Bonus 4 — Organisational Risk Management
Build the risk register every senior leader should own: delivery, talent, compliance, security, vendor, knowledge-concentration, single-point-of-failure.
On this page▾
- Bonus module 4 of the Manager-of-Managers program. Theme: See the risks before they see you.
- Quarterly risk register + escalation log — the real artefact you produce.
- Same shape as core 12: 90-min pre-read, 4-hr monthly intensive, falsifiable artefact.
- Reviewed by CHRO, VP/Director, sitting CEO, and OB faculty lenses.
Senior leaders are accountable for risks they often can't name. The discipline of a risk register — written, scored, reviewed, escalated — is the difference between a leader who absorbs surprises and one who creates them. This module installs the register, the scoring, and the escalation ritual.
What the evidence says
- ISO 31000 and COSO ERM: risk frameworks from outside HR/Eng map cleanly onto org leadership.
- Post-mortem case studies (Theranos, WeWork, multiple unicorn implosions): single-point-of-failure and knowledge-concentration risks were known internally for 12+ months before the public failure — they were just never escalated.
- Bus-factor research in eng teams: a bus factor of 1 (one person knowing critical knowledge) predicts incident severity 3× more than headcount does.
Pre-read (90 minutes)
- Read: the seven risk categories every senior leader should track — delivery, talent, compliance, security, vendor, knowledge-concentration, SPOF (25 min).
- Read: risk scoring — probability × impact × velocity — and the escalation matrix (20 min).
- Read: bus-factor analysis and how to remediate it (15 min).
- Reflect (30 min): list your top 10 risks. Mark which you've named publicly. Most leaders have named 2–3 of 10.
Monthly intensive (4 hours)
- 1Risk register build (60 min)Each leader builds their first 10-risk register: category, description, probability, impact, owner, mitigation, escalation date.
- 2Bus-factor audit (45 min)List every critical workflow your function owns. For each, name the people who could do it. Anything with bus-factor 1 becomes an immediate mitigation.
- 3Escalation drill (45 min)For each top-3 risk, draft the escalation comm: what's the risk, what's the ask, what's the decision date. Coach edits.
- 4Vendor & SPOF (45 min)Specifically: which vendors could fail and bring you down? Which person, system, or contract is unreplaceable? Document and route to procurement / IT / Legal.
- 5Wrap (45 min)Quarterly risk-review cadence committed; first review date set.
The artefact you produce
A live register with the seven categories, top 10 risks scored, named owner per risk, named mitigation, and a log of which risks you've escalated upward and what was decided. Reviewed quarterly with your manager and audit/legal as appropriate.
Tools at this layer
| Layer | Examples (2026) | Use |
|---|---|---|
| Risk registers | Notion / Coda templates, GRC platforms (LogicGate, Hyperproof, Drata, Vanta) for compliance-heavy orgs | Live document, not annual exercise |
| Bus-factor mitigation | Runbook discipline, pairing/shadowing programs, knowledge bases | Reduce SPOF by design |
| Vendor risk | Vendr / OneTrust / Whistic for SaaS risk, security review templates | Know who can take you down |
| Escalation discipline | Written escalation log, named decision dates, named exec sponsor | If it's not written down, it didn't happen |
Here's my function's snapshot [team size, key workflows, critical vendors, recent incidents]. Help me: (1) build a starter risk register across delivery / talent / compliance / security / vendor / knowledge-concentration / SPOF, (2) score each on probability × impact, (3) identify the top 3 risks to escalate this quarter, (4) draft the escalation comm for the highest-priority risk.
Between-session homework
- Risk register built, top 10 risks scored.
- Bus-factor audit complete; any factor-1 critical workflows have a 30-day mitigation plan.
- Top-3 risks escalated upward with named decision dates.
- Quarterly risk review added to operating cadence.
Success signal
By end of this module, you can name your top 5 organisational risks unprompted, your risk register is live (not a one-off exercise), and you've escalated at least one risk that previously sat in your head only.
Reviewer notes
The CHRO and the GC together can build a complete risk picture; most directors only see their slice. Bring them yours and you become the leader they brief upward.
Every reorg I've seen tried to fix risks that were named in someone's head for 18 months. Writing the register early is the most boring high-leverage thing you can do.
What I want from senior leaders is not zero risk — it's no surprise risk. Tell me what could break before it breaks and I'll back you on the mitigation.
March & Shapira's behavioural risk research is consistent: managers under-weight low-probability/high-impact risks until after they materialise. The register is the cognitive prosthetic that corrects that bias.
Read next
All playbooksTwelve modules for the second transition — from operating a team to designing and stewarding an org. Org design, strategy, calibration at scale, comp…
Plan and execute a reorg or reduction-in-force: criteria, sequencing, legal pre-clearance, communication architecture, and the after-care that determines…
Redesign your week around what only a manager-of-managers can do: org design, strategy, calibration, coaching managers, executive influence.