Key components of a business risk register

Understanding business risk is a key requirement for boards. For early stage businesses a business risk register can be confused with an operational risk register or a H&S risk register. A register can vary significantly between businesses in terms of both complexity and size. The risks facing bp may be different than an early stage Engineering and Technology business so its important to construct the register to reflect and then mange what is important to the business.

I would strongly advise creating a business risk register simply to meet compliance needs of the business and skim over during board meetings to focus on more 'interesting' topics. If the register is compiled intelligently then it will serve the board in keeping key risks 'top of mind' and so mitigations can be agreed, managed and progress upon.

In reality, the board members of an early stage business will be acutely aware of the risks facing the business as they probably spent significant thinking about them. However, be mindful that not all the team have the same tolerance for risk and may be thinking of risks impacting their cornerstone of the business. Therefore, make sure the register is sufficiently balanced.

I've extracted some of the information from "Business Risk - A practical guide for board members" by the IOD. You can find it here


  • Risks can be considered to the those things that affect the ability of an organisation to achieve its strategic objectives.

  • You want to ensure that the identified 'highest' really reflect the thraet to the business. Carry out a sanity check after completing the register.

  • Any determination of strategy should take account of the risks the organisation is exposed to. As risk and strategy are highly related, the challenge for boards is to align the risk and strategy discussion.

What to include in a business risk register.

An example is provided below. A good source of risks can be the business plan of strategic roadmap.

FINANCIAL RISKS – The complexion of risk will vary between businesses. Make sure you have the right level of detail and information to manage the risks. I.e. in many early stage business running out of cash is a key risk. Make sure you have a cash flow forecast and understand your burn rate. 

OPERATIONAL RISKS – As these will relate to the specific operations of the business, they will typically be managed from within the business and will often have a focus on health and safety-type issues, as industry regulations and standards require. These internally-driven risks may impact on the organisation’s ability to deliver its strategic objectives.

HAZARD RISKS – Often driven by major exogenous factors that impact the environment in which the organisation operates. A focus on the use of insurance and appropriate contingency planning will help address some of these. However, there is often a danger that as many of these risks cannot be controlled, boards and senior management will not reflect these in their strategic thinking. The mindset that strategy is focused on controllable factors creates the danger of not appropriately reflecting these risk drivers.


STRATEGIC RISKS – These include risk factors that are typically external or impact the most senior management decisions and, as such, are often missed from many risk registers. It is incumbent upon boards to ensure all these types of risks are included in the strategic discussion.


There are numerous free templates available online. An example from Smartsheet can be downloaded below. Don't get too caught up in the format. What's important is that you generate clarity on where to deploy both valuable board time in discussing and deploying company resources in mitigation measures.

This is an image of business risks to co