I know, the boring governance stuff. But bear with me. Keeping an eye on, and acknowledging, risks to your business or even an in-house project can save you a lot of time, money and grief.
Assuming you don't need a plan B, or that 'that will never happen', can be costly: reputational damage, poor customer outcomes, safety issues for your employees. I could drone on.
By having a risk register, you can have a list of factors that could impact your business and set up controls/insurances to mitigate these.
There is an element of sensibleness to this. For example, we are all at risk from a giant meteor. But let's face it, once we are all gone the risk register will be moot!
What is a risk register?
In a nutshell, it is what the title says: a list of risks to the business. It details the likelihood of each risk happening, the possible costs and the mitigation actions. Within project management we would have a RAID log: Risks, Assumptions, Issues and Dependencies. But for the purposes of this article, I am going to keep this simple for SME businesses and focus on the Risk aspect. However, there are plenty of free resources online if you want to explore RAID logs further.
A great example of a very forward-thinking business is The All England Lawn Tennis and Croquet Club (Wimbledon). While most companies never factored in a global pandemic, their board did. They took out an insurance policy to mitigate this risk, which more than paid for itself.
How complex should it be?
That is the beauty of owning your own business: you can define the complexity. What is key is to be self-aware about your business. What are the real threats and risks to your business? Examples include the quality of your supply chain and how safe your place of work is for employees. Are you complying with Health and Safety regulations? If not, why not? Ask yourself and your team questions such as:
1. Internal People -
- Consider the risks of losing key staff.
- Do you allow key staff to travel together?
- Do you have people trained to cover if someone is on holidays or leaves suddenly?
- Do you have a control on company credit cards (risk of theft or expenses abuse)?
- Do you have the right safety equipment?
2. Customer/Clients -
- How are you securing customer data?
- Risk of failing to fulfil an order correctly
- Risk of poor customer service
- Risk of customers going to a rival
- Health and Safety concerns
- Risk of non-payment
- Risk of changes to regulations (this is one you need to keep an eye out for regularly)
- Risk of changes to taxes
4. Legal - Domestic and International
- Risk of new legislation that will impact on your product, sourcing etc
- New accounting regulations you have to be aware of.
- Risk of countries you export to or source inputs from making changes to laws that will impact your business.
- Risk your systems will no longer be supported by your vendor.
- End of licence period
- Risk of power cuts
- Risk of hacking
- Risk of your equipment becoming obsolete
- Risk of inflation
- Risk of consumer decline
- Risk of interest rate changes
- Risk of competition & substitutions
7. Environmental (there will be overlaps with political and Legal)
- Risk of labelling not being accurate (inputs not being recyclable when told they were)
- Access to electric charging points if moving vehicles to electric
- Risk of adverse weather
- Risk of earthquakes
- Risk of no rain (agribusinesses)
8. Internal - Business
- Risk of poor cashflow management
- Risk of fraud by leadership team
This can become a very long list, but hopefully you get the gist. In a way, you are taking a PESTEL analysis (a strategy tool for examining your external environment) and a SWOT analysis, then tailoring them to your business model. Once you have asked this broad range of questions, they will trigger other questions that are unique to your business. These will come once you start with the standard questions.
You have the list of risks, what next?
Once you have your list, Excel is usually the place to create a register. I'm sure there are plenty of project tools that can be used as well, but if budgets are tight, Excel (or the free equivalent) will do just fine.
You can add as little or as much detail as you want. But as a minimum have a column to assess the level of risk - High, Medium, Low. You can even use conditional formatting to colour these to have Red, Orange and Green. In project lingo that is the 'RAG' status. I would then sort risks in order of severity.
Have a mitigation column. In this column you and your team outline what you can do to help minimise the impact of the threat. For example, it is very standard in companies not to allow key staff to travel together. Another mitigation could be backing up data to a cloud each night, or even throughout the day.
You can have another column for the cost of mitigation, and it might be that the level of risk is negligible compared to the cost.
Finally, have a column to cover why you can't mitigate the risk, with follow-up notes. You can also assign risks to certain people or departments and set the frequency of review for the risk register. The frequency can be based on risk level: green annually and red monthly, for example.
What will start to become apparent when preparing your risk register is that it will help to develop and expand your policies and procedures, as well as your strategy. We see time and time again plans failing because the risks were ignored.
Could I just copy someone else's register? You could, but that can be very problematic. You might be blinkered to the real issues specific to your business and get sidetracked by risks that have no bearing on your business.
So, it is extremely important to develop your own register. Even if you do copy from another company, take the time to overlay with the above types of questions. Then get your board to review and provide their guidance.
The register will evolve over time. As you add more and more team members, the risks of culture changes and clashes will increase. Expanding into new countries can bring its own challenges. Best to be ahead of the risk.