I mean it. Print it out, set it on fire, and watch the illusion of control go up in smoke. Because that’s mostly all it is—an illusion for those with responsibility without authority.
You know the one I’m talking about: a spreadsheet, 247 rows deep, each line item scored on some flavor of likelihood and impact, color-coded for banal digestion. Orange, yellow, green. Maybe even red, for the brave or foolish. Each “risk” carefully documented so that someone—anyone—can point to it later and say, “We knew.”
But here’s the problem: no one’s acting on it. No one’s funding decisions from it. And no one with actual authority is reading past line three.
Risk registers don’t drive strategy. They satisfy audits. They cover your rear end—but not really. They sit in GRC platforms and rot while the business moves on without them.
And let’s not pretend those scores mean anything. What’s “high likelihood”? What’s “moderate impact”? You think the business actually cares how you weighted “supply chain compromise” versus “legacy DNS exposure”? It’s all manufactured. A math-y placebo. And worst of all—it’s passive.
Here’s what I’ve seen over and over again: smart people build these registers thinking they’re helping prioritize, when all they’re really doing is deflecting. They offload judgment into a grid against a color gradient no one has interrogated. They assume rigor is the same as relevance.
But if everything is a risk and every risk is scored, you’re not prioritizing. You’re documenting. There’s no hierarchy of urgency against opportunity—the real driver of business. No framing of what’s at stake. No narrative thread that tells a decision-maker what matters now, what can wait, and what is blocking strategic momentum.
That’s the job. Not listing risks. Surfacing tradeoffs. Connecting exposures to opportunity cost. Translating security concerns into outcomes that matter outside your team.
But the register makes us feel responsible. It makes us feel like we’ve “captured” the landscape. Like we’ve “done the work.” And if something goes sideways, we can always say: “See? It was right there. Row 56.”
That’s not leadership. That’s liability management.
So burn it. Or at least stop pretending it’s strategy. You don’t need a better list—you need a better lens.