.

4. No link between risks and measures

A risk is identified. It gets a score and an owner. Nobody documents what is actually being done about it.

This is more common than it sounds. Many organisations treat the risk register as a list of things that could go wrong, not as a system for managing them. The measures, meaning the actions being taken to reduce probability or limit impact, live somewhere else: in a project plan, in someone's email, in a conversation that happened six months ago.

When there is no explicit link between a risk and its measures, you cannot tell whether the risk is being managed or just watched. And when an auditor asks "what are you doing about this risk?", pointing at a spreadsheet row with no measures attached is not a reassuring answer.

Measures in Risk Companion attach directly to the risk they address. Each measure has an owner, a due date, and a status. If a measure is overdue, the register tells you.

Mistakes that surface at the first review

5. Treating the register as a point-in-time document

The risk register gets built during a workshop, uploaded somewhere, and reopened when the next audit is six weeks away.

This pattern is nearly universal. The irony is that a register maintained only for audit purposes is precisely the kind of register that fails audits. Auditors are not checking whether you have a document. They are checking whether the document reflects reality, which means they are looking for update timestamps, owner changes, new risks added as the business evolved, and measures marked complete.

A register last updated fourteen months ago, with ten risks that have not changed since it was created, is a compliance artefact rather than a management tool.

6. Building the register for the auditor, not for the team

This is a subtler version of mistake five. The register exists and it is updated regularly, but it is written in language that makes sense to a framework, not to the people who are supposed to use it.

"Risk of non-compliance with applicable regulatory requirements resulting in reputational and financial exposure." Technically accurate. Completely useless to the operations manager who is supposed to do something about it.

Risk descriptions, measure titles, and owner assignments should be written for the people who will act on them, not for the person who will review them in an audit. If your team cannot read the register and understand what they are supposed to do, the register is serving the wrong audience.

7. No review dates, or review dates that nobody keeps

A risk without a next review date will not be reviewed. Even well-intentioned teams let months pass while circumstances change and the register drifts out of date.

The other failure mode is even more frustrating: review dates exist, but nobody has any mechanism to surface them. The dates live in a column in a spreadsheet that nobody filters. They pass without comment. Nothing happens.

Risk Companion's dashboard surfaces overdue reviews automatically. You do not need to filter a spreadsheet or run a report. Overdue items appear the moment you open the tool.

Mistakes that undermine trust in the register

8. Too many risks, or too few

A register with 200 risks is not more thorough than one with 30. It is less useful. When everything is a risk, nothing is a priority. Teams stop reading, owners stop engaging, and the register becomes a catalogue rather than a management tool.

The opposite error, a register with three or four risks documented with obvious care, usually means the team captured the risks they were comfortable discussing and quietly ignored the ones that made people uncomfortable. Strategic risks, people risks, and supplier risks have a habit of not appearing in registers built by people who have to work with the same suppliers and colleagues every day.

A practical starting point for most SMEs is between 15 and 40 risks. Start there, keep them well-described and well-owned, and add more as the process matures. A lean register that is actively managed will outperform a comprehensive one that is not.

9. Scores that never change

Here is a genuine red flag: a risk register where the probability and impact scores have not changed across multiple review cycles, despite the business changing, measures being implemented, and new information becoming available.

Static scores signal one of two things. Either nobody is reviewing the register seriously, and the review consists of opening it, confirming that nothing has changed, and closing it again. Or the review is happening, but nobody feels empowered to change a number that a senior person set eighteen months ago.

Risk Companion's assessments track the difference between your initial assessment and your target assessment after measures are applied. The gap analysis makes it visible whether your measures are actually reducing the risk, or whether you are doing work that has no measurable effect.

10. No one has clear accountability for the register itself

Risk ownership covers individual risks. But who owns the register as a whole? Who decides when a risk should be archived? Who ensures the scoring methodology stays consistent? Who runs the quarterly review and chases owners who have not updated their measures?

In many organisations, the answer is "nobody, officially." The register was built by a project manager who has since moved on, or by a quality officer who maintains it alongside seventeen other responsibilities without any formal mandate to do so.

A risk register without a clear owner at the programme level is in permanent decline. Someone needs to be accountable for the health of the whole thing, not just their slice of it.

Risk Companion's health checks flag missing owners, overdue measures, and incomplete risk records automatically. But a tool can only surface the gaps. A human needs to be accountable for closing them.

The pattern underneath the mistakes

What connects these ten mistakes is not negligence. Most teams that have a broken risk register tried to do the right thing. They set it up with good intentions, ran a workshop, populated the fields.

What goes wrong is that the register was built for a specific moment, such as an audit, a board presentation, or a project kick-off, rather than designed as a living tool. The infrastructure to keep it alive was never put in place: no named individual owners, no linked measures, no way of surfacing overdue items, no regular review rhythm.

The teams that do risk management well are rarely the ones with the most elaborate frameworks. They are the ones where risk is a regular conversation with a single source of truth behind it, something everyone can open, trust, and act from.

If you are not sure whether your register has any of these problems, a practical first step is a checklist review. Work through each risk and ask: is this description specific enough? Does it have a named owner? Are the measures documented and current? When was it last reviewed?
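As an added illustration of that checklist and of the health checks mentioned under mistake ten (example code written for this article, not Risk Companion's own), here is a small Python health check run over a constructed three-risk register. It flags the mistakes the article describes: vague descriptions, team owners, unlinked or overdue measures, missing or overdue review dates, and scores unchanged across review cycles. The word-count and owner-name tests are heuristics chosen for the example, not the article's.

```python
from datetime import date

# Constructed sample register (not real data): R-01 is well-formed,
# R-02 and R-03 exhibit the mistakes the article describes.
REGISTER = [
    {"id": "R-01",
     "description": "Key supplier delivers 40% below agreed volume during peak "
                    "season, leaving production unable to fulfil orders",
     "owner": "Ana Lopez", "next_review": date(2026, 7, 1),
     "scores": [(4, 4), (3, 4)],  # (probability, impact) per review cycle
     "measures": [{"title": "Qualify a second supplier", "owner": "Ana Lopez",
                   "due": date(2026, 6, 30), "status": "in progress"}]},
    {"id": "R-02", "description": "IT failure", "owner": "IT department",
     "next_review": date(2025, 11, 1), "scores": [(3, 4), (3, 4), (3, 4)],
     "measures": []},
    {"id": "R-03", "description": "Loss of the only engineer who can restore backups",
     "owner": "finance", "next_review": None, "scores": [(2, 5)],
     "measures": [{"title": "Document the restore runbook", "owner": "Sam Okoro",
                   "due": date(2026, 1, 15), "status": "open"}]},
]
TODAY = date(2026, 5, 26)  # constructed "today" so the run is reproducible

TEAM_WORDS = {"team", "department", "dept"}
def looks_like_team(owner):
    # Heuristic: a named person has at least two words and no team vocabulary.
    words = owner.lower().split()
    return len(words) < 2 or bool(TEAM_WORDS & set(words))

def health_check(register, today, static_cycles=3, min_words=8):
    """Return (risk id, finding) pairs for every checklist item a risk fails."""
    findings = []
    for r in register:
        rid = r["id"]
        if len(r["description"].split()) < min_words:
            findings.append((rid, "description too vague to act on"))
        if not r["owner"] or looks_like_team(r["owner"]):
            findings.append((rid, "owner is a team or missing, not a named person"))
        if not r["measures"]:
            findings.append((rid, "no measures linked to the risk"))
        for m in r["measures"]:
            if m["status"] != "done" and m["due"] < today:
                findings.append((rid, f"measure overdue: {m['title']}"))
        if r["next_review"] is None:
            findings.append((rid, "no next review date"))
        elif r["next_review"] < today:
            findings.append((rid, "review overdue"))
        recent = r["scores"][-static_cycles:]
        if len(recent) == static_cycles and len(set(recent)) == 1:
            findings.append((rid, f"scores unchanged for {static_cycles} review cycles"))
    return findings
```

Calling `health_check(REGISTER, TODAY)` returns no findings for R-01, five for R-02 and three for R-03; the same checks apply to any register exported as a list of records with these fields.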

You will find the gaps quickly. What you do with them is the real question.

Risk Companion's free 14-day trial generates a demo project based on your organisation's profile, so you can see exactly how a well-structured register looks before you build your own.

Frequently Asked Questions

The most common risk register mistakes include vague risk descriptions that cannot be acted on, teams listed as owners instead of named individuals, scores assigned without discussion, and no link between risks and the measures being taken to address them. Many registers also fail because they are built for audits and then ignored until the next one.