Majid Mumtaz FCCA, principal – internal audit and risk advisory, Veritux Consulting Network

Imagine for a moment the board-approved risk register of a luxury hotel in a popular tourist resort. The register’s food-safety entry reads: likelihood – medium, impact – high, controls in place. The register is current, reviewed by the audit committee and relevant controls are tested every quarter by the internal audit department.

One day, a catering event results in 40 cases of food-borne illness. The kitchen has no cooling log for the period. The supervisor on shift joined the company six days earlier.

The register was technically accurate – and completely beside the point.

Different tempo

Risk registers are governance documents, designed to give boards a structured view of the organisation’s risk landscape at a point in time, and typically reviewed once or twice a year. That cadence works for strategic and financial risks: credit exposure, regulatory change and concentration in a geography or counterparty. Those risks move slowly enough that an annual cycle can keep up.

Hospitality and food and beverage (F&B) risks don’t work that way. A temperature deviation in a walk-in chiller can become a food-safety incident before the end of the shift. A guest complaint goes viral before management has drafted a response. The sector exposes a stark truth: risk registers are built for one kind of decision-making and asked to serve another.

Most risk register frameworks don’t acknowledge this. Available guidance on enterprise risk management (ERM) is well-developed and internally coherent, but none of it resolves the mismatch between a document reviewed a few times a year and a risk environment that changes by the shift.

Hidden assumption

Every entry on a risk register carries a hidden assumption: that the people responsible for running the controls exist, know what those controls are and have the capacity to execute them. In hospitality and F&B, that assumption fails on a regular basis.

Hospitality has one of the highest workforce turnover rates of any sector globally. A combination of seasonal peaks, contractor staffing and a multi-nationality workforce means the person executing a control on any given shift may have joined the business two weeks ago.

A register reviewed in February, say, says nothing useful about the Ramadan peak in March, when the kitchen runs at 140% capacity with a significant share of seasonal hires who have never seen the register and would not know where to find it. The framework assumes a stable, trained workforce behind every control. That is not what the sector looks like in practice.

Beyond the single unit

Standard ERM frameworks assume a single organisational unit with controls that are clear to the person writing the register. A hotel group, though, may hold one consolidated register covering 20 properties, each with a different management team, outlet mix, local regulatory environment and seasonal profile. Corporate consolidation produces entries that are accurate in aggregate but impossible to act on at the property level.

Franchise structures make this harder. The franchisor holds the brand risk and the register, but the franchisee owns what actually happens in the kitchen. Brand standards give the appearance of uniform controls across the network; actual compliance depends on the outlet manager, the owner’s investment in training and who is on shift. An entry that reads ‘food handling procedures: compliant across portfolio’ can be accurate at the level of policy documentation and training records while being operationally false on any given evening.

Better documentation does not fix that gap because the problem is in how multi-unit hospitality businesses are organised, not in how they record their risks. What is needed is a separate monitoring layer that tracks what is happening day to day.

Convergence of ordinary things

Significant risk events in hospitality businesses rarely look like the item on the register rated ‘high likelihood, high impact’. They tend to be a convergence of ordinary things: a busy Saturday, an under-trained supervisor who signed off a temperature check without completing it, and a supplier who moved their delivery window.

None of these is unforeseeable on its own, and together they correspond to no entry on the register. The risk lives in the distance between the control as documented and the person executing it.

This sits alongside a broader critique that ACCA practitioners have been making. Steve Bailey FCCA has argued, for example, that traditional risk documentation fails to capture looming non-financial risks, calling for a shift toward quantified, financially expressed risk measures. Hospitality and F&B is where that gap shows up most clearly because the consequences are immediate, visible and usually traceable to a specific moment the register described and missed.

Connected layers

The risk register serves a legitimate function: it gives boards a common language for risk and a basis for oversight. It cannot, and was never meant to, manage risk at the operational level.

In practice, what works is treating the two functions as separate but connected. The governance register gives the board the strategic view: risk categories, ratings, ownership, trend direction. Below it sits an operational layer, connected to incident reports, near-miss logs, supplier records, food-safety checklists and staff training. The link between the two needs to be deliberately designed so that deterioration in the operational layer appears in the governance layer before an event forces the conversation.

Building that connection is the audit function’s job, because it is the only function with sight of both layers. A chief audit executive who presents a clean risk register to the audit committee without also telling them whether the operational layer beneath it is working is providing assurance on a document, not on the risk. In a sector where a single event can generate a regulatory response and a reputational crisis before the next board meeting, that is a meaningful distinction.
