Essay

Board Reporting Is Broken When Every Risk Is Medium

5 min read · GRC

An all-medium risk register isn't a balanced portfolio — it's a calibration failure that tells boards nothing useful about what would actually break.

The risk register that comes out of a mature GRC program should tell the board something true about the organization’s exposure. Too often it tells them something comfortable instead.

The most common symptom: everything is medium. Dozens of open findings, color-coded in yellow, clustered somewhere between “this is fine” and “we should probably get to this.” No urgent reds. A few reassuring greens. A heat map that looks, from a distance, like a well-managed portfolio. It is not.

An all-medium risk posture is a calibration failure. It means the rating process has drifted away from measuring actual impact and toward managing internal political dynamics.

Why ratings drift toward medium

Risk ratings don’t start wrong. They drift there over time, for consistent reasons.

The most direct: flagging a risk as high creates follow-up. Boards and executives ask questions. Remediation timelines get requested. Accountabilities get named. Risk owners who weren’t expecting scrutiny suddenly have it. For teams that are already stretched, “high” is not just a color — it is a commitment to spend political capital on something that may not get resourced anyway.

So ratings get softened. A risk that would break operations under a realistic threat scenario gets documented with generous assumptions about compensating controls, favorable likelihood estimates, and optimistic mitigation credit. It lands at medium. Everyone moves on.

There’s also a peer calibration effect. Risk ratings get compared across categories, across departments, across peer organizations. Nobody wants their function to appear dramatically more exposed than adjacent ones. Ratings normalize to a common band. The common band is medium.

Over time, the register stops recording organizational exposure and starts recording organizational tolerance for difficult conversations.

What boards actually need

Boards are responsible for organizational oversight, not technical detail. What they need from a risk report is different from what most GRC programs provide.

They don’t need a list of vulnerabilities or control gaps. They need to understand: under realistic conditions, what would materially hurt this organization, how likely is that, and what is being done about it?

That requires scenario-based framing, not category ratings. The difference is significant.

A category rating says: “our cyber risk is rated medium.” A scenario says: “a ransomware event affecting our production environment would take us offline for 72 hours, affect $12M in operations, and trigger regulatory notification in three jurisdictions. Our current backup posture reduces that to 24 hours. We have not tested that assumption in 14 months.”

The second version is actionable. The board can ask whether 24 hours is acceptable, whether testing should happen, whether the $12M exposure is appropriately insured. The first version produces a nod and a slide transition.

Most GRC programs are optimized for the first version because it is easier to produce, easier to defend, and less likely to generate difficult questions.

The governance signal in an all-medium register

There is actually useful information in a risk register full of medium ratings — it just isn’t the information it’s supposed to contain.

An all-medium register is often evidence that ownership is unclear. When nobody owns a risk outcome, there is no one to escalate it, no one to accept it formally, and no one to push back when the rating seems off. The default is medium because medium doesn’t force a decision.

It can also indicate that the risk rating methodology is disconnected from operational data. Ratings based on qualitative gut-feel, without reference to incident history, business impact analysis outputs, threat intelligence, or control effectiveness testing, will tend toward the center of the scale. The center of any scale is where uncertainty lives.

A healthy register has some highs and some lows. The highs exist because someone was willing to name what could actually break the business and didn’t flinch when it came out red. The lows exist because some risks are genuinely well-controlled, and there’s evidence to support that, not just assumption.

If the distribution is entirely clustered in the middle, the register is not measuring exposure. It is performing stability.
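The three signals above (a distribution clustered at medium, entries with no owner, ratings with no operational evidence or recent control test behind them) can be checked mechanically against a register export before it reaches a board pack. The script below is an added example, not part of the original essay or of any GRC product; the field names (rating, owner, evidence, last_tested), the 80% medium-share threshold and the sample register are all assumptions chosen for illustration.

```python
"""Calibration lint for a risk register export.

Flags the governance signals an all-medium register carries: a distribution
clustered in the centre, no highs at all, entries nobody owns, ratings that
cite no operational evidence, and controls not tested within a year.
Schema and sample data are constructed for this example, not a vendor format.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RATINGS = ("low", "medium", "high")


@dataclass(frozen=True)
class RiskEntry:
    ref: str
    title: str
    rating: str                  # one of RATINGS
    owner: Optional[str]         # None when nobody has formally accepted the outcome
    evidence: tuple[str, ...]    # operational sources behind the rating, e.g. "bia", "control_test"
    last_tested: Optional[date]  # most recent control-effectiveness test, if any


def rating_distribution(register):
    """Count entries per rating, always reporting all three bands."""
    counts = Counter(r.rating for r in register)
    return {band: counts.get(band, 0) for band in RATINGS}


def calibration_findings(register, as_of, medium_share_threshold=0.8, stale_after_days=365):
    """Return the distribution plus lists of problem entries and human-readable flags."""
    dist = rating_distribution(register)
    total = len(register)
    medium_share = dist["medium"] / total if total else 0.0
    cutoff = as_of - timedelta(days=stale_after_days)

    unowned = [r.ref for r in register if not r.owner]
    no_evidence = [r.ref for r in register if not r.evidence]
    stale = [r.ref for r in register if r.last_tested is None or r.last_tested < cutoff]

    flags = []
    if medium_share >= medium_share_threshold:
        flags.append(f"{medium_share:.0%} of entries are medium: distribution is clustered in the centre")
    if dist["high"] == 0:
        flags.append("no high ratings: nothing on the register has been allowed to come out red")
    if unowned:
        flags.append(f"{len(unowned)} entries have no owner: nobody can escalate or formally accept them")
    if no_evidence:
        flags.append(f"{len(no_evidence)} ratings cite no operational evidence")
    if stale:
        flags.append(f"{len(stale)} entries have no control test within {stale_after_days} days")

    return {
        "distribution": dist,
        "medium_share": medium_share,
        "unowned": unowned,
        "no_evidence": no_evidence,
        "stale": stale,
        "flags": flags,
    }


# Constructed sample register: six mediums, one low, no highs, several gaps.
AS_OF = date(2024, 6, 30)
SAMPLE_REGISTER = (
    RiskEntry("R-01", "Ransomware in production", "medium", "Head of Infrastructure", ("bia",), date(2023, 4, 15)),
    RiskEntry("R-02", "Critical vendor without security review", "medium", None, (), None),
    RiskEntry("R-03", "Privileged access sprawl", "medium", "IAM lead", ("control_test",), date(2024, 2, 1)),
    RiskEntry("R-04", "Unpatched internet-facing services", "medium", None, (), date(2024, 5, 10)),
    RiskEntry("R-05", "Insider data exfiltration", "medium", "CISO", ("incident_history",), date(2024, 1, 20)),
    RiskEntry("R-06", "Regulatory notification failure", "medium", "General Counsel", (), None),
    RiskEntry("R-07", "Physical access to data centre", "low", "Facilities", ("control_test",), date(2024, 3, 3)),
)

if __name__ == "__main__":
    findings = calibration_findings(SAMPLE_REGISTER, AS_OF)
    print("distribution:", findings["distribution"])
    for flag in findings["flags"]:
        print(" -", flag)
```

Run against the sample, every flag fires: six of seven entries are medium, there are no highs, two entries have no owner, three cite no evidence, and three (including the ransomware scenario last tested fourteen months earlier) have no recent control test. None of this proves the ratings are wrong, but a register that trips all five checks is exactly the one that should not go to the board as a yellow heat map without comment.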

Scenario-based reporting as an alternative

A workable alternative to heat map reporting is presenting the board with three to five plausible, named scenarios with business impact quantification, current control posture, residual exposure, and owner accountability.

Not: “Third-party risk — medium.”

Instead: “We have 14 critical vendors with access to production data who have not completed security reviews in the past 12 months. One of those is [category: payment processing]. If a significant breach occurred at that vendor, our regulatory exposure under applicable frameworks would require notification within 72 hours. We currently have no real-time alerting tied to that vendor’s access logs.”

That framing is harder to produce. It requires pulling together threat data, vendor inventory, business impact analysis, and control testing results. That is exactly why it is more valuable: it cannot be assembled without actually knowing what is happening in the environment.

Scenario-based reporting also makes ownership obvious. A named scenario has a named owner. It either gets resourced or it gets explicitly accepted. That is how governance is supposed to work.

Bottom Line

An all-medium risk register is not evidence of a managed program. It is evidence of a calibration process that has optimized for avoiding uncomfortable conversations rather than representing reality.

Boards cannot govern what they cannot see. When the risk report is designed to soothe rather than inform, the board is being asked to provide oversight of a picture that has been retouched to remove the concerning parts.

The register tells you what the organization is willing to name. What it is not willing to name is often more important.