Find the Risk in 60 Seconds: Your 6-Week Business Risk Playbook

Risk management can feel overwhelming when treated as a large, one-time exercise.

The Find the Risk in 60 Seconds series takes a different approach: short, focused conversations that can fit into regular leadership meetings.

These quick checklists, spread over six weeks, assist leaders in pinpointing the actual areas of risk concentration within their organization.

Each week focuses on a different layer of business risk.

Week 1: Shadow IT: The Tools You Don’t See

Focus: understanding which tools teams use that may not be formally approved.

Questions to explore:

• What cloud and SaaS tools are in use across teams? • Which ones integrate with core systems or handle sensitive data? • How visible are these tools to central IT or security functions?

Suggested activity:

Have each team list their most-used tools, noting any unofficial or new ones.

Week 2: Access Controls: Who Can See What?

Focus: understanding how access to sensitive systems and data is granted and reviewed.

Questions to explore:

• How is access decided when someone joins or changes roles? • Are there shared accounts on important systems? • How often is access reviewed?

Suggested activity:

Select one or two key systems and ask managers to review whether existing access still matches people’s responsibilities.

Week 3: Vendor Risk: Your Vendors, Your Risk

Focus: recognizing where external providers affect risk.

Questions to explore:

• Which vendors provide critical services or handle important data?

• What do you know about their security measures?

• How is risk considered when new vendors are chosen?

Suggested activity:

Compile a simple list of key vendors and note what they do, what data they see, and how critical they are.

Week 4: Legacy Systems: Old Tech, New Exposure

Focus: considering the role of older systems in today’s environment.

Questions to explore:

• Which systems are older, challenging to update, or nearing end of life?

• How are they connected to the rest of the environment?

• What data or processes depend on them?

Suggested activity:

Identify a small number of legacy systems and discuss whether they can be isolated, strengthened with compensating controls, or scheduled for replacement.

Week 5: Everyday Operations: How Work Really Happens

Focus: how people, processes, and changes contribute to risk.

Questions to explore:

• How often do small incidents occur, and what causes them?

• Is there a clear, practised incident response approach?

• How are significant changes planned, tested, and approved?

Suggested activity:

Discuss a recent incident or change and reflect on what went well and what could be improved next time.

Week 6: Bringing It All Together

By the sixth week, patterns usually begin to emerge.

Some risks cluster around specific systems. Others appear in vendor relationships, operational practices, or aging technology, indicating that these areas may require closer scrutiny to identify and mitigate potential vulnerabilities.

Questions to explore:

• Where do the most significant risks appear to cluster?

• Which findings could be addressed through small process or behaviour changes?

• Which ones might require more formal projects or investment?

Suggested activity:

Create a short list of improvements and group them into:

• Quick wins: changes that can be implemented quickly

• Medium-term improvements: moderate coordination required

• Longer-term initiatives: projects requiring planning and investment

Closing

Risk usually appears gradually.

More often, it develops quietly across tools, access decisions, vendor relationships, aging technology, and everyday operational habits.

By taking a few minutes each week to ask focused questions, leaders can build a clearer picture of where attention is most needed and where small improvements can meaningfully strengthen resilience.