Develop a Risk Strategic Plan You Can Use
Put your risk management strategic plan on one page with this template.
Effective risk management strategic planning connects your enterprise strategy to specific initiatives for your function. Done well, your risk management strategy should provide a clear roadmap to deliver on your business goals.
Use this proven one-page risk management strategy template to:
- Build a successful risk strategic plan
- Communicate your risk strategy with precision and clarity
- Secure buy-in from business partners
- Execute your strategic objectives on time and within budget
About Gartner Risk Strategic Plan Template
The Gartner Risk Strategic Planning Template helps risk leaders define the roadmap for executing the key actions required to meet risk strategic goals in alignment with the enterprise business model and goals. Additionally, it helps you create and communicate a clear action plan that states where the risk function currently is, where it needs to be, how to get there and how you will measure progress.
Webinar: 7 Key Trends That Will Impact Your Strategic Planning
Inflection points and wild cards continually threaten to shake up industries. However, future-fit organizations survive disruption by actively sensing and responding to changes. This complimentary webinar will help risk executives scope key macro and environmental trends that could impact their organization’s business models and risk management strategies.
Strategic Risk Management: A Complete Overview (With Examples)
What is strategic risk?
Strategic risk is the probability of the organization’s strategy failing. It is an estimation of the future success of the chosen strategy. Since strategy is a set of clear decisions, strategic risk reflects the aggregate of the risks of those decisions.
At its core, strategic risk affects an organization's overall strategy. It can sometimes be difficult to spot and manage.
This means that, particularly at an executive level, leaders and teams need to be able to look for strategic risks and, instead of categorizing them as things to hedge or mitigate, develop the acumen to ask the appropriate questions:
- Are we going to resist this, avoid it or maybe push it away?
- Or do we embrace it, use it as an indicator for the market and take it as an opportunity for a strategic change?
Why strategic risk management is important
Organizations that fail to do proper risk management face significant threats. At times, they face existential threats. Kodak was a pioneer in the photography space (they actually filed a patent for one of the first digital cameras), but they lost the digital camera race. Blockbuster made $6 billion in revenue at its peak, but there is only one store left in the world!
MySpace was once one of the dominant social networks until Facebook came along. You could argue that these companies failed to innovate. Maybe, but they also failed to evaluate the threat properly and the risk involved in not dealing with it.
Every great company takes risks.
Smartphones, eReaders, car-sharing services, even natural cleaning products — so much of what we as consumers now take for granted was a brave step, once upon a time. But Apple, Amazon, Zipcar and Method didn’t launch their category-defining products overnight.
These organizations safeguarded their success with a strong risk management strategy. They knew what success would look like, which factors could cause them to fail, what failure could cost them, and how they would respond to obstacles in their path.
Managing strategic risk is an essential activity for all businesses, whether you’re launching an innovative solution to market or just trying to stay ahead of the competition.
Understanding the dangers (however small) and their potential impact (however minor) empowers leaders at different levels to make smart, well-informed decisions.
That’s easier said than done.
Risk management is a dynamic process - it shifts focus as internal and external influences change. It also requires joined-up thinking and communication across an organization.
If you’re tasked with strategic planning and execution within your business, it can seem like an insurmountable task. Yet, armed with the right information, you can help ensure that your organization achieves its goals.
The two kinds of strategic risk factors
Internal strategic risk factors
Every business has strategic objectives and established routines.
Strategic risk relates to the dangers companies face in trying to accomplish their strategic objectives. Even though your plan might seem viable and on track for success, analyzing the strategic risks involved can help organizations identify obstacles (or opportunities) — and address them before it’s too late.
Strategic risks relate to a business’s internal choices, such as product development routines, advertising, communication tools, sales processes, investments in cutting-edge technologies, and more. These all directly impact function, performance, and overall results.
External strategic risk factors
Some strategic risks originate outside the company.
These could apply to the current or projected environment into which products will be released.
It’s often easier to understand strategic risk through real-world examples. For instance, a new type of smartphone might be in high demand today, but economic changes could lead to a drop in commercial interest, leaving the business in a totally different position than it might have expected.
Or a competitor may release a groundbreaking product or innovative service that fills the gap first, creating significant risk to the success of a strategy.
