Risk Strategy

You Have a Risk Register. You Don't Have a Risk Program.

A risk register is documentation. A risk program is governance. Most mid-market companies built the documentation layer and never built the operating layer underneath.

By Eric Kennedy · Sat May 30 2026 · 8 min read

You Have a Risk Register. You Don't Have a Risk Program.
TL;DR: A risk register is documentation. A risk program is governance. Most mid-market companies have built the documentation layer (a polished register, an annual heat map, a quarterly board slide) and never built the operating layer underneath: named ownership, regular cadence, defined escalation paths, and a direct connection to executive decisions. This article covers what a functioning enterprise risk management framework actually requires, the 4 components that separate a program from a register, and what to do if you have a register but not a program. The thesis: if your ERM satisfies your auditors but not your executives, you have a documentation program, not a governance program.

Most risk registers share a telling characteristic: they're immaculate in February and untouched by November.

A deadline drives a flurry of updates. Heat maps get refreshed. Risk owners get assigned. Then the document returns to a shared drive where it waits, patient and irrelevant, for the next annual cycle.

That's not risk management. That's risk documentation. And for most mid-market companies, the two have quietly become the same thing.

What a risk register actually is, and isn't

A risk register is an output. It is a snapshot of identified risks at a point in time, formatted for review. Done well, it is a useful document. Done poorly, it is a compliance checkbox that gives leadership a false sense of coverage.

Either way, it is not a governance structure.

A risk register answers: what are our risks? A risk program answers: who owns each risk, when does it escalate, and how does that reach the people who can act?

Most mid-market companies can answer the first question. Very few can answer the second.

Two-column comparison diagram titled "Register vs Program" showing the differences between a risk register as a documentation layer (what risks exist, updated for the audit, reviewed annually, lives in a shared drive, satisfies the auditors) versus a risk program as an operating layer (who owns each risk, quarterly cadence with active review, defined escalation paths, connected to capital decisions, earns its place at the executive table)

According to the 2025 Baker Tilly and Internal Audit Foundation study of 567 ERM professionals, nearly 6 in 10 ERM programs still rely on basic tools like spreadsheets and word processing. The spreadsheet isn't the issue. The absence of a program behind it is.

Why the documentation trap happens

The documentation trap is not the result of negligence. It is the result of how ERM initiatives typically get launched.

A new CFO joins, or an auditor raises a concern, or a peer company has a visible risk failure, and the organization decides it needs to "do something about risk." A framework gets selected. Risks get catalogued. A register gets built.

And then the project ends.

What gets built is the documentation layer. What never gets built is the operating layer: the governance infrastructure that makes risk information useful on an ongoing basis.

According to Gartner's 2025 Trends for ERM Leaders, only 18% of ERM leaders express high confidence in their ability to identify and manage emerging risks. The gap is structural, not analytical.

The 4 components of a functioning risk management program

Horizontal four-card diagram titled "The 4 Components of a Functioning Risk Management Program" showing Named Ownership (a person, not a team), Regular Cadence (quarterly, not annually), Escalation Paths (defined thresholds), and Drives Decisions (capital allocation), with a navy banner below reading "A functioning risk program"

A risk register has none of these. A risk program requires all four.

1. Named Ownership. Every material risk needs a named owner. Not a department, not a committee, but a specific person accountable for monitoring it, reporting on it, and escalating it when thresholds are breached. Without named ownership, risk accountability defaults to everyone, which means it defaults to no one. (This is one of the four gaps that consistently breaks mid-market ERM programs.)

2. Regular Cadence. Risk is not reviewed annually. High-maturity programs establish a regular rhythm: quarterly risk reviews at the business unit level, escalation to the CFO or audit committee, and annual board-level reporting. The cadence is not bureaucracy. It is the mechanism that keeps risk intelligence current.

3. Defined Escalation Paths. When a risk moves, when a vendor fails, a key person departs, or a regulatory change lands, there is a defined protocol for how that information travels from the operational level to the decision-making level. Without escalation paths, known risks stay known at the wrong level of the organization.

4. Connection to Decisions. Risk data only creates value when it influences how capital gets allocated, how strategic initiatives get approved, and how operational trade-offs get made. A risk program that runs in parallel to business decision-making is a compliance program. A risk program that feeds into business decision-making is a governance program.

