
How to Build a Risk Register That You'll Actually Use

A Destin real estate office lost 3 days of deals when their email went down—because nobody had written down who to call.

Last updated: March 20, 2026

The Destin real estate office had a problem. Their email provider went dark on a Friday afternoon. By Monday morning, they'd lost $47,000 in deals that couldn't be coordinated, contracts that couldn't be signed, and leads that went cold.

Why? Because nobody had written down the IT vendor's phone number. The owner's contact was on his personal phone, which was dead. The office manager's contact was "somewhere in her email." Three days of scrambling, and $47,000 in lost commissions.

A risk register isn't a consultant's document. It's a list of what can go wrong, what it would cost you, and what you're going to do about it. Here's how to build one in an afternoon.

What a Risk Register Actually Is

A risk register is a spreadsheet with three columns:

  1. What can go wrong
  2. How bad would it be (impact)
  3. What are we doing about it

That's it. You can make it fancy later. For now, just get it documented.

Step-by-Step: Building Yours

Step 1: List your critical business functions.

For a typical Gulf Coast SMB, this looks like:

  • Email and communications
  • Payment processing (card reader, online payments)
  • Customer records and data
  • Point of sale system
  • Internal file storage
  • Vendor/supplier ordering systems
  • Phones (landline and/or mobile)

Step 2: For each function, ask:

  • What would happen if this stopped working for 1 day?
  • For 1 week?
  • What's the dollar cost of that downtime?

Step 3: List what could cause that failure.

Common culprits:

  • Vendor outage (the company that provides the service goes down)
  • Cyber attack (ransomware, phishing)
  • Hardware failure (computer dies, server fails)
  • Natural disaster (hurricane, flood, power outage)
  • Staff error (accidental deletion, wrong configuration)
  • Key person dependency (only one person knows how to run it)

Step 4: Assess likelihood and impact.

Rate each risk on:

  • Likelihood: Low / Medium / High
  • Impact: Low (under $1,000) / Medium ($1,000 to $10,000) / High (over $10,000)
  • Recovery Time: Hours / Days / Weeks

Step 5: Document your recovery plan.

For each High-impact risk, write down:

  • Who to call (name and phone number)
  • What to do first
  • Where backups/data are located
  • Who holds the access credentials (name the person and where the password manager or vault lives; never paste the passwords themselves into the register)

What This Costs

Do it yourself: 2-4 hours of your time. Free.

Templates: Microsoft has free risk register templates at templates.office.com. Search "risk register."

Risk management software: Not needed for businesses under 50 employees. A shared spreadsheet works fine.

Consultant to build it: $150-$300/hour, typically 4-8 hours. You don't need this for your first register. Build it yourself first.

What Can Actually Go Wrong

Building it and never looking at it again. Your risk register is a living document. If you build it and it sits in a folder until next year, it won't help you. Schedule quarterly reviews.

Listing risks you can't influence. "Hurricane" belongs on the list, but you can't change its likelihood, so the row is useless unless the mitigation column targets impact instead: do you have an offsite backup of your customer data? Do you have vendor contact information documented somewhere that isn't in the building? If neither likelihood nor impact can be reduced by anything you'd actually do, the row is a worry, not a risk entry.

Treating all risks as equal. Your email going down for a day is a 9/10 priority. Your printer jam is a 2/10. Don't spend equal time on both.

Forgetting about single points of failure. What happens if one piece of equipment fails and takes down everything? A restaurant learned this when their single router failed and killed their POS system, internet, and phone simultaneously during dinner rush.

Vendor Questions (Copy/Paste)

1. Do you have documented incident response procedures that we can review before signing up?

2. What is your actual average response time for support requests, and how do you measure it?

3. Do you provide a written handover after each project covering configurations, contacts, and which administrative accounts exist, with our business holding the owner/admin credentials (delivered through a password manager, not listed in the document)?

4. Can you provide references from 3 clients in the hospitality/retail/[your industry] sector?

5. What happens to our data and configurations if we decide to switch vendors?

Minimum Viable Implementation (Do This Today)

  1. Open a new spreadsheet. Columns: Asset/Function | Risk | Likelihood (H/M/L) | Impact (H/M/L) | Owner | Mitigation | Recovery Contact | Last Reviewed

  2. Fill in the first 5 rows. Focus on: Email, Payment Processing, Customer Data, Phone/Internet, POS System.

  3. For each row, write one sentence describing what you'd do in the first hour if that system failed.

  4. Find and write down one phone number for each critical vendor.

  5. Save this spreadsheet in at least two places: your computer and somewhere your spouse/second-in-command can reach it when the office systems are down (a printed copy in the safe, or a note on a phone). A register that lives only in your email is useless on the day your email fails, which is exactly what happened in Destin.

  6. Set a calendar reminder for 90 days from now to review and update.
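Steps 1 through 5 above and the spreadsheet in the Minimum Viable Implementation can be scored mechanically once the columns are filled in. The following Python is an added example, not code from the article or its authors: it reads the register's columns from CSV (the rows and phone numbers are constructed sample data, not a real business), computes a 1-to-9 priority from likelihood times impact, and flags the gaps the article warns about: a high-priority row with no mitigation, a high-priority row with no recovery contact, a row past its 90-day review, and one contact that several critical functions all depend on (the single point of failure the restaurant router story illustrates). The column names, the 1/2/3 scale and the threshold of 6 for "high priority" are assumptions made for the example.

```python
"""Risk register scorer, an added example built around the article's columns."""
import csv
import io
from collections import defaultdict
from datetime import date

# Qualitative scale from the article (Low / Medium / High) mapped to 1 / 2 / 3.
LEVELS = {"L": 1, "M": 2, "H": 3}
HIGH_PRIORITY = 6   # likelihood x impact at or above this needs the full recovery plan
REVIEW_DAYS = 90    # the article's quarterly review cadence

# Constructed sample register in the article's column layout. Names and phone
# numbers are invented (555 numbers) and do not belong to any real vendor.
SAMPLE_CSV = """Asset/Function,Risk,Likelihood,Impact,Owner,Mitigation,Recovery Contact,Last Reviewed
Email,Vendor outage,M,H,Owner,Secondary contact list on paper,IT vendor 850-555-0100,2026-01-10
Payment Processing,Card reader hardware failure,M,H,Manager,Spare reader in safe,Processor support 800-555-0101,2025-09-01
Customer Data,Ransomware,M,H,Owner,,IT vendor 850-555-0100,2026-03-01
Phone/Internet,Single router failure,M,H,Owner,LTE hotspot fallback,ISP 800-555-0102,2026-03-15
POS System,Staff misconfiguration,L,M,Manager,Config backup exported monthly,POS vendor 800-555-0103,2026-02-20
Printer,Paper jam,H,L,Manager,Spare printer,,2026-03-15
"""


def load_register(csv_text):
    """Parse the spreadsheet (exported as CSV) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def score(row):
    """Priority = likelihood x impact on the 1-3 scale, so 1 (ignore) to 9 (urgent)."""
    return LEVELS[row["Likelihood"].strip().upper()] * LEVELS[row["Impact"].strip().upper()]


def prioritize(rows):
    """Highest score first; ties keep spreadsheet order (sorted is stable)."""
    return sorted(rows, key=score, reverse=True)


def find_gaps(rows, today_iso=None):
    """Return (asset, problem) pairs for the register failure modes the article warns about."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    gaps = []
    contacts = defaultdict(list)  # recovery contact -> high-priority assets relying on it
    for row in rows:
        asset = row["Asset/Function"]
        s = score(row)
        contact = row["Recovery Contact"].strip()
        if s >= HIGH_PRIORITY and not row["Mitigation"].strip():
            gaps.append((asset, "high-priority risk with no mitigation"))
        if s >= HIGH_PRIORITY and not contact:
            gaps.append((asset, "no recovery contact recorded"))
        age = (today - date.fromisoformat(row["Last Reviewed"])).days
        if age > REVIEW_DAYS:
            gaps.append((asset, f"not reviewed in {age} days"))
        if s >= HIGH_PRIORITY and contact:
            contacts[contact].append(asset)
    # Single point of failure check: one vendor or person is the only recovery
    # contact for several high-priority functions, so one outage hits all of them.
    for contact, assets in contacts.items():
        if len(assets) > 1:
            gaps.append((", ".join(assets), f"all depend on one contact: {contact}"))
    return gaps


if __name__ == "__main__":
    register = load_register(SAMPLE_CSV)
    print("Priority order:")
    for row in prioritize(register):
        print(f"  {score(row)}  {row['Asset/Function']}: {row['Risk']}")
    print("Gaps:")
    for asset, problem in find_gaps(register, "2026-03-20"):
        print(f"  {asset}: {problem}")
```

Run it and the printer jam drops to the bottom while the four customer-facing functions tie at 6; the gap list is what to fix before the next quarterly review, and the "all depend on one contact" line is the register telling you that the IT vendor's phone number is the single most important cell in the sheet.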

When to Hire Help

Hire now if:

  • You have more than 10 employees and no documented IT recovery procedures
  • You've had a security incident (phishing, breach, ransomware) in the past 12 months
  • You're in a regulated industry (healthcare, legal, financial) and need documented compliance
  • Your business has hit $2M+ annual revenue and you're seeking bank financing (lenders want to see documented risk management)

You can wait if:

  • You're a startup or micro-business with fewer than 5 employees
  • Your technology stack is simple (mostly cloud services like QuickBooks, Gmail, Stripe)
  • You've never had a significant technology outage

Need Help Implementing This?

If you'd like guidance tailored to your specific infrastructure, we offer focused consultations. No sales pressure, just practical next steps.
