The Problem With Risk Registers in Modern ERM
Key Takeaways
- Risk Must Be Tied to Objectives: Both ISO 31000 and COSO ERM define risk as uncertainty affecting the achievement of objectives. A risk that is not explicitly linked to an objective does not meet either framework’s definition.
- Entity Risk Registers Lack Technical Support: Neither standard provides conceptual or architectural justification for using a standalone list of risks as the foundation of enterprise risk management.
- ISO 31000 Prioritizes Decision-Making, Not Inventories: The standard requires risk management to support governance, strategy, planning, and performance, not the cataloguing of hazards or concerns.
- COSO ERM Was Designed to Move Beyond Risk Lists: The 2017 framework embeds risk into strategy, objective-setting, and performance management, making objective-free risk registers fundamentally misaligned.
- Risk Registers Persist for Practical, Not Technical Reasons: Legacy compliance practices, consultant templates, regulatory tolerance, and board comfort with symbolic governance explain their continued use, not alignment with ISO or COSO.
Deep Dive
In my latest post, I argue that if you look at how enterprise risk management is practiced today, you’d be forgiven for thinking that the entity-level risk register sits at the center of ISO 31000 and COSO ERM. It doesn’t.
In fact, neither framework provides technical or conceptual support for using a standalone list of risks as the foundation of ERM. When read as written, not as commonly implemented, both point in the opposite direction.
So, does either framework justify building ERM on a risk register? The short answer is simple: no.
ISO 31000 Draws a Clear Line and Risk Registers Cross It
ISO 31000 does not hedge on what risk is or what risk management exists to support. It opens with a definition that leaves very little room for creative interpretation:
“Risk is the effect of uncertainty on objectives.”
That sentence matters more than most organizations treat it. If risk is defined as an effect on objectives, then risk cannot exist on its own. It cannot be listed, ranked, or categorized in isolation. Without an objective, there is no risk, only a vague concern. That framing shapes everything else in ISO 31000.
Risk identification, under the standard, must be done in relation to objectives. Risk management must be integrated into governance, strategy, planning, and performance. The point is not to build an inventory of threats, but to support better decisions and improve the likelihood that objectives are actually achieved.
This is where the entity risk register quietly falls apart.
A typical enterprise risk register treats risks as objects. It groups them into neat categories, assigns owners, and scores them on generic likelihood and impact scales. What it rarely does is explain what objective is at risk, how performance is affected, or why leadership should care right now.
Under ISO 31000’s logic, a “risk” that is not explicitly tied to an objective is not a risk at all. It is a hazard, an issue, or a concern, but it does not meet the framework’s own definition.
From an ISO 31000 perspective, there is simply no justification for using an entity risk register as the foundation of ERM.
COSO ERM Was Built to Move Past Risk Lists
COSO ERM reached the same conclusion and redesigned its framework accordingly. The 2017 update was not cosmetic. It was a direct response to years of ERM programs that produced impressive-looking risk inventories and very little strategic value.
COSO defines risk as the possibility that events will occur and affect the achievement of strategy and business objectives. That definition is then embedded directly into how strategy is set, how objectives are defined, and how performance is managed.
Risk, in COSO ERM, is not something that sits alongside the business. It is something that shapes decision-making.
That design choice is deliberate. COSO expects risks to be identified in the context of objectives. Risk appetite is meant to express how much deviation from those objectives leadership is willing to tolerate. Boards are expected to oversee risk exposure tied to strategic and value-critical outcomes, not to review a generic list of enterprise risks once a year.
This is where objective-free risk registers fail COSO just as clearly as they fail ISO. A risk register that is disconnected from objectives offers no real line of sight to strategy execution. It cannot support meaningful risk appetite statements. It does little to inform board oversight of performance. At best, it documents activity. At worst, it creates false comfort.
COSO ERM was explicitly designed to move organizations away from this model. Using a standalone risk register as the foundation of ERM is misaligned with the framework’s architecture and intent.
So Why Does Risk-List ERM Refuse to Die?
If neither ISO 31000 nor COSO ERM actually supports this approach, the obvious question is why it remains so common. The answer has very little to do with the standards themselves.
Risk registers persist because they fit comfortably with legacy internal audit and compliance mindsets. Because neither ISO nor COSO explicitly bans them. Because consultant templates and GRC platforms are built around them. Because regulators rarely challenge them. And because listing risks is far easier than confronting how uncertainty threatens mission-critical objectives.
They also persist because they are safe.
A risk register spreads accountability thin. Objective-anchored risk management concentrates it. One produces documentation. The other forces uncomfortable conversations about performance, trade-offs, and strategic choices.
Boards often tolerate the former. The latter demands engagement.
What the Frameworks Actually Demand
Neither ISO 31000 nor COSO ERM provides technical support for entity risk registers as the foundation of enterprise risk management. Both frameworks define risk in relation to objectives, strategy, and performance, and both are undermined when risk is reduced to a standalone list.
ERM was never meant to be about collecting risks. It was meant to help organizations make better decisions in the face of uncertainty.