Every programme board receives a risk register. It's usually a spreadsheet with 40+ items, colour-coded by likelihood and impact, last updated sometime in the previous fortnight. It's comprehensive. It's structured. And it's almost completely useless for making decisions.
The risk register problem
Risk registers are static snapshots of dynamic situations. They conflate strategic risks with operational issues. They're maintained by project managers who are incentivised to keep things green. And they're presented without the context that board members need to act.
The result: boards either ignore the register entirely or fixate on the wrong items. Real risks hide in plain sight.
From registers to intelligence
Effective risk governance needs three things: live data (not last week's update), escalation thresholds (not subjective RAG), and decision context (what happens if we don't act). Tools like Orchestrate build these into the governance framework so that risk becomes something the board acts on, not something it receives.