--- title: "Your Risk Register Is Asking the Wrong Question" date: 2022-12-20T14:17 author: Julien Reszka description: "Most risk frameworks ask what can go wrong. This one starts earlier: what does wrong mean here? It answers that structurally, the same way, for every context." keywords: ["AI", "governance", "engineering", "strategy", "decision making", "alignment"] canonical: https://julienreszka.com/blog/your-risk-register-is-asking-the-wrong-question/ --- # Your Risk Register Is Asking the Wrong Question Most risk frameworks ask what can go wrong. This one starts earlier: what does wrong mean here? It answers that structurally, the same way, for every context. Most risk frameworks begin too late. They ask what can go wrong before defining what wrong even means in the context they are analysing. This is not a new observation. FMEA was standardized by the US military in 1949 and remains the dominant structured failure framework. It asks: what can fail, how severe, how likely. But it starts at the failure mode, not the doctrine upstream of it. That upstream layer, who has authority to define what the right belief even is for a given role, is a [governance problem, not a data problem](https://julienreszka.com/blog/grounding-is-a-governance-problem-not-a-data-problem/). Williams (2017, PMJ) found the same gap in practice: risk registers list risks in isolation and fail to capture causal chains. Recovery plans treat symptoms without touching the doctrine that produced them. Olivier and Schwella (2018) measured that organizations lose 49.6% of strategic potential in the gap between intent and execution, not because the strategy was wrong, but because no one named the drift. That omission matters because a hospital, a court, a sales department, and an engineering workshop do not fail in the same *content*. But they do fail in the same *structure*. A false doctrine produces the wrong attribute in the deliverable, the wrong attribute generates risk, the risk causes consequences, and recovery has to be specified at both the risk and consequence layer. ![Deliverable-centric risk register schema](https://julienreszka.com/assets/register/schema.png) In this register, every row uses the same anatomy: - environment and role - bad quality and good quality - false doctrine and true doctrine - actions and deliverable - wrong attribute and right attribute - active and passive countermeasures - external and internal risks - external and internal consequences - recovery paths for each risk and consequence The important column is `false_doctrine`. That is the alignment failure. In a doctor's office it may be charlatanism. In regulation it may be cronyism. In an engineering workshop it may be absurdism. The doctrine changes by sphere, but the structural path from misalignment to damage does not. The names themselves are imperfect and can be disputed. Take them as starting points for thinking, not as verdicts. The value is in the structure, not in whether charlatanism is the exact right word for a given failure mode. That structural focus is also what makes this a *generative* framework rather than a descriptive one. A descriptive register catalogues the domains it has already seen; it is a lookup table. This structure is a grammar. Take a context that appears nowhere in the example dataset: a maritime port authority, a hospice care team, a satellite launch crew. The structure still applies: there is a role, a deliverable, an attribute that can drift, a doctrine behind the drift, countermeasures, consequences, and recovery paths. You do not retrieve those entries from the dataset; you derive them from the anatomy. The columns constrain what a valid entry looks like, and that constraint is what makes the output meaningful even for domains no one has catalogued yet. That property has a direct implication for AI. A model fine-tuned on this structure would be unusually good at two questions that current systems handle poorly: what is the upstream cause of this failure, and what is the appropriate recovery given this consequence. Those are not retrieval questions. They require reasoning along the causal chain from doctrine to attribute to risk to consequence to recovery. The register makes that chain explicit in every row, which means the training signal is not just labelled examples but labelled *reasoning paths*. That is directly useful for AI systems that need to diagnose and correct their own behaviour, rather than merely pattern-match against past errors. The useful move is to instrument the gap between the wrong and right attribute for each deliverable you care about. Once that gap is explicit, the countermeasures, risks, and recovery plans stop being abstract policy language and become design decisions. The [example dataset](https://julienreszka.com/assets/register/register-example.csv) linked here was handcrafted over two years to see how far the framework could go. Thirty spheres, five roles each, every column filled. The answer is: pretty far. The structure held across domains that share nothing in surface content (from military logistics to spiritual communities to corporate legal) because the anatomy underneath them is the same. If you want to use this approach, start with one context you actually own: - Name the role. - Name the deliverable. - Define the wrong and right attribute. - Write the false doctrine that causes the wrong one. - Add one active and one passive countermeasure. - Write the recovery path before the failure happens. If you cannot name the false doctrine in your domain, you do not yet know what alignment failure looks like there. --- **Actionable insight:** Name the role, the deliverable, the wrong and right attribute, the false and true doctrine, and the recovery path. If you cannot fill all six, your risk register is too vague to govern action. ## Key figure **49.6%** — Share of strategic potential lost during execution due to misalignment between intent and action, measured across public sector organizations *Source: Olivier & Schwella, International Journal of Public Leadership, 2018* ## Myth vs reality **Myth:** A risk register only needs to list what can go wrong **Reality:** Before you can list risks, you need a structural definition of what failure means in that context. The register makes doctrine, attributes, countermeasures, consequences, and recoveries explicit in the same order for every domain. *Source: Author's risk register, 2022*