The dangerous risk is the one you never wrote down
Look at enough incident reviews and the pattern shows up fast. The risk that caused the damage was not always unknown. Someone saw it. Someone mentioned it in a hallway, an email thread, or a meeting that ran long. Then it never made it onto anything governed. No entry, no score, no owner.
A risk register is not a record of everything that could go wrong. It is a record of what the organization captured. The gap between those two things is where losses live. You do not usually get blindsided by the risks already owned, scored, and reviewed. You get blindsided by the ones that never made it there.
The uncomfortable truth is that many registers are honest about the known and silent about the noticed-but-unlogged. That silence is not neutral. It is exposure you cannot see, cannot measure, and cannot defend when someone asks why nobody acted.
The failure is capture, not analysis
Many risk programs are better at analyzing risks than catching them. Teams build heat maps, scoring models, and quarterly reviews for the risks already on the list. None of that helps with the material risk that never got onto the list in the first place.
Capture fails for boring reasons. The risk surfaced in a channel that is not the register. The person who noticed it was not the person who owns the register. It felt too small to log, or too obvious, or someone assumed somebody else already had. So it lives in a chat, a slide, an inbox, and nowhere that governance can reach.
This is why bigger frameworks do not fix small gaps by themselves. You can have a mature program and still lose to a risk nobody wrote down, because the sophistication sits downstream of a capture step that quietly failed. Fix the intake, and the rest of the machine finally has more complete input to work with.
Scattered registers are the same as no register
A risk logged in a place nobody governs is barely logged at all. Many organizations do not have one register. They have a spreadsheet per team, a tracker per project, a list in someone's notes. Each one looks reasonable on its own. Together they make it hard to know whether the single view is complete.
PwC's Global Risk Survey 2023, based on 3,910 business and risk leaders across 67 territories, identified a top-performing 5% of organizations as Risk Pioneers. PwC describes that group as underpinned by strategic enterprise-wide resilience and a human-led, tech-powered approach. The point is not that everyone else is failing. The point is that resilience is easier when risk signals are connected across the enterprise instead of trapped in isolated pockets.
When risk data is scattered, you cannot answer the simplest questions without a hunt. What is our top exposure this quarter? Who owns it? Has anything changed? Which control, audit finding, supplier issue, or regulatory change created it? Scattered registers make those answers a scavenger hunt. A single governed risk register makes them a lookup. That is the difference between managing risk and hoping you remembered it.
Capture risks from work, not memory
A modern risk register should not depend only on someone remembering to type a risk. Intake should come from contract exceptions, regulatory changes, assessment gaps, incidents, audit findings, vendor reviews, and policy deviations. Each entry should keep the source that created it.
That changes capture coverage. The contract with an unusual liability cap, the new rule that changes a control, and the failed assessment item all become candidate risks without waiting for a quarterly workshop. People still decide materiality. The system makes sure the signal is not lost before they see it. That matters for regulated work too: DORA turns ICT risk, incidents, testing, and ICT third-party dependencies into governed evidence, while NIS2 pushes cybersecurity risk-management accountability into management bodies.
The frameworks already told you: capture first
The frameworks already assume the risk has been identified before the rest of the process can work. ISO 31000 provides general risk-management guidance. COSO ERM's Performance component includes identifying risks that affect strategy and business objectives, assessing severity, prioritizing risks, selecting responses, and developing a portfolio view. ISO/IEC 27005 makes the information-security version concrete: identify and describe risks, identify risk owners, analyze and evaluate risks, prioritize them for treatment, and document risk assessment and treatment results.
That logic is not subtle. You cannot evaluate a risk you never named. You cannot treat one you never recorded. You cannot report on one that lives only in someone's memory. ISO/IEC 27001 certification work depends on this because risk assessment, risk treatment, control selection, and the Statement of Applicability need traceable inputs. NIST CSF 2.0 points the same direction from a governance angle: identify assets, risks, roles, responsibilities, and improvement actions before pretending the program is managed.
The frameworks are not the problem. The intake is. If risks are landing in scattered channels instead of one governed register, you have a serious process running on incomplete input. Garbage in, confident out.
One governed source of truth for material risk
The fix is structural, not motivational. You do not close capture gaps by asking people to try harder. You close them by giving every material risk one obvious place to land, so logging it is easier than not logging it.
That is what Sorena SSOT, our Single Source of Truth, is built to do. Risks, controls, policies, and evidence live in one governed store instead of a dozen spreadsheets. A risk noticed anywhere in the business can go to the same place, get an owner, get a score, and stay visible to everyone who should see it. Nothing depends on the right person remembering to copy the right cell into the right tab.
Grounded on that single store, the Sorena risk management workspace turns capture into governance. Each entry carries its owner, its status, its history, and its link to the controls and evidence that address it. When something changes, the change is recorded, not remembered. The register stops being a snapshot someone maintains by hand and becomes a live account of your actual exposure.
A complete register is also an audit-ready one
The register that captures material risks consistently is the same register that survives an audit. When capture happens in one governed place, the audit trail is a byproduct, not a scramble. Who logged the risk, when, who owns it now, what treatment was chosen, what changed and why: all of it is recorded because that is how the risk got there in the first place.
Contrast that with the scattered model, where audit prep means reconstructing history from memory and email. That is slow, it is error-prone, and it is exactly when the unlogged risk gets exposed in front of the wrong audience. A single governed register removes the reconstruction step entirely.
Humans decide what matters, how to treat it, and how much risk to accept. The system executes the capture, the tracking, and the evidence trail so those human decisions rest on a more complete picture. That is the split that makes governance both faster and more defensible: judgment stays with people, bookkeeping stays with the system.
Log it, or lose to it
The risk that sinks you may not be exotic. It may be ordinary, and it may be one someone already noticed and never wrote down. You do not prevent that with a sharper analyst or a longer meeting. You prevent it by making sure material risks have one place to land the moment they are seen, with an owner and a record attached. Capture the signal into one governed register. The risks you write down are the ones you can manage. The rest are just waiting.
Frequently asked questions
Why do risks that cause incidents so often turn out to be already known?+
Because knowing about a risk and capturing it are different things. Someone may notice the risk, mention it once, and never log it in a governed place. Without an entry, it is never scored, owned, or tracked, so nobody acts. The failure is often capture, not intelligence.
Isn't a mature risk framework like ISO 31000 or COSO ERM enough to catch this?+
Only if intake works. ISO 31000, COSO ERM, and [ISO/IEC 27005](/artifacts/global/iso-27005) all depend on identified risks before assessment, prioritization, treatment, monitoring, and reporting can work. If risks are scattered across spreadsheets and chats instead of one governed register, you have a sophisticated process running on incomplete input. Fixing capture is what makes the framework deliver.
How does a single source of truth reduce unlogged risk?+
It gives material risks one obvious place to land, so logging is easier than not logging. In Sorena SSOT, risks, controls, policies, and evidence live in one governed store with owners, scores, and a recorded history. A risk noticed anywhere in the business can go to the same place and stay visible to everyone who should see it.
Sources
- PwC, Global Risk Survey 2023 (3,910 leaders across 67 territories)https://www.pwc.com/gx/en/issues/risk-regulation/global-risk-survey.html?ref=sorena.io
- ISO 31000, Risk management guidelineshttps://www.iso.org/iso-31000-risk-management.html?ref=sorena.io
- ISO/IEC 27005:2022, Information security risk managementhttps://www.iso.org/standard/75281.html?ref=sorena.io
- COSO, Enterprise Risk Management: Integrating with Strategy and Performancehttps://www.coso.org/guidance-erm?ref=sorena.io


