Is Your Risk Register Hiding Program Problems? How to Tell Before It’s Too Late


The deck for Thursday’s steering committee just landed in your inbox. Slide 4 is the risk register summary. Three red risks closed since the last meeting. Two more downgraded from red to amber. The narrative line at the bottom reads: “Program risk posture has materially improved over the reporting period.” Your sponsor will see this slide in roughly 36 hours and form an opinion of the program’s health based on what it tells him.

That slide is lying. Not because anyone in the room is dishonest. Because every role at the table has an incentive to let it, and nobody has a natural incentive to stop it. By the time the dashboard turns red and the sponsor is being asked to explain what happened, the register will have been softening the picture for months, and the mitigation windows that existed when it last told the truth will have quietly closed.

This is the single most predictive early warning signal in transformation governance. It’s also the signal most governance committees are least equipped to catch, because the artifact doing the warning is the one everyone long ago stopped reading closely.

The Most Common Risk Register Red Flag: Risks That Close Without Being Resolved

In project management terms, a risk is properly closed when one of three things has happened: the event occurred and was addressed, the conditions that made it possible no longer apply, or the residual risk has been formally transferred to a named owner who accepted it in writing. That’s the whole list.

On a drifting program, risks get closed for reasons that aren’t on the list: the workstream lead stopped raising it and the PMO stopped tracking it; the likelihood was “reassessed” in a working session nobody took minutes for; the steering committee made a side comment about too many reds and the next deck had fewer reds; the program needed the risk to close so the narrative would hold. None of these are closures. They’re rewrites, and they accumulate.

We’ve seen this pattern before. Teams normalize delays as expected complexity, quality issues get deferred, status reports stay green too long, and governance focuses on updates rather than decisions. The register is the artifact-level version of that drift.

The tell is straightforward. When three red risks close in a single month without corresponding evidence of mitigation, the register is being rewritten. Evidence means a dated artifact: a completed test cycle, a signed-off design, a contract amendment, a delivered configuration. “The workstream lead is confident” isn’t evidence. “An updated mitigation approach is being finalized” isn’t evidence. If the evidence can’t be produced on 48 hours’ notice, the risk isn’t closed. It’s just been moved to a different line of the spreadsheet.

The cost compounds quietly. A Red risk that closes prematurely and materializes 90 days later typically costs 3 to 5 times the original mitigation cost, because the window for cheap intervention has passed and the secondary risks the original mitigation would have headed off are now in play.

Three or four such risks in a quarter can quietly add 4 to 8 percent to total program cost. None of it logged against any single decision. None of it visible until a downstream event forces the program to absorb it in compressed time.

Why the Risk Register Is a Narrative, Not an Objective Report

The risk register is a deposition. Every entry is recorded by people whose compensation, future work, and reputation depend on how the testimony lands. What gets into the record and what gets left out are two different decisions. The deck isn’t neutral data. It’s information filtered through interests. What’s present tells you something. What’s absent tells you more.

A register that closes three red risks in a month without showing the secondary risks those mitigations introduced has decided what the steering committee is ready to hear. A register tracking only primary risks isn’t tracking risk. It’s tracking optimism, and optimism doesn’t require evidence. Metrics that cannot be reliably produced or managed may look nice, but they lie. The risk register is the most polished-looking artifact in transformation governance, and the one most likely to be lying when no one is looking.

Call this Quiet Closure: risks migrating off the deck without any of them being formally resolved. Quiet Closure is to the risk register what the Silent Re-Baseline is to the schedule: a governance event that should have been loud, conducted silently, because silence is cheaper for everyone except the client.

The same logic applies to forecasting versus reporting. If the SI can only tell you where the program was last month, they’re managing your perception. If they can tell you where it will be in 60 days, with the specific risks most likely to materialize in that window, they’re managing your program. The register should be doing both, but most are doing only the first.

Why Good Program Leaders Let Risk Register Drift Happen

Look at the room when the register gets reviewed, and what each person is measured on. The workstream lead’s number is delivery progress, not risk disclosure. Raising a risk creates work; lowering one removes it.

The PMO’s job is steering committee readiness, easier with fewer reds on the deck. The SI watches program momentum, which an improving register supports. The executive sponsor is on the hook for outcomes, which the register also makes look better. Four reasonable people, each acting sensibly. The combined effect is a register reporting improvement the program hasn’t actually made.

