Organizational Memory
Risks card, MethodKit for Memory & Reminiscence
Card 55 of 66 · MethodKit for Memory & Reminiscence
  • Theme: Governance, Legal & Risk
  • Questions: 5 to explore
Governance, Legal & Risk

Risks

Planning, avoiding & mitigating risks & crisis

A risk register is not a sign of pessimism; it is proof that someone in the organization is thinking clearly.

Every organization faces risks it knows about and risks it has not yet noticed. The point of a risk register is not to predict everything that can go wrong but to force a regular conversation about what the organization is most exposed to and whether the response is adequate.

A useful risk register is short and honest. It covers the risks that would materially affect the business, not every conceivable problem. For each one it notes the likelihood, the potential impact, what is currently being done to reduce it, and what the response would be if it materialized. That last part is the one most often missing.

Crisis planning is the companion to risk identification. When something goes badly wrong, the people who need to act are often under pressure and short on information. A brief plan written in advance, even a rough one, is worth far more than a comprehensive plan started the day the crisis begins.

What to capture

For this part of the company brain, these are the things worth writing down and keeping current. The goal is not a complete archive but a living record that new people can read and returning people can trust.

Risk register

The main risks the organization faces, assessed for likelihood and impact, with the current mitigation approach noted for each.

Risk owners

Who is responsible for monitoring and managing each significant risk, with a clear understanding of what that responsibility includes.

Crisis scenarios

The specific scenarios that would most seriously disrupt operations, and a summary of how the organization would respond to each.

Insurance coverage

What the organization is insured against, at what level, and the key exclusions or gaps in current coverage.

Questions to explore

Use these on your own or in a group. There are no right answers, only better conversations.

  1. What are the three risks that would most seriously damage the organization if they materialized this year?

  2. For each major risk, is there a concrete mitigation in place or just an intention to address it?

  3. Who would make decisions and communicate on behalf of the organization in a serious crisis?

  4. Are there risks the organization has identified but quietly decided to accept without documenting that decision?

  5. When did you last review the risk register against what has actually changed in the business and the external environment?

Things to notice

  • Risk registers that are created for a funding round or compliance exercise and then never reviewed again give false comfort rather than actual risk management.
  • Key-person risk, the exposure created when critical knowledge or relationships are held by one person, is consistently underestimated and rarely addressed until it becomes a crisis.
  • Insurance policies that looked adequate at signing may have coverage limits that no longer match the scale of the business or the nature of its risks.