How to Build a Risk Register

If you don’t write your risks down, you’re not ‘managing risk’; you’re just hoping. A proper risk register turns vague worries into owned actions, deadlines and numbers you can run the business on. If you want the wider context, cross-reference Legal, Risk & Compliance: The Practical Framework Every Founder Needs to Protect Their Business before you build yours.

In this article, we’re going to discuss how to:

  • Identify the risks that actually threaten cash, delivery and reputation
  • Document them in a risk register your team will keep up to date
  • Prioritise actions so you reduce exposure without slowing the company down

Risk Register Basics: What It Is And What It Isn’t

A risk register is a living list of events that could hit your business, plus the evidence, owners and next actions to reduce the chance or the damage. It’s not a compliance document you create once for a client or a bank; it’s an operating tool that protects margin and momentum.

Here’s how to sense-check you’re doing the real thing:

  • Owned: Every risk has one named owner, not ‘Ops’ or ‘The team’.
  • Actionable: There’s a next step with a due date, not just commentary.
  • Measured: Likelihood and impact are defined, even if you start simple.
  • Reviewed: It’s updated on a cadence, not when something goes wrong.

Start With Fast Risk Discovery In 2 Hours

Founders overcomplicate this because it feels like it should take weeks. It shouldn’t. You can pull the first pass of a risk register together in a couple of hours if you start with internal signals, then check a few public data points.

Internal Signals To Gather First

Look for evidence in your own business, not opinions. You’re hunting for repeatable patterns.

  • Cash: Debtor days, bounced payments, chargebacks, runway, concentration in top 3 customers.
  • Delivery: Missed deadlines, rework rates, support tickets per customer, project overruns.
  • People: Sick leave spikes, key person dependencies, contractor turnover, role gaps.
  • Quality: Refund reasons, defect logs, incident tickets, ‘near misses’ that didn’t become disasters.
  • Legal and compliance: Contracts you can’t find, missing DPAs, unapproved tools storing customer data.

Quick completion check: if you can’t point to a spreadsheet, a system report or a log, you’re guessing. Your first risk register should be built from artefacts you already have.

Public Signals To Cross-Check

Then step outside your four walls. This is about context, not fear.

  • Supplier and platform risk: Status pages, outage histories, pricing changes, T&C updates.
  • Sector enforcement: ICO fines in your industry, regulator updates, common breach types.
  • Competitor failures: What went wrong publicly, layoffs, churn complaints, product recalls.
  • Macro triggers: FX exposure if you’re paid in USD, shipping volatility if you import, interest rate changes if you’re leveraged.

Don’t try to capture everything. The point is to spot the handful of threats that can realistically hit you in the next 90 days.

Build Your Risk Register With Columns That Drive Action

If your risk register is just a list of scary headlines, it’ll die. The structure matters because it forces clarity. Here’s a founder-friendly set of columns that works for most businesses, from agencies to SaaS to ecommerce.

  • Risk statement: ‘If X happens, then Y impact occurs’.
  • Category: Commercial, Operational, Legal, Financial, Tech, People, Reputation.
  • Owner: One person accountable for next actions.
  • Likelihood (1 to 5): How probable in the next 12 months.
  • Impact (£ and ops): Best estimate cost plus operational damage (lost weeks, churn, fines).
  • Velocity: Slow burn or immediate hit; this changes how you respond.
  • Existing controls: What already reduces likelihood or impact.
  • Trigger indicators: Metrics or events that mean it’s getting closer.
  • Next action: A single, specific task, not a wish.
  • Due date: If it’s ‘someday’, it’s never.
  • Residual risk: What’s left after controls, so you don’t pretend it’s solved.

Make it a Google Sheet at first, but restrict who can view it: a register is a map of your weak points, so share it with owners and leadership, not the whole domain. When the company grows, you can move to software, but software won’t fix a poor structure.

Write risk statements in plain English. For example:

  • Bad: ‘Data protection’.
  • Good: ‘If a contractor’s laptop holding customer data is stolen and its disk is not encrypted, that data could be exposed, leading to client churn and a regulatory complaint’.

Score It Simply So You Can Prioritise

You need a method that makes decisions easier, not a spreadsheet that wins awards. Start with a basic scoring model and tighten it later.

A simple approach:

  • Risk score: Likelihood (1 to 5) x Impact (1 to 5)
  • RAG: 1 to 6 green, 7 to 14 amber, 15 to 25 red

Define what ‘impact’ means with numbers. Example impact bands for a small business:

  • 1: Under £1k cost, under 1 day disruption
  • 3: £5k to £15k cost, 3 to 7 days disruption, or 1 key customer escalates
  • 5: Over £50k cost, over 2 weeks disruption, or regulator involvement

Then add one founder rule: if a risk threatens solvency, reputation or legal ability to trade, it’s red even if the score looks ‘only’ amber. Numbers guide judgement, they don’t replace it.
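The scoring rules above, the founder override and the trigger-indicator column are simple enough to encode, and doing so stops the spreadsheet drifting (someone typing a 6, or a red risk sorted below an amber one). The block below is an added example written for this article, not a template from the toolkit it links to. It implements score = likelihood x impact, the 1 to 6 / 7 to 14 / 15 to 25 RAG bands, the rule that solvency, reputation or right-to-trade risks are red regardless of score, and a check of each risk’s triggers against a metrics snapshot. The register rows, owner names, metric names and thresholds are constructed sample data; the choice to treat a missing metric as a fired trigger is an assumption made here, on the basis that a trigger nobody measures is not a trigger.

```python
"""Added example: scoring helpers for a founder-style risk register.
Rules follow the article: score = likelihood x impact (1-5 each), RAG bands
1-6 green / 7-14 amber / 15-25 red, founder override to red for existential
risks, and trigger indicators checked against a metrics snapshot.
All risks, metrics and thresholds below are constructed sample data."""
from dataclasses import dataclass, field
from operator import gt, lt

RAG_RANK = {"red": 0, "amber": 1, "green": 2}   # sort key: red first
COMPARATORS = {">": gt, "<": lt}


@dataclass
class Trigger:
    metric: str       # key in the metrics snapshot, e.g. "chargeback_rate_pct"
    op: str           # ">" or "<"
    threshold: float

    def fires(self, metrics: dict) -> bool:
        # Assumption: a metric nobody is collecting is itself a warning, so treat it as fired.
        if self.metric not in metrics:
            return True
        return COMPARATORS[self.op](metrics[self.metric], self.threshold)


@dataclass
class Risk:
    statement: str             # 'If X happens, then Y impact occurs'
    owner: str                 # one named person, never 'Ops'
    likelihood: int            # 1 to 5 over the next 12 months
    impact: int                # 1 to 5 from the agreed impact bands
    existential: bool = False  # threatens solvency, reputation or right to trade
    triggers: list = field(default_factory=list)


def score(likelihood: int, impact: int) -> int:
    """Likelihood x impact; anything off the 1-5 scale is a data-entry error."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer 1-5, got {value!r}")
    return likelihood * impact


def rag_band(value: int) -> str:
    """Map a 1-25 score onto green / amber / red."""
    if value <= 6:
        return "green"
    return "amber" if value <= 14 else "red"


def rating(risk: Risk) -> str:
    """RAG after the founder rule: existential risks are red whatever the score."""
    return "red" if risk.existential else rag_band(score(risk.likelihood, risk.impact))


def fired_triggers(risk: Risk, metrics: dict) -> list:
    """Trigger metrics that have crossed their threshold in this snapshot."""
    return [t.metric for t in risk.triggers if t.fires(metrics)]


def prioritise(register: list) -> list:
    """Red first, then highest raw score, so the monthly review starts at the top."""
    return sorted(register, key=lambda r: (RAG_RANK[rating(r)], -score(r.likelihood, r.impact)))


# Constructed sample register and metrics snapshot (illustrative, not real data).
SAMPLE_REGISTER = [
    Risk("If our payment platform has a multi-hour outage, then refunds and lost sales "
         "hit the week's gross profit", "Priya", 2, 4,
         triggers=[Trigger("uptime_pct", "<", 99.5)]),
    Risk("If a contractor's unencrypted laptop is stolen, then customer data is exposed, "
         "causing churn and a regulatory complaint", "Tom", 2, 5, existential=True),
    Risk("If chargebacks keep rising, then card-scheme penalties and reserve holds hit cash",
         "Priya", 3, 3, triggers=[Trigger("chargeback_rate_pct", ">", 1.5)]),
    Risk("If the support backlog grows, then renewals slip", "Asha", 2, 2,
         triggers=[Trigger("support_backlog", ">", 50)]),
]
SAMPLE_METRICS = {"uptime_pct": 99.8, "chargeback_rate_pct": 1.9, "support_backlog": 62}


def review_rows(register: list, metrics: dict) -> list:
    """(rag, score, owner, fired triggers, statement) per risk, in priority order."""
    return [(rating(r), score(r.likelihood, r.impact), r.owner, fired_triggers(r, metrics),
             r.statement) for r in prioritise(register)]


if __name__ == "__main__":
    for rag, s, owner, fired, statement in review_rows(SAMPLE_REGISTER, SAMPLE_METRICS):
        print(f"{rag:5} {s:2} {owner:6} fired={fired or '-'}  {statement}")
```

Run as a script it prints the four sample risks in review order: the laptop risk first as red even though its raw score is only 10, then the two ambers by score, then the green, with the chargeback and support-backlog triggers flagged as fired against the sample snapshot. The same functions can read rows exported from the sheet once you agree the column names.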

Use The Risk Register To Tighten Your Offer And Sales Process

This is where founders get an edge. Your best sales message often comes from the risks customers are trying to avoid. If your risk register includes customer-side failure modes, you can turn them into clear positioning and stronger risk reversal.

Here’s a one-sentence offer template you can fill in:

We help [specific customer] achieve [measurable outcome] in [timeframe] without [common risk or fear], using [your method].

Example: ‘We help UK ecommerce brands cut dispatch errors by 30% in 30 days without hiring more warehouse staff, using scan-based pick verification and daily exception reporting.’

That one line forces you to name the feared downside. It also feeds your risk register because you’ll spot delivery and capability gaps early, before customers do.

Link Risks To Money: Pricing, Unit Economics And Contingency

Risk management becomes real when it hits P&L. A decent risk register should change how you price, what you insure, what you automate and what you refuse to take on.

Two practical calculations you can do this week:

Expected Loss For The Top 5 Risks

For each of your top risks, estimate:

  • Probability: A rough annual likelihood, expressed as a %
  • Impact: A £ number for direct cost plus lost gross profit

Expected loss = Probability x Impact.

Example: if you think there’s a 20% chance a key platform outage costs you £25k in refunds and lost sales, expected loss is £5k per year. That number helps you justify spend on redundancy, monitoring or a better support process. Remember it’s an average: the year it happens you still take the full £25k hit, so check that figure against runway as well as against the £5k budget.

Margin Guardrails That Stop Risk Eating Your Week

Some risks don’t show up as one big bill, they show up as time leak and discounting. Put guardrails in writing:

  • Minimum gross margin: If a project drops below 45% margin, you pause scope and re-price.
  • Customer concentration: No single customer over 25% of revenue without board-level review.
  • Credit terms: New customers start on 7-day terms until they’ve paid 3 invoices on time.

These are operational rules backed by your risk register, not random policies.

Validate And Improve In A 7 To 14 Day Sprint

A risk register improves when you test assumptions quickly. Don’t wait for a quarterly review. Run small validations that prove whether your controls work.

Pick 3 red or amber risks and run a sprint:

  • Day 1: Assign owners, define triggers and agree the ‘done’ condition for each action.
  • Days 2 to 5: Run one test per risk, something you can complete quickly.
  • Days 6 to 10: Implement the smallest control that meaningfully reduces likelihood or impact.
  • Days 11 to 14: Re-score residual risk and document what changed.

Small tests that work well:

  • Tabletop incident drill: Simulate ‘client data exposed’, time how long it takes to identify, contain and notify, and compare that with the 72-hour window UK GDPR gives you to report a notifiable breach to the ICO.
  • Contract retrieval test: Can you pull signed terms, scope and IP clauses for your top 10 customers in under 15 minutes?
  • Supplier dependency test: Turn off one tool for an hour, can the team keep delivering without chaos?

Completion check: if you cannot show before and after evidence, like reduced response time from 6 hours to 60 minutes, you haven’t improved risk, you’ve just talked about it.

Operational Guardrails That Keep The Risk Register Alive

The biggest failure mode is neglect. The risk register becomes a stale spreadsheet, then everyone pretends it never existed. Treat it like any other operating rhythm.

Practical guardrails that work in real companies:

  • One monthly slot: 30 minutes in the ops meeting, same agenda each time.
  • Owner updates only: Each owner updates their risks before the meeting, no live editing circus.
  • Change log: Add a ‘last updated’ date and a one-line note on what changed.
  • Link to work: If an action takes more than 30 minutes, it becomes a task in your project system with a due date.
  • New risk trigger: Every time you ship a new product, hire a new role, enter a new country or sign a big customer, you add a quick risk review.

Also decide who can accept risk. Not every decision needs founder approval, but some do. Example: any change that increases exposure above £20k, or any legal risk that affects your right to trade, comes back to you.

Micro Cases: Three Risk Registers In The Wild

Case 1: A 12-person marketing agency in Manchester
They had a ‘nice’ pipeline but cash was lumpy. The risk register highlighted customer concentration and scope creep. They introduced 50% upfront payments for new projects and a rule that any change request over 2 hours gets priced. Within 6 weeks, debtor days dropped from 41 to 23.

Case 2: A UK-UAE ecommerce brand
Returns were climbing and warehouse errors were blamed on ‘busy periods’. Their risk register added trigger indicators: mis-picks per 1,000 orders and refunds by SKU. They ran a 10-day sprint to add barcode scanning on high-return items. Refund rate fell by 0.8% and support tickets dropped fast.

Case 3: A B2B SaaS founder selling to finance teams
Sales cycles were slow because security questions arrived late. Their risk register treated ‘late-stage compliance blockers’ as a commercial risk with a cost per stalled deal. They created a basic security pack, added a DPA and tightened access controls. Deals moved quicker because the buyer felt safer saying yes.

Common Mistakes And Simple Hedges

Most founder risk mistakes are predictable. The good news is you can hedge them without building a bureaucracy.

Mistake: Listing ‘risks’ that are just tasks.
Hedge: Use the ‘If X, then Y’ format so you capture events and outcomes, not to-do items.

Mistake: Treating legal and data risks as ‘someone else’s problem’.
Hedge: Keep a minimum pack of signed contracts, DPAs and policy links in one place. If you need a deeper framework, refer to Legal, Risk & Compliance: The Practical Framework Every Founder Needs to Protect Their Business and align your register with it.

Mistake: Scoring everything as ‘high’ because it feels safer.
Hedge: Put numbers on impact bands and agree a red threshold. If everything is red, nothing is.

Mistake: No triggers, so risks only get reviewed after damage happens.
Hedge: Add one measurable trigger per top risk, even if it’s basic: chargebacks above 1.5%, uptime below 99.5%, support backlog over 50 tickets.

Mistake: Confusing ‘transfer’ with ‘solve’.
Hedge: Insurance, indemnities and suppliers help, but you still need operational controls and rehearsals.

Do And Don’t Checklist For Founders

  • Do keep the first risk register short, 15 to 25 risks is plenty.
  • Do assign one owner per risk and give them authority to act.
  • Do review red risks monthly and amber risks quarterly.
  • Don’t build a 100-line register to feel organised, it will rot.
  • Don’t let ‘policy writing’ replace real controls like backups, access reviews and payment terms.
  • Don’t accept a risk you haven’t priced into margin, cash or timelines.

Download The Risk Management Toolkit And Build Yours This Week

If you want a faster start, download the Risk Management Toolkit: Incident Logs, Risk Register & Mitigation Templates and use it to create your first working risk register in one sitting, then run a 7 to 14 day sprint on your top 3 risks to prove the controls actually work.

Key Takeaways

  • A risk register is only useful when every risk is owned, scored and linked to a next action with a due date.
  • Validate your biggest risks with small tests in days, then re-score residual risk so you can see progress and protect margin.
  • Use triggers, guardrails and a fixed review cadence so the register stays alive and doesn’t turn into ‘a file you once made’.

FAQ For Building A Risk Register

What’s the difference between a risk register and an issues log?

A risk register covers potential events that might happen, plus controls and triggers to reduce them. An issues log is for problems already happening, with actions to fix them.

How many risks should a small business include?

Start with 15 to 25, otherwise you’ll stop maintaining it. Add more only when you’ve got a cadence and owners who actually update it.

Who should own the risk register in a founder-led company?

One person should administer it, often Ops or Finance, but each individual risk needs a dedicated owner with authority. As founder, you own the thresholds and the decisions on what you’ll accept.

How often should we review our risk register?

Review red risks monthly and anything tied to growth moves, like new markets or big hires, immediately. A full register review quarterly is enough for most teams under 50 people.

How do I score likelihood and impact without perfect data?

Use ranges and define impact bands in £ and time so scores are consistent. As you collect incidents and near misses, refine the scoring based on what actually happens.

What should I do if a risk has no obvious mitigation?

You either avoid it, transfer it, or accept it with eyes open and price it in. Acceptance should still include triggers and a response plan so you’re not improvising under pressure.

Is a risk register only for regulated industries?

No, it’s for any business that wants predictable delivery and stable cash. Regulation just makes the consequences louder, the underlying operating discipline is the same.

Mike Jeavons

Author and copywriter with an MA in Creative Writing. Mike has more than 10 years’ experience writing copy for major brands in finance, entertainment, business and property.