Risk & Continuity
Large companies have risk committees. An MSME has this module: one page of named risks, a plan for the people the business cannot lose, a playbook for the bad day, and the boring hygiene (insurance, backups, access control) that decides whether a bad day becomes a fatal one.
A. The Ten-Line Risk Register
Not a 40-tab enterprise matrix. Ten risks, one page, reviewed quarterly at the strategy sprint (Governance cadence). Score severity × likelihood, 1–5 each:
| Risk (example) | Sev | Lik | Score | Mitigation | Owner |
|---|---|---|---|---|---|
| Top customer (>30% of revenue) leaves | 5 | 2 | 10 | Client-success triggers (M05); pipeline diversification target | Founder |
| Sole supplier of critical input fails | 5 | 3 | 15 | Dual-sourcing + buffers (M07) | Ops head |
| Key employee exits with undocumented knowledge | 4 | 3 | 12 | SOP coverage + knowledge-safe exit (M04) | HR |
| GST/VAT non-compliance penalty | 4 | 2 | 8 | Compliance dashboard reviewed monthly (M01) | Finance |
| Ransomware / data loss | 4 | 2 | 8 | Backup + access protocol (Section E below) | Digital owner |
B. Key-Person Continuity (The "Hit-By-Bus" Protocol)
For each of the 3–5 people whose absence would stop the business (usually including the founder), maintain a continuity card:
KNOWS: What lives only in their head? (Target: nothing; see SOP coverage)
HOLDS: Passwords, bank tokens, statutory signatures, licences in their name
DEPUTY: Named person who can run the function for 30 days at 80% quality
DRILL: Once a year, the person takes 2 weeks of genuinely unreachable leave.
What broke is next quarter's documentation list.
Founders: the deeper programme is the 'Hit By A Bus' SOP checklist plus the Founder Dependency Audit. Family businesses should pair this with a real succession plan; a guide publishes in the Vault in late July 2026.
C. The Incident Response Playbook
One playbook, any incident: quality escape at a client, cyber event, warehouse fire, regulatory notice. The steps don't change; only the specialists do:
HOUR 0–4 · ASSESS: What do we actually know vs assume? Write the two lists down separately. Most incident damage comes from acting on assumptions.
HOUR 4–24 · COMMUNICATE: Affected customers hear it from you before they discover it. Script: what happened, what we've done, what happens next, when you'll hear from us again. No speculation, no blame.
DAY 2–7 · RESTORE: Run the workaround (buffer stock, secondary supplier, manual process) while the root fix is built.
DAY 14 · POSTMORTEM: Blameless, written, 5-whys. Output = one SOP changed, one risk-register line updated. An incident that doesn't change a document will repeat.
D. The Insurance & Contracts Checklist (India-GCC)
| Cover / Clause | Protects Against | MSME Note |
|---|---|---|
| Fire & allied perils + business interruption | Asset loss and the revenue gap while you rebuild | BI cover is the one MSMEs skip, and the one that decides survival |
| Marine / transit cover | Goods in movement across the corridor | Confirm incoterms decide whose policy covers which leg |
| Trade credit insurance (ECGC India, Etihad Credit UAE) | Buyer default on export receivables | Pairs with the collections ladder (M03) |
| Key-person insurance | Death/disability of founder or critical staff | Lenders increasingly ask for it; price it before they do |
| Cyber liability | Breach costs, notification, ransomware response | Usually conditional on the basics in Section E; read the exclusions |
| Force-majeure & penalty clauses in customer contracts | Liability for disruptions you didn't cause | Mirror your supplier POs and customer contracts, never promise downstream what you haven't secured upstream |
*Insurance products and export-credit schemes vary by jurisdiction and change over time. Validate current cover options with your broker.
E. Access Control & Backup Basics
1. PASSWORD MANAGER: Company-wide, with shared vaults per team. No password lives in a WhatsApp message or a diary.
2. 2FA EVERYWHERE: Banking, email, ERP, cloud drives. Non-negotiable for anything that moves money.
3. ROLE-BASED ACCESS: People get the access their role needs, not the access they ask for. Review quarterly; revoke on exit day (see exit protocol).
4. 3-2-1 BACKUPS: 3 copies, 2 media, 1 offsite/cloud, for the ERP, accounts data, and the SOP library itself.
5. RESTORE DRILL: Twice a year, actually restore a backup. An untested backup is a hope, not a system.
This OS requires an Operator.
You can try to install this yourself, or you can partner with us to deploy it in 90 days.
Book a Strategy Call