And let’s not forget that technology’s swift evolution could cause a new product to become obsolete within a few months — I’m sure that the manufacturers of wired headphones felt their stomachs drop when they saw Apple had cut the headphone jack.
These types of risks pose a real danger to companies. Investing in a business model with little chance of achieving the envisioned success can lead to severe financial strain, loss of revenue, and damage to reputation.
And none of these are easy to recover from.
What is strategic risk management?
Strategic risk management is the process of recognizing risks, identifying their causes and effects, and taking the relevant actions to mitigate them. Risks arise from internal and external factors such as manufacturing failures, economic changes, shifts in consumer tastes, etc.
Strategic risk can disrupt a business’s ability to accomplish its goals, break out in the market or even survive. Effective, efficient management puts the power in leaders’ hands to avoid potential obstacles to success and maximize their performance.
One of the first things you need to do to better manage risks is learn to identify them.
Strategic risk assessment - How to identify strategic risks
Recognizing and taking action on strategic risks is vital to mitigate costly problems.
In your strategic risk management toolkit, you’ll need two essentials:
- An in-depth understanding of where your organization stands. This includes your target audience, market sector, competitors, and the environment in which your business operates.
- A clear awareness of your organization’s core strategic goals, from conception to proposed execution.
Gathering data on both areas can take time and investment, but it’s worthwhile to achieve accurate insights into strategic risks.
The more information you have to draw upon, the more likely it is that you’ll be able to implement processes and safeguards that facilitate organizational success.
Teams have a choice of different approaches when identifying strategic risks.
Initiate “What if” discussions
Gather employees from across the business to explore ‘what-if’ scenarios.
By mind mapping risk factors collaboratively — with a mix of perspectives and experiences from different departments — Heads of Strategy, Change Managers and Business Analysts may discover risks they wouldn’t have thought of on their own.
All potential risks are worth considering, no matter how unlikely they may seem at first. That’s why participants should be encouraged to let their minds wander and suggest virtually any viable risk that occurs to them.
It’s best to have a long list that can be reduced through elimination: underestimating risks can lead to businesses being unprepared down the line.
Gather input from all stakeholders
Speak with the whole range of stakeholders and consider their views on strategic risks.
If you consult a wide enough group, you’ll gather perspectives on the organization that differ from those of your core employees.
Collecting a wide range of perspectives creates a holistic view of risk factors which can prove hugely beneficial when trying to understand the dangers the organization faces.
Their broad awareness of how the company operates can raise unexpected possibilities that need to be factored in.
Strategic risk examples
The specific strategic risks relevant to your business will largely depend on your sector, product range, consumer base, and many other factors. That being said, there are some broad types of strategic risk, each of which should be on your radar.
Let’s demonstrate the importance of regulatory risks with an example.
Imagine an organization working on a new product or planning a fresh service set to transform the market. Perhaps it spots a gap in the industry and finds a way to fill it, yet needs years to bring it to fruition.
However, in this time, regulations change and the product or service suddenly becomes unacceptable. The company can’t deliver the result of its hard work to the target audience, risking a substantial loss of revenue.
Fortunately, the organization had prepared for unexpected regulatory change. Now, elements of the completed project can be incorporated into another or adapted to offer a slightly different solution.
The lesson here?
It’s vital for companies to stay updated on all regulations relevant to their market and be aware of upcoming changes as early as possible.
Most industries are fiercely competitive.
Companies can lose ground if their market rivals release a similar product at a similar or lower cost. Pricing may even be irrelevant if the product is suitably superior. Competitor analysis can help mitigate this strategic risk: businesses should never operate in a vacuum.
Economic risks are harder to predict, but they pose a real danger to even the most well-realized strategy.
For example, economic changes can lead a business’s target audience to lose much of its disposable income or scale back on perceived luxuries.
Customer research is imperative to stay aware of what target audiences desire, their spending habits, lifestyles, financial situations, and more.
Managing strategic risk vs operational risk
Companies face various kinds of risks.
Strategic risks and operational risks are two distinct kinds. While strategic risks originate from both internal and external forces, operational risks stem solely from the internal processes within a business. And they stand to disrupt workflow.