The drift is structural, not moral. Moral solutions, like asking people to be more diligent, more honest, more careful, don’t fix it. Only structural ones do. Someone has to be empowered, paid, or positioned to challenge the register against the program’s actual state. Otherwise, the incentives run the register, and the register runs the steering committee.

The risk register is one of the quietest instruments on a program, and quiet instruments are the ones SIs find easiest to work with. A loud register that keeps red risks red until evidence closes them is bad for SI margin. A quiet register is neutral for the SI and slowly expensive for the client.

The 48-Hour Evidence Rule: How to Know If a Risk Closure Is Real

There’s one discipline that separates programs whose registers tell the truth from programs whose registers rewrite themselves.

Every risk closure, every severity downgrade, and every material rewording has to be supported by a specific, dated artifact, producible within 48 hours. If the artifact can’t be produced, the risk is reopened at its prior severity. No negotiation, no judgment call, no working session. The reopening is automatic.

Workstream leads don’t like this rule. Neither does the PMO, and definitely not the SI, because the SI’s incentive to quietly downgrade risks evaporates the moment a downgrade costs them a reopened Red on the next steering committee deck. Which is exactly why it works.

A register that can be trusted has five things going for it. Every closure has evidence attached. Every downgrade has a dated, specific mitigation tied to it. Residual and secondary risks get logged whenever a primary risk closes. Risk owners are named individuals, not “Workstream 4.” And the register’s trajectory gets tested against the rest of the program. A register that trends toward improvement while the change order pipeline is growing hasn’t improved. It’s diverged from the program, and the divergence is a governance event worth naming.

We’ve seen this at the status-report level. The register is the same pattern, one artifact removed. When it starts behaving like a status report, the program has already begun drifting, and the register is the last honest place to see it.

What to Do Before Your Next Steering Committee Meeting

Executive Sponsor. Establish a standing agenda item: second-line review of every risk closed, downgraded, or reworded since the last meeting. Twenty minutes, every meeting. It’s the single governance move that does the most work against Quiet Closure. We know what intelligent recalibration looks like when a program drifts; the register audit is where it starts.

CIO. Require the named risk owner to present the evidence for any closure or downgrade, in the room. Not the SI’s engagement partner, not a slide on behalf of someone who couldn’t make it. The person accountable for the mitigation. Presence is evidence of ownership, absence is evidence of evasion, and risks owned by absent parties get reopened.

PMO Lead. Audit the current register against last month’s. Every risk closed, downgraded, or reworded gets evidence produced. Where evidence isn’t available within 48 hours, the risk reopens. Roughly two hours per fifty-risk register. The return is measured in months of mitigation window otherwise lost.

CFO. Pick three risks closed in the last quarter that carried contingency reserves. For each, ask the program controller: was the reserve released to general funds, or is it still being held? A held reserve on a closed risk is finance’s quiet vote of no confidence in the closure, often a six- or seven-figure one. Either the register is wrong or the reserve is wrong. Resolve it before the next forecast cycle.

Procurement and Sourcing. Pull the SOW and review its language on risk reporting cadence and risk ownership. Many SOWs contain explicit clauses clients have never operationalized. Use them.

One Question Every Executive Sponsor Should Be Able to Answer

If your program struggles, who in the room is solely focused on protecting the enterprise? Not the engagement, not the methodology, not the SI relationship. The outcome and the people attached to it.

If the honest answer is no one, your register will keep telling you the program is improving, right up until the moment the program stops being recoverable. By then the dashboard will already be red, the SI will have filed the extended hypercare CR, the sponsor will be in front of the board, and the mitigation windows that existed when the register was last honest will have closed months back.

The register isn’t a marketing document. When it starts behaving like one, it’s already telling you what comes next. The only real question is whether anyone at the table is still reading it closely enough to hear it.

If your register has been trending in a direction the rest of your program hasn’t, the register is telling you something your dashboard isn’t. UpperEdge’s Project Execution Advisory Services apply the 48-hour evidence rule, restore second-line review, and have helped clients preserve mitigation windows on programs the governance dashboard had not yet flagged.
