Harnessing Risk

Risk in a scaling business isn’t necessarily bad.

Unidentified, unmitigated and unmanaged risk is bad.

We have a simple process to help evaluate risk and report it to the board so that you focus on the right things. The outline below can be used by your company to get better at ‘risk’.

Sample Risk Process

As a board, we will identify, mitigate and report on risks that we feel could have an impact on the business.

This document outlines the process that we propose to follow. Your feedback on this process is very welcome.

To help identify risks, we will think about categories of risk. A proposed set of categories is shown below:

Categories of Risk

- Technology
- People
- Reputation
- Financial
- Regulatory

* Security is a horizontal, not a vertical, and applies to all the categories above.

The Risk Register

Every risk will be documented and recorded in a risk register using a format like this:

Scoring of Risks

We score a risk’s likelihood and impact as follows:

Scores:

Low = 1

Moderate = 2

High = 3

Total risk score = impact × likelihood

Once we have scored a risk, we can represent it as follows:

The risks will be collated and presented as follows:

Presenting Risk

Impact and Likelihood

What do we do with these?

1-3 = Low. Report new ones at board and review with board annually. Report any risks removed from the risk register and why they were removed.

4-6 = Medium. Report new ones at board and review with board quarterly.

7-9 = High. Report at every board meeting and update on mitigation plan for each of these risks – has anything changed and is the mitigation plan sufficient?