The Boardroom Blind Spot: Addressing the Governance Gap in Risk Management

At what point in a high‑level boardroom discussion does it become clear that a foundational governance element hasn’t yet been formalised?

Recently, while working with the senior leadership team of a large Australian organisation, led by highly experienced directors and a technically strong finance function, a useful realisation emerged during a broader governance discussion. Despite solid reporting and oversight in many areas, the organisation didn't yet have a formal risk register in place.

This scenario is more common than you would think. Risk registers occupy an awkward middle ground, viewed as too operational for the board, yet too strategic for daily operations. Frequently regarded as unglamorous, they are deferred until a crisis occurs, at which point the question of accountability becomes urgent and undeniable.

A Structured Approach: The 52 Risks Framework

The first step in closing this gap is knowing exactly what to look for. At Acumentis, we use the 52 Risks framework, developed by former Australian Chief Risk Officer Peter Deans. This model maps every conceivable business risk across three core pillars:

  1. Strategic Risks (17): High-level threats to the business model and market position.
  2. Financial Risks (16): Threats to liquidity, credit, and capital.
  3. Operational Risks (19): Threats to the day-to-day execution and delivery of services.

The true value lies in a candid, systematic review of each category. By asking, "Is this material to our business, and if so, who owns it?" leadership teams often uncover unexpected vulnerabilities, ranging from unmanaged key-person dependencies to cyber exposures with no designated owner, or climate change risks that hadn’t been considered at all.

4 Pillars of a Robust Risk Register

The framework is a catalyst, not a cure. To prevent the common failure of creating a generic document that offers no practical use, a robust risk register must adhere to four professional standards:

  • Consistent Rating: Evaluate risks based on likelihood and consequence, supported by clear, evidence-based reasoning.
  • Targeted Ownership: Assign accountability to the individual best positioned to mitigate the risk, rather than defaulting to the CEO.
  • Demonstrable Controls: Understand that a "policy" is not a control. A true control is a mechanism that demonstrably reduces the likelihood or limits the impact of a risk.
  • Active Review: A register that is only updated during annual audit cycles is not risk management; it is paperwork.

Next Steps for Your Governance Strategy

If you’re looking to establish an enterprise risk register, or to embed climate risk into your existing register in preparation for mandatory climate reporting, visit esg.acumentis.com.au to learn more.

We’ll soon be releasing a new video module that unpacks this topic in practical detail, helping boards and executives strengthen governance and reduce exposure.


ASRS readiness: live demo + free tool

21 April 2026 | 12:00–1:00pm AEST

Join this free, practical webinar with Acumentis ESG and NetNada to see what ASRS readiness actually looks like. Watch a live, end‑to‑end demo of the Acumentis ESG Assess tool on a real example company, then receive the tool after the session to use internally.

You’ll learn how to:

  • Confirm your AASB S2 reporting group
  • Assess ASRS readiness across key pillars
  • Identify priority gaps and actions
  • Build a clear 90‑day action plan
  • Shape a board‑ready 12‑month roadmap


Spots are limited. We’ll confirm your place as registrations open.

Marco Gritti
National Director ESG
— Melbourne Property Valuers