The cost of treating the register as the finish line

Bar chart titled "The ERM maturity gap" showing 61% of finance leaders saying risk complexity has increased mostly or extensively in recent years compared to only 35% who have comprehensive ERM processes in place, with a 26-point gap indicator between the two bars, sourced to AICPA and NC State University ERM Initiative 2025 State of Risk Oversight Report (16th edition)

According to the AICPA and NC State 2025 State of Risk Oversight Report (the 16th annual edition, surveying 273 organizations), 61% of senior finance leaders say the volume and complexity of corporate risks has changed "mostly" or "extensively" in recent years. Only 35% say their organizations have comprehensive ERM processes in place.

That gap is not a data problem. It is a program design problem.

Companies with functioning risk programs respond to operational surprises faster, absorb them at lower cost, and communicate about them more credibly to boards and lenders. Companies with risk registers respond reactively, escalate chaotically, and often discover that the exposure was visible to someone in the organization long before it became a crisis.

The risk environment is not getting simpler. The gap between documentation and governance is not getting cheaper.

What to do if you have a register but not a program

If your organization has a risk register but no clear answer to who owns each risk, when it gets reviewed, or how it reaches leadership, you have a documentation program, not a governance program.

The good news is that this is a solvable problem. It does not require a year-long implementation or a new software platform. It requires a clear-eyed assessment of where your program actually stands, and a structured path to building the operating layer that turns risk documentation into risk governance.

If your current program satisfies your auditors but not your executives, that is the right place to start.

Key Takeaways

Where to Start {eyebrow="BUILD THE OPERATING LAYER"}

If your risk program is producing the same register every quarter and nothing else, the answer is not better documentation. It is a deliberate rebuild of the operating layer underneath: named owners, defined cadence, real escalation, and direct connection to executive decisions.

ERM Foundation Build{.cta-primary} ERM Diagnostic{.cta-secondary}

The ERM Foundation Build (8 to 12 weeks) is KRG's flagship engagement for organizations ready to move from documentation to governance. We name owners, build the cadence, define the escalation thresholds, and stand up the first quarterly cycle with the leadership team and audit committee. If you want a maturity assessment first, start with the ERM Diagnostic. The diagnostic fee is credited toward the Foundation Build if you move forward.

Frequently Asked Questions

What is the difference between a risk register and a risk program?

A risk register is a document. A risk program is a governance system. The register lists what risks exist; the program defines who owns each risk, when it gets reviewed, how it escalates when material changes happen, and how it influences executive decisions. Most mid-market companies have built a register and stopped there, which is why so many ERM efforts feel like compliance exercises rather than strategic tools.

What are the components of an enterprise risk management framework?

A functioning enterprise risk management framework at a mid-market company has four operating components: named ownership for every material risk (a specific person, not a department), a regular review cadence (typically quarterly, not annual), defined escalation paths for when risks move or thresholds get breached, and a direct connection between the risk picture and how the leadership team makes capital allocation and strategic decisions. Without all four, the framework is documentation rather than governance.

How often should a risk program be reviewed?

A working mid-market risk program reviews risks quarterly at the business unit level, escalates material changes to the CFO or audit committee between cycles, and brings the full risk picture to the board annually. Annual-only review cycles fail because the risk environment changes faster than the cycle. Quarterly is the floor for keeping risk intelligence current at most mid-market companies.

What is the role of the CFO in a risk program?

At most mid-market companies, the CFO is the de facto owner of the enterprise risk management program. The CFO is the bridge between the operational signal (what risk owners are surfacing each quarter), the executive conversation (what the leadership team is doing about it), and the capital allocation cycle (how the risk picture influences the next round of investments). When the CFO is not actively connecting those three layers, the program drifts toward documentation.

How do you turn a risk register into a risk program?

The shift requires four structural moves that most mid-market companies have not made: assign a single named owner to every material risk, establish a quarterly review cadence with a fixed agenda, define what triggers an escalation and where escalated risks go, and integrate the quarterly risk picture into existing leadership team and audit committee conversations. The work is not technological. It is structural. A clear program design can be built in 8 to 12 weeks and starts producing value immediately on the first quarterly cycle.