So, You Own Risk Now
Part 1 of a six-part series on what happens when a capable Finance Manager gets handed risk management and no one gives them a map.

TL;DR
If you’ve just been handed “risk” as part of your role, your first instinct will probably be to download a template, look at software, or bring in a consultant.
None of those are wrong. They’re just usually done in the wrong order.
Start with the business. Talk to your people. Work out where you’re actually exposed. Build a simple first cut that reflects reality.
This article kicks off a six-part series on how to do that properly, without overcomplicating it.
The handover
I’ve seen this movie a few times now.
End of the Board meeting. Papers are half-packed away. One director says, “I don’t think we’ve got a clear line of sight on our top risks or how they’re being managed.”
No one argues.
The CEO nods. The CFO nods. Then both of them look at the Finance Manager.
Let’s call her Jess.
Jess is smart. Organised. Trusted. Good with numbers. Good with detail. Good at getting things done. She also has no formal background in risk management.
Which is exactly why the job lands with her.
That’s how this usually starts. Not with a grand strategy. With a glance across the table.
Now, to be fair, the organisation hasn’t ignored risk. There are policies. Insurance. Delegations. A few controls that work because good people have been holding things together. What it doesn’t have is a deliberate risk process. No common language. No usable register. No clear view that the Board can look at and say, “Right. I can see the picture.”
So Jess gets the brief.
Can you ‘sort out’ risk?
It sounds manageable. That’s the dangerous part.
Because from the outside, risk management can be seen as a document problem. Find the right template. Fill it in. Tidy it up. Put it in the Board pack. Done.
That is not how it goes.
The wrong first moves
So Jess does what most sensible people do first.
She opens Google.
Over the next week she downloads three risk register templates, skims summaries of ISO 31000, reads a couple of articles from firms that say a lot without saying much, and starts building a spreadsheet.
By Thursday she has six tabs open, three different rating scales, and less clarity than when she started.
One template is clearly built for government. One feels like it came out of a bank. One is trying so hard to be comprehensive that it turns every operational inconvenience into an enterprise risk.
She starts stitching them together anyway.
Cybersecurity. Fraud. WHS. Loss of key staff. Regulatory change. System outage. Reputational damage. Vendor failure.
All true. None very helpful.
Google is full of risk templates written for someone else’s organisation.
That’s the first trap.
A template is not a framework.
A template can help once you already understand your business, your language, your controls, your decision-making, and what the Board actually wants to see. Before that, it just gives you a very efficient way to document your confusion.
And the thing is, templates feel productive. They create motion. You can point to a spreadsheet. You can say, “We’ve started.”
But if the content inside it isn’t grounded in how the organisation actually works, it becomes shelf-ware. It gets shown once. Maybe twice. Then it dies quietly in a folder called Governance.
Jess can feel that happening. She’s got 47 lines in a spreadsheet and no real confidence that the top-rated risks are the right ones.
So the next thought shows up.
Maybe we need a consultant.
That is not a stupid instinct. Good consultants can save months. They can facilitate conversations management would otherwise avoid. They can sit in the room, pull half-formed concerns out of people’s heads, and turn them into risk language the Board can actually use.
That’s valuable work.
But there are two catches.
First, it costs money. Real money. Not outrageous money, necessarily. Just enough that it gets noticed. Especially in an organisation that wasn’t planning to fund a risk uplift this quarter.
Second, and more importantly, outsourced thinking has a shelf life.
If a consultant disappears and the organisation can’t explain its own framework without them, you haven’t built capability. You’ve bought a document.
That’s the second trap.
A consultant should accelerate your thinking, not replace it.
So Jess hesitates. Then the third obvious idea arrives.
Maybe we need software.
This is usually about week three.
A link gets forwarded. Then another. A few demos get booked. Jess finds herself looking at dashboards, control libraries, workflow engines, automated reminders, attestations, incident modules, and pricing that assumes risk is already a mature function inside the business.
It all looks impressive.
It also doesn’t solve her actual problem.
She still doesn’t know, in plain English, what the organisation’s top risks are. She still doesn’t know whether the Board wants oversight, reassurance, or early warning. She still doesn’t know where management is genuinely exposed versus merely uncomfortable.
Software before thinking just digitises confusion.
That’s the third trap.
The order matters. More than people think.
Where it finally clicks
So Jess stops.
She closes the browser. Stops hunting for the perfect template. Stops looking for someone else’s answer. Stops pretending the problem is documentation.
