What could go wrong? A practical guide to reviewing risk

Nov 5, 2025 | Insights

Even the slickest businesses can get caught out

You’re busy scaling, growing the business. You’ve got great customers, cashflow is being managed and your team is delivering.

What could go wrong?

The question is not about pessimism. It’s good business sense. Even well-run businesses face risk, and the impact of getting caught off guard can be catastrophic. You don’t need a disaster to fail. You just need the wrong person off long-term sick, the wrong customer to default, or a critical system to break. Suddenly, your profit, operations, or reputation are on the line.

This guide to practical risk management is for business owners who want to be proactive, not paranoid.
We’ll walk through a practical framework to review and reduce risk in your business across people, process, cash, and compliance, without slowing you down or killing agility.


1. Key person risk: Who are you relying on too heavily?

Many businesses rely on one or two people who “just know how everything works.” It might be you, a co-founder, a finance manager, or a senior client handler. This isn’t inherently bad, but if their knowledge isn’t documented or shareable, you’ve got a single point of failure.
If they’re off sick, resign suddenly, or become unavailable during a critical moment…you’re exposed.

What to do:
• Identify key roles with critical knowledge (use a “bus test”: what happens if they’re unavailable tomorrow?).
• Create basic SOPs (standard operating procedures) for repeating tasks.
• Cross-train one backup person, even if they only step in occasionally.

“We lost our accounts manager for two weeks and couldn’t even access the payroll login. Now we have a handover protocol and backup credentials stored securely.”

2. Client and revenue concentration: Too many eggs in one basket?

Is more than 25% of your revenue tied to one customer or contract? This is common in service businesses and high-ticket product firms, but it’s risky. If that client cuts spend, goes bust, or brings work in-house, it creates an immediate financial hole.
Even if the client is reliable today, strategic dependence can creep up over time.

How to review:
• Run a revenue concentration report by client or product line.
• Set a red flag at 25% concentration from any single source.
• Build contingency plans: e.g. retainers with notice periods, pipeline diversification.

“When our biggest client changed strategy, our sales dropped 32% overnight. Since then, we’ve implemented a sales cap for all new accounts and built a 90-day cash buffer.”

3. Cash reserves and financial buffers: Are you built for resilience?

Many businesses assume that if there’s money in the bank, they’re fine. But is it enough?

Ask yourself: how long could you operate if income paused today?
Events like late-paying customers, seasonal dips, delayed projects, or one-off liabilities (tax liabilities, legal fees, hardware failure) can hit suddenly.

What to build:
• A cash reserve of at least 2–3 months’ fixed costs.
• Clear separation between working capital and long-term investments.
• A contingency credit facility (not to rely on, but to keep options open).

Also consider: what would you cut or pause first if needed? Know that before you need to act.

4. Legal and compliance blind spots: What’s out of date or missing?

You don’t need to be in a regulated industry to have legal exposure.

Common oversights include:
• Outdated client contracts.
• No formal data protection policy.
• Staff working without contracts or clear roles.
• Ignoring insurance changes or expiry dates.

Quick fixes:
• Review your T&Cs at least annually, especially if pricing or delivery models change.
• Make sure employment contracts and handbooks reflect reality.
• Ensure you’re registered for GDPR (ICO), and have clear privacy documentation.
• Confirm insurance levels (public liability, professional indemnity, cyber) still match risk.

5. Technology and cyber risk: How vulnerable are your systems?

Even small businesses are targets for cyber-attacks. The costs of downtime, data breaches or ransomware aren’t just technical; they’re reputational, operational, and potentially legal.

And it’s not just hackers. Many small business issues stem from:
• Poor password hygiene.
• No backups or recovery plan.
• Over-reliance on one piece of software or hosting provider.

What to check:
• Use password managers and multi-factor authentication (MFA) across key systems.
• Back up critical data daily and test your restore process quarterly.
• Document a basic disaster recovery plan: who does what, and when?

6. Operational risk: What process failures would derail delivery?

Every business has critical workflows. If one of them breaks, can your team step in and fix it, or does everything grind to a halt?

Examples:
• No clarity on who follows up with clients if a project runs late.
• No system for quality checking product orders or fulfilment.
• No centralised way of tracking delivery across teams.

To review:
• Map your top 3–5 workflows (e.g. customer onboarding, product delivery, financial reporting)
• Identify where delays or errors most often occur
• Clarify who owns each step and what backup process exists

Sometimes risk comes not from a single disaster, but from 10 small friction points that compound.

7. Reputation risk: What’s the customer experience under pressure?

A key part of risk management is understanding how your business behaves under stress.

What happens to service quality when:
• A project overruns?
• A customer has a complaint?
• Your usual contact is unavailable?

The reputational fallout of poor handling can last longer than the problem itself.

Ways to manage this:
• Draft simple response templates or escalation protocols.
• Make sure more than one team member can communicate with key clients.
• Monitor feedback channels (Google reviews, Trustpilot, socials) and respond promptly.

“We had one delivery delay turn into a PR problem because no one replied to the customer for 3 days. We now track all queries centrally and have 2 named contacts per account.”

8. Supplier and third-party dependency: Do your partners have their own risks?

Whether you use outsourced IT, fulfilment centres, software platforms or white-labelled services, their failure becomes your problem.
You don’t need to bring everything in-house, but you should understand:

• Who your critical suppliers are.
• What their own resilience looks like.
• What contingencies you have if they fail or go offline.

Questions to ask:
• Do we have backups or alternatives if this supplier/vendor folds?
• Do we rely on a single individual for tech or support?
• Can we access our own data or systems independently?

Risk doesn’t stop at your business boundary.

9. Team and culture risk: Will your people stay during turbulence?

Retention isn’t just a growth concern; it’s also a risk factor.
If morale is low, progression is unclear, or expectations are misaligned, your best people may leave when you need them most.
And one sudden resignation can leave a skills gap, morale dip, and productivity drop you weren’t expecting.

What to review:
• Are roles, expectations and progression clear?
• Are there documented handovers or training plans in place?
• When was the last time you checked in with your team informally?

How to build a practical risk review habit

You don’t need a 50-page audit or a risk register the size of a novel.

Instead, build a lightweight periodic review:
• Review the 9 areas above across the year
• Document key risks + current mitigations
• Assign an owner to each action and track quarterly

Make risk review a leadership habit, not a crisis response.

Resilience is a strategy

Risk management isn’t about expecting the worst. It’s about giving yourself choices when things change.

When you spot risks early:
• You can solve problems before they escalate
• You protect your team and your customers
• You keep growing with confidence

The best time to fix a leak is before the storm.

Want Our Help?
Explore our plans to see how we can support you in building your risk register via our ‘What Could Go Wrong: A Practical Risk Review’ advisory session.

This blog is for general information only and does not constitute professional advice. Always seek tailored advice relevant to your specific circumstances before making decisions based on this content.

 
