The chances are that 2020 was a lot less scary for people who’d anticipated the worst-case scenario and put together a proper risk register with contingency plans.
First, just to be clear – what is a risk register? Put simply, it’s a document that records an organisation’s collective thinking on:
- events that might interrupt business – fire, hacking, zombie attack
- who in the business ‘owns’ each risk
- who will need to do what, when, if they come to pass
- and what can be done to make those events less likely to happen.
Usually, the risk register is handled by a finance director or business manager, although it’s something we can help small creative businesses with as well because, let’s be honest, most people resent having to keep it up.
For most people, it’s just another bit of paperwork to worry about, often requiring long, difficult meetings to get straight. It can be easy to become complacent with risk registers, going through the motions to prepare for common risks while leaving the business open to unforeseen disasters.
It can also be pretty miserable subject matter. For example, about 20 years ago, lots of British firms found themselves having to reflect on what they’d do if their building came under attack by gun-wielding terrorists.
Increasingly, we’re going to have to focus on climate change, water supply, extreme weather conditions, cybercrime and other 21st-century issues.
And let’s not talk about the possibility of another pandemic, shall we?
Risk registers are about “what if…?”
It’s not all high drama and global crises.
For most businesses, the risks are likely to be things like a specialist member of staff leaving, the card payment facility failing or a health and safety inspection shutting down production for a fortnight.
Here’s how one of those might look in a simple risk register document:
|Lead designer leaves|
Notes on the jargon there: mitigation is what you can do to head off the problem, making it less likely to happen; contingencies are what you can do after it’s happened to reduce the damage. In this case, it’s about how you can prevent the lead designer leaving on the one hand, and what you can do to keep things moving if the steps you’ve taken don’t work.
You can see even in that quick example how taking time to reflect can flush out things that might not obviously spring to mind. And, in a way, the process is quite reassuring. It certainly beats running around in a panic on the day it happens.
A full risk register would also include notes on who is responsible for each action. Ownership is an important part of risk register management because without it, it just ends up being “somebody ought to…” – but nobody does.
Impact vs. probability
Another thing to think about is grading each risk by (a) how bad it would be for your business and (b) how likely it is to happen. If it’s highly unlikely and wouldn’t be that big a problem, you can pay it less attention.
If the converse is true – it’s both extremely likely and would be absolutely catastrophic – that’s where you want to spend your time and energy on contingency planning.
Red-amber-green (RAG) ratings can work quite well here. Just resist the urge to mark everything red or you can easily be overwhelmed. Not what you need after a year of pandemic-related stress.
Just detailed enough
If your risk register is too large and unwieldy, it’s less likely to get used and updated. That’s one reason why – sorry! – you should aim to review it at least once a year, if not quarterly, and remove anything that’s expired.
For example, you might have wanted Brexit on your risk register in 2020, but probably won’t need it there in 2023. Political unrest and cybercrime show no signs of abating, though, and should continue to present serious risks.
Cybercriminals continue to target more small businesses, rather than individuals, with ransomware attacks. These can breach your systems and shut you down until you pay up. They might also lead to a leak of the private details of your clients, who could then find themselves vulnerable to fraud.
Think about that for a second – how would your clients react if the data you hold on them was stolen? You can be pretty sure trust levels would be damaged. And the slower you are to take action, because you haven’t prepared for it, the worse it would be.
There are plenty of risks out there for businesses. The key is to whittle those down and focus on the ones that could do the most potential damage to your business.
When to do a risk register
In terms of when you should do your risk register, I think an ideal time is either just before or during your budget process, or while you’re reviewing business insurances. Many insurers like to see your risk register, so having it ready before you review your protection policies is a smart move.
It can also come in handy to have your risk register up to date if you’re planning on selling your creative company. While it might not answer all the questions a buyer has, it should indicate how seriously risks have been covered in the past. That can help show your business is well run.
And once you’ve completed your first risk register, it will hopefully become a habit that is built into your processes from then on. One thing’s for sure, it’s far easier to maintain a risk register than to put one together from scratch.
For more advice on how you can help your business grow in turbulent times, get in touch.