Risky business
There isn't an aspect of any business that doesn't involve risk. The risk of losing a big order, the risk of a key team member getting sick or leaving, etc.
These might be nigglings living rent-free in your head. You think you have a plan to manage these, but when the time comes, have you really thought these through? What happens if two or three unexpected risks come together, what is your priority?
This is where the unglamourous, but incredibly useful management tool of a risk register comes in.
Who owns this
Well, in large organisations the compliance and internal audit functions own this. With key leaders feeding in from Finance etc. The board will have oversight over this via a form of risk and audit committee.
However, in a scaling business or even a start-up, it may have to be in the remit of the founders to get this started. Then to find a team member who can look after the administration. You can ask your board to help, but it is often the case they do not have the capacity due to them being voluntary.
No matter your size you can build up the register over time. Setting aside an hour a month could potentially save a lot of time and resources by having some structure around managing and mitigating risk.
What should it be?
Excel is usually the best way to keep this record (other branded spreadsheets are available:)).
You could use your SWOT analysis as your starting point (guide here). This highlights internal and external threats to your business, which are an important starting point.
If you don't have a SWOT no worries (though no harm creating one first). Then in your spreadsheet of choice:
1. Simply list all the risks your business faces (not all the details). Look at your operations, customers, competitors, finance, HR, technology, natural disasters, and geopolitical matters that might impact your business.
2. Once you have that list, in another column write up some more detail.
3. In the third column rate how likely it is to happen. E.g. most organisations recorded the risk of a global pandemic as low. However, many companies would have had pandemic coverage as part of their insurance. Another example is the cost of supplies during a period of inflation. These will have a higher likeliness score for the risk of an 'increase of supplier costs'.
4. In the next column what would be the impact of this risk? You might have a sales team of 12 and if 1 left, is that the end of the world, probably not - low impact. But if you have a dependency on 1 developer, their leaving could be a huge setback - high impact.
5. Column 5 is to capture the mitigation you need to consider/implement. These might be a few actions, per risks. Such as getting insurance, training for Staff, new software etc.
6. You might find, that if it is a long list, you are better off grouping these risks under separate tabs that make sense for your business. I.E. by operational areas. This might also aid the review and maintenance process.
Once you have the register set up, then you can tidy it up. You can add in fancy filters, order by the severity of risk, etc. You might find as you implement mitigations, that some items can be de-risked. Or as the business environment changes, some items might get raised in severity.
You will also notice that some risks can be dependent on each other. Therefore you might want to use a new column to reference these dependancies.
In conclusion
This will be an evolving document. Depending on your document management policy (yes you will need one of these:)) you can track changes through the likes of SharePoint. Or simply copy and rename the files for each new version - Version 1, Version 2, etc. You may want to assign people to a risk to assign responsibility (this will come down to your way of working).
It might also be a useful exercise once a year to review the current version compared to the version at the start of the year. It may tell you a lot about how your business manages risk and how mitigations have or have not worked.
The register will form part of your corporate governance. As with board minutes, having a risk register aids in demonstrating that directors and founders are acting in the best interest of the company.
You may miss out on certain risks, but empower your team to speak up. They may have experiences from other employers that are invaluable to tap into. Especially when the team is small, engaging them to understand the risk you are operating under. It will help them appreciate why you have to make the decisions, you have to make.
If you need help creating a risk register drop me a line at darryl@darrylbannon.com to arrange the service. It might even be a good opportunity to do a half-day workshop with the team to build compliance and governance knowledge.