Risk management basics
7 min read · Updated 2026-04-18
Risk management is the practice of identifying what could break the business and deciding, explicitly, how much of each risk you're willing to carry. Most companies do it implicitly, and badly. They discover a risk only when it materializes. Good operators keep a living risk register and revisit it every quarter.
The risk register
A simple table, maintained by whoever owns risk (COO, CFO, Head of Ops, someone senior, not a committee):
Risk                 | Likelihood | Impact   | Score | Owner | Mitigation          | Status
---------------------|------------|----------|-------|-------|---------------------|-------
Top customer churn   | Medium     | Critical | 12    | CEO   | Diversify 2024 plan | Active
Key engineer departs | Low        | High     | 6     | CTO   | Knowledge transfer  | Active
Data breach          | Low        | Critical | 9     | CTO   | SOC 2, pen test     | Active
Regulatory change    | Medium     | Medium   | 6     | COO   | Monitor, counsel    | Active
Likelihood (1–4), Impact (1–4), Score = product. Scores > 8 demand quarterly review. Scores > 12 demand monthly.
Categories to scan
Financial
- Runway / cash flow
- Customer concentration (single customer > 15% of revenue)
- Currency exposure (international revenue)
- Bad debt / collection risk
- Cost inflation (key inputs, labor)
Operational
- Key person dependency (bus factor)
- Vendor dependency (single-source strategic vendors)
- Infrastructure / systems failure
- Supply chain disruption
- Data loss / backup failure
Security + Compliance
- Data breach / cybersecurity
- Regulatory violation (GDPR, SOC 2, HIPAA, etc.)
- IP theft / leakage
- Insider threat
- Third-party risk (vendor compromise)
Market + Strategic
- Competitor move (new entrant, major pivot)
- Platform risk (reliance on AWS / Apple / Google / LinkedIn)
- Market shift (buyer priorities change)
- Technology disruption
People
- Executive turnover
- Harassment / culture incidents
- Union / labor action
- Hiring capacity / ramp risk
External
- Macroeconomic downturn
- Geopolitical events
- Natural disasters / pandemic
- Legal action (lawsuit exposure)
The four responses to risk
For each risk, pick one:
- Accept: the risk is low enough or the mitigation too expensive. Document the acceptance.
- Avoid: don't do the thing that creates the risk. Exit the line of business, drop the vendor.
- Mitigate: reduce the likelihood or impact. Invest in controls, backup plans, insurance.
- Transfer: shift the risk to someone else. Insurance, contracts with indemnification, escrow.
The act of classifying forces explicitness. "We chose to accept this risk" is a very different artifact than "we never talked about it."
Early warning indicators
For the top risks, define leading indicators:
Risk: Top customer churn
Leading indicators:
- Quarterly usage declining 3 months running
- Executive sponsor departure
- NPS drop > 20 points
- Support ticket escalation rate 2x baseline
- No executive meeting for 90 days
Any two simultaneously → escalate to CEO for intervention.
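The scoring rule from the register section (Likelihood 1–4 × Impact 1–4, with the > 8 and > 12 review thresholds) and the "any two indicators simultaneously" escalation rule above, worked through as an added Python example. This is not code from the original article; the register rows, usage figures, NPS values and dates are constructed for illustration, and the "standard" cadence for scores of 8 or below is an assumption, since the page only names the quarterly and monthly thresholds.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass
class Risk:
    """One row of the register. Likelihood and impact use the page's 1-4 scale."""
    name: str
    likelihood: int
    impact: int
    owner: str
    mitigation: str

    @property
    def score(self) -> int:
        # Score = product of likelihood and impact, as the page defines it
        return self.likelihood * self.impact


def review_cadence(score: int) -> str:
    """Scores > 12 demand monthly review, > 8 quarterly (page rule).
    'standard' for anything lower is an assumption: the page names no extra
    cadence below 9 beyond the regular quarterly register review."""
    if score > 12:
        return "monthly"
    if score > 8:
        return "quarterly"
    return "standard"


def register_report(register: List[Risk]) -> List[Tuple[str, int, str]]:
    """(name, score, cadence) tuples, highest score first, for the committee agenda."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [(r.name, r.score, review_cadence(r.score)) for r in ranked]


# Constructed sample register; the numbers are illustrative, not the page's table.
REGISTER = [
    Risk("Top customer churn", 3, 4, "CEO", "Diversify 2024 plan"),
    Risk("Key engineer departs", 2, 3, "CTO", "Knowledge transfer"),
    Risk("Data loss / backup failure", 4, 4, "CTO", "Tested restores, offsite copies"),
]


@dataclass
class CustomerSignals:
    """Telemetry behind the churn leading indicators. All fields are constructed inputs."""
    monthly_usage: List[float]      # oldest -> newest; needs >= 4 months to judge a 3-month decline
    sponsor_departed: bool
    nps_previous: float
    nps_current: float
    escalation_rate: float          # escalations per 100 tickets, current period
    escalation_baseline: float
    last_exec_meeting: date


def fired_indicators(s: CustomerSignals, as_of: date) -> List[str]:
    """Return the names of the page's five leading indicators that currently fire."""
    fired = []
    # Usage declining 3 months running: the last three month-over-month deltas are all negative
    recent = s.monthly_usage[-4:]
    deltas = [later - earlier for earlier, later in zip(recent, recent[1:])]
    if len(deltas) == 3 and all(d < 0 for d in deltas):
        fired.append("usage declining 3 months running")
    if s.sponsor_departed:
        fired.append("executive sponsor departure")
    if s.nps_previous - s.nps_current > 20:
        fired.append("NPS drop > 20 points")
    if s.escalation_baseline > 0 and s.escalation_rate >= 2 * s.escalation_baseline:
        fired.append("escalation rate 2x baseline")
    if (as_of - s.last_exec_meeting).days >= 90:
        fired.append("no executive meeting for 90 days")
    return fired


def should_escalate(fired: List[str]) -> bool:
    """Page rule: any two indicators firing at once -> escalate to the CEO."""
    return len(fired) >= 2


# Constructed sample: usage has fallen four months in a row, escalations run at
# 2.25x baseline, and the last executive meeting was more than 100 days ago.
SAMPLE = CustomerSignals(
    monthly_usage=[1200, 1180, 1100, 1040, 990],
    sponsor_departed=False,
    nps_previous=45, nps_current=30,          # a 15-point drop, under the 20-point threshold
    escalation_rate=4.5, escalation_baseline=2.0,
    last_exec_meeting=date(2026, 1, 5),
)
AS_OF = date(2026, 4, 18)

if __name__ == "__main__":
    for name, score, cadence in register_report(REGISTER):
        print(f"{name:28} score={score:2} review={cadence}")
    hits = fired_indicators(SAMPLE, AS_OF)
    print("fired:", hits)
    print("escalate to CEO:", should_escalate(hits))
```

Running the sample fires three of the five indicators (usage decline, escalation rate, stale executive contact), so the two-indicator rule trips and the churn risk goes to the CEO; the NPS drop stays below its threshold and the sponsor is still in place. Feeding each indicator from real telemetry rather than hand-entered values is what turns the list above into an early warning system instead of a checklist.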
Scenario planning
Annually, run three scenarios:
- Base case: expected plan
- Downside: revenue down 20%, top customer gone, key hire slipped 6 months
- Black swan: business-defining event (lawsuit, recession, market collapse)
For each scenario: what actions do we take? At what trigger? By whom? Writing this down now beats improvising when the scenario hits.
The risk committee
Quarterly, the top 3–5 leaders review the risk register. 90 minutes. Format:
- New risks added this quarter
- Risks whose score changed
- Top 5 active risks, status of mitigation
- Any incidents since last review + what they teach
The quarterly ritual is what makes risk management a discipline instead of a one-time exercise.
What good looks like
- A living risk register exists and is reviewed quarterly
- Top 5 risks have named owners and mitigation plans
- Early warning indicators trigger specific actions
- After any incident, the register gets updated with what was missed
- Scenario planning happens annually and informs budget + plan
Related: Data + IP protection · Business insurance · Pre-mortems