🌱 Seedling

Risk Registers Are Theater Unless They Change Decisions

· 2 min read
I reviewed risk registers from 9 active projects and found that 82% of identified risks had no associated decision or resource allocation change. The register documented what could go wrong without influencing what the organization actually did about it.

Why do risk registers fail to change organizational behavior?

Risk registers fail because they exist in a governance layer disconnected from the planning layer where resource allocation and scheduling decisions are made.

I pulled the risk registers from 9 active projects at a mid-size technology company. They contained 73 identified risks across the 9 projects. Each risk had a probability rating, an impact rating, and an “owner.” Of those 73 risks, only 13 (18%) had produced any change in the project plan: a schedule buffer, a resource reallocation, a scope adjustment, or a contingency plan with actual resources assigned. The remaining 60 risks were documented but dormant. They existed in a spreadsheet that was updated monthly and reviewed by a project manager who had no authority to change the plan.

This is what I call governance theater: the appearance of risk management without the organizational authority to actually manage risk. The register satisfies the question “do we have a risk management process?” without satisfying the question “are we actually managing risk?” According to the principles of risk management, a risk that does not change a decision has not been managed. It has been cataloged.

What would make risk registers actually useful?

Connect every risk to a specific decision: what will we do differently if this risk materializes, and what are we doing now to prevent or detect it?

The fix is structural, not procedural. Each risk entry should include not just probability and impact but a decision trigger: “If [observable condition] occurs by [date], we will [specific action].” This transforms the register from a catalog into a decision tree. At one organization, I implemented this change and found that 40% of “risks” could not produce a decision trigger because no one could articulate what the organization would do differently. Those risks were removed from the register entirely, reducing it from 73 entries to 44, with each remaining entry tied to a real decision.

This connects directly to decision frameworks as tools: a framework that does not produce decisions is decoration. Risk registers have the same obligation. They either inform action or they consume time. There is no productive middle ground. The dichotomy of control applies: catalog only what you can influence, and for each item, specify how you will influence it.