Skip to content
Playbook
AdvancedManagerHRFounder

Bonus 4 — Organisational Risk Management

Build the risk register every senior leader should own: delivery, talent, compliance, security, vendor, knowledge-concentration, single-point-of-failure.

12 min read
On this page
60-Second Summary
  • Bonus module 4 of the Manager-of-Managers program. Theme: See the risks before they see you.
  • Quarterly risk register + escalation log — the real artefact you produce.
  • Same shape as core 12: 90-min pre-read, 4-hr monthly intensive, falsifiable artefact.
  • Reviewed by CHRO, VP/Director, sitting CEO, and OB faculty lenses.

Senior leaders are accountable for risks they often can't name. The discipline of a risk register — written, scored, reviewed, escalated — is the difference between a leader who absorbs surprises and one who creates them. This module installs the register, the scoring, and the escalation ritual.

What the evidence says

  • ISO 31000 and COSO ERM: risk frameworks from outside HR/Eng map cleanly onto org leadership.
  • Post-mortem case studies (Theranos, WeWork, multiple unicorn implosions): single-point-of-failure and knowledge-concentration risks were known internally for 12+ months before the public failure — they were just never escalated.
  • Bus-factor research in eng teams: a bus factor of 1 (one person knowing critical knowledge) predicts incident severity 3× more than headcount does.

Pre-read (90 minutes)

  • Read: the seven risk categories every senior leader should track — delivery, talent, compliance, security, vendor, knowledge-concentration, SPOF (25 min).
  • Read: risk scoring — probability × impact × velocity — and the escalation matrix (20 min).
  • Read: bus-factor analysis and how to remediate it (15 min).
  • Reflect (30 min): list your top 10 risks. Mark which you've named publicly. Most leaders have named 2–3 of 10.

Monthly intensive (4 hours)

Cohort flow with a senior practitioner coach
  1. 1
    Risk register build (60 min)
    Each leader builds their first 10-risk register: category, description, probability, impact, owner, mitigation, escalation date.
  2. 2
    Bus-factor audit (45 min)
    List every critical workflow your function owns. For each, name the people who could do it. Anything with bus-factor 1 becomes an immediate mitigation.
  3. 3
    Escalation drill (45 min)
    For each top-3 risk, draft the escalation comm: what's the risk, what's the ask, what's the decision date. Coach edits.
  4. 4
    Vendor & SPOF (45 min)
    Specifically: which vendors could fail and bring you down? Which person, system, or contract is unreplaceable? Document and route to procurement / IT / Legal.
  5. 5
    Wrap (45 min)
    Quarterly risk-review cadence committed; first review date set.

The artefact you produce

Quarterly risk register + escalation log

A live register with the seven categories, top 10 risks scored, named owner per risk, named mitigation, and a log of which risks you've escalated upward and what was decided. Reviewed quarterly with your manager and audit/legal as appropriate.

Tools at this layer

LayerExamples (2026)Use
Risk registersNotion / Coda templates, GRC platforms (LogicGate, Hyperproof, Drata, Vanta) for compliance-heavy orgsLive document, not annual exercise
Bus-factor mitigationRunbook discipline, pairing/shadowing programs, knowledge basesReduce SPOF by design
Vendor riskVendr / OneTrust / Whistic for SaaS risk, security review templatesKnow who can take you down
Escalation disciplineWritten escalation log, named decision dates, named exec sponsorIf it's not written down, it didn't happen
Copy-paste AI prompt

Here's my function's snapshot [team size, key workflows, critical vendors, recent incidents]. Help me: (1) build a starter risk register across delivery / talent / compliance / security / vendor / knowledge-concentration / SPOF, (2) score each on probability × impact, (3) identify the top 3 risks to escalate this quarter, (4) draft the escalation comm for the highest-priority risk.

Between-session homework

  • Risk register built, top 10 risks scored.
  • Bus-factor audit complete; any factor-1 critical workflows have a 30-day mitigation plan.
  • Top-3 risks escalated upward with named decision dates.
  • Quarterly risk review added to operating cadence.

Success signal

By end of this module, you can name your top 5 organisational risks unprompted, your risk register is live (not a one-off exercise), and you've escalated at least one risk that previously sat in your head only.

Reviewer notes

CHRO (20+ yrs)

The CHRO and the GC together can build a complete risk picture; most directors only see their slice. Bring them yours and you become the leader they brief upward.

VP / Director (15+ yrs, 3+ scaled orgs)

Every reorg I've seen tried to fix risks that were named in someone's head for 18 months. Writing the register early is the most boring high-leverage thing you can do.

Sitting CEO

What I want from senior leaders is not zero risk — it's no surprise risk. Tell me what could break before it breaks and I'll back you on the mitigation.

OB / HR Professor (25+ yrs)

March & Shapira's behavioural risk research is consistent: managers under-weight low-probability/high-impact risks until after they materialise. The register is the cognitive prosthetic that corrects that bias.

Written by Pawan Joshi.Sources cited inline.
First published 30 Jun 2026See site changelog →