However, the biggest difference between them is the level of the decisions they reflect.
Strategic risks reflect the risk of decisions made at a higher level, where the overall strategic plan is considered. Operational risks reflect the risk of decisions made at a lower level, the operational level, where the execution of the strategic plan is outlined.
Simply put, strategic risk is about what you do, and operational risk is how you do it.
Operational risks examples
Operational risks are critical to consider and must be dealt with as soon as possible. They directly impact a business’s work and can tie in with strategic risks, as the resources, processes, or staff available may be unable to achieve the established goals.
One example of operational risk is outdated machinery. It can cause a slowdown in production, delay completion, and ultimately damage employee morale. In this case, the operational risk might stem from what appears to be a non-critical problem but has the potential to drag productivity down to rock bottom. So the decision of whether to upgrade the machinery should be considered.
Another example of operational risk is a company’s current payroll system. Let’s say they outsource to a small team with a weak reputation purely because it’s a cheaper alternative to working with a more reliable payroll solution. But this option could create a higher risk of late payments, processing errors, or other issues with the potential to frustrate the company’s most valuable asset: its employees.
Risk management strategies
Discuss opportunities and risks separately
This is something that needs to happen before the risk identification process. Mixing potential opportunities and their risks in the same conversation handicaps the opportunity discussion.
You want your people to free their minds, brainstorm ideas, and locate all possible growth and incremental opportunities. Don’t allow that process to shrink and miss out on great opportunities. Discuss risks in a different meeting on a different day.
Distribute resources at the operational level
Once you have decided on your company’s strategy, you’ll have to align every department and person with it.
Allocate your resources in a way that serves your overall strategy to succeed. That means starving certain departments or regions to feed the ones that contribute the most to your strategic objectives.
Mitigating strategic risks is often nothing more than focusing on a great execution of your strategic plan.
Align your incentive structure
Focus on execution takes another form besides resource redistribution.
You have to revisit the incentive structure of your top and middle management and align it with your strategic objectives. This is a crucial step to executing your strategy because it eradicates internal conflicts.
If your leadership team is rewarded according to an older strategic plan, don’t expect them to take care of your new plan’s risks. They simply won’t have the incentive to do so.
Strategy risk management examples
Let’s examine two specific real-life examples of strategic risk. One that happened a little while ago, and one that is still happening now.
Complacency vs Disruption
Before Netflix, HBO Go, Amazon Prime, Disney + and all the other streaming platforms, people used to go to Blockbuster.
In its prime, Blockbuster had over 9,000 locations around the world and became synonymous with movie rental. It had a huge slice of the market share and looked pretty peachy until the late nineties, when, in 1997, a little company called Netflix came knocking.
At the time, Netflix didn't stream. It simply delivered rentals in the mail for a set fee each month. There were no late fees (which was one of the biggest gripes from Blockbuster customers), and movie delivery was very convenient.
Netflix was a pretty obvious strategic risk to Blockbuster, which needed to manage it somehow. This could also be seen as a clear opportunity for Blockbuster since they were in a position to buy Netflix but refused to do so.
Yes, Blockbuster passed on the $50 Million deal of Netflix and sealed its fate in the process.
This story is still in development, so who knows how it will end.
Uber is known as the company that shook the cab industry around the world, but things are still changing. Uber is a tech company and understands that change happens and risk evolves faster than ever before.
This is why they began investing in self-driving technology early on. At first glance, this seems counter-intuitive since moving in this direction could really upset the thousands of Uber drivers out there, but Uber gets it.
They know that if they do nothing, someone else will sweep in, and soon enough, turn Uber into another Blockbuster story.
Uber is a great example of strategic risk management since they not only have to manage things like implementing self-driving cars, but they have also had to navigate through complex regulatory risks in multiple countries.
They have also faced issues around customer safety, assaults, and constant battles with all kinds of protests and regulatory issues.
How to measure strategic risk
So now you know the strategic risks your organization faces, you need a quantifiable figure to measure them. We suggest two specific tools:
Economic capital
This relates to the amount of equity a business needs to cover any unplanned losses, according to a standard of solvency (based on the organization’s ideal debt rating).
