Does anyone have a risk register and if so, how do you manage it?

Hey peeps,

We have a risk register that currently lives in a spreadsheet. I’d like to know how other co-ops/orgs manage their risks, and how they do it. Here are some prompts :smiley:

  • What format is it?
  • Who looks at it and how frequently?
  • (and the golden question) how do you prevent it from becoming a biiiiig spreadsheet that no-one wants to open because it’s just too much to look at it. So I guess my question is, how do you manage it safely?

Thanks, can’t wait for all the answers to come flowing in :relaxed:

Hi Kayleigh,

We’ve just started over the last 6 months or so at Co-operative Web getting to grips with this within our ISO team. We have a spreadsheet that we review as part of our regular management meetings alongside our DPO to keep it under some control. Let us know if we can do anything to help.



Ours is a big spreadsheet! We’ve split it up into separate sheets for Finance, Tech, Biz Dev, Welfare, etc (~10 in total), and we use a probability/impact/proximity/response model to record risks.

Each sheet broadly corresponds to a group with responsibility for that area of our work, who update it as and when they want to give it some attention. In practice, there’s a few individuals who are particularly dedicated to the cause who do 90%+ of the work, and most of the rest of us are glad they do!

We don’t use it as much as we should; we’re still working out how we choose what to prioritise in terms of co-op development (6 years in!) and we should really use it as more of a source of information about our business context than we do when making those kinds of decisions.


To add to Rob’s answer, I see three uses for our risk register:

  1. Making it in the first place, which helped us figure out what we were worried about and which of those things weren’t that big of a deal;
  2. Updating it as new info comes in or on a regular cadence. I think this is very useful, just as a way of processing thoughts.
  3. Doing a meta-review of the co-op against the mitigation strategies that we have outlined. Writing down a mitigation strategy and then realising six months later “oh shit, we could never do that” is a very good motivator for change. This is the most valuable practice for me but not something we formalise.

The challenges are:

  1. Interconnected and cascading risks are not well represented in a risk register format. (But could be with a bit of data magic?)
  2. Having a functioning escalation system. I don’t think we have this figured out, particularly around risks that I would describe as “smouldering”.
  3. Turning the idea of mitigation into the actual work of mitigation.

So, overall, I see it as a useful bit of information infrastructure but, at the same time, worry that it gives us the illusion of managing risk without actually doing so!


This is so helpful and summarises what I am grappling with, particularly:

  1. Turning the idea of mitigation into the actual work of mitigation.

I also think it’s healthy to get things onto a spreaddie/somewhere that isn’t just our brain, and to add to that - it’s good to get an insight into all of the things we need to think about as business owners. It sounds like we do it in a similar way to what @robredpath has described (although it’s all on one tab!). Do you think you’d be up for sharing a blank template with me so that I can see how it works? I am wondering if I should try and design a workflow and talk to someone with better Excel skillz than me (that’s anyone, btw)

Thanks @mattjhnprc, what is an ISO team and what is DPO?

I’d be interested in seeing a blank template if you’re able to share one?


The ISO Team is just the people within Co-operative Web who are responsible for our information security and any related certifications. DPO is data protection officer, we employ a third party to handle that to advise on any potential issues around data protection and if there was an issue, the steps we would need to take.

Shouldn’t be an issue with getting you a blank template, I’ll sort one and send it.


I’ll send a blank copy over @Kayleigh!