And she starts with the business.
Not theory. The business.
She pulls out the strategic plan. The last few Board papers. Recent incidents. Audit findings. Complaints. Insurance claims. Budget pressure points. The big contract renewal nobody wants to talk about too directly. The legacy system everyone complains about but no one has time to replace. The awkward fact that one critical process lives mostly in the head of a single long-serving staff member.
Real life.
Then over the next ten days she books a series of short conversations. Operations. IT. HR. The CEO. A couple of line managers. The quiet operator who always seems calm and usually knows where the cracks are before anyone else does.
She doesn’t ask them to “identify enterprise risks”. Most people don’t think like that.
She asks simpler questions.
- What could stop you hitting your goals this year?
- Where are we too reliant on one person, one process, or one customer?
- What keeps going wrong, or nearly going wrong, that we’ve started treating as normal?
Now she’s getting somewhere.
The same themes keep coming back. Not in neat risk language. In operational language. Funding concentration. Key person dependency. Weak contract management. Patchy compliance habits. Cyber exposure sitting inside old processes. Managers carrying workarounds because the business has been too busy growing to clean things up properly.
That’s the moment risk management stops being abstract and starts being useful.
Jess drafts twelve risks. Not fifty-two. Twelve.
Each one is written in plain English. Each one links back to something real. Each one has an owner. Each one notes what’s already in place and what still needs attention.
At this point the organisation still doesn’t have a polished framework. Good.
What it has is something far more useful: an honest first draft.
That first cut is messy, of course. A couple of risks overlap. One executive pushes back because a risk description makes their area look exposed. Another tries to add a list of overdue tasks that are really actions, not risks. Someone else wants everything rated “medium” because it feels safer politically.
Normal.
Useful, even.
Because now the organisation is finally having the right conversation.
Not “what colour should this cell be?”
An actual conversation.
- What are we most exposed to?
- How bad could it get?
- What are we already doing?
- What are we not doing?
- Who owns it?
That’s the real work. A lot of early-stage risk management is just translation. Taking what people already know deep in the business and converting it into language the Board can use to govern.
Once Jess gets that, the whole thing changes.
She realises she does not need to become a career risk professional by next Thursday. She needs to create enough shared understanding that the next decision is better than the last one. That the Board can see the picture. That management can act on it. That the organisation stops pretending.
What this usually means
Most first moves in risk management are completely understandable.
Download a template. Call a consultant. Look at software.
None of those are ridiculous. They’re just often taken in the wrong order.
Here’s what I keep seeing.
People reach for polish before they have clarity.
They buy structure before they’ve worked out what they’re trying to structure.
They rush to produce a register before they’ve had the conversations that make a register worth reading.
The better sequence is much simpler.
Get clear on why the Board is asking now. Talk to the people closest to the work. Work out where the organisation is genuinely exposed. Build a first cut that reflects reality, not theory. Then decide what support, structure and technology you need to make it stick.
That is a very different path from buying a polished answer and hoping the organisation grows into it.
And for most SMEs, NFPs, schools, aged care providers, associations, and mid-sized businesses, that’s the right starting point.
Not a gold-plated enterprise risk program.
Minimum viable risk.
Enough structure to see clearly. Enough discipline to act. Not so much machinery that the whole thing collapses under its own weight.
Where we go next
If this story feels familiar, good. It means you’re normal.
It also means the next step is not more jargon. It’s a practical path forward.
Over the next five weeks I’m going to work through the parts that usually come next:
- How to assess your current level of maturity
- How to build a risk register people will actually use
- How to set a risk appetite when no one has ever properly articulated one before
- How to get buy-in from the people who matter
- What “good enough” really looks like when you don’t have the budget, time, or appetite for a heavyweight framework
That’s where this gets useful.
Because once you’ve got the first draft on the table, the real questions start.
- How mature are we, really?
- What level of risk are we prepared to accept?
- Who actually needs to be on board?
- What’s the smallest system that will still work?
Those are the questions worth spending time on.
If you’re in this spot right now, this is exactly the kind of work we do with organisations every week. Sometimes that means a Board workshop. Sometimes it means helping an executive team turn a fuzzy set of concerns into a usable framework. Sometimes it means putting the right technology underneath it so the whole thing doesn’t drift back into spreadsheets and wishful thinking.
The platform makes the ongoing management simple. But the real value is in getting the thinking right first.
If that sounds like your organisation, reach out. A conversation is usually the best place to start.