The steps

  1. Brainstorm risks across the financial, operational, clinical, WHS and reputational categories
  2. Score each risk on likelihood (1-5) and impact (1-5)
  3. Identify treatments — eliminate, mitigate, transfer (insure), accept
  4. Assign each risk an owner and review date
  5. Review quarterly in a leadership meeting
  6. Update after every incident, complaint and audit observation
  7. Report top risks to your board (if applicable)

Common mistakes to avoid

  • Empty risk register at audit
  • Risks logged but never reviewed
  • Treatment plans missing for high-priority risks