Ever had that “uh-oh” moment in a boardroom?
I recently worked with a mid-market professional services firm where this happened. Despite having solid oversight in most areas, I realised they didn’t actually have a formal, documented risk register in place.
It’s a classic boardroom blind spot.
Key Takeaways
- Risk Visibility: Most boards only realise their risk register is missing when a crisis hits and accountability becomes urgent.
- AASB Alignment: Climate risk must now be integrated into your register to meet mandatory ASRS rules before your reporting deadline.
- Professional Standards: Effective risk management requires evidence-based ratings and targeted ownership rather than generic policies.
Why do we treat risk registers like “boring” paperwork?
In my experience, risk registers often get stuck in an awkward middle ground. Most boards find them unglamorous and too operational to worry about.
The team on the ground often sees them as too strategic for daily tasks. Because they’re viewed as a compliance chore, they get pushed to the bottom of the to-do list.
The problem is that we only realise they’re missing when a crisis hits. By then, the question of accountability becomes urgent and very uncomfortable.
How can you spot your own blind spots?
The framework I use is the 52 Risks model developed by former Australian Chief Risk Officer Peter Deans. It starts with a simple question for each of 52 categories.
Is this material to our business? If so, who actually owns it?
When I sit down with a leadership team and ask those questions, we almost always find gaps. We map every threat across three core pillars.
- Strategic Risks. High-level threats to your business model and market position.
- Financial Risks. Threats to your liquidity, credit, and capital.
- Operational Risks. Threats to the day-to-day execution and delivery of your services.

In the professional services firm I mentioned at the start, two of the seventeen strategic risks had no owner at all. Both were climate-adjacent. Neither had been discussed at board level.
By reviewing these pillars, I’ve seen boards uncover everything from unmanaged key-person dependencies to climate change risks that haven’t been claimed by any department.
Climate risk now belongs in every risk register.
What makes a risk register actually work?
The most useful risk register templates share four things in common. To avoid creating a generic file that just gathers digital dust, I ensure every register follows these standards.
- Consistent Rating. You must rank risks by likelihood and consequence, backed by evidence-based reasoning.
- Targeted Ownership. Accountability has to sit with the individual best positioned to mitigate the risk. I never recommend defaulting to the CEO for everything.
- Demonstrable Controls. A policy in a folder isn’t a control. A true control is a practical mechanism that demonstrably reduces the risk.
- Ongoing Review. If you only update your register for an annual audit, that’s just paperwork. True enterprise risk management requires a living document.
Expert Tip: When assigning “Targeted Ownership,” ask who would be the first person called if that risk materialised. That is almost always your owner. Don’t let titles get in the way of practical accountability.
How do you create a risk register that’s board-ready?
Here’s where I see most boards get stuck. They build a solid risk register for traditional financial and operational threats, then treat climate risk as a separate conversation.
It isn’t. Under mandatory ASRS reporting, climate risk must sit inside your register with a named owner and measurable controls.
Effective corporate governance and risk management means treating climate data with the same rigour as your balance sheet. Risk management in Australia is increasingly expected to include climate as a financial risk, not just an environmental one.
The good news is that boards who act now have a genuine advantage over competitors who are still treating climate as an environmental footnote.
The Takeaway: Your risk register won’t fix itself
Book a free discovery call → We’ll review your current framework and tell you exactly what needs to happen, so your data is defensible and your board is protected.
Frequently Asked Questions
A risk register is a central document that identifies, assesses, and tracks the management of business threats. Boards need them to fulfil their oversight duties and ensure accountability is not just a guess during a crisis.
The framework is the set of rules and culture you use to manage risk. The register is the actual record of those risks and the specific controls you have in place to stop them.
Under Australian mandatory climate reporting rules, climate risk is no longer just an environmental issue. It must be treated as a financial risk within your register, with clear owners and measurable controls.