This metric allows businesses to quantify all types of risks related to launching new products, acquiring enterprises, expanding into different territories, or internal transformation. Then, it can take the necessary actions to mitigate against it.
RAROC: Risk Adjusted Return On Capital
This applies to the expected after-tax return on a scheme once divided by the economic capital.
Companies can leverage this metric to determine if a strategy is viable and offers value, helping to guide leaders’ decision-making process. Any initiative with a RAROC below the capital amount offers no value and should be scrapped (sorry!).
Businesses on all scales can utilize both metrics to measure strategic risk, but the stakes will be different for a small enterprise than for a global corporation. The former may never recover from a bad investment, while the latter has a higher chance of weathering the storm.
As a result, companies may use a decision tree to map the possible outcomes of a decision. This enables teams to determine which choices yield which results and prepare for all eventualities. Specific turning points can be identified and handled appropriately.
Strategic risk management strategies
Now that you have all the information, you need to capture it in one place: the strategic risk management framework. This is where you bring together all the resources (employees, technologies, capital, etc.) required to mitigate losses caused by internal or external forces.
Exactly how your framework is structured is your choice, but the following is a great strategic risk management template:
- Understand where you are right now. You could use a SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis, for example. Here you need to know where your organization is, your vulnerabilities, and what threats you face in the market.
- Define your strategy and its goals. This is where you clearly outline the strategy for your organization. Use this battle-tested strategic planning template to build or revisit your strategy.
- Next, key performance indicators (KPIs) should be selected. These can be used to measure success, monitor changes, and explore improvement opportunities over time.
- The next step is to identify those risks which can affect productivity and performance in the future. These factors may not be as apparent as others. For example, consumers’ changing tastes can be hard to predict but still have the potential to knock plans off the rails.
- You can use a Risk Assessment Matrix that will help you score potential risks based on the probability and the impact on the business.
- KRIs (key risk indicators) should be identified to gauge your business's tolerance to obstacles. Be sure to look ahead at issues that may lurk around the corner, and determine the right time to put mitigating actions into effect.
- The final step is to continually monitor KPIs, KRIs, and their internal processes to chart progress. Are problems being resolved fast enough? Are target customers’ needs being addressed? Are all essential programs and processes in place? The aim is to stay on track and adapt to ensure you achieve your objectives.
A long-term strategic risk management strategy
Managing strategic risk is an ongoing process.
It enables organizations to minimize their danger of experiencing severe losses and, ultimately, failure. It doesn’t guarantee every project will be a success (far from it!), but it will provide all the necessary tools to make better decisions in the long run.
Remember to take your time, even if there’s market pressure to act fast. Trying to rush this process could lead to missed threats or opportunities in your risk analysis. Stay on top of your strategic risk management well into the future; that’s the key to organizational success.
Cascade has integrated risk values that automatically calculate your strategic plan’s risks. Take a tour of our platform or book a demo with one of our strategist experts to help you develop your strategy.
9 Strategic Risk Examples and How to Successfully Tackle Them
What is meant by strategic risk? Strategic risk examples encompass many different risks, and depending on the nature of your business, you may face any or all of them. Understanding the types of strategic risk you face is fundamental to your ability to tackle them as part of your broader governance, risk and compliance (GRC) strategy.
Whether you are a chief risk officer for whom strategic risk falls firmly within your orbit, or a CFO, CEO or general counsel with more holistic responsibility for your organization's risk strategy, understanding and mitigating risk at a strategic level will be a priority.
In today's hyper-connected world, risk evolves faster than businesses can devise strategies to tackle it. Being familiar with different strategic risk examples can help you get ahead of the curve, helping you identify the types of strategic risk your organization faces and the tactics you can put in place to respond.
Understanding the Different Types of Strategic Risk
'Strategic risk' is a term that's often bandied about. But what does the phrase mean in practice? What types of risk are defined as 'strategic?' How do you identify strategic risks? What are the examples of strategic risks you might face in your organization? What are the types of strategic risk you should prioritize in your risk mitigation strategy?
Strategic risk is a category of risk; alongside operational, financial, regulatory and other business risks, it forms part of the umbrella of risks your organization faces.
When we look at strategic risk examples, they are generally defined as those that threaten a business's ability to set and implement its chosen strategy.
