Ben Tomhave

A member of the Gartner Blog Network

Research Director
1 year at Gartner
19 years IT Industry

Ben is conducting research within the Security and Risk Management Strategies team under Gartner for Technical Professionals.
Fatal Exception Error: The Risk Register

by Ben Tomhave  |  March 7, 2014  |  8 Comments

I read this article a few weeks ago and set it aside to revisit. In it, the author states that “Risk management used to be someone else’s job,” and later concludes that “…in a global business arena that is increasingly unforgiving when it comes to missteps, the message is clear: Everyone—including you—now has to be a vigilant risk manager.” Yes, well, sort of, maybe, kind of… hmmm…

During RSA 2013 (last year) I had the opportunity to sit in on a half-day event around IT risk management. When I joined the closing panel, I asked how many people in the audience had “risk manager” in their titles, and then asked them to leave their hands up only if they actually made decisions based on their risk analysis, rather than simply making recommendations. Unsurprisingly, the vast majority (possibly all) of the hands went down. You’re not “managing” anything if you’re not empowered to make a decision. And, inevitably, that means you’re going to be one of those people contributing to the “risk register,” which is the place where all good risk conversations seem to go to die.

My opinion is not necessarily shared by the rest of Gartner, or even by the rest of my team, but I want to make a few points about these risk registers and why I think they’re a faulty concept that needs to be deprecated within our environments. Similarly, I think these surveys (like the one noted in the article referenced earlier) are also silly. “What are your top concerns?” If you’re a business, it’s going to be “staying in business” and “growing revenue” and “avoiding foolishness.” The specifics of each of these vary year-to-year, but let’s be honest for a moment and admit that, at least within the US, this is really what execs are “worried” about (if you can even call it that; I’m convinced most really don’t think too much about it, instead preferring to focus on making good decisions that lead to up-side realization).

Here are three reasons why I think the risk register is really a silly notion:

Shouldn’t risk findings be driving actual remediation activities?

One of the reasons I hate risk registers is that, as a former consultant, auditor and assessor, I’ve often seen the same items maintained on the list year after year after year. What’s the point of that list? If you have a risk finding worth recording on the “really important scary things” list, then you doggone well better have a remediation plan or compensating controls. Your risk management program serves to inform, as well as to drive good decision-making. Risk registers don’t meet this need at all. I would far prefer that enterprises resolve to have a clear “register” every year (or quarter!) so that every risk assessment finding either drives directly to remediation, is summarily managed through compensating controls, or is summarily dismissed as unconcerning. Failing to take action strikes me as an indefensible approach that will someday land your business in hot legal waters.

What exactly are you trying to accomplish with it, anyway? (it’ll never be complete)

You’ve built a risk register, probably over the course of a few years. Now what? What was the objective of making this list? Are you trying to give your executives a migraine? Or, maybe you secretly hope that hackers will find the list and start taking advantage of your weaknesses? I’ve heard of enterprises that make these lists and then keep them super-secret, but to what end? More importantly, these lists will never be complete. “Risk” evolves over time. Moreover, a lot of operational risks, particularly under IT, get short shrift and are underrepresented within risk registers. Or, even worse, they get rolled up into meaningless aggregate statements like “cybersecurity risk is high” (whatever that means?!). If your goal is prioritization, then improve your risk analysis and risk assessment capabilities. If your goal is to make better decisions, then turn that data into something actionable. But know that the list is temporal and should always be in flux. If it’s not… if your risk register tends to be very static… then I submit you’re not truly doing something useful.

Risk registers reinforce the really bad idea of the “annual risk assessment.”

One of my other pet peeves around risk registers is that they tend to reflect the fatally flawed notion of the “annual risk assessment.” I’ll address this topic in depth in another blog post, but suffice it to say, if you’re only “assessing risk” on an annual basis, you’re doing it wrong. Risk assessment and risk management are ongoing activities that should be leveraged to make good decisions throughout the business calendar, rather than just ahead of the annual budget cycle. All meaningful decisions should be supported by at least a lightweight risk assessment that helps analyze key factors toward ensuring that due diligence is performed and that a reasonable standard of care is met.

When all is said and done, the risk register typically becomes a dumping ground for “things we don’t know how to manage” or “things we don’t care enough about to manage.” This is unacceptable, and often a cop-out. Any finding worth listing is worth listing in an action plan for remediation. Can’t do everything this year? No problem, put it on your strategic roadmap, documenting how you’re going to address it. Or, document your compensating controls (like insurance) and then move on. Yes, documentation should exist, but not as a list of “really scary things.”
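As an added example (not part of the original post), here is a small Python check that enforces the discipline argued for above: every open register entry must carry one of three decisions (remediate, compensate, accept) with an accountable owner, it must carry the artefact that decision needs (a target date, a documented compensating control, or an acceptance rationale), and nothing may sit untouched for more than a quarter. The entries, the field names and the one-quarter staleness threshold are all assumptions constructed for this illustration.

```python
# Added example (not from the original post): a hygiene check over a risk
# register that enforces the discipline argued for above. Every open entry
# must carry a decision, an owner, and the artefact that decision needs, and
# nothing may sit untouched for more than a quarter. All entries, field names
# and the one-quarter threshold are assumptions constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_AGE = timedelta(days=92)   # assumed "one quarter" staleness threshold
DECISIONS = ("remediate", "compensate", "accept")


@dataclass
class Entry:
    ident: str
    title: str
    disposition: str = ""                # one of DECISIONS, or "" if undecided
    owner: str = ""                      # accountable person or team
    target_date: Optional[date] = None   # required when disposition == "remediate"
    control: str = ""                    # required when disposition == "compensate"
    rationale: str = ""                  # required when disposition == "accept"
    last_updated: Optional[date] = None
    closed: bool = False


def check_entry(e: Entry, today: date) -> List[str]:
    """Return the hygiene problems for one entry (empty list means it is fine)."""
    problems: List[str] = []
    if e.closed:
        return problems                  # closed items have left the register
    if e.disposition not in DECISIONS:
        problems.append("no decision recorded (remediate / compensate / accept)")
    elif not e.owner:
        problems.append("no accountable owner")
    if e.disposition == "remediate":
        if e.target_date is None:
            problems.append("remediation has no target date")
        elif e.target_date < today:
            problems.append(f"remediation target {e.target_date} missed")
    elif e.disposition == "compensate" and not e.control:
        problems.append("compensating control not documented")
    elif e.disposition == "accept" and not e.rationale:
        problems.append("acceptance has no rationale")
    if e.last_updated is None or today - e.last_updated > MAX_AGE:
        problems.append("stale: not touched within the last quarter")
    return problems


def check_register(entries: List[Entry], today: date) -> Dict[str, List[str]]:
    """Map entry id -> problems, for the entries that have any."""
    report: Dict[str, List[str]] = {}
    for e in entries:
        problems = check_entry(e, today)
        if problems:
            report[e.ident] = problems
    return report


# Constructed sample register, evaluated as of the post's date.
AS_OF = date(2014, 3, 7)
SAMPLE_REGISTER = [
    Entry("R-1", "Legacy app on unsupported OS", last_updated=date(2013, 1, 15)),
    Entry("R-2", "Flat network between prod and corp", "remediate", "NetOps",
          target_date=date(2014, 6, 30), last_updated=date(2014, 2, 20)),
    Entry("R-3", "No MFA on remote access", "remediate", "IAM",
          target_date=date(2013, 12, 31), last_updated=date(2014, 1, 10)),
    Entry("R-4", "Vendor outage exposure", "compensate", "Procurement",
          control="cyber insurance policy", last_updated=date(2014, 3, 1)),
    Entry("R-5", "Stale finding carried over", "accept",
          last_updated=date(2014, 2, 1)),
]


def sample_report() -> Dict[str, List[str]]:
    """Run the check over the constructed register."""
    return check_register(SAMPLE_REGISTER, AS_OF)


if __name__ == "__main__":
    for ident, problems in sample_report().items():
        print(ident, "->", "; ".join(problems))
```

Run against the sample, R-2 and R-4 pass, R-1 is flagged for having no decision and for being stale, R-3 for a missed remediation date, and R-5 for an acceptance with neither owner nor rationale. Wiring a check like this into a quarterly review is one way to keep the register from becoming the static list the post complains about: an entry that cannot pass it either gets a decision or gets dropped.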


Category: Risk Management

8 responses so far ↓

  • 1 Fatal Exception Error: The Risk Register | All that All   March 7, 2014 at 6:45 pm

    [...] By Ben Tomhave [...]

  • 3 Chandra   March 10, 2014 at 1:33 am

    I completely agree with your views. What’s the point in collecting data that will never be used for any meaningful purpose; worse, people thinking they have completed their ‘risk management’ responsibility by simply maintaining a risk register. I have also seen situations where these risk registers are used in ‘blame games’ when a risk turns into an issue. I fully agree with your suggestion that there should be a goal and corresponding measure to see how fast we reduce the number of items in the register, with clear accountability for post-mitigation effectiveness.

    One positive thing that I see with the register is that at least people are thinking about risks. I hope such awareness in some way results in reduced impact, though one cannot assume ‘knowledge by default turns into action’.

  • 4 Reem El-Agha   March 11, 2014 at 1:56 pm

    I completely agree with your perspective, on why risk registers are such a faulty concept. They have ironically grown to defy the purpose of risk management, which aims to create and carry out resolutions that will contribute to the prevention of unfavorable events and minimize the effects of those events. Risk involves a definite probability of damage for a given outcome. Consequently, it is essential to permit risk managers to make decisions in order to recognize, measure, and absorb the risk, rather than storing them all away. As you stated, if a discovery is worth listing in the risk registry, then it is worth analyzing for a resolution. There is no harm in documenting these risks, but it is important to stay aware that they exist and eventually take action.

    The compliance and risk management department is crucial to maintaining positive progress throughout the life of a project. It is their job to observe, assess, and manage any risk factors identified. However, many risk managers are not empowered to make decisions. Improvements in Risk Management can contribute to reducing damage, increasing the number of accomplished objectives, and increased consistency and communication. Process flow analysis is a helpful tool for documenting these risks and identifying improvement opportunities. For Risk Management Departments to remain effective, they should work towards eliminating obstructive procedures. In fact, control point implementation costs routinely exceed targets by 20% and often much more, while control effectiveness goals fall short. This is due to unclear steps for implementing controls within operations.

    Most Risk Managers who want end-to-end business process flows will have to convince higher level executives to bring in an outside management consulting firm who may or may not guarantee any real improvements, or implement any of their analysis. Business process flows as well as KPIs are great tools when it comes to reforming and standardizing business processes within an organization. The data represented in the process maps is so valuable; no consulting firm will make that data publicly accessible. However, for managers, who cannot make those executive level decisions, there are some resources available. This free online source provides various kinds of process flow templates, benchmarks and KPIs, best practices and other improvement tools:

    http://opsdog.com/improvement/

  • 5 Threat Assessment – A Tough Subject (And Sharks with Fricking Lasers!)   April 16, 2014 at 3:00 pm

    [...] assessment”, apart from a subject that hardly anybody seems to care about? Is it part of risk assessment? Is it one of the threat intelligence use cases? Is it something that only 1%-ers [...]
