ISO 9001:2015 introduced risk-based thinking, and the quality world responded by creating risk registers. Every company now has one. It is usually an Excel spreadsheet with columns for risk description, likelihood, impact, risk score, mitigation action, and owner. It looks impressive. It impresses auditors. And it is almost completely useless.

I have reviewed dozens of risk registers across automotive and aerospace companies, and they all share the same fundamental problem: they are documents of intention, not instruments of management. A list of risks that nobody reviews, nobody updates, and nobody acts upon is not a risk management system. It is a spreadsheet of wishes.

The scoring charade

Most risk registers use a 5x5 matrix — likelihood from 1 to 5, impact from 1 to 5, risk score is the product. Scores above 15 are "high risk" and require mitigation. Scores below 9 are "low risk" and are accepted.

The problem is that the scores are subjective, the scales are undefined, and the thresholds are arbitrary. What does a likelihood of 3 mean? Once a year? Once a quarter? Whenever the assessor thinks it might happen? What does an impact of 4 mean? One million euros? One customer complaint? One safety incident? Without calibration, the scoring system produces numbers that look precise but carry no meaning.

I have seen the same risk scored differently by different assessors in the same organisation. I have seen risks downgraded to avoid the mitigation requirement. I have seen high risks listed with mitigation actions that were never implemented, reviewed, or verified. The risk register was maintained for the audit, not for the business.

A risk you have identified but not mitigated is not a managed risk. It is a documented risk. And a documented risk that everyone knows about and nobody addresses is worse than an unidentified risk, because it creates the illusion of control.

The mitigation myth

The mitigation column in most risk registers contains one of three entries: "monitored," "procedure in place," or "training provided." None of these is a mitigation. "Monitored" means we are watching the risk and hoping it does not happen. "Procedure in place" means we have a document that describes what we would do if the risk materialised. "Training provided" means we told people about the risk in a classroom.

Real risk mitigation changes the probability or the impact of the risk. It requires action: redesigning a process to eliminate a failure mode, adding a redundant control to detect a failure earlier, investing in equipment that reduces variability, qualifying a second supplier to reduce dependency. These are expensive, time-consuming, and cross-functional. So most organisations list the risk, write "monitored" in the mitigation column, and move on.

What real risk management looks like

When I took over quality at a division of Airbus, I inherited a risk register with 127 identified risks. I went through them one by one with the team. Within two hours, we had reduced the list to 34 risks that actually mattered. The other 93 were either duplicates, trivial risks inflated to look comprehensive, or risks that had already been mitigated but never removed from the register.

Then we did something that most risk registers never do: we mapped the remaining 34 risks to specific actions with owners, deadlines, and verification criteria. Not "monitor" — specific actions. If the risk was supplier dependency, the action was "qualify supplier B for part X by Q3." If the risk was equipment failure, the action was "install condition monitoring on the critical machine by Q2." Every risk had an action, every action had an owner, and every owner had a deadline.

We reviewed the risk register monthly, not annually. We tracked the actions like projects. And when a risk was mitigated, we removed it. The register was a living document that drove decisions, not a filing exercise that supported audits.

The PFMEA connection

Here is something that always amazes me: companies maintain a quality risk register and a PFMEA, and the two documents do not talk to each other. The risk register has strategic risks — market changes, supplier failures, regulatory shifts. The PFMEA has process risks — failure modes, effects, controls. These are the same risks viewed from different angles, and they live in separate documents maintained by separate people.

At the greenfield plant I set up in France, I integrated them. Every process-level risk from the PFMEA that scored above a defined threshold was escalated to the risk register. Every strategic risk in the register that had a process-level manifestation was linked to the PFMEA. The two documents became a single risk picture — strategic and operational, connected and consistent.

Stop building registers, start managing risk

If your risk register has more than thirty entries, it has too many. If it has not been updated in the last quarter, it is dead. If the mitigation column contains the word "monitored," you are not mitigating. If risks are not linked to actions with owners and deadlines, you are listing, not managing.

Risk-based thinking is one of the most valuable concepts in the modern quality standard. It forces organisations to look forward instead of backward — to anticipate problems instead of reacting to them. But a risk register that nobody uses is not risk-based thinking. It is risk-based paperwork. Kill the spreadsheet. Start managing risk for real. Your future nonconformances depend on what you do today, not on what you wrote in a cell.