A Risk Register is the Siren Song of Risk Management
Before we go any further, let me state unequivocally that filling in boxes in a risk register chart is not Risk Management.
But on numerous occasions, RISKVIEWS has come across risk officers who have been concentrating on managing a Risk Register for multiple years. That is why the Risk Register is the siren song of Risk Management. No, not the siren that makes a loud noise for the Fire Department. The Sirens of Homer’s Odyssey.
The sirens’ song attracted sailors who, as they got closer to listen, crashed upon the rocks and died.
So it is with risk managers and risk registers. Risk registers provide two convenient things: plenty of tasks and evidence of accomplishment. However, the tasks are ultimately lower value and the accomplishment is usually only internal to the Risk Register. The risk manager who is enthralled by the song of the risk register gets further and further into the world of the risk register and loses touch with the world of the company. They try to find ways to entice others into the world of the risk register.
But real risk management requires only a simple list of risks, risk owners and risk mitigation activities. This should never be maintained on spreadsheets in formats that can only be printed in 8-point type, or that are never seen in total because there are just too many columns of important details. Nor should the list of risks require a special purchased system that allows only registered users to view or enter information.
Managing the process of adding cash or profits now while adding risk, or reducing cash or profits now while decreasing risk, is real risk management.
Because the real job of risk management is not the manufacture of lists that are elevated in status by the name register. Real risk management involves making difficult decisions and taking actions based upon those decisions. Those decisions always involve a trade-off between cash or profits now and risk later: adding cash or profits now while adding risk later, or reducing cash or profits now while decreasing risk later. That is real risk management.