They may be external; events like the Covid-19 pandemic are the perfect example here.
They may be 'self-inflicted,' brought about via an organization's own strategy and decision-making. An example of this would be the accelerating digital transformation of businesses, which has delivered many positives but has also exposed new types of risk.
Exploring Strategic Risk Examples
Regulatory and legislative drivers relating to governance, risk and compliance strategies more generally are also prompting businesses to focus on strategic risk. At the same time, a spotlight has been thrown on strategic risk via growing awareness of the close ties between risk, compliance and business value.
This evolution of risk has led organizations to try and bring some structure to their mitigation strategies by categorizing and prioritizing the risks they face. Let's look at some of the examples of strategic risks you might face.
Some sources distill strategic risks into five types, sometimes called the 'five sources of strategic risk.' However, these aren't always consistent: look up several different sources, and you will find a variety of risks listed among the 'five types.'
Our list of strategic risk examples below therefore includes more than five.
What Are the 9 Examples of Strategic Risk?
Among the types of strategic risk you should have on your radar are:
- Competitive risk. The risk that you fall behind your competitors as they innovate and improve their offerings faster than you.
- Change risk. The digital transformation risk we cited above is a prime example of this: the inherent risks of introducing any change program.
- Regulatory risk. Changes in regulation can:
  - Disrupt your business
  - Create new responsibilities
  - Demand new technologies (and therefore link back to change risk)
  - Distract your business leaders from their operations as their time is abstracted to put in place new governance processes and control measures
- Reputational risk. The risk that your corporate standing is threatened. The potential causes of this are legion, from regulatory compliance breaches to shareholder activism or poor performance in public ratings, such as those used to measure ESG performance.
- Political risk. The potential for political change, or the political landscape overall, to disrupt your business. For example, through volatility in a country within your supply chain.
- Governance risk. The risk brought about by poor governance, risk and compliance processes within your organization.
- Financial risk. Risks relating to the financial health of the organization. This differs from...
- Economic risk. This refers to the broader economic landscape and its potential to affect the success of your business strategy.
- Operational risk. The risk that your operations and business processes are not up to standard.
Many of these examples of strategic risk are inter-connected. For instance, if you face operational risks around the efficacy and rigor of your processes, this is likely to expose you to financial or regulatory risk. Similarly, if you fail to tackle governance risks, you may well encounter reputational risk.
The intertwined nature of the types of strategic risk emphasizes how important it is to take an integrated approach to address them.
How to Tackle the Different Types of Strategic Risk
Amongst all these strategic risk examples, there are positives. The linkages that cause one risk to increase the chances of another can also work to your advantage. Take a coordinated, integrated stance on one aspect of strategic risk, and your performance in others should also improve. As companies refine their approaches to risk mitigation, they become better able to recognize these connections. As a result, they can approach risk strategically, capitalizing on synergies for a more robust result.
Below we also set out some specific tips that can help you tackle the different strategic risk examples:
- Competitive risk. Remaining competitive means understanding your competition; data is key here, and technology can be your friend in enabling you to provide your board with the competitive intelligence they need.
- Change risk. Here, good governance is the secret. Put governance at the heart of your change programs and reduce the risks they bring while enhancing their benefits.
- Regulatory risk. Keeping on top of the latest developments in the fast-moving regulatory landscape is vital here: you can't meet expectations if you're not aware of them. Ensure you keep abreast of the news and trends in risk and compliance.
- Reputational risk. Bolster your GRC processes, and you have a better chance of swerving the risks that can derail your brand.
- Political risk. There is less you can do here, although ensuring you build sustainable supply chains rooted in countries where political volatility is less of a threat can help make your operations more resilient.
- Governance risk. As with change risk, robust governance processes and controls are essential to reducing risk here.
- Financial risk. While some financial risks come from external factors, improving your ability to measure, monitor and respond to the business risks you face, if done successfully, should minimize the financial threats that fall within your wheelhouse.
- Economic risk. Sustainable supply chains can help here, reducing the threat from economic instability in countries you source from. And, again, keeping pace with external events that can affect your risk profile is vital.
