Almost every Australian association has a risk register. Most of them are compliance theatre — produced because regulators or auditors expect them, approved by boards as a formality, filed, and never used between approvals. The risk register itself becomes evidence of governance, regardless of whether any actual risk governance is happening.

The difference between a working risk register and a compliance-theatre risk register is observable. Once you know what to look for, you can usually tell within five minutes of reviewing the document.

Sign 1: The risk descriptions are generic

Compliance-theatre risk registers describe risks in generic language that could apply to any organisation. "Cyber security risk." "Financial risk." "Reputational risk." "Compliance risk."

Working risk registers describe risks in specific language that applies only to this organisation. "Risk of member data exposure through staff use of consumer AI tools without enterprise data protection contracts." "Risk of sponsorship concentration — Sponsor X represents 28% of total non-membership revenue." "Risk that the new CPD platform fails to launch by Q3 2026, delaying member compliance with regulator deadline."

Generic risk descriptions are evidence that nobody has actually thought about what could go wrong in this organisation. They are filler.

Sign 2: The risk owners are job titles, not people

Compliance-theatre risk registers list risk owners as "CEO" or "Operations Manager" or "Finance Team." Working risk registers list named individuals.

The reason this matters: a job title isn't accountable. A person is. If a risk has been allocated to "the CEO" rather than to a specific named person who has accepted the allocation, no one is actually managing that risk. Everyone assumes someone else is.

When you see job-title risk owners on a register, ask the obvious question: does the person currently in that role know they own this risk, and what they're supposed to do about it? The answer is often no.

Sign 3: The controls are described, not tested

A control is a measure that reduces the likelihood or impact of a risk. Compliance-theatre risk registers list controls as descriptions: "Annual policy review." "Staff training." "Board oversight."

Working risk registers list controls with test dates and outcomes: "Annual policy review — last reviewed March 2026, next review March 2027." "Staff training — 14 of 16 staff completed AI awareness training in Q1 2026; 2 remaining staff scheduled by April 30." "Board oversight — risk register reviewed at every board meeting; AI standing item added January 2026."

An untested control is a hope, not a control. The risk register should be the place where the difference becomes visible.

Sign 4: The likelihood and impact ratings haven't changed in years

Compliance-theatre risk registers show identical likelihood and impact ratings year over year. Every risk is "medium-medium." Every action is "ongoing." Every status is "managed."

Working risk registers show movement. Some risks have decreased in likelihood as controls have strengthened. Some have increased in impact as the organisation's exposure has grown. Some are new this year. Some have been closed because they no longer apply.

If your risk register looks the same as it did three years ago, either the risk environment hasn't changed (which it has) or the register isn't being maintained (which it isn't).

Sign 5: The board has never actually used it to make a decision

This is the most diagnostic test. Working risk registers are referenced in actual board decisions. "Given that vendor concentration is rated high-high on the risk register, we should consider..." "The risk register flags this as our top emerging risk, so the strategic plan should..."

If the risk register exists only as an agenda item that gets reviewed every quarter and then set aside, it's not informing decisions. It's being filed.

A risk register that has never changed a board decision is not a risk register. It's a document.

How to convert a compliance register into a working register

This isn't a complicated job. It usually takes a single board meeting plus four to six hours of CEO and risk owner time. The steps:

  1. Rewrite the risk descriptions. Every risk should be specific to this organisation, at this moment, with concrete failure modes named.
  2. Reassign risk ownership to named individuals. Confirm with each named owner that they accept the allocation and understand what they're responsible for.
  3. Audit the controls. For each control, record the last test date, the outcome of that test, and the next test date. Anything with no test in the last 12 months, or no test evidence at all, gets flagged as an untested control rather than counted as a mitigation.
  4. Re-rate likelihood and impact honestly. Forget last year's ratings. Rate each risk based on current conditions. If everything still rates the same, that's a sign you're still in compliance theatre.
  5. Add the emerging risks. AI, cyber, regulatory change, workforce capability — these are the live risks of 2026, and many association registers haven't caught up.
  6. Reference the register in a board decision. The next strategic discussion, the next budget review, the next significant operational call — bring the register into the conversation. Make it a working document.

Why it matters

Risk governance is one of the four core functions of any board. A board that exercises risk governance well protects the organisation, supports the CEO with proper escalation pathways, and meets its legal obligations to act with care and diligence. A board that has only a compliance-theatre risk register has none of that. It has a document.

The work to convert the document into a tool is modest. The cost of not doing it accumulates quietly, until a risk materialises that the register described but nobody actually managed.

This quarter is when to look at your risk register honestly and ask: is this a tool, or a document?