GRC Training — Governance Documentation & Risk Register

The Organization’s Risk Register Hasn’t Been Updated in 14 Months. Three Significant Operational Changes Have Occurred. The Board Risk Committee Meets in Three Weeks. Is Presenting It as Current Acceptable?

A real GRC governance documentation scenario — with three decision options and the right answer.

Quick Answer

Is presenting an outdated risk register to a board risk committee — without disclosing that it hasn’t been updated to reflect material operational changes — a governance problem?

Yes — and it creates two distinct problems. First, presenting a 14-month-old risk register to the board as representative of the organization’s current risk profile is materially misleading, even if no one explicitly says it is current. Board members are entitled to accurate information about organizational risk. Second, the outdated register is not just a documentation problem — it indicates the organization has been managing operational risk without a current framework for 14 months, meaning risks introduced by the new product line, market expansion, and systems migration have not been formally assessed or assigned ownership.

The Situation

A risk manager at a mid-size company is preparing materials for the upcoming Board Risk Committee meeting. In reviewing the risk register — the organization’s formal inventory of identified risks, their likelihood and impact ratings, and their assigned risk owners — the risk manager realizes it was last comprehensively updated 14 months ago. Since then, three significant operational changes have occurred: the company launched a new product line in a heavily regulated market, expanded into two new international markets, and completed a major ERP system migration.

None of these changes are reflected in the risk register. The risk manager’s manager — who is presenting to the board — says they should “just use the existing register” for the upcoming meeting and “schedule a refresh for next quarter.” There are two weeks before the meeting.

The risk manager knows the register is materially incomplete. They’re not sure what they can do about it with two weeks to the board meeting and a manager who wants to proceed with the existing document.

What Should the Risk Manager Do?

Choice A: Use the existing register as directed. The board meeting is in two weeks. There isn’t time for a full refresh and the manager has made the decision. A complete register next quarter is better than an incomplete refresh rushed in two weeks.

Choice B: Document the gap in writing to the manager and recommend one of two approaches: present the existing register with an explicit disclosure to the board that it does not reflect material changes since the last update and that an updated register will be provided at the next meeting — or conduct an emergency partial update covering the three specific operational changes before the board meeting and present that alongside the existing register.

Choice C: Conduct a quick partial update independently — add the three new risk areas without formal review or risk owner assignment — and present the updated register without disclosing that it was rushed in two weeks without the full assessment process.

The Right Call

Choice B — Document the gap and recommend transparent disclosure or an emergency partial update with explicit context.

Choice A presents materially incomplete information to the board without disclosure — which is a governance failure regardless of the manager’s instruction. Choice C adds rushed, unreviewed entries without disclosing the process — which may be worse than Choice A because it creates a false appearance of completeness. Choice B is the only option that preserves the board’s right to accurate information: either by being transparent about the gap or by documenting the specific new risks even if the full formal process hasn’t been completed. The manager’s preference for convenience does not override the board’s governance rights.

Why This Is Harder Than It Looks

An outdated risk register isn’t just a documentation problem — it’s evidence of unmanaged risk.

A risk register is not a compliance artifact produced for board meetings. It is a living operational tool that identifies risks, assigns ownership, and tracks mitigation. A register that doesn’t reflect three significant operational changes indicates those changes have been managed without formal risk identification, assigned risk owners, or board-level visibility. The documentation gap is secondary to the governance gap it represents.

Presenting incomplete documentation to a board without disclosure is a governance failure — even if the instruction came from a manager.

Board members rely on the accuracy and completeness of management’s representations. A risk register presented as the organization’s current risk framework when it is 14 months old and missing three significant risk areas is a material misrepresentation, whether or not anyone explicitly says it is current. The manager’s instruction to use the existing register doesn’t change what the board will infer from receiving it.

Transparency to the board about a governance gap is not a sign of failure — it is a sign of function.

A risk manager who tells the board, “Our risk register does not currently reflect three significant operational changes, and we are committed to an updated register within 60 days,” has done something valuable: they have given the board accurate information and a remediation commitment. That disclosure is significantly better for the organization’s governance than a clean presentation that conceals a material documentation gap. Boards that are informed about governance gaps can help address them. Boards that discover governance gaps after the fact lose confidence in management.

Frequently Asked Questions

How frequently should a risk register be updated?

Best practice calls for a comprehensive review at least annually — typically aligned with the annual planning cycle — and a triggered review whenever a material operational change occurs. Material changes that should trigger an immediate risk register update include: new product or service launches, geographic expansion, major systems or infrastructure changes, significant M&A activity, leadership changes at senior levels, and material regulatory changes in markets where the organization operates. A 14-month gap in a period with three significant operational changes represents a failure on both dimensions.

Who owns the risk register and is responsible for keeping it current?

Risk register ownership typically sits with the Chief Risk Officer, the Chief Compliance Officer, or the Internal Audit function — depending on the organization’s governance structure. Individual risk entries should have assigned risk owners who are responsible for monitoring and reporting on their specific risks. The failure in this scenario is structural: no one was assigned responsibility for triggering a register update when significant operational changes occurred. That is a process design gap that the risk function should escalate to leadership as a governance issue, not just a documentation backlog.

What should a risk manager do when instructed to present incomplete risk documentation to a board without disclosure?

Document the concern in writing to the manager, outlining specifically what is incomplete and why presenting it without disclosure creates governance and accuracy problems. If the manager does not address the concern, escalate to the Chief Risk Officer, General Counsel, or the board’s Audit Committee Chair directly. Board members have a fiduciary duty that requires them to have accurate information. A risk manager who knows that information presented to the board is materially incomplete has an independent obligation to address that gap — one that is not satisfied by following a manager’s instruction to present incomplete documentation without disclosure.

How to Use This Scenario in Training

Recommended for risk managers, internal auditors, compliance officers, and anyone involved in board or executive reporting. This scenario is also highly relevant for CFOs, General Counsels, and CROs who need to model the governance behavior that accurate board reporting requires — including disclosing gaps rather than concealing them.

This scenario illustrates the authority pressure signal from the Decision Readiness Engine™: “My manager said to use the existing register” is the pressure that makes inaction feel like compliance. Decision-ready risk managers recognize that board governance obligations are independent of the management instruction that conflicts with them — and that transparency about a gap is always better governance than concealment.


© 2005–2026 Xcelus LLC. All rights reserved. Scenario content is original work protected by copyright. You may link freely — reproduction or adaptation without written permission is prohibited.