- Operational risk. One of the areas you have the most control over; introducing agility, rigor and structure to your operations can significantly reduce your risk across all areas of your organization.
Understand and Respond to All Types of Strategic Risk
Hopefully, this article has given you a deeper understanding of the types of strategic risk you face, along with some examples of strategic risk that bring this to life. It has also provided insights into how you can tackle different strategic risks.
Remaining on the front foot in terms of upcoming legislation, economic trends and governance best practice can really make the difference, amplifying your ability to be proactive in the face of changing risks.
Diligent's regular GRC Newsletter summarizes the latest insights, exploring strategic risk examples and mitigation strategies in depth and, as a result, enabling organizations to develop successful enterprise governance, risk and compliance programs. You can sign up to receive the newsletter here.
Value and resilience through better risk management
Today’s corporate leaders navigate a complex environment that is changing at an ever-accelerating pace. Digital technology underlies much of the change. Business models are being transformed by new waves of automation, based on robotics and artificial intelligence. Producers and consumers are making faster decisions, with preferences shifting under the influence of social media and trending news. New types of digital companies are exploiting the changes, disrupting traditional market leaders and business models. And as companies digitize more parts of their organization, the danger of cyberattacks and breaches of all kinds grows.
Beyond cyberspace, the risk environment is equally challenging. Regulation enjoys broad popular support in many sectors and regions; where it is tightening, it is putting stresses on profitability. Climate change is affecting operations and consumers and regulators are also making demands for better business conduct in relation to the natural environment. Geopolitical uncertainties alter business conditions and challenge the footprints of multinationals. Corporate reputations are vulnerable to single events, as risks once thought to have a limited probability of occurrence are actually materializing.
The role of the board and senior executives
Risk management at nonfinancial companies has not kept pace with this evolution. For many nonfinancial corporates, risk management remains an underdeveloped and siloed capability in the organization, receiving limited attention from the most senior leaders. From over 1,100 respondents to McKinsey’s Global Board Survey for 2017, we discovered that risk management remains a relatively low-priority topic at board meetings (exhibit).
A long way to go
Boards spend only 9 percent of their time on risk—slightly less than they did in 2015. Other questions in the survey revealed that only 6 percent of respondents believe that they are effective in managing risk (again, less than in 2015). Some individual risk areas are relatively neglected, and even cybersecurity, a core risk area with increasing importance, is addressed by only 36 percent of boards. While many senior executives stay focused on strategy and performance management, they often fail to challenge capabilities or strategic decisions from a risk perspective (see sidebar, “A long way to go”). A reactive approach to risks remains too common, with action taken only after things go wrong. The result is that boards and senior executives needlessly put their companies at risk, while personally taking on higher legal and reputational liabilities.
Boards have a critical role to play in developing risk-management capabilities at the companies they oversee. First, boards need to ensure that a robust risk-management operating model is in place. Such a model allows companies to understand and prioritize risks, set their risk appetite, and measure their performance against these risks. The model should enable the board and senior executives to work with businesses to eliminate exposures outside the company’s appetite statement, reducing the risk profile where warranted, through such means as quality controls and other operational processes. On strategic opportunities and risk trade-offs, boards should foster explicit discussions and decision making among top management and the businesses. This will enable the efficient deployment of scarce risk resources and the active, coordinated management of risks across the organization. Companies will then be prepared to address and manage emerging crises when risks do materialize.
A sectoral view of risks
Most companies operate in a complex, industry-specific risk environment. They must navigate macroeconomic and geopolitical uncertainties and face risks arising in the areas of strategy, finance, products, operations, and compliance and conduct. In some sectors, companies have developed advanced approaches to managing risks that are specific to their business models. These approaches can sustain significant value. At the same time, companies are challenged by emerging types of risks for which they need to develop effective mitigation plans; in their absence, the losses from serious risk events can be crippling.
- Automotive companies are controlling supply-chain risks with sophisticated monitoring models that allow OEMs to identify potential risks upfront across the supply chain. At the same time, auto companies must address the strategic challenge of shifting toward electric-powered and autonomous vehicles.
- Pharma companies seek to manage the downside risk of large investments in their product portfolio and pipeline, while addressing product quality and patient safety to comply with relevant regulatory requirements.
