The Risk Register Argument - When Your Co-Host Says You're Wrong About Governance
Graham Falkner looked me dead in the eye before we started recording and told me I was completely wrong about risk registers.
"Small businesses don't need formal risk registers," he said. "That's enterprise stuff. It's overkill."
I nearly walked out of the studio.
What followed was 40 minutes of the most intense debate we've ever had on this podcast. And by the end, Graham had completely changed his position. Not because I bullied him into it. Because the evidence is overwhelming, undeniable, and frankly terrifying.
The UK government's Cyber Security Breaches Survey 2025 just dropped. The numbers are brutal. Only 27% of UK businesses now have a board member responsible for cyber security. That's down from 38% in 2021. We're going backwards whilst attacks doubled. Meanwhile, 43% of businesses got breached last year. Nearly half. And 28% of small and medium businesses admit a single attack could put them out of business entirely.
Let me say that again. More than one in four UK SMEs are one bad day away from closing permanently. But only one in four have someone at board level actually managing this risk.
This is negligence. And Graham started this episode defending it.
The Government Data Nobody's Reading
The Department for Science, Innovation and Technology publishes the most comprehensive cyber security research in Europe. Thousands of businesses surveyed. Rigorous methodology. All available for free. And almost nobody reads it.
Here's what the 2025 survey actually shows. Board-level responsibility for cyber security has declined steadily since 2021. Not stayed flat. Not improved slowly. Declined. 38% to 27% in four years. That's not statistical noise. That's systematic abandonment of governance.
At the same time, breach rates remain catastrophically high. 43% of all UK businesses experienced some form of cyber security breach or attack in the last 12 months. For medium businesses it's 67%. For large businesses it's 74%. These aren't hypothetical risks. They're coin-flip odds.
The average cost of the most disruptive breach was £1,600 for businesses overall. For those who actually reported costs (excluding the "zero cost" answers that suggest underreporting or denial), it jumps to £3,550. And that's just direct costs. Lost productivity, reputational damage, customer churn, regulatory penalties - none of that's included.
Research from Vodafone Business in 2025 puts the total annual losses to UK SMEs at £3.4 billion. The average attack costs a small business £3,398. For companies with 50 or more employees, that rises to £5,001. And crucially, 28% of SMEs surveyed stated that the average cost of an attack would be enough to put them out of business.
Twenty-eight percent. More than one in four businesses are operating one security incident away from permanent closure. Yet only 27% have board-level oversight of the risk that could destroy them.
Why Graham Was Wrong (And Why He Changed His Mind)
Graham's argument was simple. Small businesses are busy. They're trying to keep the lights on. Formal risk registers are bureaucratic overhead they don't need. Just be sensible, patch your systems, train your staff, and get on with running the business.
It sounds reasonable. It's completely wrong.
Risk registers aren't bureaucracy. They're systematic thinking applied to survival. Every business already knows its top risks. Cash flow. Key clients. Staff retention. Market competition. These get discussed at board meetings constantly because they could kill the business.
Cyber security belongs on that list. It has the same potential to destroy a company. But it doesn't get the same attention because boards don't understand it, don't measure it, and don't assign responsibility for managing it.
A risk register forces three things that most boards avoid:
First, documentation. You write down the risk. You assess likelihood and impact honestly. You identify current controls. You document gaps. This sounds basic, but most businesses never do it. They have vague awareness that cyber security matters, but no structured understanding of what "good" looks like or where their vulnerabilities are.
Second, ownership. Someone at board level becomes responsible. Not your IT person. Not your external consultant. A director with actual authority and accountability. This person asks the uncomfortable questions. Are we actually secure or just compliant? Do we know what would happen if we got hit? Have we tested our backups? Can we restore operations?
Third, review. The register gets updated quarterly. Not when something goes wrong. Not when you remember. Quarterly. As a standing board agenda item. This turns risk management from something you think about occasionally into something you govern systematically.
Graham's position changed when he ran the maths. Creating a basic risk register takes two hours. Not two days. Not two weeks. Two hours to list your top risks, assess them honestly, document current controls, identify gaps, and assign ownership.
If those two hours of board time lead to implementing basic controls that cost £2,000 (Cyber Essentials certification, staff training, backup improvements), and that prevents just one breach averaging £3,398, you've just made £1,398 whilst dramatically reducing your existential risk.
The return on investment is absurd. But only if you actually do it.
The Legal Duties You're Already Ignoring
Here's what most directors don't realise. You already have legal obligations around cyber security. The Companies Act 2006 requires directors to exercise reasonable care, skill and diligence in managing company affairs. This includes understanding and managing material risks to the business.
Cyber security is now a material risk. When 43% of businesses get breached, when 28% say an attack could close them, when the average cost exceeds £3,000, you cannot claim this isn't material. You cannot delegate it away. You cannot plead ignorance.
The NCSC Board Toolkit exists specifically to help directors understand these obligations. It's free. It's comprehensive. It's written in plain English for non-technical board members. And according to the government survey, only 22% of medium businesses and 33% of large businesses have even heard of it.
This is wilful blindness. And when the breach happens, "we didn't know we were supposed to do this" won't protect you from personal liability if you failed to exercise reasonable care in governance.
The Financial Conduct Authority, the Information Commissioner's Office, Ofsted, Ofgem, Ofwat - every major regulator now expects board-level cyber security governance. Not just technical controls. Governance. Strategy. Risk management. Incident response. All documented, regularly reviewed, with clear ownership.
If you're sitting on a board thinking "this doesn't apply to us because we're small," you're dangerously wrong. The size of your organisation doesn't change the nature of your governance duties. It just means you have fewer people to share the work.
What Actually Needs to Happen
At minimum, every UK business needs a cyber risk register containing:
Risk identification: What are our top cyber risks? Be specific. "Getting hacked" isn't specific. "Phishing attack compromising finance director's email leading to fraudulent payment authorisation" is specific.
Likelihood assessment: How likely is this risk? Use actual data from the government surveys. If 85% of breached businesses cite phishing, that's "highly likely." Not "possible." Not "unlikely." Highly likely.
Impact assessment: What happens if this occurs? Be honest. Not "we'd handle it." What actually happens? Systems go down for how long? What's the financial impact? What regulatory obligations get triggered? Do we have the cash reserves to survive this?
Current controls: What are we doing now to prevent or mitigate this risk? List them specifically. "We have antivirus" is vague. "We use Microsoft Defender with real-time protection enabled on all endpoints, automatically updated, monitored daily" is specific.
Control gaps: Where are the holes? What should we be doing that we're not? Be brutal. Most businesses discover they have far less protection than they thought once they document this honestly.
Risk ownership: Who at board level is responsible for managing this specific risk? Not "IT." Not "everyone." One named director with clear accountability.
Action plan: What are we doing to close the gaps? By when? With what budget? Who's responsible for delivery?
Review schedule: When do we next review this risk? Quarterly minimum. More frequently for high-priority risks or during periods of elevated threat.
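The eight fields above are essentially a schema, and the three things the post says a register forces (documentation, ownership, review) can be checked mechanically. The following is an added example, not code from the podcast, the government survey or the NCSC toolkit: a small register model that scores each entry, rejects the vague wording the post warns about, and flags entries whose review date has passed. The 1-5 likelihood and impact scales, the 92-day review limit used to express "quarterly", the lists of vague phrases and non-owners, and the sample entries (including the named directors) are all assumptions constructed for the example.

```python
"""Cyber risk register with the checks the post describes.

Added example; the 1-5 scales, 92-day quarter, vague-phrase lists and
sample entries are assumptions, not figures from the post or the survey.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed mapping from the wording used in the post to a 1-5 scale.
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 4, "highly likely": 5}
# "Quarterly minimum": a calendar quarter is at most 92 days (assumption).
MAX_REVIEW_INTERVAL = timedelta(days=92)
# Wording the post calls out as too vague to be useful (constructed lists).
VAGUE_RISKS = ("getting hacked", "cyber attack", "being breached")
VAGUE_CONTROLS = ("we have antivirus", "we have a firewall", "we have backups")
NON_OWNERS = ("", "it", "everyone", "it department", "our consultant")


@dataclass
class RiskEntry:
    risk: str                 # specific scenario, not "getting hacked"
    likelihood: str           # one of LIKELIHOOD's keys
    impact: int               # 1 (nuisance) .. 5 (could close the business)
    controls: list[str]       # what is in place today, specific enough to verify
    gaps: list[str]           # what should be in place but is not
    owner: str                # one named director, not "IT"
    actions: list[str] = field(default_factory=list)
    last_reviewed: date | None = None
    next_review: date | None = None


def risk_score(entry: RiskEntry) -> int:
    """Likelihood x impact on the assumed 1-5 scales (maximum 25)."""
    return LIKELIHOOD[entry.likelihood] * entry.impact


def validate(entry: RiskEntry) -> list[str]:
    """Return the governance problems found in one entry; empty means it passes."""
    problems = []
    if entry.risk.strip().lower() in VAGUE_RISKS or len(entry.risk.split()) < 6:
        problems.append("risk is not specific enough")
    if entry.likelihood not in LIKELIHOOD:
        problems.append(f"unknown likelihood {entry.likelihood!r}")
    if not 1 <= entry.impact <= 5:
        problems.append("impact must be 1-5")
    if not entry.controls:
        problems.append("no current controls documented")
    if any(c.strip().lower() in VAGUE_CONTROLS for c in entry.controls):
        problems.append("a control is too vague to verify")
    if entry.owner.strip().lower() in NON_OWNERS:
        problems.append("owner must be one named director")
    if entry.gaps and not entry.actions:
        problems.append("gaps listed but no action plan")
    if entry.next_review is None:
        problems.append("no review date set")
    elif entry.last_reviewed and entry.next_review - entry.last_reviewed > MAX_REVIEW_INTERVAL:
        problems.append("review interval longer than a quarter")
    return problems


def overdue(register: list[RiskEntry], today: date) -> list[str]:
    """Risks whose scheduled review date is already in the past."""
    return [e.risk for e in register if e.next_review and e.next_review < today]


def prioritised(register: list[RiskEntry]) -> list[tuple[str, int]]:
    """Register ordered highest score first, for the board agenda."""
    return sorted(((e.risk, risk_score(e)) for e in register), key=lambda p: -p[1])


# Constructed sample register: two entries written the way the post asks,
# one written the way it says most businesses do it.
SAMPLE_REGISTER = [
    RiskEntry(
        risk="Phishing attack compromising the finance director's email leading to fraudulent payment authorisation",
        likelihood="highly likely", impact=5,
        controls=["Microsoft Defender real-time protection on all endpoints, auto-updated, monitored daily",
                  "Phishing awareness training for all staff, refreshed annually"],
        gaps=["No dual authorisation on supplier payments"],
        owner="A. Patel, Finance Director",  # constructed name
        actions=["Introduce dual authorisation on supplier payments this quarter"],
        last_reviewed=date(2025, 4, 1), next_review=date(2025, 7, 1),
    ),
    RiskEntry(
        risk="Backups cannot be restored after a ransomware incident, halting order processing for days",
        likelihood="likely", impact=5,
        controls=["Nightly off-site backups of the order system"],
        gaps=["Restore has never been tested end to end"],
        owner="J. Okafor, Operations Director",  # constructed name
        actions=["Run a full restore test and record the time taken"],
        last_reviewed=date(2025, 4, 1), next_review=date(2025, 7, 1),
    ),
    RiskEntry(
        risk="Getting hacked", likelihood="possible", impact=3,
        controls=["We have antivirus"], gaps=[], owner="IT",
        last_reviewed=date(2024, 1, 1), next_review=date(2025, 1, 1),
    ),
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(f"[{risk_score(entry):2d}] {entry.risk[:60]} -> {validate(entry) or 'ok'}")
    print("overdue:", overdue(SAMPLE_REGISTER, date(2025, 6, 1)))
```

Running the script lists the two well-formed entries with no problems and the "Getting hacked" entry with four: an unspecific risk, an unverifiable control, a non-director owner and a review gap of a year. The ordering from `prioritised` is what the quarterly agenda item should walk through, highest score first.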
This takes two hours to create initially. Thirty minutes quarterly to review and update. That's eight hours per year of board time dedicated to managing risks that could permanently destroy your business.
If you cannot spare eight hours annually on risk governance, you're not running a business. You're gambling.
The Challenge
Graham changed his mind during this conversation because he couldn't argue with the evidence. The statistics are undeniable. The legal framework is clear. The NCSC guidance is comprehensive. The maths is obvious.
Here's my challenge to anyone listening. If you don't have a cyber risk register, create one this week. Not next month. This week. Two hours. List your top five cyber risks. Assess them honestly using the government statistics. Document your current controls. Identify gaps. Assign board-level ownership.
Then take it to your next board meeting and have the conversation. See what happens.
You'll get one of two outcomes. Either you'll have a productive discussion about risk and start managing it systematically, or you'll discover your board doesn't take governance seriously. And if it's the latter, you have a much bigger problem than cyber security.
The full episode is available now on all podcast platforms. Graham's complete conversion from sceptic to believer makes for fascinating listening. And if you're a board member who's been avoiding this topic, this episode is specifically for you.
Listen to Episode 31 now. Then create that risk register. Because 28% of UK SMEs are one bad day from closure, and the only difference between them and the survivors is systematic risk management.