How many risks should you have on your risk register?

By CompliSpace Managing Director James Field

To answer the question of “How many risks should an organisation have on its risk register?” it is necessary to understand the concept of “granularity” and how it applies in an enterprise risk context.

Have I lost you yet? Don’t worry, the concept of granularity is remarkably simple, although its meaning is not always immediately clear to those unfamiliar with the context in which it is being used.

Within the enterprise risk context, the term “granularity” is used to describe the level of detail in which you go when articulating risks. A simple example is probably needed here.

Most organisations will have workplace health and safety as a key risk that they regularly consider. At a board level this might be articulated as a single risk as follows:

Risk name: Workplace Safety

Risk description: The organisation fails to develop, and effectively implement, a documented Workplace Safety program, which complies with relevant legislation and includes a risk management strategy designed to identify, assess, treat and control all potential safety hazards and risk areas.

However, as everyone knows, WHS laws require organisations to identify specific hazards and assess each hazard in terms of likelihood and consequence. You only need to look around, and it very quickly becomes evident that you now have to deal with risk at a different level of granularity (a finer level of detail). Think of specific hazards such as building safety, staff bullying, driving, alcohol, hazardous substances, heights, manual handling, slips and trips … the list goes on.

So let’s go down another level of granularity.

Risk name: Electrical equipment

Risk description: Inappropriate use of, or faulty, electrical equipment.

Many organisations will be satisfied with this level of granularity and link this risk to an Electrical Safety Policy that sets out how they manage electrical safety hazards. Others may decide to go into even further detail and consider electrical hazards relating to specific pieces of electrical equipment.

Risk name: Overloaded power boards

Risk description: Use of multiple power boards sourced to a single electrical socket.

Very quickly you can see that “granularity”, the level of detail with which you articulate your risks, will determine how many risks you will have on your risk register.

Across an organisation, even without going into finer detail, there may be hundreds of risks that could be (and probably should be) recorded and formally assessed. Think WHS, compliance, human resources management, technology, board governance, asset management, key stakeholder management, changes in law (Newsflash: new privacy laws commence in Australia on 12 March 2014), natural disasters, fraud, reputational management etc.

If you think this sounds overwhelming here are two simple rules that you can follow to assist you through the process:

Rule 1 – Board level risks: Boards don’t want to get bogged down in detail; however, if you give them the detail they will often latch onto it and end up in micro-management mode, which will be frustrating for all concerned. As a general rule of thumb, boards should only consider an organisation’s top 5-15 risks, articulated at a “macro” level.

Rule 2 – Less is usually better than more: Whilst it may be very tempting to dive into identifying risks at a micro level (e.g. someone slips on cables in the boardroom), if you take this approach you will find that you very quickly become lost in the detail, lose focus on your real risks, and your risk management framework becomes unworkable. As a broad rule of thumb, when articulating risks, “less detail is usually better than more detail”.

How CompliSpace can help

CompliSpace combines specialist governance, risk and compliance consulting services with practical, technology-enabled solutions.

If you are looking to update your existing governance, risk or compliance programs and make them more relevant to your organisation, contact us via the details below:

P: 1300 132 090



This blog is a guide to keep readers updated with the latest information. It is not intended as legal advice or as advice that should be relied on by readers. The information contained in this blog may have been updated since its posting, or it may not apply in all circumstances. If you require specific or legal advice, please contact us on (02) 9299 6105 and we will be happy to ass
