
Risk Management 101: Process, Examples, Strategies

Emily Villanueva

Effective risk management takes a proactive and preventative stance to risk, aiming to identify and then determine the appropriate response to the business and facilitate better decision-making. Many approaches to risk management focus on risk reduction, but it’s important to remember that risk management practices can also be applied to opportunities, assisting the organization with determining if that possibility is right for it.

Risk management as a discipline has evolved to the point that there are now common subsets and branches of risk management programs, from enterprise risk management (ERM), to cybersecurity risk management, to operational risk management (ORM), to supply chain risk management (SCRM). With this evolution, standards organizations around the world, like the US’s National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO) have developed and released their own best practice frameworks and guidance for businesses to apply to their risk management plan.

Companies that adopt and continuously improve their risk management programs can reap the benefits of improved decision-making, a higher probability of reaching goals and business objectives, and an augmented security posture. But, with risks proliferating and the many types of risks that face businesses today, how can an organization establish and optimize its risk management processes? This article will walk you through the fundamentals of risk management and offer some thoughts on how you can apply it to your organization.

What Are Risks?

We’ve been talking about risk management and how it has evolved, but it’s important to clearly define the concept of risk. Simply put, risks are the things that could go wrong with a given initiative, function, process, project, and so on. There are potential risks everywhere — when you get out of bed, there’s a risk that you’ll stub your toe and fall over, potentially injuring yourself (and your pride). Traveling often involves taking on some risks, like the chance that your plane will be delayed or your car runs out of gas and leaves you stranded. Nevertheless, we choose to take on those risks, and may benefit from doing so.

Companies should think about risk in a similar way, not seeking simply to avoid risks, but to integrate risk considerations into day-to-day decision-making.

  • What are the opportunities available to us?
  • What could be gained from those opportunities?
  • What is the business’s risk tolerance or risk appetite – that is, how much risk is the company willing to take on?
  • How will this relate to or affect the organization’s goals and objectives?
  • Are these opportunities aligned with business goals and objectives?

With that in mind, conversations about risks can progress by asking, “What could go wrong?” or “What if?” Within the business environment, identifying risks starts with key stakeholders and management, who first define the organization’s objectives. Then, with a risk management program in place, those objectives can be scrutinized for the risks associated with achieving them. Although many organizations focus their risk analysis around financial risks and risks that can affect a business’s bottom line, there are many types of risks that can affect an organization’s operations, reputation, or other areas.

Remember that risks are hypotheticals — they haven’t occurred or been “realized” yet. When we talk about the impact of risks, we’re always discussing the potential impact. Once a risk has been realized, it usually turns into an incident, problem, or issue that the company must address through their contingency plans and policies. Therefore, many risk management activities focus on risk avoidance, risk mitigation, or risk prevention.

What Different Types of Risks Are There?

There’s a vast landscape of potential risks that face modern organizations. Targeted risk management practices like ORM and SCRM have risen to address emerging areas of risk, with those disciplines focused on mitigating risks associated with operations and the supply chain. Specific risk management strategies designed to address new risks and existing risks have emerged from these facets of risk management, providing organizations and risk professionals with action plans and contingency plans tailored to unique problems and issues.

Common types of risks include: strategic, compliance, financial, operational, reputational, security, and quality risks.

Strategic Risk

Strategic risks are those risks that could have a potential impact on a company’s strategic objectives, business plan, and/or strategy. Adjustments to business objectives and strategy have a trickle-down effect to almost every function in the organization. Some events that could cause strategic risks to be realized are: major technological changes in the company, like switching to a new tech stack; large layoffs or reductions-in-force (RIFs); changes in leadership; competitive pressure; and legal changes.

Compliance Risk

Compliance risks materialize from regulatory and compliance requirements that businesses are subject to, like Sarbanes-Oxley for publicly-traded US companies, or GDPR for companies that handle personal information from the EU. The consequence or impact of noncompliance is generally a fine from the governing body of that regulation. These types of risks are realized when the organization does not maintain compliance with regulatory requirements, whether those requirements are environmental, financial, security-specific, or related to labor and civil laws.

Financial Risk

Financial risks are fairly self-explanatory — they have the possibility of affecting an organization’s profits. These types of risks often receive significant attention due to the potential impact on a company’s bottom line. Financial risks can be realized in many circumstances, like performing a financial transaction, compiling financial statements, developing new partnerships, or making new deals.

Operational Risk

Risks to operations, or operational risks, have the potential to disrupt daily operations involved with running a business. Needless to say, this can be a problematic scenario for organizations with employees unable to do their jobs, and with product delivery possibly delayed. Operational risks can materialize from internal or external sources — employee conduct, retention, technology failures, natural disasters, supply chain breakdowns — and many more.

Reputational Risk

Reputational risks are an interesting category. These risks look at a company’s standing in the public and in the media and identify what could impact its reputation. The advent of social media changed the reputation game quite a bit, giving consumers direct access to brands and businesses. Consumers and investors too are becoming more conscious about the companies they do business with and their impact on the environment, society, and civil rights. Reputational risks are realized when a company receives bad press or experiences a successful cyber attack or security breach; or any situation that causes the public to lose trust in an organization.

Security Risk

Security risks have to do with possible threats to your organization’s physical premises, as well as information systems security. Security breaches, data leaks, and other successful types of cyber attacks threaten the majority of businesses operating today. Security risks have become an area of risk that companies can’t ignore, and must safeguard against.

Quality Risk

Quality risks are specifically associated with the products or services that a company provides. Producing low-quality goods or services can cause an organization to lose customers, ultimately affecting revenue. These risks are realized when product quality drops for any reason — whether that’s technology changes, outages, employee errors, or supply chain disruptions.

Steps in the Risk Management Process

The six risk management process steps that we’ve outlined below will give you and your organization a starting point to implement or improve your risk management practices. In order, the risk management steps are: 

  • Risk identification
  • Risk analysis or assessment
  • Controls implementation
  • Resource and budget allocation
  • Risk mitigation
  • Risk monitoring, reviewing, and reporting

If this is your organization’s first time setting up a risk management program, consider having a formal risk assessment completed by an experienced third party, with the goal of producing a risk register and prioritized recommendations on what activities to focus on first. Annual (or more frequent) risk assessments are usually required when pursuing compliance and security certifications, making them a valuable investment.

Step 1: Risk Identification

The first step in the risk management process is risk identification. This step takes into account the organization’s overarching goals and objectives, ideally through conversations with management and leadership. Identifying risks to company goals involves asking, “What could go wrong?” with the plans and activities aimed at meeting those goals. As an organization moves from macro-level risks to more specific function and process-related risks, risk teams should collaborate with critical stakeholders and process owners, gaining their insight into the risks that they foresee.

As risks are identified, they should be captured in formal documentation — most organizations do this through a risk register, which is a database of risks, risk owners, mitigation plans, and risk scores.

Step 2: Risk Analysis or Assessment

Analyzing risks, or assessing risks, involves looking at the likelihood that a risk will be realized, and the potential impact that risk would have on the organization if it were realized. By quantifying these on a three- or five-point scale, risk prioritization becomes simpler. Multiplying the risk’s likelihood score by the risk’s impact score generates the risk’s overall risk score. This value can then be compared to other risks for prioritization purposes.

The likelihood that a risk will be realized asks the risk assessor to consider how probable it would be for a risk to actually occur. Lower scores indicate a lower chance that the risk will materialize; higher scores indicate a higher chance that the risk will occur.

Likelihood, on a 5x5 risk matrix, is broken out into:

  • Highly Unlikely
  • Highly Likely

The potential impact of a risk, should it be realized, asks the risk assessor to consider how the business would be affected if that risk occurred. Lower scores signal less impact to the organization, while higher scores indicate more significant impacts to the company.

Impact, on a 5x5 risk matrix, is broken out into:

  • Negligible Impact
  • Moderate Impact
  • High Impact
  • Catastrophic Impact

Risk assessment matrices help visualize the relationship between likelihood and impact, serving as a valuable tool in risk professionals’ arsenals.

Organizations can choose whether to employ a 5x5 risk matrix, as shown above, or a 3x3 risk matrix, which breaks likelihood, impact, and aggregate risk scores into low, moderate, and high categories.

Step 3: Controls Assessment and Implementation

Once risks have been identified and analyzed, controls that address or partially address those risks should be mapped. Any risks that don’t have associated controls, or that have controls that are inadequate to mitigate the risk, should have controls designed and implemented to do so.

Step 4: Resource and Budget Allocation

This step, the resource and budget allocation step, doesn’t get included in a lot of content about risk management. However, many businesses find themselves in a position where they have limited resources and funds to dedicate to risk management and remediation. Developing and implementing new controls and control processes is time-consuming and costly; there’s usually a learning curve for employees to get used to changes in their workflow.

Using the risk register and corresponding risk scores, management can more easily allocate resources and budget to priority areas, with cost-effectiveness in mind. Each year, leadership should re-evaluate their resource allocation as part of annual risk lifecycle practices.

Step 5: Risk Mitigation

The risk mitigation step of risk management involves both coming up with the action plan for handling open risks, and then executing on that action plan. Mitigating risks successfully takes buy-in from various stakeholders. Due to the various types of risks that exist, each action plan may look vastly different between risks. 

For example, vulnerabilities present in information systems pose a risk to data security and could result in a data breach. The action plan for mitigating this risk might involve automatically installing security patches for IT systems as soon as they are released and approved by the IT infrastructure manager. Another identified risk could be the possibility of cyber attacks resulting in data exfiltration or a security breach. The organization might decide that establishing security controls is not enough to mitigate that threat, and thus contract with an insurance company to cover cyber incidents. Two related security risks; two very different mitigation strategies.

One more note on risk mitigation — there are four generally accepted “treatment” strategies for risks. These four treatments are:

  • Risk Acceptance: Risk thresholds are within acceptable tolerance, and the organization chooses to accept this risk.
  • Risk Transfer: The organization chooses to transfer the risk or part of the risk to a third party provider or insurance company.
  • Risk Avoidance: The organization chooses not to move forward with that risk and avoids incurring it.
  • Risk Mitigation: The organization establishes an action plan for reducing or limiting risk to acceptable levels.

If an organization is not opting to mitigate a risk, and instead chooses to accept, transfer, or avoid the risk, these details should still be captured in the risk register, as they may need to be revisited in future risk management cycles.

Step 6: Risk Monitoring, Reviewing, and Reporting

The last step in the risk management lifecycle is monitoring risks, reviewing the organization’s risk posture, and reporting on risk management activities. Risks should be monitored on a regular basis to detect any changes to risk scoring, mitigation plans, or owners. Regular risk assessments can help organizations continue to monitor their risk posture. Having a risk committee or similar committee meet on a regular basis, such as quarterly, integrates risk management activities into scheduled operations, and ensures that risks undergo continuous monitoring. These committee meetings also provide a mechanism for reporting risk management matters to senior management and the board, as well as affected stakeholders.

As an organization reviews and monitors its risks and mitigation efforts, it should apply any lessons learned and use past experiences to improve future risk management plans.

Examples of Risk Management Strategies

Depending on your company’s industry, the types of risks it faces, and its objectives, you may need to employ many different risk management strategies to adequately handle the possibilities that your organization encounters. 

Some examples of risk management strategies include leveraging existing frameworks and best practices, minimum viable product (MVP) development, contingency planning, root cause analysis and lessons learned, built-in buffers, risk-reward analysis, and third-party risk assessments.

Leverage Existing Frameworks and Best Practices

Risk management professionals need not go it alone. There are several standards organizations and committees that have developed risk management frameworks, guidance, and approaches that business teams can leverage and adapt for their own company. 

Some of the more popular risk management frameworks out there include:

  • ISO 31000 Family: The International Standards Organization’s guidance on risk management.
  • NIST Risk Management Framework (RMF): The National Institute of Standards and Technology has released risk management guidance compatible with their Cybersecurity Framework (CSF).
  • COSO Enterprise Risk Management (ERM): The Committee of Sponsoring Organizations’ enterprise risk management guidance.

Minimum Viable Product (MVP) Development

This approach to product development involves developing core features and delivering those to the customer, then assessing response and adjusting development accordingly. Taking an MVP path reduces the likelihood of financial and project risks, like excessive spend or project delays, by simplifying the product and decreasing development time.

Contingency Planning

Developing contingency plans for significant incidents and disaster events is a great way for businesses to prepare for worst-case scenarios. These plans should account for response and recovery. Contingency plans specific to physical sites or systems help mitigate the risk of employee injury and outages.

Root Cause Analysis and Lessons Learned

Sometimes, experience is the best teacher. When an incident occurs or a risk is realized, risk management processes should include some kind of root cause analysis that provides insights into what can be done better next time. These lessons learned, integrated with risk management practices, can streamline and optimize response to similar risks or incidents.

Built-In Buffers

Applicable to discrete projects, building in buffers in the form of time, resources, and funds can be another viable strategy to mitigate risks. As you may know, projects can get derailed very easily, going out of scope, over budget, or past the timeline. Whether a project team can successfully navigate project risks spells the success or failure of the project. By building in some buffers, project teams can set expectations appropriately and account for the possibility that project risks may come to fruition.

Risk-Reward Analysis

In a risk-reward analysis, companies and project teams weigh the possibility of something going wrong with the potential benefits of an opportunity or initiative. This analysis can be done by looking at historical data, doing research about the opportunity, and drawing on lessons learned. Sometimes the risk of an initiative outweighs the reward; sometimes the potential reward outweighs the risk. At other times, it’s unclear whether the risk is worth the potential reward or not. Still, a simple risk-reward analysis can keep organizations from bad investments and bad deals.

Third-Party Risk Assessments

Another strategy teams can employ as part of their risk management plan is to conduct periodic third-party risk assessments. In this method, a company would contract with a third party experienced in conducting risk assessments, and have them perform one (or more) for the organization. Third-party risk assessments can be immensely helpful for the new risk management team or for a mature risk management team that wants a new perspective on their program. 

Generally, third-party risk assessments result in a report of risks, findings, and recommendations. In some cases, a third-party provider may also be able to help draft or provide input into your risk register. As external resources, third-party risk assessors can bring their experience and opinions to your organization, leading to insights and discoveries that may not have been found without an independent set of eyes.

Components of an Effective Risk Management Plan

An effective risk management plan has buy-in from leadership and key stakeholders; applies the risk management steps; has good documentation; and is actionable. Buy-in from management often determines whether a risk management function is successful or not, since risk management requires resources to conduct risk assessments, risk identification, risk mitigation, and so on. Without leadership buy-in, risk management teams may end up just going through the motions without the ability to make an impact. Risk management plans should be integrated into organizational strategy, and without stakeholder buy-in, that typically does not happen. 

Applying the risk management methodology is another key component of an effective plan. That means following the six steps outlined above should be incorporated into a company’s risk management lifecycle. Identifying and analyzing risks, establishing controls, allocating resources, conducting mitigation, and monitoring and reporting on findings form the foundations of good risk management. 

Good documentation is another cornerstone of effective risk management. Without a risk register recording all of a company’s identified risks and accompanying scores and mitigation strategies, there would be little for a risk team to act on. Maintaining and updating the risk register should be a priority for the risk team — risk management software can help here, providing users with a dashboard and collaboration mechanism.

Last but not least, an effective risk management plan needs to be actionable. Any activities that need to be completed for mitigating risks or establishing controls should be feasible for the organization and allocated resources. An organization can come up with the best possible, best practice risk management plan, but find it completely unactionable because it doesn’t have the capabilities, technology, funds, and/or personnel to carry it out. It’s all well and good to recommend that cybersecurity risks be mitigated by setting up a 24/7 continuous monitoring Security Operations Center (SOC), but if your company only has one IT person on staff, that may not be a feasible action plan.

Executing on an effective risk management plan necessitates having the right people, processes, and technology in place. Sometimes the challenges involved with running a good risk management program are mundane — such as disconnects in communication, poor version control, and multiple risk registers floating around. Risk management software can provide your organization with a unified view of the company’s risks, a repository for storing and updating key documentation like a risk register, and a space to collaborate virtually with colleagues to check on risk mitigation efforts or coordinate on risk assessments. Get started building your ideal risk management plan today!

How to Make a Risk Management Plan (Template Included)


You identify them, record them, monitor them and plan for them: risks are an inherent part of every project. Some project risks are bound to become problem areas—like executing a project over the holidays and having to plan the project timeline around them. But there are many risks within any given project that, without risk assessment and risk mitigation strategies, can come as unwelcome surprises to you and your project management team.

That’s where a risk management plan comes in—to help mitigate risks before they become problems. But first, what is project risk management ?

What Is Risk Management?

Risk management is an arm of project management that deals with managing potential project risks. Managing your risks is arguably one of the most important aspects of project management.

The risk management process has these main steps:

  • Risk Identification: The first step to manage project risks is to identify them. You’ll need to use data sources such as information from past projects or subject matter experts’ opinions to estimate all the potential risks that can impact your project.
  • Risk Assessment: Once you have identified your project risks, you’ll need to prioritize them by looking at their likelihood and level of impact.
  • Risk Mitigation: Now it’s time to create a contingency plan with risk mitigation actions to manage your project risks. You also need to define which team members will be risk owners, responsible for monitoring and controlling risks.
  • Risk Monitoring: Risks must be monitored throughout the project life cycle so that they can be controlled.

If one risk that’s passed your threshold has its conditions met, it can put your entire project plan in jeopardy. There isn’t usually just one risk per project, either; there are many risk categories that require assessment and discussion with your stakeholders.

That’s why risk management needs to be both a proactive and reactive process that is constant throughout the project life cycle. Now let’s define what a risk management plan is.

What Is a Risk Management Plan?

A risk management plan defines how your project’s risk management process will be executed. That includes the budget, tools and approaches that will be used to perform risk identification, assessment, mitigation and monitoring activities.

A risk management plan usually includes:

  • Methodology: Define the tools and approaches that will be used to perform risk management activities such as risk assessment, risk analysis and risk mitigation strategies.
  • Risk Register: A risk register is a chart where you can document all the risk identification information of your project.
  • Risk Breakdown Structure: It’s a chart that allows you to identify risk categories and the hierarchical structure of project risks.
  • Risk Assessment Matrix: A risk assessment matrix allows you to analyze the likelihood and the impact of project risks so you can prioritize them.
  • Risk Response Plan: A risk response plan is a project management document that explains the risk mitigation strategies that will be employed to manage your project risks.
  • Roles and responsibilities: The risk management team members have responsibilities as risk owners. They need to monitor project risks and supervise their risk response actions.
  • Budget: Have a section where you identify the funds required to perform your risk management activities.
  • Timing: Include a section to define the schedule for the risk management activities.

How to Make a Risk Management Plan

For every web design and development project, construction project or product design, there will be risks. That’s truly just the nature of project management. But that’s also why it’s always best to get ahead of them as much as possible by developing a risk management plan. The steps to make a risk management plan are outlined below.

1. Risk Identification

Risk identification occurs at the beginning of the project planning phase, as well as throughout the project life cycle. While many risks are considered “known risks,” others might require additional research to discover.

You can create a risk breakdown structure to identify all your project risks and classify them into risk categories. You can do this by interviewing all project stakeholders and industry experts. Many project risks can be divided up into risk categories, like technical or organizational, and listed out by specific sub-categories like technology, interfaces, performance, logistics, budget, etc. Additionally, create a risk register that you can share with everyone you interviewed for a centralized location of all known risks revealed during the identification phase.

You can conveniently create a risk register for your project using online project management software. For example, use the list view on ProjectManager to capture all project risks, add what level of priority they are and assign a team member to own, identify and resolve them. Better than to-do list apps, you can attach files, tags and monitor progress. Track the percentage complete and even view your risks from the project menu. Keep risks from derailing your project by signing up for a free trial of ProjectManager.

2. Risk Assessment

In this next phase, you’ll review the qualitative and quantitative impact of the risk—like the likelihood of the risk occurring versus the impact it would have on your project—and map that out into a risk assessment matrix.

First, you’ll do this by assigning the risk likelihood a score from low probability to high probability. Then, you’ll map out your risk impact from low to medium to high and assign each a score. This will give you an idea of how likely the risk is to impact the success of the project, as well as how urgent the response will need to be.

To make it efficient for all risk management team members and project stakeholders to understand the risk assessment matrix, assign an overall risk score by multiplying your impact level score with your risk probability score.

3. Create a Risk Response Plan

A risk response is the action plan that is taken to mitigate project risks when they occur. The risk response plan includes the risk mitigation strategies that you’ll execute to mitigate the impact of risks in your project. Doing this usually comes with a price—at the expense of your time, or your budget. So you’ll want to allocate resources, time and money for your risk management needs prior to creating your risk management plan.

4. Assign Risk Owners

You’ll also want to assign a risk owner to each project risk. Those risk owners become accountable for monitoring the risks that are assigned to them and supervising the execution of the risk response if needed.

When you create your risk register and risk assessment matrix, list out the risk owners, so that no one is confused as to who will need to implement the risk response strategies once the project risks occur, and each risk owner can take immediate action.

Be sure to record what the exact risk response is for each project risk in the risk register and have your risk response plan approved by all stakeholders before implementation. That way you can have a record of the issue and the resolution to review once the entire project is finalized.

5. Understand Your Triggers

Checking whether risk triggers have been met can happen with or without a risk already having impacted your project—especially during project milestones as a means of reviewing project progress. If they have, consider reclassifying those existing risks.

Even if those triggers haven’t been met, it’s best to come up with a backup plan as the project progresses—maybe the conditions for a certain risk won’t exist after a certain point has been reached in the project.

6. Make a Backup Plan

Consider your risk register and risk assessment matrix a living document. Your project risks can change in classification at any point during your project, and because of that, it’s important you come up with a contingency plan as part of your process.

Contingency planning includes discovering new risks during project milestones and reevaluating existing risks to see if any conditions for those risks have been met. Any reclassification of a risk means adjusting your contingency plan just a little bit.

7. Measure Your Risk Threshold

Measuring your risk threshold is all about discovering which risks are too high and consulting with your project stakeholders to consider whether or not it’s worth continuing the project, whether that is measured in time, money or scope.

Here’s how the risk threshold is typically determined: consider your risks that have a score of “very high”, or more than a few “high” scores, and consult with your leadership team and project stakeholders to determine if the project itself may be at risk of failure. Project risks that require additional consultation are risks that have passed the risk threshold.

To keep a close eye on risks as they raise issues in your project, use project management software. ProjectManager has real-time dashboards embedded in the tool, unlike other software where you have to build them yourself. It automatically calculates the health of your project, checking whether you’re on time or running behind, and gives you a high-level view of spending, progress and more. The quicker you identify a risk, the faster you can resolve it.

Free Risk Management Plan Template

This free risk management plan template will help you prepare your team for any risks inherent in your project. This Word document includes sections for your risk management methodology, risk register, risk breakdown structure and more. It’s so thorough, you’re sure to be ready for whatever comes your way. Download your template today.


Best Practices for Maintaining Your Risk Management Plan

Risk management plans only fail in a few ways: incrementally because of insufficient budget, via modeling errors or by ignoring your risks outright.

Your risk management plan is one that is constantly evolving throughout the course of the project life cycle, from beginning to end. So the best practices are to focus on the monitoring phase of the risk management plan. Continue to evaluate and reevaluate your risks and their scores, and address risks at every project milestone.

Project dashboards and other risk tracking features can be a lifesaver when it comes to maintaining your risk management plan. Project management dashboards, live data and project reports are what keep your projects on track and on budget.

In addition to your routine risk monitoring, at each milestone, conduct another round of interviews with the same checklist you used at the beginning of the project, and re-interview project stakeholders, risk management team members, customers (if applicable) and industry experts.

Record their answers, adjust your risk register and risk assessment matrix if necessary, and report all relevant updates of your risk management plan to key project stakeholders. This process and level of transparency will help you to identify any new risks to be assessed and will let you know if any previous risks have expired.

How ProjectManager Can Help With Your Risk Management Plan

A risk management plan is only as good as the features you have to implement and track the risks in it. ProjectManager is online project management software that lets you view risks directly in the project menu. You can tag risks as open or closed and even build a risk matrix directly in the software. You get visibility into risks and can track them in real time, sharing and viewing the risk history.


Track & Monitor Risks in Real Time

Managing risk is only the start. You must also monitor risk and track it from the point that you first identified it. Real-time dashboards give you a high-level view of slippage, workload, cost and more. Customizable reports can be shared with stakeholders and filtered to show only what they need to see. Risk tracking has never been easier.


Risks are bound to happen no matter the project. But if you have the right tools to better navigate the risk management planning process, you can better mitigate errors. ProjectManager is online project management software that updates in real time, giving you all the latest information on your risks, issues and changes. Start a free 30-day trial and start managing your risks better.



Eight Steps to Establish a Firm Risk Management Program

Risk management is critical for all firms, including small- and medium-sized practices (SMPs). This is both in terms of protecting the assets, finances and operations of the firm and contributing to satisfactory legal compliance, corporate governance and due diligence. Effective risk management will protect the reputation, credibility and status of the firm.

It is important to establish a risk management “culture” in the firm. This emphasizes the importance of managing risk as part of each staff member’s daily activities at all levels of the firm. The goal of creating a risk management culture is to create a situation where partners and staff instinctively look for risks and consider their impacts when making effective operational decisions.

This article is part of a risk management series covering the benefits and steps of establishing a risk management program. The second article will highlight 10 steps for successful risk management, and the third focuses on business continuity planning and risk mitigation strategies. The articles are a result of discussions at recent IFAC SMP Committee meetings, which involve practitioners from around the world sharing their perspectives and insights, and of material included in the Guide to Practice Management for Small- and Medium-Sized Practices, which includes a whole module on risk management covering professionalism and ethics, client engagement, quality control, and business continuity planning and disaster recovery.

Implementing a risk management program provides many benefits, including:

  • More effective strategic planning;
  • Better cost control through enhanced workflows, client evaluation and engagement processes;
  • Increased profitability through better client and job controls;
  • Reduced risks of litigation as a consequence of processes and contingency plans;
  • Increased knowledge and understanding of exposure to risk;
  • A systematic, well-informed and thorough method of decision-making;
  • Less disruption and less rework through better understanding of process by all staff in the firm; and
  • Setting the scene for continual improvement within the firm.

Establishing a Risk Management Program

Eight steps to establishing a risk management program are:

  • Implement a Risk Management Framework based on the Risk Policy: When developing the firm’s risk management framework, consideration should be given to the services offered, marketing and communication, staff and human resources issues, information and resource management, regulatory obligations, IT issues and security, succession planning, acceptance and continuance of clients and cash flow management.
  • Establish the Context: Consider the goals and objectives of the firm and the environment in which it operates (e.g. cultural, legal and operational). Identify internal and external stakeholders (e.g. clients, personnel, consultants, agents, internal systems, third parties, suppliers, etc.).
  • Identify Risks: Identify existing and potential risks as well as existing controls. The potential risks can be categorized as services performed, contract risk, acceptance or continuance risk and performance risk.
  • Analyze and Evaluate Risks: Analyze and evaluate the risks on a continuing basis. This involves a comparison of exposure levels against a predetermined tolerance level, the degree of control, potential or actual losses, and the benefits and opportunities presented by the risk. One of the simplest models for identifying the cost of the controls and their adequacy is to consider the likelihood of occurrence of an event and the consequences of that event, e.g. Risk = Likelihood x Consequence. In assessing the level of the risk and identifying high and low risks, the process should include the firm’s existing and anticipated areas of practice; the composition, experience and expertise of the firm; the management and internal control procedures; the likelihood of being sued; and the process to assess new and existing clients. When assessing the kinds of risks the firm is exposed to, it is important to consider both internal and external risks. Internal risks may include staff, the business premises and location, threats to goodwill and reputation, and information technology. External risks may include clients and both current and potential competitors.
  • Treat Risks: Measures for treating the identified risks include:
      • Clarity on the terms of the engagement;
      • Obtaining adequate insurance and controlling claims once they have occurred;
      • Maintaining accurate documentation;
      • Ensuring timeliness of action and diary systems;
      • Only practicing in those areas where there is sufficient expertise; and
      • Implementing strict selection criteria for clients and consultants or agents used.
  • Communicate and Consult: Communicate and consult with all parts of the firm, as well as outside parties, to ensure that all are kept well informed. For example, to avoid having to assume responsibility for the client’s risk-taking, advise the client in writing of relevant dates and the consequences of the client failing to act. This transfers the risk of noncompliance back to the client, who must then act and/or follow up.
  • Monitor and Review: Monitor and review the risk management strategies on an ongoing basis. Over time, new risks are created, existing risks increase or decrease, risks cease to exist, the priority of a risk may change, or the risk treatment strategies may no longer be effective. Monitoring should comprise monitoring existing risks, identifying new risks, identifying any trouble spots, and evaluating the effectiveness of current risk treatment strategies. Monitoring ensures that new measures are introduced to control new risks as they emerge. Ongoing review is required to ensure that strategies remain relevant and that the overall risk control position is proportionate to the potential costs of the risk.
  • Record: Keep a written record of all policies and procedures, including documentation of the assessment process, the major risks identified and the measures designed to reduce the impact of those major risks. Failure to document policies can lead to breaches in performance due to misunderstanding or misinterpretation. A written set of policy statements supported by documented procedures provides a constant reference, a guide to action and a framework for checking that operations are conducted in the manner intended by the firm.


Monica Foerster

Partner at Confidor, Chair of IFAC's SMP Advisory Group

Monica Foerster became Chair of the IFAC SMP Advisory Group (SMPAG) in 2017, after serving as its Deputy Chair. An SMPAG member since 2014, she was nominated by Conselho Federal de Contabilidade (CFC) and Instituto dos Auditores Independentes do Brasil (IBRACON). With 20 years of experience in the accountancy profession, Ms. Foerster is a partner at Confidor, an accounting, tax, and law firm with offices in Porto Alegre and São Paulo, Brazil.

Monica is currently a member of the Board of Directors of Ibracon Brazil (where she was the SMP Director and coordinator of the SMP Working Group for 6 years), and a board member at the Accounting Council (where she was also the coordinator of the Committee of Audit Studies (CRCRS) for 4 years).

Monica holds an MBA in financial management, controllership and audit from the FGV – Fundação Getúlio Vargas, Brazil, and a degree in accounting from the Universidade Federal do Rio Grande do Sul – UFRGS, Brazil. 


Christopher Arnold

Christopher Arnold is a Director at the International Federation of Accountants (IFAC). He leads activities on contributing to and promoting the development, adoption and implementation of high-quality international standards, including the Member Compliance Program, Intellectual Property and Translations. Christopher is also responsible for IFAC’s SME (small- and medium-sized entities), SMP (small- and medium-sized practices) and research initiatives, which include developing thought leadership, public policy and advocacy. He was previously an Audit Manager for Deloitte and qualified as a professional accountant in a mid-tier accountancy practice in London (now called PKF-Littlejohn LLP). Christopher started his career as a Small Business Policy Adviser at the Association of Chartered Certified Accountants (ACCA).

National Academies Press: OpenBook

Guide for the Process of Managing Risk on Rapid Renewal Projects (2012)

Chapter 9: Implementing Risk Management Plan


9 IMPLEMENTING RISK MANAGEMENT PLAN

INTRODUCTION

As discussed in Chapter 8, the risk management plan is intended to optimize project performance through the following three basic elements:

• Specific actions whose purpose is to reduce particular individual risks, focusing on the higher-priority risks;
• Management of contingency to cover most of the residual risks and other uncertainties; and
• Recovery if established contingency is inadequate (i.e., to cover the rest of the residual risks and other uncertainties).

However, like any plan, the risk management plan must be appropriately implemented to be successful and actually achieve optimal project performance. Also like any plan, successful implementation requires the following (at a minimum):

• Responsibility—assignment of a risk manager and “owners” of significant individual risks;
• Commitment—the organization has to commit to the plan;
• Resources—adequate resources (funding and staff) have to be provided to carry out the plan; and
• Authority—specific individuals have to be given adequate authority, as well as resources, for carrying out their assigned plan responsibilities.

Adequately and efficiently implement the risk management plan:

• Proactively reduce individual risks.
• Address changing conditions.
• Establish, track, and control contingency.
• Decide on “recovery” (if needed).

A unique feature of the risk management plan, unlike most plans, is that it is actually an evolving document, with the expectation that it will be adjusted to reflect changes in the project as that project develops (including any changes due to recovery). This means that those project actions and conditions must be monitored and the plan periodically updated to reflect observed changes. For example:

• Planned risk reduction actions generally should be performed as planned. Their progress should be monitored and their actual impact on risks should be assessed. However, these plans might be adjusted on the basis of their progress and projected results, considering changing needs. For example, it might be determined (based on new information) that the risk being addressed is not as important as previously thought.
• Risks will either happen or not happen during various project phases. If they have not happened while their window is open, they will not happen after their window has closed and they can be retired in the risk register. Conversely, if they have happened, contingency should be reserved for that risk and this should be noted in the risk register. However, such expenditure of contingency must be carefully controlled.
• As conditions change, particular risks (either their assessed probability or impacts) whose windows have not yet closed can change (e.g., becoming either more or less likely). In fact, sometimes previously unidentified (“new”) risks are identified and should be assessed and included with the other existing risks. Such changes in remaining risks should be noted in the risk register.
• As noted above, realized risks might result in spending or reserving some of the established contingency, leaving less contingency for the rest of the project. Conversely, if few risks are realized, there might be excess contingency. The adequacy of the remaining contingency needs to be periodically reevaluated to give as much advance warning as possible of either possible future inadequacy (which might trigger recovery plans) or excess contingency (which can be released for other purposes).

This process of implementing the risk management plan (which includes monitoring, updating, and implementing protocols for making significant project decisions, for example, regarding contingency and recovery) needs to be effective but should also be efficient and compatible with the DOT organization and project.

PROCESS OF IMPLEMENTING THE RISK MANAGEMENT PLAN

Implementation of the risk management plan consists of first getting set up to carry out the plan, and then actually implementing the various elements of the plan. Preparing to carry out the plan requires the following steps:

• Organizationally committing to the plan;
• Assigning responsibility for the plan;
• Providing adequate authority and resources to carry out the plan; and
• Gathering and distributing information.

Without these steps, the plan likely will not be successfully implemented—it will be just another document on the shelf. As part of this, it is recommended that a risk manager, a position reporting directly to the project manager, be named for the project and given overall responsibility for implementing the plan; for small projects (which should not require much effort) the risk manager might simply be the project manager, whereas for larger projects (which might require significant effort) it would be a separate person (e.g., the assistant project manager). The risk manager then typically will delegate responsibility for various elements of the plan to those who are in the best position to complete them and will follow up with them to ensure that they actually complete those elements. For this to happen, the risk manager must be given adequate authority and resources (e.g., budget). However, this needs to be done as efficiently as possible to prevent wasting resources. For example, periodic risk management status meetings should be short and integrated into regular project status meetings. Similarly, risk management status reports should be streamlined, simply highlighting changes since the last report, and appropriately distributed in a timely fashion.

With an adequate organizational structure and set of procedures in place, the various elements of the plan can be successfully implemented. The basic elements of the plan, which are somewhat flexible in order to be most efficient, include the following (see Chapter 8):

• Risk reduction actions. A set of actions is specified in the risk management plan for reducing individual risks. These actions must be successfully performed to realize any risk reduction, although the actual amount of risk reduction, and typically to a lesser extent their cost and schedule to implement, will be uncertain beforehand. However, such actions can be adjusted (e.g., stopped) as their projected performance or need changes. The DOT must assign responsibility for each action, and then track progress of that action. The cost and schedule, as well as the results (in terms of risk reduction), of implementing that action will be reported. Figure 9.1 provides an example based on the Risk Management Plan form provided in Appendix C. In this example, the project team has determined that it will be more cost-effective to design around an area with a significant right-of-way risk. The management actions provide an estimate of the resources, an estimate of the risk reduction, and a person who is responsible for verifying that the risk plan has been implemented by a key milestone. Status updates can then be documented on this form.

[Figure 9.1. Contingency drawdown and recovery for project phases. Plot of contingency ($M, 0 to 7) against project phase (A, B, C), with cumulative, trigger and recovery series.]

Example Risk Reduction Action from Risk Management Plan (this is not the hypothetical case study):

Action: RUi(1). The team will design around areas where right of way may be an issue, specifically at US555-SH111 junction.
Responsible: Design lead, in conjunction with right-of-way lead.
Due: By end of preliminary design.
Notes: Need to get approval for design deviations.
Status: Action successfully completed, and risk eliminated <by name and date>.

• Contingency management. Contingency allowances for cost and schedule are established in the risk management plan to cover the residual risks (after they have been reduced) with appropriate confidence. As risks are realized, some of the contingency must be reserved to cover them. However, like any project costs, such expenditures must be carefully controlled; similarly, giving up project float in the project schedule must also be carefully controlled. Conversely, if few risks occur and contingency is not used, then the excess contingency can be released for other purposes. As shown in Figure 9.1, such contingencies are typically allocated to, and tracked by, the different phases of the project. For the case shown in red circles in this example, the contingency actually spent in each phase (and thus cumulatively) was less than that budgeted (e.g., in Phase A, only $2 million of the budgeted $3 million was spent); after each phase, unused contingency could be released. DOTs typically have established protocols for approving and tracking contingency expenditure and releases, with approvals generally required at higher organizational levels as the amounts increase.
• Recovery. Contingency (or recovery) plans are identified in the risk management plan just in case the contingency allowances are found to be inadequate (e.g., if a disproportionate number of significant risks actually happen). For example, if, as shown in the black square in Figure 9.1, the reserved contingency exceeds the allowable contingency during a phase, then recovery is triggered (e.g., in Phase A, $4 million was spent, which was $1 million more than the $3 million budgeted for that phase, meaning that there is not enough left for later phases). Typically, such plans are somewhat drastic (e.g., deferring or eliminating scope to save cost and/or schedule) and are only intended as a last resort. However, in general, each such plan is only possible up to a specific point in project development; for example, savings associated with deferring some scope cannot be realized once that scope has been built. Clearly, such decisions must be made at a high organizational level.

Because (as described above) the plans are somewhat flexible to adapt to changing conditions, to be successfully completed, each of the above elements of the risk management plan requires specific information at various points in time:

• The status and projected results of the various risk reduction actions, as well as projected needed performance improvements;
• The status or availability of contingency, as well as projected contingency needs; and
• The status or availability of recovery actions, as well as projected recovery needs.

In particular, to determine changes in needs (whether for risk reduction, for contingency, or for recovery), the changes in risks should be adequately monitored and updated. Such changes in risks are due to inevitable changes in project conditions with time. Monitoring is relatively quick, but informative. The following should be monitored periodically (e.g., monthly, or less frequently at moderately important points or changes in project development): project development status and conditions, risk reduction action status and projected results, existing risks, and contingency and recovery plans. These should be adequately documented (e.g., in a memorandum or directly in the risk register). For example: (a) the status of a risk reduction action is illustrated in the above example; (b) qualitative changes in risk might simply be described, including their cause; and (c) the status of contingency is illustrated in Figure 9.1. Updating is more involved (including reassessment and reanalysis, if needed), but also more informative, than monitoring. The following should be updated periodically (e.g., quarterly, or less frequently at important points or changes in project development, as indicated by monitoring): base performance, risks (including adding new risks), and contingency and recovery requirements. These should be documented (e.g., in the risk register and in the risk management plan).

CONCLUSIONS ON IMPLEMENTING THE RISK MANAGEMENT PLAN

The risk management plan consists of three main elements designed to optimize project performance: (1) plans for individual risk reduction actions; (2) protocols for contingency management; and (3) protocols for recovery plans. Because project conditions, and hence risks, inherently change as a project moves through the development process, the risk management plan is intended to be an evolving document, adjusting as the project develops. This in turn requires monitoring (e.g., of the progress and results of specific risk reduction action, of specific risks in the risk register, and of contingency) and periodic updating (e.g., of residual risks, of risk reduction plans, and of contingency requirements). This then requires a DOT commitment to carrying out the risk management plan, including assignment of responsibility (e.g., a designated risk manager), with adequate authority and resources, and ways to gather and distribute relevant information. This also needs to be an efficient process, compatible with the DOT organization and project.

Example Risk Register Update (this is not the hypothetical case study):

There was a risk of a landowner being unwilling to sell a parcel needed to construct a project. When it was first identified, there was a high probability (50%) that the owner would not be willing to sell and the impact of this risk was $500,000 and a 2-month delay, with an expected value of about $300,000 [including increased escalation and extended overheads (OHs)] and 1 month (critical path). However, as seen in a previous example, the management action was successfully taken to avoid this risk by designing around the parcel, at a cost of about $100,000 ($150,000 including increased escalation and extended OHs) and a 1-month delay. The resulting reduction in risk meant that about $300,000 and 1 month less contingency was required; however, the resulting cost ($150,000) and delay (1 month) of the mitigation effort had to be added to the base cost and schedule. Based on such updates of the various inputs, the contingency requirements (and recovery requirements) could be recalculated. Risk RUi updated <by name and date>.

Example

The hypothetical QDOT case study (see Appendix D), which is used to illustrate the various steps of the risk management process and includes a risk management plan (RMP, Appendix E), describes an effective and efficient implementation of its RMP following the principles and process outlined in this chapter, as documented in RMP Section 9 and summarized below. After QDOT developed the RMP, its implementation was adequately supported by management and adequate resources provided. The RMP included an organizational structure with specified responsibility and authority (i.e., the project manager served as the risk manager) to implement that RMP throughout project development. The project’s designated risk manager then successfully implemented that RMP, as follows:

• Proactively and cost-effectively reduced individual risks that were within QDOT’s control, including monitoring and updating the risks and the RMP over time, resulting in successful reduction of several large risks;
• Used established protocols for contingency control, including monitoring and periodic updating of contingency status (expended to date and capacity required for completion) and recommending contingency expenditure (to cover actual risk occurrences as needed) and releasing excess contingency (when no longer needed), resulting in adequacy of the initially established contingency throughout the project, with the unused contingency subsequently released; and
• Used established protocols for recovery decisions, including monitoring and periodic updating of recovery status (achieved to date and capacity required for completion) and recommending recovery actions as needed when remaining contingency was not sufficient, resulting in no recovery actions being required.
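The contingency drawdown and recovery protocol described with Figure 9.1 (per-phase allocations, release of unused contingency after a phase, recovery triggered when reserved contingency exceeds the phase allocation) and the risk register update example (a retired risk lowering the required contingency) can be expressed as a small tracker. The following Python is an added example written for this page; it is not code from the SHRP 2 R09 guide or its planning template. The Phase A figures ($3 million budgeted, $2 million spent in one case and $4 million in the other) and the 50% / $500,000 risk come from the chapter text; the budgets for Phases B and C, the second risk, and sizing contingency by plain expected value (the guide sizes it at a chosen confidence level) are assumptions.

```python
"""Contingency drawdown and recovery tracker (constructed example, not from the guide)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    """One risk register row; its expected value feeds required contingency."""
    risk_id: str
    probability: float      # chance the risk is realized, 0..1
    cost_impact: float      # cost if realized, in $M
    retired: bool = False   # set when the window closes or the risk is designed out

    def expected_value(self) -> float:
        return 0.0 if self.retired else self.probability * self.cost_impact


@dataclass
class Phase:
    name: str
    budgeted: float         # contingency allocated to this phase, $M
    spent: float = 0.0      # contingency reserved or spent so far, $M
    closed: bool = False


class ContingencyTracker:
    """Tracks per-phase and cumulative contingency and flags the recovery trigger."""

    def __init__(self, phases: List[Phase]):
        self.phases: Dict[str, Phase] = {p.name: p for p in phases}
        self.released: float = 0.0

    def record_spend(self, phase_name: str, amount: float) -> str:
        """Reserve contingency against a realized risk in the given phase.

        Returns "ok" while the phase stays within its allocation and "recovery"
        once reserved contingency exceeds it (the black-square case in the text)."""
        phase = self.phases[phase_name]
        if phase.closed:
            raise ValueError(f"phase {phase_name} is closed")
        phase.spent += amount
        return "recovery" if phase.spent > phase.budgeted else "ok"

    def close_phase(self, phase_name: str) -> float:
        """Close a phase; unused contingency is released rather than carried forward."""
        phase = self.phases[phase_name]
        phase.closed = True
        unused = max(0.0, phase.budgeted - phase.spent)
        self.released += unused
        return unused

    def cumulative(self) -> Dict[str, float]:
        return {
            "budgeted": sum(p.budgeted for p in self.phases.values()),
            "spent": sum(p.spent for p in self.phases.values()),
            "released": self.released,
        }


def required_contingency(risks: List[Risk]) -> float:
    """Sum of expected values of open risks (assumption: the guide sizes
    contingency at a confidence level, not by plain expected value)."""
    return sum(r.expected_value() for r in risks)


def demo() -> dict:
    # Constructed register: RUi mirrors the chapter's 50% / $0.5M example,
    # without the escalation and overhead adjustments; R02 is assumed.
    register = [Risk("RUi", 0.5, 0.5), Risk("R02", 0.2, 1.0)]
    before = required_contingency(register)      # 0.25 + 0.20 = 0.45 $M
    register[0].retired = True                    # designed around the parcel
    after = required_contingency(register)        # 0.20 $M

    # Red-circle case: Phase A budgeted $3M, $2M spent, $1M released at close.
    ok_case = ContingencyTracker([Phase("A", 3.0), Phase("B", 2.0), Phase("C", 2.0)])
    status_ok = ok_case.record_spend("A", 2.0)
    released_a = ok_case.close_phase("A")

    # Black-square case: $4M spent against the $3M allocation triggers recovery.
    bad_case = ContingencyTracker([Phase("A", 3.0), Phase("B", 2.0), Phase("C", 2.0)])
    bad_case.record_spend("A", 3.0)
    status_bad = bad_case.record_spend("A", 1.0)

    return {"before": before, "after": after, "status_ok": status_ok,
            "released_a": released_a, "status_bad": status_bad}


if __name__ == "__main__":
    print(demo())
```

The trigger is evaluated per phase, as the chapter describes; a DOT protocol that also caps cumulative spend would add a second comparison against the sum of the allocations to date.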

TRB’s second Strategic Highway Research Program (SHRP 2) S2-R09-RW-2: Guide for the Process of Managing Risk on Rapid Renewal Projects describes a formal and structured risk management approach specifically for rapid renewal design and construction projects that is designed to help adequately and efficiently anticipate, evaluate, and address unexpected problems or “risks” before they occur.

In addition to the report, the project developed three electronic tools to assist with successfully implementing the guide:

• The rapid renewal risk management planning template will assist users with working through the overall risk management process.

• The hypothetical project using risk management planning template employs sample data to give users an example of how to use the rapid renewal risk management template.

• The user’s guide for risk management planning template provides further instructions to users of the rapid renewal risk management template.

Renewal Project R09 also produced a PowerPoint presentation on risk management planning.

Disclaimer: This software is offered as is, without warranty or promise of support of any kind either expressed or implied. Under no circumstance will the National Academy of Sciences or the Transportation Research Board (collectively "TRB") be liable for any loss or damage caused by the installation or operation of this product. TRB makes no representation or warranty of any kind, expressed or implied, in fact or in law, including without limitation, the warranty of merchantability or the warranty of fitness for a particular purpose, and shall not in any case be liable for any consequential or special damages.

Errata: When this prepublication was released on February 14, 2013, the PDF did not include the appendices to the report. As of February 27, 2013, that error has been corrected.


How to Create a Project Risk Management Plan

By Kate Eby | February 27, 2023


Teams can use a project risk management plan to identify and assess the potential risks to a project. We’ve gathered expert tips on creating an effective risk management plan, as well as step-by-step instructions for creating an example plan.

On this page, you’ll find information on what to include in a project risk management plan and how to create a plan, as well as step-by-step instructions for completing an example project risk management plan.

What Is a Project Risk Management Plan?

Project teams create a project risk management plan , a document that helps identify and assess potential risks to a project. The plan outlines how your team will analyze and mitigate the potential risks to ensure project success.

The project risk management plan is one of the most important documents in project risk management. You can learn more about project risks in general — as well as specific types of project risks — in our comprehensive guides.

What Does a Risk Management Plan Cover?

A risk management plan should cover a number of areas detailing potential project risks and how your team will deal with them. It will include a description of the project, along with how your team will identify and assess risk.

At a minimum, your project risk management plan should include the following details:

  • Project description, including its purpose
  • The team plan for identifying, logging, and assessing potential risks
  • How the team will identify broad categories of risk
  • How the team will evaluate the severity of each potential risk
  • How your team will continue to monitor risks throughout the project
  • How team members will be assigned as owners of various risks
  • Your organization’s tolerance for certain risks, along with criteria for a risk being too large to accept

“A risk management plan defines how the risks for a project will be handled to ensure that the project can be completed within the set timeframe,” says Veniamin Simonov, Director of Product Management at NAKIVO , a backup and ransomware recovery software vendor. “The plan should cover methodology, risk categorization and prioritization, a response plan, staff roles, and responsibility areas and budgets.”

“The risk management plan will address ‘What are we going to do? How are we going to do it? What are the processes we're going to follow?’” says Alan Zucker, Founding Principal of Project Management Essentials . “It may include things such as what are the major categories you're going to use to define your risks. It might also include some guidelines for assessing risks.”

Components in a Project Risk Management Plan 

A project risk management plan will include certain components and describe how your project team will use certain tools to understand and manage potential risks. Some components include a risk register, a risk breakdown structure, and a risk response plan.

Here are components or tools that a project risk management plan often includes or describes:

  • Risk Register: A risk register is the document your project team will use to identify, log, and monitor potential project risks.
  • Risk Breakdown Structure: A risk breakdown structure is a chart that allows your team to identify broad risk categories and specific risks that fit within each category. Your team can decide on the broad categories, depending on your project.
  • Risk Assessment Matrix: A risk assessment matrix is a chart matrix that allows teams to score the severity of potential risks based on both the likelihood of each risk happening and the impact to the project if a risk happens.
  • Risk Response Plan: A risk response plan is a document that details how your team plans to respond to each potential risk to try to either prevent it from happening or lessen the impact if it does happen. You can learn more about project risk mitigation.
  • Roles and Responsibilities: The risk management plan can provide details on the project risk management team, including the lead member for risk management. It also likely details the roles and responsibilities each team member will have in addressing and dealing with specific risks.
  • Risk Reporting Formats: The risk management plan describes how the project team will document and report its work on monitoring and dealing with risks. It describes the risk register format that the team will use. It might also describe how risks will be added to or deleted from the register and how the project team will provide periodic summarized risk reports to top project and organization leaders.
  • Project Funding and Timing: The plan will likely have a section describing the overall funding and timing for the project. That section also likely details funding for all project risk management work.

To determine what you need to include in your risk management plan, see the following requirements based on project size:

An Organization’s Risk Management Plan Often Doesn’t Change with Projects  

Many risk management experts emphasize that an organization’s project risk management plans might not change much from project to project. That’s because the plan sets out particulars that will be followed for all projects.

“Remember, it's just an approach document that answers the question: How?” says Kris Reynolds, Founder and CEO of Arrowhead Consulting in Tulsa, Oklahoma. “The company or the department as a whole should have a single risk management plan that gets built as you're building your project management methodology. And it’s your Bible. It’s your guidebook. 

“But it isn't going to change across projects,” Reynolds continues. “What changes are the artifacts, including the risk register. But your approach of how you're going to address risk or analyze risk or plan for risk is in the project risk management plan document. As a company or organization, you create that document, and it exists for a year or two years without changing.”

To create a project risk management plan, your team should gather important documents and decide on an approach for assessing and responding to risks. This process involves gathering support documents, listing potential risk management tools, and more. 

Consider some of these basic steps and factors as you begin creating the project risk management plan:

  • Gather Supporting Documents: Gather and read through supporting documents related to the overall project, including the project and project management plan. It’s important for your project risk team to have a full view of project goals and objectives.
  • Frame the Context: Make sure your team understands both the business value of the project and the impact on the organization if the project fails.
  • Decide on Risk Assessment Criteria: Decide how your team will identify and assess important risks. That will require your team to have an understanding of which types of risks your organization can tolerate and which risks could be ruinous to the project.
  • Inventory Possible Risk Management Tools: Make a list of risk management tools and documents that your team might use to help identify and manage project risk.
  • Known Risks: At the start of a project, team members will be able to identify a number of known risks, such as budget issues, shortages of material, and human and other resource constraints, which are measurable and based on specific events.
  • Unknown Risks: At the start of a project, team members will not be able to identify a range of unknown risks that could impact your project. Those risks are not as easily or objectively measurable as known risks and can crop up at any point during a project. A main goal of project risk management is to help your team discover and address unknown risks before they happen.
  • Unknowable Risks: Your team will not be able to anticipate unknowable risks that could affect the project, such as catastrophic weather events, accidents, and major system failures.
  • Understand Human Bias: Studies have shown that people overestimate their ability to predict and influence the future. We often think we have more control than we do. Those biases can affect how we assess and manage risks in a project. We tend to give too much credence to what happened with past processes, fall into agreement with others in our group, and be more optimistic than we should be about how long a project will take or how much it will cost.  It’s important to account for all of those biases as your team identifies and assesses project risk.

Steps in Developing a Project Risk Management Plan

After your project team has gathered documents and done other preparation work, you will want to follow nine basic steps in creating a project risk management plan. Those start with identifying and assessing risks.

Here are details on the nine steps of project risk management to keep in mind while drafting your project risk management plan:

  • Identify Risks: Your team should gather information and request input from team and organization members to determine potential risks to the project. Some specific risks can threaten many projects. Other risks will vary, based on the type of project and the industry. “If you're talking about a software project, you could have risks associated with the technology, resources, and interdependencies with other systems,” says Zucker. “If you have vendors you're working with, there may be risks associated with the vendors. There may be risks that are software- or hardware-specific. If you're working on a construction project, those risks obviously would be very different.” You can learn more about project risk analysis and how to identify potential risks to a project.
  • Assess Potential Impact of Each Risk: After your team identifies potential risks, it can assess the likelihood of each risk, along with the expected impact on the project if the risk happens. Your team can use a risk matrix to identify both the likelihood and impact of each risk. You can learn more about how to create a risk matrix and assess risks.
  • Determine Your Organization's Risk Threshold and Tolerance: Your team will want to understand your organization’s risk threshold, or tolerance for risk. Organization leaders might decide that some risks should be avoided at all costs, while others are acceptable. Take the time to understand those views as you prioritize project risks.
  • Prioritize Risks Based on Impact and Risk Tolerance: Once your team assesses the potential impact of a risk and your organization's risk tolerance for risks, it will prioritize risks accordingly. “Prioritize risks based on their disruptive potential for an organization,” says Simonov.
  • Create a Risk Response Plan: Your team should then create a response plan for each risk that the team considers a priority. That response plan will include measures that could prevent the risk from happening or lessen the risk’s impact if it does happen.
  • Select Project Risk Management Tools: Your team will need to decide on the best risk management tools to use for your project. That will likely include a risk register and a risk assessment matrix. It might include other tools, such as Monte Carlo simulations. Learn more about various tools and documents to use in risk management.
  • Select an Owner for Each Risk: Each identified risk should have an assigned owner. In some cases, a department might be an owner of a risk, but most often, the team will assign individuals to monitor risks. In some cases, the owner will be responsible for dealing with the risk if it happens. Teams can list the owners of each risk on their project risk register. 
  • Determine Possible Triggers for Each Risk: As your team conducts a closer assessment of all risks, it should identify risk triggers where possible. Triggers are events that can cause a risk to happen. Your team won’t be able to identify triggers for all risks, but it will for some. For example, if you have a plant without sufficient backup power, a trigger could be warnings of a violent storm that could cause a power outage.
  • Determine How Your Team Will Monitor Risks: An important part of your plan includes recording concrete details about how your team will ensure that it can continually monitor risks throughout the life of a project.

Risk Management Plan Examples, Templates, and Components

Examples of project risk management plans can help your team understand what information to include in a plan. The risk management plan can also detail various components that will be part of your team’s risk management.

Project Risk Management Plan Template


Download the Sample Project Risk Management Plan Template for Microsoft Word  

Download this sample project risk management plan, which includes primary components that might be described in a project risk management plan, such as details on risk identification, risk mitigation, and risk tracking and reporting.

Download the Blank Project Risk Management Plan for Microsoft Word

Use this blank template to create your own project risk management plan. The template includes sections to ensure that your team covers all areas of risk management, such as risk identification, risk assessment, and risk mitigation. Customize the template based on your needs.

Project Risk Register Template


Download the Sample Project Risk Register for Excel

This sample project risk register gives your team a better understanding of the information that a risk register should include to help the team understand and deal with risks. This sample includes potential risks that a project manager might track for a construction project.

Download the Blank Project Risk Register Template for Excel  

Use this project risk register template to help your team identify, track, and plan for project risks. The template includes columns for categorizing risks, providing risk descriptions, determining a risk severity score, and more.  

Quantitative Risk Register Template


Download the Sample Quantitative Project Risk Impact Matrix for Excel

This sample quantitative project risk impact matrix template can help your team assess a project risk based on quantitative measures, such as potential monetary cost to the project. The template includes columns where your team can assess and track the probability and potential cost of each project risk. The template calculates a total monetary risk impact based on your estimates of probability and cost.

Risk Breakdown Structure Template


Download the Risk Breakdown Structure Template for Excel

Your team can use this template to create a risk breakdown structure diagram that shows different types of risks that could affect a project. The template helps your team organize risks into broad categories.

Step-By-Step Guide to Creating a Project Risk Management Plan

Below are step-by-step instructions on how to fill out a project risk management plan template. Follow these steps to help you and your team understand the information needed in an effective risk management plan.

This template is based on a project risk management plan template created by Arrowhead Consulting of Tulsa, Oklahoma, and was shared with us by Kris Reynolds.

  • Cover Section: Provide information for the cover section, also known as the summary section. This will include the name of the project, the project overview, the project goals, the expected length of the project, and the project manager.
  • Risk Management Approach: Write a short summary of your organization's overall approach to project risk management for all projects, not only the project at hand. The summary might describe overall goals, along with your organization’s view of the benefits of good project risk management.
  • Plan Purpose: Write a short summary explaining how the plan will help your team perform proper risk management for the project.
  • Risk Identification: Provide details on how your team plans to identify and define risks to the project. Those details should include who is assigned to specific responsibilities for risk identification and tracking, as well as what information and categories will be included in your team’s project risk register.
  • Risk Assessment: Provide details on how your team will assess the probability and potential impact of each risk it has identified. Your team should also include details on any risk matrices it plans to use and how the team will prioritize risks based on those matrices.
  • Risk Response: Provide details on the ways your team can choose to respond to various risks. In the case of high-priority risks, that will include prevention or mitigation plans for each risk. In the case of low-priority risks, or risks that might be prohibitively expensive to mitigate, it might include accepting the risk with limited mitigation measures.
  • Risk Mitigation: Provide more details on how your team plans to lessen the likelihood  or impact of each risk. Your team should also provide details on how it will monitor the effectiveness of prevention and mitigation strategies, and change them if needed.
  • Risk Tracking and Reporting: Provide details on how your team plans to track and report on risks and risk mitigation activities. These details will likely include information on the project risk register your team plans to use and information on how your team plans to periodically report risk and risk responses to organizational leadership.

Do Complex Projects Require More Complex Project Risk Management Plans? 

Experts say that complex projects shouldn’t require more complex project risk management plans. A project might have more complex tools, such as a more detailed risk register, but the risk management plan should cover the same basics for all projects.

“The problem is, most people get these management plans confused. They then start lumping in the artifacts [such as risk registers] — which can be more complex and have more detail — to the risk management plan itself,” says Reynolds. “You want it to be easily understood and easily followed.

“I don't think the complexity of the project changes the risk management plan,” Reynolds says. “You may have to circulate the plan to more people. You may have to meet more frequently. You may have to use quantitative risk analysis. That would be more complex with more complex projects. But the management plan itself —  no.”

Effectively Manage Project Risks with Real-Time Work Management in Smartsheet

From simple task management and project planning to complex resource and portfolio management, Smartsheet helps you improve collaboration and increase work velocity -- empowering you to get more done. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.


  • Companies with mature risk management were better poised to handle crises, with 71% acknowledging its benefits, compared with only 37% of less prepared companies.
  • Effective risk management requires a strong strategic foundation in combination with effective operative implementation, with 58% of top performers citing the central strategic risk management team as a success factor during crises.
  • Starters in risk management must first fix the basics, while leaders have the burden of maintaining frameworks and processes.

Mature Risk Management in Uncertain Times: Global ESG, Compliance, and Risk Report 2023

By Julia Gebhardt, Katharina Hefter, Juliane Butters, Eva Kalteier, Matteo Coppola, Bernhard Gehra, Thomas Pfuhler, Jeanne Kwong Bickford, Abhinav Bansal, and Pierre Roussel

Companies—in particular, in industries outside the financial sector—navigated the risk management challenges of the COVID-19 pandemic and the Ukraine conflict with varied outcomes. Some emerged strengthened and renewed, while others faltered. What strategies did top-performing companies employ to manage these challenges effectively, and what insights can others learn from them?

BCG's Global ESG, Compliance, and Risk Report 2023 delves into these questions. The report assesses the status of risk management, drawing insights from a comprehensive survey of senior executives across industries globally. It further outlines actionable steps that businesses can implement to bridge the gap between risk management aspirations and achievements.

The report has three main conclusions:

1. Companies that had proactively cultivated mature risk management emerged from these crises thankful that they had done so. Their experience with such unpredictable and highly volatile events was notably smoother than that of competitors without equally mature risk management strategies. The disparity was stark: 71% of companies with mature risk management agreed that these capabilities helped mitigate the many potential negative outcomes from these crises, while only 37% with less robust risk management concurred. Clearly, investing in risk management yielded significant dividends during critical moments.

2. Our study also pinpoints what mature risk management means in practice. Effective risk management during intense crises rests on a crucial interplay: a strong strategic foundation in combination with effective operative implementation. The corporate center first sets the overall strategy. Then, the various business units and subsidiaries bring it to life, firmly integrating risk management within the entire organization’s culture and daily processes. In companies with mature risk management, the corporate center and the outlying units and entities cooperate closely and constantly.

In fact, 58% of top performers cited the central strategic risk management team as a success factor during crises. Other key factors were embedding risk management into strategy and planning processes (46%) and data and analytics (also 46%). The latter finding underscores that data analysis, together with artificial intelligence (AI) and generative AI in particular, are essential elements of advanced risk management.

3. Both starters and leaders in risk management face distinct challenges. Starters can gain insights from the path taken by leaders but must first solidify foundational elements, such as obtaining senior management's endorsement to prioritize risk management. Leaders, given their advanced risk management capabilities, have the burden of maintaining more developed frameworks and processes. While starters primarily focus internally within their organization, leaders are also attuned to the external environment and its emerging risks, such as the rapid growth of regulatory scrutiny.

It is imperative for starters to elevate their risk management maturity to fully harness the benefits outlined in our study. The report explains how they can make that happen.



A risk management plan can help minimise the impact of risks that could weaken your cash flow or damage your brand. It will also help create a culture of sensible risk awareness and management in your business.

Our Crisis planning template and checklist includes a risk management plan:

Follow these steps to create a risk management plan that's tailored for your business.

1. Identify risks

What are the risks to your business?

For example:

  • data breach
  • contamination
  • power outage

Some risks will cause major disruption while others will be a minor irritation.

2. Assess the risks

Assess the risks that you've identified.

Try to estimate the:

  • potential severity of each risk
  • likelihood that it might happen

Prioritise your risk planning based on the results of your assessment.

3. Minimise or eliminate risks

Some risks are preventable, so eliminate or minimise these where possible. For some risks, it might be as simple as installing an alarm system or buying extra personal protective equipment (PPE).

Check your insurance

Insurance is one way to reduce the impact of an event or disaster.

For example, business interruption insurance can make sure that you receive your average earnings for the insured period until you're able to start operating again.

Make sure your insurance is enough to cover you in the event of a significant disruption to your business.

4. Assign responsibility for tasks

Identify what needs to happen if a crisis or disaster occurs and who is responsible for each action. Having clear directions is one of the simplest and most powerful tools for a fast recovery.

5. Develop contingency plans

Come up with contingency plans for how you'll continue or resume your operations if a crisis occurs. Your contingency plan is basically your 'plan B' for risks that you can't avoid completely.

Your contingency plans will depend on the:

  • type, style and size of your business
  • extent of the damage

6. Communicate the plan and train your staff

People in or connected to your business must be aware of the strategies you've put in place to mitigate or recover from a disaster situation.

To do this:

  • Decide if you'll communicate by phone, email, text or other means.
  • Create procedural statements.
  • Inform the relevant people (such as staff, suppliers, contractors and service providers).

Next, train your staff in your procedures and have them practise. This way if a disaster occurs, the process can take over and guide the staff.

7. Monitor for new risks

Risks can pop up during day-to-day operations, so it's important to know how to identify potential risks before they escalate.

Continuously monitoring for risks will help you develop realistic and effective strategies for dealing with issues if they occur.

4 Steps To Build an Effective Project Risk Management Process


What is the risk management process, and why is it necessary?

In short, the process has four steps:

  • Understand and identify risks.
  • Assess the identified risks.
  • Create a response plan.
  • Monitor and control risks.

Following these steps minimizes risks and keeps your projects on track.

No matter how experienced you are as a project manager or how well you plan project tasks, things can still go wrong. There are some risks that you can't entirely avoid or manage. And this is in addition to your core job of keeping projects on track to achieve goals.

So, how do you deal with unexpected project risks? Risk planning is the solution.

Planning for risks is key to project success. You can't stop every problem, but you can prepare for them in advance so your project schedule is not disturbed.

If you don’t know where to begin with project risk management, you are in the right place. In this blog, we list four steps to set up an effective risk management process that will help ensure your projects are completed on time and with utmost efficiency. But first, let's learn the basics!

The risk management process is a critical step in project management. It helps identify potential risks and devise a plan to address them before they cause any serious issues and eventual project failure.

This process typically involves risk identification, assessment, response, monitoring, and reporting. For most projects, the risk management process helps tackle three types of risks: technical, organizational, and external.

Technical risks: These are risks associated with the technology involved in your project. They might include failure in design or construction, problems with software or hardware, or issues with data security.

Organizational risks: These risks come from within your company; for example, when a project team member quits or when your business doesn’t have adequate funds.

External risks: These risks come from outside your organization. Some examples are natural disasters, market fluctuations, economic instability, and pandemics.

To ensure your projects work well and meet their goals, it’s important to have a risk management strategy in place. It will help you avoid or reduce any negative impact the risks may have.


1. Understand and identify risks

Every project involves some risks. It's important to understand and identify risks that could impact your project and take steps to manage and reduce them before they become too big to handle. There are many different ways to identify risks, but it’s best to use a technique that fits your project.

Here are some risk identification techniques to determine and assess potential project risks:

Have brainstorming sessions. Get together with the project team and related stakeholders to brainstorm risk scenarios. This way everyone is on the same page and understands what could go wrong with the project. If a potential risk does materialize, you’ve already thought of a plan to fix it, in most cases.

Use a risk matrix. It’s a tool that rates the probability (low, medium, high) and impact (low, medium, high) of each risk to help you focus on the most likely issues and plan steps for risk mitigation.

Maintain a risk register. By recording information about each risk (such as its description, potential impact, and likelihood), a risk register helps track which threats have been identified and what actions have been taken to mitigate them.

Perform SWOT analysis. By assessing the strengths, weaknesses, opportunities, and threats of your project, you can consider all possible risks that may occur and plan steps to prevent or reduce them.

Leverage a cause-and-effect diagram. By assessing the causes and effects of each probable risk, you can identify potential project issues that you may not have otherwise considered.

2. Assess the identified risks

Once you have identified all possible risks, it’s time to assess how they could affect your project. This step is called risk analysis, and it helps figure out which project threats should be prioritized and what actions should be taken. It involves understanding the consequences of each potential risk event.

Qualitative risk analysis vs. quantitative risk analysis

Qualitative risk analysis is a subjective process that helps assess project crises on a scale of likelihood and impact. It’s used to prioritize project risks and is often employed when little risk data is available or the threats are difficult to quantify.

Quantitative risk analysis relies heavily on data and is often used when it’s easy to quantify risks. It’s usually conducted by experts to make decisions about responding to project risks. This risk analysis approach assigns numerical values to likelihood and impact and then uses mathematical models to calculate the total project risk.

Here are four ways to assess risks accurately:

Risk probability and impact matrix: This matrix helps prioritize risks by assessing how likely they are to happen and how much damage they could do to your project.

Risk ranking: This method ranks risks according to their severity so you can focus on the most critical project issues first.

Risk heat map: This map visualizes risks that are most likely to negatively influence your project.

Risk breakdown structure: This helps you break down risks into categories and subcategories so you can better understand and assess them.

3. Create a response plan

After identifying and assessing risks, the next step is to create a response plan to mitigate them. A clear, detailed response plan will identify potential risks and define how each one will be handled. It will also identify who is responsible for each step in the response process. This way, everyone involved knows their role and can take action quickly.

The following tips will help you use a response plan to manage risk events efficiently:


Things to keep in mind when creating a risk response plan

Make sure your plan is achievable and realistic. It's important to have a plan that you can actually implement rather than something impossible or overly ambitious.

Make sure your plan is comprehensive. Your plan should address as many potential risks as possible.

Make sure your plan is timely. The sooner you can put your project risk management plan into action, the better.

Make sure your plan is adaptable. Your plan should be flexible enough to accommodate changes and unexpected events.

Make sure your team is involved. Your team should be familiar with the plan and know their role in implementing it.

Make sure to update your plan regularly. The risk response plan should be updated as new information becomes available.

4. Monitor and control risks

The risk management process is not a “set-and-forget” task, so you must track it regularly. The final step of this process is to ensure you are aware and in control of all identified project vulnerabilities. This includes implementing risk mitigation measures, tracking and reporting the risk status, and preventing further threats.

Regular risk monitoring and control helps execute the response plan as planned. It also ensures any new risks are accounted for and existing ones are kept under control.

Let’s discuss a few measures to monitor and control risks:

Perform trend analysis. Spot patterns or trends in the risk data and identify any potential hazards that may have been missed.

Conduct risk audits. Assess the overall effectiveness of your risk management process and identify improvement areas.

Use risk simulation. Test different project risk scenarios (e.g., what would happen if a supplier failed to deliver a critical component) and check how they impact your project’s outcome.

Implement a risk management plan. Mitigate any project uncertainties that may arise.

Adjust risk control. As the project progresses, adjust risk control measures such as increasing or decreasing the monitoring frequency based on changes in the project risk landscape.

Bring everything together to make your projects risk-free

The best way to prevent project risks from turning into actual issues is to have a well-run risk management process. The steps we discussed can help reduce the chances of nasty surprises in your project roadmap. They can also ensure your project stays on track and delivers the intended results. So go ahead, put your risk management process into action and celebrate project success!


About the author.


Shubham Gupta

Shubham Gupta is a writer at Capterra, covering project management and advertising with a focus on emerging small business trends. He believes in ideating and creating purpose-driven content to help businesses succeed. As part of the content space since 2016, Shubham has written about education, technology, lifestyle, human interest, and social relevance. Outside of work, he enjoys annoying his dog, reading Urdu poetry, and watching thrillers while sipping a heavenly brewed cup of coffee.


The Risk Management Process: 4 Essential Steps

  • 27 September 2021


In Project Risk Management and the Elements of Risk Management Implementation, we looked at what risk management is and the essential elements for implementing risk management into your organization. In this article, we look at the process of risk management and how to identify, assess, and respond to project risks.

The Risk Management Process is a clearly defined method of understanding what risks and opportunities are present, how they could affect a project or organization, and how to respond to them. 


The 4 essential steps of the risk management process are:

  • Identify the risk.
  • Assess the risk.
  • Treat the risk.
  • Monitor and Report on the risk.

Four steps of the risk management process: identify, assess, treat, and monitor & report

Step 1: Risk Identification

The first step in the risk management process is to identify all the events that can negatively (risk) or positively (opportunity) affect the objectives of the project:

  • Project milestones
  • Financial trajectory of the project
  • Project scope

These events can be listed in the risk matrix and later captured in the risk register.

A risk (or opportunity) is characterized by its description, causes and consequences, qualitative assessment, quantitative assessment and mitigation plan. It can also be characterized by who is responsible for its action. Each of these characteristics is necessary for a risk (or opportunity) to be valid.

In order to be managed effectively, the Risks and Opportunities (R&O) identified must be as precise and specific as possible. The title of the risk or opportunity must be succinct, self-explanatory and clearly defined. 

All members of the project can and should identify R&O, and the content of these is the responsibility of the Risk (or Opportunity) Owners. Risk Managers are responsible for ensuring that a formal process for identifying risks and developing response plans is conducted through exchanges with risk owners. We will explain each of these roles in further detail in our next article on Risk Management Team Roles.

Below are examples of tools to help identify R&O:

  • Analysis of existing documentation
  • Interviews with experts
  • Conducting brainstorming meetings
  • Using the approaches of standard methodologies – such as Failure Modes, Effects and Criticality Analysis (FMECA), cause trees, etc.
  • Considering the lessons learned from R&Os encountered in previous projects 
  • Using pre-established checklists or questionnaires covering the different areas of the project (Risk Breakdown Structure or RBS).

Step 2: Risk Assessment

There are two types of risk and opportunity assessments: qualitative and quantitative. A qualitative assessment analyzes the level of criticality based on the event’s probability and impact. A quantitative assessment analyzes the financial impact or benefit of the event. Both are necessary for a comprehensive evaluation of risks and opportunities.

Qualitative Assessment

The Risk Owner and the Risk Manager will rank and prioritize each identified risk and opportunity by occurrence probability and impact severity, according to the project’s criticality scales.

Evaluating occurrence probability (P):

It is determined preferably from experience and the progress of the project, or else by consulting a risk expert, and is expressed on a scale of 1 to 99%.

For example, suppose the risk that: “the inability of supplier X to conduct studies on a modification Y by the end of 2025” is 50% probable. This could be determined from feedback and analysis of the supplier’s workload.

Evaluating impact severity (I):

To assess the overall impact, it is necessary to estimate the severity of each of the impacts defined at the project level. A scale is used to classify the different impacts and their severities. This ensures that the assessment of the risk and opportunity is standardized and reliable.

The criticality level of a risk or opportunity is obtained by the equation: Criticality = P x I

The purpose of the qualitative assessment is to ensure that the risk management team prioritizes the response on critical items first.

Quantitative Assessment

In most projects, the objective of the quantitative assessment is to establish a financial evaluation of a risk’s impact or an opportunity’s benefit, should it occur. This step is carried out by the Risk Owner, the Risk Manager (with support of those responsible for estimates and figures), or the management controller depending on the organizational set up in the company. These amounts represent a potential additional cost (or a potential profit if we are talking about an opportunity) not anticipated in the project budget.

For this, it is necessary to estimate:

  • Hours of internal engineering
  • Hours of subcontracting
  • Additional work to do
  • Amendments and/or claims made to contracts

and then to calculate the cost of the undesired event’s consequences by adding these values.

This step will make it possible to estimate the need for additional budget for risks and opportunities of the project.

Step 3: Risk Treatment

In order to treat risks, an organization must first identify its strategies for doing so by developing a treatment plan. The objective of the risk treatment plan is to reduce the probability of occurrence of the risk (preventive action) and/or to reduce the impact of the risk (mitigation action). For an opportunity, the objective of the treatment plan is to increase the likelihood of the opportunity occurring and/or to increase its benefits. Depending on the nature of the risk or opportunity, a response strategy is defined for the project. The following 7 strategies are possible:

funnel diagram showing the 7 risk or opportunity response strategies

7 Risk Response Strategies

  • Accept: Do not initiate any action but continue to monitor.
  • Mitigate/Enhance: Reduce (for a risk) or increase (for an opportunity) the probability of occurrence and/or the severity of impact.
  • Transfer/Share: Transfer responsibility of a risk to a third party who would bear the consequences of the problem (share the benefits of a realized opportunity).
  • Avoid/Exploit: Entirely eliminate uncertainty / take advantage of the opportunity. 

Monitoring the progress of the treatment plan is the responsibility of the risk owner. They must report regularly to the risk manager, who must keep the risk register up to date.

Note: The cost of a risk mitigation plan must be integrated into the budget of the project.

When defining a treatment plan:

  • Each action begins with an action verb and has a clear purpose.
  • Each action has an actionee and a deadline.
  • Actions that could generate costs must be tracked and considered in the project.
  • For example: to reduce the risk of my car breaking down, a treatment plan could be to have it checked annually by a repair shop.

When does risk become an issue?

line diagram showing the point in time at which a risk becomes an issue

It is possible that, despite the actions put in place to mitigate or prevent it, a risk probability could increase and reach 100%. Once a risk is confirmed, we no longer refer to it as a risk but as an issue. The Risk Manager must then inform the various project stakeholders who will relay that a risk has become an issue and transfer it to the issue log.
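A small risk register that applies the rules from Steps 2 and 3 in code (criticality = P x I, the four quantitative cost components, and the promotion of a risk to the issue log once its probability reaches 100%). This is an added Python example, not tooling from the article's authors; the hourly rates, the 1 to 5 severity scale and the extra sample risks are assumptions, while the supplier X risk is the page's own example.

```python
"""Risk register implementing the page's assessment and escalation rules.

Added example; not the article's own tooling. Assumptions (labelled):
- probability P uses the page's 1..99% scale, stored as an int percentage
- impact severity I is an integer on a project-defined scale, here 1..5
- criticality = P x I, exactly the page's formula
- quantitative cost = the sum of the four cost components the page lists
- a risk whose probability reaches 100% leaves the register and is
  recorded in the issue log, as the page describes
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CostEstimate:
    """Cost components named in the Quantitative Assessment step."""
    internal_engineering_hours: float = 0.0
    subcontracting_hours: float = 0.0
    additional_work: float = 0.0       # direct cost, project currency
    contract_amendments: float = 0.0   # amendments and/or claims, project currency

    def total(self, internal_rate: float, subcontract_rate: float) -> float:
        """Cost of the event's consequences: hours priced at (hypothetical) rates plus direct costs."""
        return (self.internal_engineering_hours * internal_rate
                + self.subcontracting_hours * subcontract_rate
                + self.additional_work
                + self.contract_amendments)


@dataclass
class Risk:
    title: str                 # succinct and self-explanatory, as the page requires
    probability_pct: int       # 1..99 while the item is still a risk
    impact: int                # severity on the project's criticality scale (1..5 here)
    owner: str                 # Risk Owner accountable for the treatment plan
    cost: CostEstimate = field(default_factory=CostEstimate)
    is_opportunity: bool = False

    def criticality(self) -> int:
        """The page's qualitative formula: Criticality = P x I."""
        return self.probability_pct * self.impact


class RiskRegister:
    """Register kept up to date by the Risk Manager; confirmed risks go to the issue log."""

    MAX_PROB = 99    # page: probability scale runs 1..99%
    MAX_IMPACT = 5   # assumption: five-level severity scale

    def __init__(self, internal_rate: float, subcontract_rate: float) -> None:
        self.internal_rate = internal_rate
        self.subcontract_rate = subcontract_rate
        self.risks: Dict[str, Risk] = {}
        self.issue_log: List[Risk] = []

    def add(self, risk: Risk) -> None:
        """Reject entries that the page's validity rules would not accept."""
        if not 1 <= risk.probability_pct <= self.MAX_PROB:
            raise ValueError(f"{risk.title}: probability must be 1..{self.MAX_PROB}%")
        if not 1 <= risk.impact <= self.MAX_IMPACT:
            raise ValueError(f"{risk.title}: impact must be 1..{self.MAX_IMPACT}")
        if not risk.title.strip() or not risk.owner.strip():
            raise ValueError("a valid risk needs a title and a responsible owner")
        self.risks[risk.title] = risk

    def prioritized(self) -> List[Risk]:
        """Qualitative assessment: the team responds to the most critical items first."""
        return sorted(self.risks.values(), key=lambda r: r.criticality(), reverse=True)

    def additional_budget(self) -> float:
        """Quantitative assessment: risks add unplanned cost, opportunities offset it."""
        total = 0.0
        for r in self.risks.values():
            amount = r.cost.total(self.internal_rate, self.subcontract_rate)
            total += -amount if r.is_opportunity else amount
        return total

    def update_probability(self, title: str, new_pct: int) -> Optional[Risk]:
        """Re-assess P. At 100% the risk is confirmed: it becomes an issue and leaves the register."""
        risk = self.risks[title]
        if new_pct >= 100:
            risk.probability_pct = 100
            del self.risks[title]
            self.issue_log.append(risk)
            return risk
        if not 1 <= new_pct <= self.MAX_PROB:
            raise ValueError(f"{title}: probability must be 1..{self.MAX_PROB}% or 100")
        risk.probability_pct = new_pct
        return None


def demo_register() -> RiskRegister:
    """Constructed sample data: the page's supplier X risk plus two hypothetical entries."""
    reg = RiskRegister(internal_rate=80.0, subcontract_rate=120.0)  # hypothetical rates
    reg.add(Risk("Supplier X cannot complete studies on modification Y by end of 2025",
                 probability_pct=50, impact=4, owner="procurement lead",
                 cost=CostEstimate(internal_engineering_hours=200, additional_work=10000,
                                   contract_amendments=5000)))
    reg.add(Risk("Key test engineer leaves the project", probability_pct=20, impact=5,
                 owner="engineering manager", cost=CostEstimate(internal_engineering_hours=100)))
    reg.add(Risk("Early delivery of test rig allows extra validation", probability_pct=30,
                 impact=2, owner="test lead", cost=CostEstimate(additional_work=8000),
                 is_opportunity=True))
    return reg


if __name__ == "__main__":
    register = demo_register()
    for r in register.prioritized():
        print(f"{r.criticality():>4}  {r.title}  (owner: {r.owner})")
    print("additional budget needed:", register.additional_budget())
```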

Step 4: Risk Monitoring and Reporting

Risks and opportunities and their treatment plans need to be monitored and reported on. The frequency of this will depend on the criticality of the risk or opportunity. Developing a monitoring and reporting structure ensures there are appropriate forums for escalation and that the agreed risk responses are being actioned.


In the previous article we identified the Risk and Opportunity Management Plan or ROMP as one of the five essential elements of Project Risk Management. It should include not only the project stakeholders and steering members, but the governance cadence for monitoring and reporting on risks and opportunities. How this is organized and governed is defined by the Risk Manager in conjunction with the Project Manager.

We will go over both of these roles as well as additional roles within the Risk Management Team in more detail in our next article.

This article was written by: Marie BELGODERE, Jérémie CLAUSTRE, Capucine COMTE, Alioune DIALLO, Emmanuel LATGE, Jessy MIGNOT, Ingrid NGOBAY, Pierre PETILLON, Louann SUGDEN, Chris WAMAL .


How to Implement Risk Management Framework (Quick Guide)

Meeba Gracy


Sep 02, 2023


“Risk Management lets you appreciate the risk while you let someone else shoulder all the worry.” – Anthony T. Hincks

Risk is a natural part of business and of any project you undertake. Whether in day-to-day operations or financial choices, risk is always present. But there’s a smart way to handle it: a Risk Management Framework. This approach allows you to understand the risks while others handle the stress.

In this article, we’ll take you through it step by step. We’ll define risk management, break down its key elements, its importance, and provide core strategies that you can use to navigate risks effectively. 

Let’s dive in…

What is the Risk Management Framework?

A Risk Management Framework serves as a structured template and guiding principle that enterprises employ to discern, mitigate, and curtail risks. The RMF can be traced back to the National Institute of Standards and Technology, which devised it with the main goal of safeguarding the information systems of the United States government. It also helps prevent losses, such as losing advantages over other companies or facing legal problems.


Originally, the RMF was meant to help federal agencies comply with regulations such as the Privacy Act of 1974 and the Federal Information Security Modernization Act of 2014 (FISMA). Over time, these guidelines, crafted by NIST, have found usefulness beyond federal agencies. Now, private organizations also see their value in managing risks effectively.

Importance of risk management framework

A risk management framework is important because it is a go-to strategy that helps you discover possible problems in your company. This plan helps you see the risks that are already present or that might arise in the future.

For example, consider a company that stores lots of valuable information, like customer data and financial records, on its computers and therefore needs a solid plan for cybersecurity risks. Without a risk management framework in place, it is exposed to the following risks:

  • Data Breach Risk  
  • Reputation Damage  
  • Legal Troubles  
  • Financial Loss  
  • Business Impact

So, having a risk management plan is like bringing an umbrella in case it rains unexpectedly. It keeps the company safe and helps it make smart choices. Also, if a company takes too many risks without a good plan, it can change how others see it and even affect its financial situation.

How to implement a risk management framework?

Implementing a risk management framework is undeniably critical in the risk management process. If implementation falls short, it could mean not using the carefully designed framework you’ve dedicated significant time and energy to build. 

However, with Sprinto all these steps will fall easily into your plan. You don’t need to put in so much manual effort, which was a thing of the past. But what is Sprinto? Sprinto is a compliance automation platform that helps you get compliant in no time. 

This is because 90% of the effort involved in implementing a risk management framework for your company is automated with the help of Sprinto. To know how it works, just get in touch with our experts and take a demo call. Also, I will get a brownie point if you do 🙂

But first things first, here is how you can start:


Step 1: Prepare your information systems

This step supports all the other steps we will explore in the framework. It pulls together guidance from different NIST publications and incorporates requirements from the Office of Management and Budget (OMB) policy, or sometimes a mix of both. 

Occasionally, your company might have already included some of the tasks from the Prepare step within your existing risk management program. 

The main objectives of this step are to:

  • Simplify the process of implementing your RMF
  • Advance your IT modernization goals
  • Save security and privacy resources
  • Give utmost priority to protecting your most critical assets and systems
  • Ensure the privacy of individuals

Step 2: Create a category for your information systems

To get the ball rolling, you need to organize your IT systems based on your company’s main goals, financial plans, and industry. To better understand security categories and potential risks, you need to follow the guidance provided by NIST in FIPS 199. This helps you determine which information and systems need the highest coverage against internal and external vulnerabilities. 

Step 3: Select the necessary security controls 

NIST has created a wide collection of security controls that organizations anywhere can apply to their systems. Choose the specific controls from this collection that match your organization’s security requirements. Sprinto has control mapping to make this easier and will help you monitor these controls. These controls matter because they mitigate cyber risks and safeguard the assets of your company.

Step 4: Implement your security controls

Once you’ve picked the appropriate security controls for your IT systems, it’s time to implement them. You can proceed to the next stage if these controls function as expected and meet all required regulatory standards.

Step 5: Assess your security controls

With the initial setup complete, evaluating how well your security controls are performing is now necessary. The aim is to ensure that they consistently meet the set standards. You can perform this evaluation on your own, or you can use tools like Sprinto (Compliance automation platform). This significantly reduces your manual effort, and you don’t need to assess it constantly!

Step 6: Get authorization from senior officials for your Information Systems

If the previous steps have produced positive outcomes, you’re ready to give the green light for the wider IT risk management framework implementation. If other people are involved in decision-making, like stakeholders and executives, make sure to get their approval as well.

Step 7: Continuously monitor and review the controls with Sprinto

The last step is to continuously monitor and assess your risk management plans. Things change – new risks pop up, old ones shift, some might disappear, and priorities can shift. This is why you must keep an eye on what’s already in place, spot any new issues, find trouble areas, and see if your current strategies are still doing the job.

But the manual process of checking every time is simply arduous. This is why you need a continuous compliance tool (like Sprinto). This is your time to transition to a compliance system that operates continuously and seamlessly integrates with your existing systems. Anytime something fails, you will get an alert, and you can navigate to Sprinto’s all-in-one dashboard to resolve the issue.


Sprinto gathers high-quality evidence for audits automatically, maintains your compliance status through ongoing monitoring, and sustains compliance progress by automating the resolution of issues and compliance-related tasks. 

To understand more about continuous monitoring, read the following case study – Audit & Assurance firm Sensiba LLP on why ‘continuous readiness’ should be the goal of compliance programs !

Here’s the highlighted citation from the firm: “Managing compliance in one place makes visibility easy to achieve and helps everyone keep track of what’s happening.”

Risk management framework examples

Here are some risk management framework examples:

Strategic risks 

  • Business vitality decrease from competition, healthcare changes, and pricing pressure
  • Intellectual property and trade secrets loss
  • Rising trade barriers due to protectionism and nationalism
  • Challenges accessing affordable, quality healthcare due to limitations in healthcare systems
  • Reputation damage and loss of public trust

Compliance risks

  • Ensuring the safety of clinical trial subjects/patients
  • Handling personal information following data privacy rules
  • Prioritizing employee health and safety
  • Adhering to rules in selling and promoting products, including healthcare compliance and global anti-corruption laws
  • Meeting requirements for U.S. government contracts/programs
  • Concerns regarding the quality, safety, and effectiveness of products
  • Dealing with major legal proceedings, including product liability cases

Operational risks

  • Disruption in the flow of goods and information within the organization, suppliers, and consumers
  • Business continuity or resilience getting compromised
  • Risks with procurement and suppliers, including human rights concerns
  • Challenges in getting vital materials and labor
  • Resources being used inefficiently and product costs rising

Financial risks

  • Unfavorable financial outcomes or economic performance
  • Shifts in tax regulations leading to possible extra tax responsibilities
  • Instability in currency exchange rates, alongside inflation and currency devaluation
  • Errors in financial reporting
  • Exposure to credit-related risks

Environmental risks

  • More frequent and intense severe weather events like storms and floods
  • Rise in pollution because of insufficient waste management
  • Incorporation of unsustainable materials in the product lifecycle

Cybersecurity risks

  • Data breach or fraudulent activities
  • Disruption to the availability of crucial information systems
  • Security issues arising from critical third-party incidents that affect business operations

Continuous Improvement with Sprinto

No matter your business’s industry, dealing with risks is inevitable. It’s just part of running a business. Yet, how you handle these risks can determine whether your business flourishes or falters.

Since risk management can be complex, it’s smart to rely on a seasoned expert like Sprinto. Integrate Sprinto seamlessly into your tech setup through ready-to-use connections and personalized APIs to ensure nothing is overlooked. Now you can streamline and automate tasks like monitoring controls and gathering evidence. 

And then, you will attain a detailed perspective on your compliance status and access to higher levels of efficiency, all in one place.

Schedule a call with us now to know more!

What are the 4Ts of risk management?

The 4 Responses to Risks are Tolerate, Terminate, Treat, and Transfer. This is a concise and effective method to outline various approaches for handling enterprise risks.

What are the four 4 elements of risk management?

The 4 elements of risk management are:

  • Risk Identification
  • Risk Assessment
  • Risk Action Management
  • Risk Reporting and Monitoring

How much does risk assessment software cost?

The cost of risk assessment software varies based on the vendor you choose. If you choose Sprinto, you can get it done within a fraction of the cost. However, the platform cost starts from $5000, and more premium vendors charge up to $25k.

Meeba, an ISC2-certified cybersecurity specialist, passionately decodes and delivers impactful content on compliance and complex digital security matters. Adept at transforming intricate concepts into accessible insights, she’s committed to enlightening readers. Off the clock, she can be found with her nose in the latest thriller novel or exploring new haunts in the city.




Steps to Implementing Project Risk Management for Your Project

Editorial Team


For your business’s project to be successful, you’ll need to implement a solid project risk management strategy.

Without project risk management, even the most tightly planned projects may end in failure. This important concept allows companies to identify and appropriately plan for any risks that may occur, so that they can adjust to potential difficulties and the project can continue with as little interruption as possible.

For those without a solid project risk management strategy in place, unexpected errors can cause significant delays and even failure. It’s for this reason that business owners should ensure that a proper plan is in place before implementing new strategies.

Below, we include a comprehensive guide to building the perfect project risk management strategy. Keep the below information in mind as you work to bring your company’s project to successful completion.

Our step-by-step guide will walk you through the four basic steps that you’ll need to take in order to build the perfect project risk management plan.

1. Plan Risk Management

The first step in the development of a project risk management strategy has two parts: planning and preparing a risk management plan.

Proper risk management planning requires business owners and managers to follow a four-step process. This process includes:

  • Conducting planning sessions
  • Involving project stakeholders
  • Complying with their organization’s objectives and policies
  • Standardizing project templates

Let’s take a look at each of these four requirements in turn.

For starters, the risk management planning process starts with conducting planning sessions with relevant individuals. These meetings work to facilitate discussion among project members in order to develop the groundwork for their risk management plan.


Next, management should be sure to involve all stakeholders in the process. As stakeholders bear part of the business’s risks, companies should make sure that they have a say regarding the eventual risk management plan.

Of course, this plan must comply with the company’s objectives and policies in a general sense, as well. For example, a company must learn to handle risks in such a way that it proves beneficial to both its image and its bottom line.

Finally, during this planning portion, those involved must start creating and standardizing the list of documents that will be used during the risk management process. These documents include risk registers (which record information about all risks), risk status reports (which record the current status of each risk), and risk breakdown structures (which create a hierarchy of risks).

Having standardized documents will ensure that all teammates are working in unison, helping lead to a faster resolution of any risks faced.

Following the risk management planning phase, organizations should start on the second phase: developing a risk management plan.

A risk management plan outlines the company’s response in the event that a certain potential risk becomes a reality. For a risk management plan to be successful, it must include all of the following:

  • Project Description
  • Risk Management Methodology
  • Roles and Responsibilities
  • Stakeholder Risk Tolerance
  • Communication Plan
  • Risk Breakdown Structure

As you can see, the risk management plan should be an involved document that provides a comprehensive overview of the company’s response to any risks faced during the project management cycle.

The first step to developing a project risk management is to include a project description. This description should give all involved a clear idea of what your project is and where it is headed.

Next, a risk management methodology must be established. This outlines your company’s plan in the event that your project encounters a certain risk.

Part of having an established methodology includes knowing the specific roles of every team member in helping address risks that your project may face. For this to be a success, project managers and team members alike should have a clear understanding of what their roles will be in the risk management process. By clearly defining these roles, you can streamline your company’s response when or if a risk is encountered.

Next, those involved must establish the stakeholder risk tolerance. This refers to the amount of risk that stakeholders are willing to accept for a project. This tolerance level may differ from organization to organization, or even from project to project, depending on the views and values of stakeholders.

After this has been established, those involved need to ensure that their plan is communicated clearly and fully to relevant parties. Once this has been done, a risk breakdown structure should be created. Risk breakdown strategies define the scope of certain potential risks and provide a hierarchy. This structure organizes risks into separate categories based on how they might affect the company.

With this information, management and stakeholders then create a risk management strategy that will serve to guide the team throughout the project management process.

2. Identify Risks

The next step of the risk management process is to identify risks. It’s during this process that the team brainstorms possible risks that might affect the outcome of the project.

There are several methods to identify risks. These include:

  • Brainstorming
  • Cause and Effect Diagrams
  • Affinity Diagrams
  • Root Cause Analyses
  • SWOT Analyses

Let’s look at each of these effective methods in turn.

Interviews are conducted to find the right individuals and the approaches appropriate for determining the risks that could face the project. Brainstorming, on the other hand, involves team members using their knowledge to predict a vast number of potential issues with the project.

Cause and effect diagrams attempt to show a correlation between parts of a business plan and potential risks that could be associated with them. Root cause analyses work to show a similar cause and effect relationship between different situations.

To better illustrate the points being made, many companies tend to use affinity diagrams. These diagrams organize verbal information into different categories to allow team members to more effectively process the information.

An audit occurs when a company decides to have a separate group, either internal or external, evaluate the situation to assess for any additional risks that may not have been caught.

Finally, SWOT analyses work to identify strengths, weaknesses, opportunities, and threats facing a project. These can be used to identify both internal and external threats.

Before moving on to the final steps of the risk management process, let’s first look at two different types of risk analyses that a company can take: qualitative and quantitative. Keep in mind that companies should use both of these techniques to get a comprehensive look at any risks facing the project.

Qualitative Risk Analysis

In any risk management plan, a qualitative risk analysis is performed first. This analysis allows for companies to prioritize and categorize risks based on certain subjective qualities unique to the project.

This analysis has five steps:

  • Select Risk Characteristics
  • Collect and Analyze Data
  • Prioritize Risks
  • Categorize Risk Causes
  • Document Results

The first step of the process involves selecting risk characteristics. Here, risks are identified by their potential impact on the project. For example, do they pose issues of money or time? Will they affect company morale or public perception?

Next, the data needed to perform the analysis is collected. Then, this data is analyzed by a set of standards already established in the risk management plan. This often includes analyzing them based on their probability and their impact to the company. When multiplied together, these values provide each risk a score that can help prioritize them based on how pressing they are to the project.

Next, these risks are categorized based on their causes, with the results being documented for use by the team throughout the project.

Once this is done, a quantitative risk analysis must be performed.

Quantitative Risk Analysis

Next, a certain number of these risks will be analyzed with a quantitative risk analysis. These are usually determined based on the score these risks received from the qualitative risk analysis already performed.

In fact, the first step of a quantitative risk analysis is to perform a qualitative risk analysis. Consider the five steps of the quantitative risk analysis process below:

  • Risk Prioritization (Qualitative Risk Analysis)
  • Examine Relationship between Risks
  • Collect High Quality Risk Data
  • Perform Quantitative Risk Analysis

Following risk prioritization, companies must then determine what relationship exists between different risks. Then, high quality data regarding the probability and the potential impact of each risk must be gathered. This is often collected by looking at historical cases and making a future estimate.

Once this is done, a quantitative risk analysis is performed. This will determine the financial impact of risks on a project, as well as the amount of additional time that may need to be spent resolving these risks. Keep in mind that only a small portion of the overall risks need to be analyzed in this manner.

Because of the important and in-depth nature of a quantitative risk analysis, it’s imperative that team members use only high-quality data. Common risk analysis techniques include the Monte Carlo Simulation and Decision Tree Analyses.

Once these have been run, results are recorded to be reviewed and used by all involved.
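As an added illustration of what a quantitative risk analysis produces (this is example code, not the article’s method or anything from its authors), the Python below runs a Monte Carlo simulation over a small set of constructed project risks. Each risk has a probability of occurring and triangular (minimum, most likely, maximum) estimates for its cost and schedule impact, the kind of figures that historical cases yield; the simulation reports the mean and the P50/P80/P90 exposure in dollars and days, and the analytic expected cost is computed alongside as a sanity check on the simulation. The risk names, probabilities and figures are all constructed.

```python
"""Monte Carlo quantitative risk analysis for a project (added example).

Each risk carries a probability of occurring and two triangular
(min, most likely, max) estimates: cost impact and schedule impact.
The simulation draws many project runs and reports expected and
percentile exposure. All risks and figures below are constructed.
"""
import random
from dataclasses import dataclass
from typing import List, Tuple

Triangle = Tuple[float, float, float]  # (min, most likely, max)


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float    # chance the risk materialises during the project
    cost: Triangle        # cost impact in dollars if it does
    delay_days: Triangle  # schedule impact in days if it does


@dataclass(frozen=True)
class Exposure:
    mean_cost: float
    cost_p50: float
    cost_p80: float
    cost_p90: float
    mean_delay: float
    delay_p90: float
    share_with_no_loss: float  # fraction of runs in which no risk occurred


def triangular_mean(t: Triangle) -> float:
    return sum(t) / 3.0


def expected_cost(risks: List[Risk]) -> float:
    """Analytic expectation (probability x mean impact), for cross-checking the simulation."""
    return sum(r.probability * triangular_mean(r.cost) for r in risks)


def expected_delay(risks: List[Risk]) -> float:
    return sum(r.probability * triangular_mean(r.delay_days) for r in risks)


def percentile(sorted_values: List[float], q: float) -> float:
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def simulate(risks: List[Risk], runs: int = 20000, seed: int = 7) -> Exposure:
    rng = random.Random(seed)  # fixed seed: the analysis is reproducible and reviewable
    costs: List[float] = []
    delays: List[float] = []
    for _ in range(runs):
        total_cost = 0.0
        total_delay = 0.0
        for r in risks:
            if rng.random() < r.probability:  # does this risk occur in this run?
                lo, mode, hi = r.cost
                total_cost += rng.triangular(lo, hi, mode)  # random.triangular(low, high, mode)
                lo, mode, hi = r.delay_days
                total_delay += rng.triangular(lo, hi, mode)
        costs.append(total_cost)
        delays.append(total_delay)
    costs.sort()
    delays.sort()
    return Exposure(
        mean_cost=sum(costs) / runs,
        cost_p50=percentile(costs, 0.50),
        cost_p80=percentile(costs, 0.80),
        cost_p90=percentile(costs, 0.90),
        mean_delay=sum(delays) / runs,
        delay_p90=percentile(delays, 0.90),
        share_with_no_loss=sum(1 for c in costs if c == 0.0) / runs,
    )


# Constructed sample risks: probability, cost (min, likely, max), delay (min, likely, max)
SAMPLE_RISKS: List[Risk] = [
    Risk("key supplier misses delivery", 0.30, (20_000, 40_000, 100_000), (5, 10, 30)),
    Risk("critical finding in pre-release security review", 0.50, (5_000, 15_000, 40_000), (2, 7, 21)),
    Risk("regulatory change adds compliance work", 0.10, (50_000, 80_000, 200_000), (10, 30, 60)),
]


if __name__ == "__main__":
    e = simulate(SAMPLE_RISKS)
    print(f"expected cost (analytic)  {expected_cost(SAMPLE_RISKS):>10,.0f}")
    print(f"mean cost (simulated)     {e.mean_cost:>10,.0f}")
    print(f"P50/P80/P90 cost          {e.cost_p50:,.0f} / {e.cost_p80:,.0f} / {e.cost_p90:,.0f}")
    print(f"mean delay / P90 delay    {e.mean_delay:.1f} / {e.delay_p90:.1f} days")
```

The P80 or P90 figure, not the mean, is what sizes a contingency reserve: the distribution is heavily skewed, with a sizeable share of runs in which no risk occurs at all and a long tail driven by the low-probability, high-cost item. The fixed seed keeps the analysis reproducable for anyone reviewing it, and the analytic expected cost gives a quick check that the simulation is wired correctly.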

After these analyses have been run, it’s time to complete the final two steps of the risk management process.


3. Plan Risk Responses

With risks identified, management and stakeholders must then plan responses to them.

To do this, they must plan a risk response strategy that provides specific guidelines on what must be done in the event that a risk is encountered. A risk response strategy must consider the following items:

  • Avoid or Exploit
  • Transfer or Share
  • Mitigate or Enhance

Under the first strategy, businesses must decide if they would avoid—not accept—a risk, or if they would exploit—take advantage of—the possible benefits a risk offers.

Transferring a risk refers to outsourcing it to a third party, while sharing it would require both third-party and in-house responsibilities.

Mitigating a risk looks to minimize the impact it has on project operations. Enhancing a risk works to increase the possibility that a risk occurs. It can be differentiated from exploiting a risk in that the approach isn’t as aggressive and leads more to chance.

Finally, the last option businesses have is to accept the risk and work their plan around it.

4. Monitor and Control Risks

The final step of the risk management process is to monitor and control risks. During this stage, companies use the information gathered in the first three steps to keep a constant eye on potential risks throughout the project management process.

To do this, two different actions must be taken: status reviews and audits.

Status reviews in particular are an involved process and cover:

  • Managing Contingency Reserves
  • Tracking Trigger Conditions
  • Tracking Overall Risks
  • Tracking Compliance

Status reviews provide updated information on the current state of risks affecting a project. To do this, companies must be able to accurately manage the contingency reserve—the money set aside to deal with any unpredicted risks.

Next, status reviews involve tracking trigger conditions—those conditions that might cause a certain risk to occur. This can help mitigate situations before the risk is realized.

Additionally, business owners must keep stock of and track overall risks and compliance. This allows a business to know where they stand in relation to the risks they face, as well as manage their responses to them.

Finally, an audit can be conducted to ensure that the company is appropriately monitoring and controlling risks. This is often done by a third-party that can bring fresh eyes and objectivity to the table, providing for a more accurate final report.

The Bottom Line

The risk management process proves important to the overall success of a project. For projects to come to fruition, management and stakeholders must first decide what levels of risk are acceptable.

This can be done by following the four-step process outlined above. By identifying and planning for certain risks, companies can then prioritize them and discover the best risk management strategy.

Keep this information in mind as you plan your company’s next project in order to achieve the most successful results possible.


© 2023 Copyright ProjectPractical.com


Implement a risk management process


This guidance is designed to help your business meet your risk management obligations. You may choose a different way to manage risk which is more suited to your business and the risks it faces.

What is risk and risk management?

In simple terms, risk is a combination of the:

  • chance that something may happen, and
  • the degree of damage or loss that may result if it does occur.

Risk management is the process of recognising risks and developing methods to both reduce and manage those risks. This requires the development of a method to identify, prioritise, and control risks, and then monitor how effectively risks are being managed.

In a risk management process, risks are assessed against the chance of them occurring (likelihood) and the amount of loss or damage (impact) that may result if they do happen.

Which risks do you need to manage?

You need to manage the risk that your business may be exploited for money laundering, terrorism financing and other serious crimes. This is known as money laundering and terrorism financing (ML/TF) risk.

Managing risk does not mean operating in a completely risk-free environment – this is not realistic. Instead, you must identify the risks your business faces and then find the best ways to reduce and manage those risks. This should be in proportion to the size of your business, the risks you face, and the resources you have available.

The four-step risk management process

On this page, you will find a summary of a four-step process to help you to manage ML/TF and regulatory risks.

The steps are:

  • Identify risks
  • Assess and measure risks
  • Apply controls
  • Monitor and review effectiveness.

1. Identify risks

Identify the ML/TF risks that exist for your business when providing designated services. You must consider the risks posed by:

  • your customers
  • your products and services
  • your business practices/delivery methods (channels)
  • the countries you do business in or with (jurisdictions).

The following are some examples of the types of risk that you may find for each of these categories.

Customers

  • the type of customer – for example, an individual, sole trader or company etc.
  • new customers
  • customers who want to carry out large transactions
  • a customer or group of customers making lots of payments to the same recipient
  • customers who have a business which involves large amounts of cash
  • a customer whose identification is difficult to check
  • customers who use large amounts of bank notes and/or small denominations.

Products and services

  • remittance service
  • gambling/wagering account
  • superannuation fund account
  • digital currency exchange
  • banking products.

Business practices/delivery channels

  • face to face
  • online/internet
  • third-party agent or broker.

Countries (jurisdictions)
  • any country or particular region of a country in which you may do business
  • any country subject to trade sanctions
  • any country known to be a tax haven, source of narcotics or other significant criminal activity.

2. Assess and measure risks

Once you have identified the risks your business faces, each risk needs to be assessed and measured in terms of the chance (likelihood) it will occur and the severity or amount of loss or damage (impact) which may result if it does occur.

The risk level associated with each event is a combination of the likelihood that the event will occur and the impact it could have.

Likelihood x Impact = Risk level

Likelihood refers to the potential of a particular risk occurring in your business.

Three levels of likelihood are provided as examples, but you can have as many as you need for your business.

  • Very likely : Almost certain – it will probably occur several times a year
  • Likely : High probability it will happen once a year
  • Unlikely : Unlikely but not impossible.

Impact refers to the seriousness of the damage which could occur if the risk happens.

You know your business, and are in the best position to know what impacts may affect it and how those impacts would affect it. Some examples of impacts to think about could include:

  • How your business would be affected by a financial loss from a crime.
  • The risk that a particular transaction may result in a terrorist act and loss of life.
  • The risk that a particular transaction may result in funds being used for any of the following: corruption, bribery, tax evasion, drug trafficking, human trafficking, illegal arms trading, terrorism, theft, or fraud.

Note that these do not cover every scenario and are not prescriptive.

Three levels of impact are shown here, but you can have as many as necessary for your business:

  • Major : Severe damage
  • Moderate : Moderate level of damage
  • Minor : Minimal damage.

Once you assess the likelihood and impact of each risk, you can determine the risk level based on these two factors. Following is an example of how you could use a risk matrix and risk score to determine the risk level posed by customers.

Risk matrix and risk score

You can use a risk matrix to combine the likelihood and impact to obtain a risk score. The risk score may be used to aid decision making and help in deciding what action to take in view of the overall risk.

How the risk score is derived can be seen from the risk matrix and risk score table shown below. Four levels of risk are shown, but you can have as many as you believe are necessary.
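The probability-times-impact scoring described for the qualitative risk analysis in the project article above and the Likelihood x Impact matrix in this guidance come down to the same arithmetic. The following Python is an added example, not code from AUSTRAC or from either article: it encodes the three likelihood and three impact levels given here, bands the resulting 1 to 9 score into four named levels, prioritises a list of risks by score, and maps each level to the kind of control this guidance lists as examples in step 3. The level names (low, medium, high, extreme), their score cut-offs, the level-to-control mapping and the sample customer risks are all assumptions a business would set for itself.

```python
"""Risk matrix scoring: likelihood x impact -> risk score -> risk level (added example).

The three likelihood and three impact levels follow the guidance; the four level
names, their score cut-offs and the level-to-control mapping are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Likelihood(IntEnum):
    UNLIKELY = 1      # unlikely but not impossible
    LIKELY = 2        # high probability it will happen once a year
    VERY_LIKELY = 3   # almost certain; will probably occur several times a year


class Impact(IntEnum):
    MINOR = 1         # minimal damage
    MODERATE = 2      # moderate level of damage
    MAJOR = 3         # severe damage


# Assumed banding of the 1..9 product into four levels, highest threshold first.
LEVEL_BANDS: List[Tuple[int, str]] = [(9, "extreme"), (6, "high"), (3, "medium"), (1, "low")]

# Assumed level -> response mapping, built from the example controls in step 3.
RESPONSES: Dict[str, str] = {
    "low": "standard identification and verification; routine monitoring",
    "medium": "additional verification; periodic review of the relationship",
    "high": "management approval; limits on transaction amount and frequency",
    "extreme": "do not accept the customer or transaction; escalate to the compliance officer",
}


def risk_score(likelihood: Likelihood, impact: Impact) -> int:
    """Likelihood x Impact = Risk level (a score in 1..9)."""
    return int(likelihood) * int(impact)


def risk_level(score: int) -> str:
    """Map a score to a named level using the assumed bands."""
    for threshold, name in LEVEL_BANDS:
        if score >= threshold:
            return name
    raise ValueError(f"score out of range: {score}")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: Likelihood
    impact: Impact

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)

    @property
    def response(self) -> str:
        return RESPONSES[self.level]


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact, then name, so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score, -int(r.impact), r.name))


def risk_matrix() -> Dict[Tuple[Likelihood, Impact], str]:
    """The full 3x3 matrix, useful for printing or for reviewing a banding scheme."""
    return {(lk, im): risk_level(risk_score(lk, im)) for lk in Likelihood for im in Impact}


# Constructed customer risks, phrased after the examples in this guidance.
SAMPLE_RISKS: List[Risk] = [
    Risk("new customer, identification difficult to check", Likelihood.LIKELY, Impact.MAJOR),
    Risk("cash-intensive business using small denominations", Likelihood.VERY_LIKELY, Impact.MODERATE),
    Risk("occasional small online transaction", Likelihood.VERY_LIKELY, Impact.MINOR),
    Risk("transaction with a sanctioned country", Likelihood.UNLIKELY, Impact.MAJOR),
]


if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.score}  {r.level:<8} {r.name}: {r.response}")
```

Two things to check when you adopt a scheme like this: the bands must cover every product the matrix can produce (the `risk_matrix` function makes that easy to eyeball), and a high-impact, low-likelihood item such as the sanctioned-country transaction can land in the same band as a trivial high-frequency one, which is why the tie-break above prefers impact and why the guidance stresses that a level is an aid to judgement rather than a verdict.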

Risk score/level and response table

3. Apply controls to manage risks

This step is about determining how to manage the risks you have identified and assessed. Managing ML/TF risks involves applying your systems and controls. Examples of risk reduction or controls could be:

  • setting transaction limits for high-risk products (for example limiting the amounts or frequency of transactions)
  • having a management approval process for higher-risk products or customers
  • a process to place customers in different risk categories and apply different identification and verification methods
  • not accepting customers who wish to transact with a high-risk country.

The following table provides an example of how you could record this information.

Example: Customers

It is important to keep in mind that if a customer, transaction or country is identified as high risk it does not necessarily mean that criminal activity is occurring or will occur.

The opposite is also true. Just because a customer or transaction is seen as low risk, this does not mean the customer or transaction is not involved in criminal activity. Your knowledge of your business and common sense should be applied to your risk management process.

4. Monitor and review

Once documented, your business should develop a method to regularly evaluate whether your AML/CTF program is working correctly. If not, you need to work out what needs to be improved and put changes in place. This will help keep your program effective and also meet the requirements of the AML/CTF Act.

For more information about AUSTRAC’s expectations for businesses to continuously review their risk assessment, download Insights: Assessing ML/TF Risk (PDF, 439KB).

Keeping records and regularly doing an evaluation of your risk and AML/CTF program is essential. Risks change over time, for example, changes to your customer base, your products and services, your business practices and the law. Whenever you update your AML/CTF program, you must keep a record of the previous version/s for seven years from the date it is replaced.



Implementation of the Risk Management Plan

by MyMG Team · June 2, 2011

In addition, the implementation can be done in various ways. For instance, in a marketing campaign project a number of implementation approaches for the risk management plan are available to develop or maintain a competitive advantage. They include such methods as creating barriers to market entry, establishing competitive pricing, dumping, using new unique technology, innovation, adjusting or reorganizing personnel management, etc. Each of these methods implies a very different set of tools for implementation.

However, no matter what methods and tools you choose to implement your risk management plan, there are three fundamental activities that define the success of the overall implementation process. These are:

  • Resource Acquisition. Before you can start implementing your risk management plan you need to be certain that the correct quantity of required resources is available and ready for use. You can obtain the resources in a range of ways, for example by purchasing with credit, renting/leasing, sub-contracting, shared arrangements, partnership, etc.
  • Resource Flow. It is important to manage the flow of resources. The key idea behind this is to ensure that the resources are available at appropriate levels in the needed places at the required time. Hence the flow of resources should be managed in terms of quantity, location and time. If the use of resources is optimized, then the risk management process is likely to generate optimum output.
  • Resource Coordination. When the resources are acquired and allocated in a proper way, you then need to coordinate the use of resources throughout the implementation process. The coordination requires you to develop detailed operational plans and conduct day-to-day oversight of the operations.

All the resources available for performing your risk management initiative are the driving force that lets you make decisions on the scope of the implementation process. The way you acquire, use and coordinate the resources within the process determines the future of your project effort. Your resources include people, finances, time, buildings, technology and other assets.

Reviewing the Plan

During the implementation of the risk management plan it is very important to ensure that the plan remains current and effective. Regular reviews help determine whether the plan provides feasible and effective risk mitigation activities, assigned to the individuals who are responsible for the success of the implementation process.

Throughout the process, risk identification should be repeated so that changing circumstances are taken into consideration when responding to risks; hence the risk management plan should clearly identify which people are responsible for maintaining it.

Reporting on the Results

It is common practice in effective project implementation to include the outcome of the risk management activities in certain project reports, so that it can be taken into account when deciding how efficiently the project has been performed and whether the risk management plan has been implemented appropriately. Team reports need to have a separate section dedicated to risk management results, showing which threats have been identified, which opportunities have been exploited and how all of this has been managed. The risk register is used as the primary source of information on the identified risks and the ways of mitigating them. If no risks have been identified and managed, an appropriate record of that should still be made in the team reports.



