The Gap Between Risk Registers and Real Incidents

February 9, 2026

The risk register said the building was covered.

Access control: mitigated. Emergency response: documented. Security training: completed.

Then, on an ordinary weekday evening, something happened that wasn’t extraordinary at all.

A contractor who hadn’t worked in the building for months walked in after hours.

His card still worked. He didn’t rush. He didn’t hide. He didn’t look suspicious. He took the lift, moved between floors, and left unnoticed.

No alarms triggered. No procedures were breached. No one responded — because nothing technically went wrong.

The incident only surfaced later, after missing equipment was reported and access logs were reviewed.

By then, the question wasn’t what happened. It was how did this slip through when the risk was already “managed”?

That question sits at the centre of one of the most common failures in risk management today: the gap between what’s written down and what actually happens.

Human Risk Factors in Security

Most organisations don’t lack risk documentation. In fact, many are drowning in it.

Risk registers are reviewed quarterly. Controls are listed. Likelihood and consequence are scored. Auditors sign off. Boards are briefed. On paper, the risks look controlled.

But incidents don’t unfold on paper.

They happen after hours. When staffing is thin. When information is incomplete. When people hesitate because they’re unsure who’s meant to decide.

And when that happens, the register stops being a tool and starts being a comfort blanket.

According to data from the Office of the Australian Information Commissioner, Australia recorded more than 1,100 notifiable data breaches in a single year, the highest since mandatory reporting began.

In most cases, investigations found that the risk itself wasn’t unknown. It had been identified. The failure was operational.

The same pattern appears in physical security incidents, building emergencies, and safety events. The hazard was listed. The control existed. The response didn’t hold.

Spend enough time reviewing real incidents in buildings and facilities and the story starts to repeat itself.

The risk register says “unauthorised access” is mitigated by access cards. In reality, expired credentials accumulate quietly over time.
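As an added example (not from the article), a defender-side reconciliation check that makes the credential drift described above visible: it lists badges still enabled after the holder's contract ended and any after-hours swipes granted to them. The roster fields, log line format and business hours are assumptions for this example.

```python
from datetime import datetime

# Constructed sample data for this example (not from the article); the field
# names are assumptions about what a badge roster and door-controller log hold.
ROSTER = [
    {"card": "C1001", "holder": "staff-a",      "contract_end": None,         "enabled": True},
    {"card": "C2042", "holder": "contractor-x", "contract_end": "2025-09-30", "enabled": True},
    {"card": "C2077", "holder": "contractor-y", "contract_end": "2025-11-15", "enabled": False},
]

ACCESS_LOG = """\
2026-01-20T08:55:12 C1001 door=lobby result=granted
2026-02-03T19:42:07 C2042 door=lobby result=granted
2026-02-03T19:46:31 C2042 door=lift-L7 result=granted
2026-02-03T20:10:02 C2042 door=lobby-exit result=granted
2026-02-04T09:02:44 C2077 door=lobby result=denied
"""

BUSINESS_HOURS = (7, 19)  # granted swipes outside 07:00-19:00 count as after hours

def parse_log(text):
    """One event per line: '<iso-timestamp> <card> key=value ...'."""
    events = []
    for line in text.splitlines():
        ts, card, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": datetime.fromisoformat(ts), "card": card, **fields})
    return events

def stale_enabled_cards(roster, as_of):
    """Cards still enabled although the holder's contract ended before as_of (ISO date)."""
    return sorted(
        r["card"] for r in roster
        if r["enabled"] and r["contract_end"] and r["contract_end"] < as_of
    )

def after_hours_granted(events, cards):
    """Granted swipes by the given cards outside business hours."""
    start, end = BUSINESS_HOURS
    return [e for e in events
            if e["card"] in cards and e["result"] == "granted"
            and not (start <= e["ts"].hour < end)]

def review(roster, log_text, as_of):
    """Reconcile the register's 'mitigated' claim against the roster and the log."""
    stale = stale_enabled_cards(roster, as_of)
    hits = after_hours_granted(parse_log(log_text), set(stale))
    return {"stale_enabled": stale,
            "after_hours_by_stale": [(e["ts"].isoformat(), e["card"], e["door"]) for e in hits]}
```

Run `review(ROSTER, ACCESS_LOG, "2026-02-09")`: the register would call access control "mitigated", while the output shows one contractor badge still enabled months past contract end and three after-hours swipes granted to it.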

The register says “emergency response procedures are in place.” In reality, tenants don’t know who leads when something actually happens.

The register says “staff are trained.” In reality, training was completed months ago, in calm conditions, without pressure or consequence.

None of this shows up in a spreadsheet.

Risk registers are good at identifying things. They are far less effective at accounting for people — especially people under stress.

Human behaviour changes in ways risk matrices rarely model. Stress narrows attention.

Ambiguity slows decision-making. Social norms discourage confrontation. People wait for confirmation instead of acting.

These aren’t failures of character or professionalism. They’re predictable responses to pressure.

Yet most risk documentation assumes perfect execution: the right information arrives at the right time, the right person makes the right call, and controls function exactly as intended.

Operational Risk Failure

In buildings, this gap becomes visible faster than almost anywhere else.

High-rise and multi-tenant environments concentrate risk vertically and socially.

A single decision, or the lack of one, can affect hundreds or thousands of people.

Access systems are shared. Emergency responses are interdependent. Responsibility is fragmented between owners, managers, tenants, contractors, and security providers.

When something goes wrong, the risk register doesn’t coordinate those relationships. People do.

And when command is unclear, response slows.

This is why post-incident reviews so often conclude that “communication breakdown” or “role confusion” contributed to the outcome.

It’s not because plans didn’t exist. It’s because plans didn’t translate into action when conditions were messy.

The Australian Signals Directorate has repeatedly noted that incidents affecting critical infrastructure often involve cascading failures where a small issue triggers larger consequences because systems and people aren’t aligned under pressure.

The same dynamic plays out in buildings every day, just on a different scale.

A cyber issue disables access control. A safety alarm creates crowd movement. A security incident becomes a reputational crisis.

Risk categories collapse. The register doesn’t.

Emergency Response Risk

What separates organisations that cope well from those that struggle isn’t the thickness of their documentation. It’s whether they’ve confronted this gap honestly.

Resilient organisations don’t abandon risk registers. They stop treating them as protection.

They assume that:

  • People will hesitate
  • Information will be incomplete
  • Controls will degrade
  • Decisions will be uncomfortable

So they test those assumptions.

They run scenarios that feel inconvenient.

They simulate incidents at the worst possible times.

They stress-test not just procedures, but leadership.

They ask, repeatedly, “Who decides?” and “What happens if they’re not available?”

They focus training on judgement, escalation, and coordination — not just compliance.

And they measure readiness by how teams perform, not by whether documents exist.

That’s the difference between documented risk and managed risk.

The cost of ignoring this gap is rarely immediate, but it is consistent.

Slower response times. Higher liability exposure. Greater impact from otherwise manageable incidents.

Loss of confidence from tenants, occupants, and regulators.

After almost every serious incident, organisations discover the same uncomfortable truth: the risk wasn’t missed. It just wasn’t operationalised.

Conclusion

The register knew. The system didn’t respond.

There’s a simple way to tell whether the gap exists in your organisation.

If an incident started right now — not during a drill, not during business hours, not with everyone present — how confident are you that:

  • People on site would know what to do
  • Someone would clearly take charge
  • Decisions would be made quickly
  • Controls would hold up under pressure

If that confidence wavers, the issue isn’t your risk register.

It’s the space between documentation and reality.

And that’s where risk actually lives.

The gap between risk registers and real incidents exists because documented risks rarely account for human behaviour, unclear decision authority, and degraded conditions under pressure.

We’ve seen this gap come up repeatedly across building security reviews and incident debriefs, which is why we broke it down further using Australian examples and a practical maturity model in our broader analysis.


FAQs

What is the gap between risk registers and real incidents?

The gap refers to the difference between documented risks and how incidents actually unfold. Risk registers identify hazards, but often fail to account for human behaviour, unclear decision authority, and degraded conditions during real emergencies.

Why do risk registers fail during real incidents?

They assume perfect execution. In reality, incidents involve incomplete information, stress, hesitation, and fragmented leadership, conditions rarely modelled in traditional risk documentation.

Are risk registers still important?

Yes. Risk registers are essential for governance and compliance, but they must be supported by operational testing, training, and clear command structures to be effective during real incidents.

How can organisations close the gap between documented risk and reality?

By stress-testing scenarios, defining clear decision authority, training for judgement under pressure, and validating controls through real-world simulations rather than relying on documentation alone.

Why is this especially important for buildings and facilities?

Buildings concentrate people, assets, and responsibility. During incidents, unclear leadership and delayed decisions can quickly escalate risk across tenants, floors, and shared systems.
