Corporate Governance | 13 June 2026

Regulatory Risk Register Review for Boards in India

A practical board-level approach to reviewing regulatory risk registers, ownership, escalation, and closure evidence.

A regulatory risk register should not be a decorative spreadsheet. For a board, it is useful only if it shows what can go wrong, who owns the issue, what evidence shows progress, and when unresolved matters must be escalated. If the register merely lists statutes and departments, it may create comfort without control.

The board's review should begin with scope. Does the register cover the company's real risk areas, such as tax, labour, environment, data, sector regulation, contracts, licences, and litigation exposure? Are subsidiaries, plants, branches, and outsourced operations included? A register that excludes the messy corners of the business is tidy in the least helpful way.

The next layer is ownership. Each risk should have an accountable executive, a reporting line, and a due date for closure or mitigation. The board should ask whether management has identified root causes rather than only current non-compliance. Repeat notices, delayed filings, recurring audit remarks, and unresolved reconciliations usually point to a control weakness rather than a one-time lapse.

Minutes matter. If a material risk is discussed, the record should capture the question asked, the management response, and the follow-up expected. The minutes need not become a transcript, but they should show oversight. A silent minute book can make even a serious discussion look like it never happened.

Directors should also test evidence. A green dashboard is not proof by itself. Ask for closure documents, acknowledgements, payment challans, revised procedures, training records, or correspondence with the authority where relevant. For high-risk items, management should explain residual exposure, possible financial impact, and whether external advice is needed.

The board should distinguish between routine compliance tracking and regulatory risk review. Routine tracking asks whether filings were completed. Risk review asks whether the company understands exposure, remediation, recurrence, and escalation. Both are useful. They are not the same thing.

The register should also show movement. A risk that remains amber for four quarters without explanation is not amber; it is unattended. Directors should ask what changed since the last meeting, what remains open, and whether management has enough authority or budget to close the issue. If the answer is always "under process", the process deserves its own review.

For listed or regulated companies, the risk register should connect with internal audit, legal updates, whistle-blower inputs, and management certifications. These channels often describe the same issue in different language. The board's job is to make those signals speak to each other. A good register turns scattered noise into a short list of decisions, deadlines, and owners.

The board should also agree on closure standards. A risk should not disappear because a manager says it is closed. Closure may require a filing acknowledgement, payment proof, revised process note, training completion, regulator correspondence, or internal audit validation. For significant matters, the next dashboard should show whether the fix actually worked. That follow-through is where oversight becomes real rather than ceremonial.

Dashboards should remain readable. Use colour, but do not let colour replace explanation. A brief note on exposure, owner, next step, and ageing usually tells directors more than a page of green boxes and bland management assurances.

AGS Consulting helps boards and committees convert compliance information into an oversight-ready regulatory risk register. For assistance with board reporting or escalation design, contact AGS Consulting.

FAQs

What should a regulatory risk register show to the board?

It should show the issue, owner, exposure, status, evidence of action, escalation trigger, and expected closure date.

Should every compliance item go to the board?

No. Routine items can stay with management, but material, recurring, or high-exposure issues should be escalated.

How detailed should board minutes be?

Minutes should capture material questions, management responses, decisions, dissent where relevant, and follow-up actions.

What is a common weakness in risk registers?

Many registers list obligations but do not show ownership, evidence, root cause, or whether the issue is recurring.