Stratisian OS v4.0 · Module 08 · New in v4.0

Risk & Continuity

Large companies have risk committees. An MSME has this module: one page of named risks, a plan for the people the business cannot lose, a playbook for the bad day, and the boring hygiene (insurance, backups, access control) that decides whether a bad day becomes a fatal one.

A. The Ten-Line Risk Register

Not a 40-tab enterprise matrix. Ten risks, one page, reviewed quarterly at the strategy sprint (Governance cadence). Score severity × likelihood, 1–5 each:

Risk (example)SevLikScoreMitigationOwner
Top customer (>30% of revenue) leaves5210Client-success triggers (M05); pipeline diversification targetFounder
Sole supplier of critical input fails5315Dual-sourcing + buffers (M07)Ops head
Key employee exits with undocumented knowledge4312SOP coverage + knowledge-safe exit (M04)HR
GST/VAT non-compliance penalty428Compliance dashboard reviewed monthly (M01)Finance
Ransomware / data loss428Backup + access protocol (Section E below)Digital owner
RULES: Every risk has exactly one owner (a name, not a department) · Score ≥12 requires a mitigation with a deadline, not a description · New risks enter only by displacing an old one; the register stays at ten lines, which forces honesty about what matters.

B. Key-Person Continuity (The "Hit-By-Bus" Protocol)

For each of the 3–5 people whose absence would stop the business (usually including the founder), maintain a continuity card:

// CONTINUITY CARD: [NAME / ROLE]

KNOWS: What lives only in their head? (Target: nothing; see SOP coverage)
HOLDS: Passwords, bank tokens, statutory signatures, licences in their name
DEPUTY: Named person who can run the function for 30 days at 80% quality
DRILL: Once a year, the person takes 2 weeks of genuinely unreachable leave.
What broke is next quarter's documentation list.

Founders: the deeper programme is the 'Hit By A Bus' SOP checklist plus the Founder Dependency Audit. Family businesses should pair this with a real succession plan; a guide publishes in the Vault in late July 2026.

C. The Incident Response Playbook

One playbook, any incident: quality escape at a client, cyber event, warehouse fire, regulatory notice. The steps don't change; only the specialists do:

HOUR 0 · CONTAIN: Stop the bleeding (halt shipments, isolate systems, secure the site). Named incident lead takes command, by default the most senior person present, not the most senior person in the company.

HOUR 0–4 · ASSESS: What do we actually know vs assume? Write the two lists down separately. Most incident damage comes from acting on assumptions.

HOUR 4–24 · COMMUNICATE: Affected customers hear it from you before they discover it. Script: what happened, what we've done, what happens next, when you'll hear from us again. No speculation, no blame.

DAY 2–7 · RESTORE: Run the workaround (buffer stock, secondary supplier, manual process) while the root fix is built.

DAY 14 · POSTMORTEM: Blameless, written, 5-whys. Output = one SOP changed, one risk-register line updated. An incident that doesn't change a document will repeat.

D. The Insurance & Contracts Checklist (India-GCC)

Cover / ClauseProtects AgainstMSME Note
Fire & allied perils + business interruptionAsset loss and the revenue gap while you rebuildBI cover is the one MSMEs skip, and the one that decides survival
Marine / transit coverGoods in movement across the corridorConfirm incoterms decide whose policy covers which leg
Trade credit insurance (ECGC India, Etihad Credit UAE)Buyer default on export receivablesPairs with the collections ladder (M03)
Key-person insuranceDeath/disability of founder or critical staffLenders increasingly ask for it; price it before they do
Cyber liabilityBreach costs, notification, ransomware responseUsually conditional on the basics in Section E; read the exclusions
Force-majeure & penalty clauses in customer contractsLiability for disruptions you didn't causeMirror your supplier POs and customer contracts, never promise downstream what you haven't secured upstream

*Insurance products and export-credit schemes vary by jurisdiction and change over time. Validate current cover options with your broker.

E. Access Control & Backup Basics

// THE MINIMUM VIABLE SECURITY STACK

1. PASSWORD MANAGER: Company-wide, with shared vaults per team. No password lives in a WhatsApp message or a diary.
2. 2FA EVERYWHERE: Banking, email, ERP, cloud drives. Non-negotiable for anything that moves money.
3. ROLE-BASED ACCESS: People get the access their role needs, not the access they ask for. Review quarterly; revoke on exit day (see exit protocol).
4. 3-2-1 BACKUPS: 3 copies, 2 media, 1 offsite/cloud, for the ERP, accounts data, and the SOP library itself.
5. RESTORE DRILL: Twice a year, actually restore a backup. An untested backup is a hope, not a system.

This OS requires an Operator.

You can try to install this yourself, or you can partner with us to deploy it in 90 days.

Book a Strategy Call