Risk Reporting for Small and Medium Businesses and Not-for-Profits

How to turn a 50+ line operational risk register into clear, strategic board reporting

Mark Scales


The Real Problem CEOs Are Raising

Over the past few months, I’ve had the same conversation with multiple CEOs:

“We’ve got a risk register. It’s in Excel or SharePoint. It’s got 50 or 60 risks in it. But I don’t know how to turn that into something useful for the Board.”

This is one of the most common governance maturity gaps in small and medium businesses and not-for-profits.

The executive team manages operational risks. The board needs strategic oversight.

But what gets presented is often:

  • A full export of the operational register
  • Long lists of low-level risks
  • Risk ratings that haven’t been updated in months
  • No clear link to strategy
  • No visibility of what’s actually outside appetite

The result?

Directors either:

  • Dive into operational detail (because that’s what they see), or
  • Lose confidence that they’re getting the full picture.

Neither outcome reflects strong governance.


TL;DR

If your board pack includes a spreadsheet dump of 50+ operational risks, you’re not reporting risk strategically.

The fix is simple (but takes some effort to set up):

  1. Establish clear Strategic Risk Classes
  2. Define measurable Risk Appetite Statements
  3. Report on an exception basis, focusing only on risks outside appetite

This is how StartRisk helps small and medium businesses (SMEs) and not-for-profits (NFPs) move from operational noise to strategic clarity.


Why Sharing the Whole Risk Register with the Board Is Not Good Practice

It feels transparent. It feels thorough. But it’s rarely effective.

1. It Creates Information Overload

Fifty risks presented equally suggests they’re equally important. They’re not.

Boards need prioritisation, not volume.


2. It Drives Operational Conversations

If a board sees:

  • “Delayed supplier invoice processing”
  • “Single staff member trained in payroll”
  • “Outdated laptop fleet”

They will naturally ask operational questions.

That shifts board focus away from:

  • Strategy
  • Financial sustainability
  • Compliance exposure
  • Reputation
  • Long-term resilience

3. It Disconnects Risk from Strategy

A list of risks without structure doesn’t answer:

  • Which strategic objective does this threaten?
  • Is this risk within appetite?
  • Is our exposure increasing or decreasing?
  • Who owns this risk at a senior level?

Without structure, risk reporting becomes a compliance exercise, not a decision-support tool.


The StartRisk Approach: From Operational List to Strategic View

At StartRisk, we restructure reporting around three core building blocks:

  1. Strategic Risk Classes
  2. Clear Risk Appetite Statements
  3. Exception-Based Reporting

Together, these create what we call:

Strategic Risk Alignment
A reporting model where every operational risk links to a strategic class and is assessed against defined appetite, allowing boards to focus only on what matters.


Step 1: Establish Strategic Risk Classes

Strategic Risk Classes are high-level categories aligned to your strategy.

Typical examples for SMEs and NFPs:

  • Financial Sustainability
  • Fundraising Effectiveness
  • Service Delivery & Operations
  • People & Capability
  • Compliance & Legal
  • Cyber & Technology
  • Reputation & Stakeholder Trust

Every operational risk must map to one of these classes.

  Operational Risk                       Strategic Risk Class
  ------------------------------------   -------------------------
  Overspending against budget            Financial Sustainability
  Data breach via phishing               Cyber & Technology
  Inconsistent client documentation      Compliance & Legal
  Inability to attract younger donors    Fundraising Effectiveness

This allows you to group risks based on their primary strategic impact, so your Board is looking at 6–8 strategic categories with aggregated exposure.

Strategic risk classes should be defined and agreed with the Board.
This exercise supports building strong alignment and improves risk culture.


Step 2: Define Practical Risk Appetite Statements

Risk appetite is the mechanism that allows Boards to distinguish between acceptable exposure and escalation-level risk.

A risk appetite statement answers:

“How much risk are we willing to accept in this area in pursuit of our objectives?”

We work with four risk appetite settings as shown in the table below.

Table outlining StartRisk appetite levels including Avoid, Resist, Accept and Encourage

Once appetite is defined, each risk can be assessed as either within appetite or outside appetite based on its residual risk rating.

This enables focused, exception-based reporting.


Step 3: Move to Exception-Based Reporting

Instead of presenting all 50 risks, a board report should show:

  • Strategic Risk Class
  • Overall exposure rating
  • Risks outside appetite

Example Board View

Image 1 shows an extract from a StartRisk Strategic Risk Class Status Report listing each strategic risk class, its current risk rating and its current risk position relative to risk appetite. One risk class, Postal Operations Risk, is outside appetite, which is indicated by a red risk position indicator.

Image 2 shows an extract from a StartRisk report giving the detail of a risk that is currently outside appetite, "Vandalism or Physical Tampering at Unmanned Sites": the risk title and description, current controls, planned controls, and the current and forecast risk position. The risk is currently outside appetite, as shown by a red risk position indicator, but is forecast to be within appetite once the planned control, CCTV monitoring, is implemented.

Exception-based reporting enables strategic board conversations.
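As an added illustration of the three steps above (this is example code, not StartRisk's own code or output), the Python below maps a constructed operational register to Strategic Risk Classes, tests each residual rating against an appetite ceiling, aggregates exposure per class, and returns only the exceptions, including the forecast position once a planned control is in place. The four-point rating scale, the thresholds behind Avoid/Resist/Accept/Encourage, the ratings and the planned control are all assumptions; the page's appetite table is an image and states no thresholds.

```python
from collections import defaultdict
from dataclasses import dataclass
RATING_ORDER = ["Low", "Medium", "High", "Extreme"]  # assumed four-point residual scale
# Assumed ceiling per appetite setting (highest residual rating still within appetite).
# The page's appetite table is an image, so these thresholds are constructed, not StartRisk's.
APPETITE_CEILING = {"Avoid": "Low", "Resist": "Medium", "Accept": "High", "Encourage": "Extreme"}

@dataclass
class Risk:
    title: str
    risk_class: str              # one of the agreed Strategic Risk Classes
    residual: str                # current residual rating
    planned_control: str = ""    # optional: a control not yet implemented
    forecast_residual: str = ""  # expected rating once the planned control is in place

def outside_appetite(rating, setting):
    return RATING_ORDER.index(rating) > RATING_ORDER.index(APPETITE_CEILING[setting])

def class_row(risks, setting):  # aggregate one Strategic Risk Class for the Board view
    exceptions = [r for r in risks if outside_appetite(r.residual, setting)]
    return {"appetite": setting,
            "overall_exposure": max((r.residual for r in risks), key=RATING_ORDER.index),
            "within_appetite": not exceptions,
            "exceptions": [{"title": r.title, "current": r.residual, "planned_control": r.planned_control,
                            "forecast_within_appetite": bool(r.forecast_residual)
                            and not outside_appetite(r.forecast_residual, setting)}
                           for r in exceptions]}

def board_view(register, appetite):  # one row per Strategic Risk Class
    by_class = defaultdict(list)
    for r in register:
        if r.risk_class not in appetite:  # every operational risk must map to an agreed class
            raise ValueError(f"unmapped risk class: {r.risk_class!r}")
        by_class[r.risk_class].append(r)
    return {cls: class_row(risks, appetite[cls]) for cls, risks in by_class.items()}

def exception_report(view):  # exception basis: only classes outside appetite reach the pack
    return {cls: row for cls, row in view.items() if not row["within_appetite"]}

# Constructed sample register: risk titles from the page, ratings and controls assumed.
REGISTER = [
    Risk("Overspending against budget", "Financial Sustainability", "High"),
    Risk("Data breach via phishing", "Cyber & Technology", "Medium",
         planned_control="Phishing-resistant MFA", forecast_residual="Low"),
    Risk("Outdated laptop fleet", "Cyber & Technology", "Low"),
    Risk("Single staff member trained in payroll", "People & Capability", "Medium"),
]
APPETITE = {"Financial Sustainability": "Resist", "Cyber & Technology": "Avoid",
            "People & Capability": "Accept"}
```

Running exception_report(board_view(REGISTER, APPETITE)) on this sample returns only Financial Sustainability and Cyber & Technology; People & Capability stays off the Board pack because its Medium exposure sits within an Accept appetite.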


Why This Matters More Than Ever

Boards face increasing scrutiny while directors carry personal accountability.

Funders and regulators expect stronger governance from not-for-profits, regardless of their size or funding.

Small and medium businesses operate with the same key threats as large businesses:

  • Cyber threats
  • Funding volatility
  • Workforce shortages
  • Compliance pressure

Strategic risk reporting keeps your business focussed on what matters most, so you can make the best use of limited resources.


Food For Thought

If your board pack still includes a full export of your operational risk register, ask yourself:

Is this helping directors make better decisions — or just proving that risks exist?
Risk reporting should reduce noise, not create it.


How StartRisk Supports This

StartRisk has been built to provide SMEs and NFPs with an option between manual spreadsheets and enterprise GRC.

From as little as $29 per month, StartRisk provides:

  • AI-assisted mapping of operational risks to strategic classes
  • Structured appetite capture and monitoring
  • Automated identification of risks outside appetite
  • Board-ready reporting aligned to governance best practice

Instead of spending hours manipulating spreadsheets, executives can produce Board-ready risk reporting in seconds, allowing them to focus on:

  • Decision-making
  • Resource allocation
  • Control improvements
  • Strategic trade-offs

Best of all, you can have StartRisk up and running in minutes, not months.

If you’re ready to lift the quality of your Board risk reporting, you can start now.

Or, if you want to talk with a StartRisk expert, you can book a call here.