- Oil and gas, steel, and energy companies apply advanced approaches to manage the negative effects of financial markets and commodity-price volatility. As social and political demands for cleaner energy are increasing, these companies are actively pursuing growth opportunities to shift their portfolios in anticipation of an energy transition and a low-carbon future.
- Consumer-goods companies protect their reputation and brand value through sound practices to manage product quality as well as labor conditions in their production facilities. Yet they are constantly challenged to meet consumers’ ever-changing tastes and needs, as well as consumer-protection regulations.
Toward proactive risk management
An approach based on adherence to minimum regulatory standards and avoidance of financial loss creates risk in itself. In a passive stance, companies can neither shape an optimal risk profile according to their business models nor adequately manage a fast-moving crisis. Eschewing a risk approach consisting of short-term performance initiatives focused on revenue and costs, top performers treat risk management as a strategic asset, which can sustain significant value over the long term. Inherent in the proactive approach are several essential components.
Strategic decision making
More rigorous, debiased strategic decision making can enhance the longer-term resilience of a company’s business model, particularly in volatile markets or externally challenged industries. Research shows that the active, regular reevaluation of resource allocation, based on sound assessments of risk and return trade-offs (such as entering markets where the business model is superior to the competition), creates more value and better shareholder returns.[1] Flexibility is empowering in a dynamic marketplace. Many companies use hedging strategies to insure against market uncertainties. Airlines, for example, have been known to hedge future exposures to fuel-price fluctuations, a move that can help maintain profitability when prices climb. Likewise, strategic investing, based on a longer-term perspective and a deep understanding of a company’s core proposition, generates more value than opportunistic moves aiming at a short-term bump in the share price.
[1] See, for example, Yuval Atsmon, “How nimble resource allocation can double your company’s value,” August 2016; William N. Thorndike, Jr., The Outsiders: Eight Unconventional CEOs and Their Radically Rational Blueprint for Success, Boston, MA: Harvard Business Review Press, 2012; Rebecca Darr and Tim Koller, “How to build an alliance against corporate short-termism,” January 2017.
Debiasing and stress-testing
Approaches that include debiasing and stress-testing help senior executives consider previously overlooked sources of uncertainty to judge whether the company’s risk-bearing capacity can absorb their potential impact. A utility in Germany, for example, improved decision making by taking action to mitigate behavioral biases. As a result, it separated its renewables business from its conventional power-generation operations. In the aftermath of the Fukushima disaster, which sharply raised interest in environmentally friendly power generation, the utility’s move led to a significant positive effect on its share price (15 percent above the industry index).
Higher-quality products and safety standards
Investments in product quality and safety standards can bring significant returns. One form this takes in the energy sector is reduced damage and maintenance costs. At one international energy company, improved safety standards led to a 30 percent reduction in the frequency of hazardous incidents. Auto companies with reputations built on safety can command higher prices for their vehicles, while the better reputation created by higher quality standards in pharma creates obvious advantages. As well as the boost in demand that comes from a reputation for quality, companies can significantly reduce their remediation costs—McKinsey research suggests that pharma companies suffering from quality issues lose annual revenue equal to 4 to 5 percent of cost of goods sold.
Comprehensive operative controls
These can lead to more efficient and effective processes that are less prone to disruption when risks materialize. In the auto sector, companies can ensure stable production and sales by mitigating the risk of supply-chain disruption. Following the 2011 earthquake and tsunami, a leading automaker probed potential supply bottlenecks and took appropriate action. After an earthquake in 2016, the company quickly redirected production of affected parts to other locations, avoiding costly disruptions. In high-tech, companies applying superior supply-chain risk management can achieve lasting cost savings and higher margins. One global computer company addressed these risks with a dedicated program that saved $500 million during its first six years. The program used risk-informed contracts, enabling suppliers to lower the costs and risks of doing business with the company. The measures achieved supply assurance for key components, particularly during market shortages, improved cost predictability for components that have volatile costs, and optimized inventory levels internally and at suppliers.
Stronger ethical and societal standards
To achieve standing among customers, employees, business partners, and the public, companies can apply ethical controls on corporate practices end to end. If appropriately publicized and linked to corporate social responsibility, a program of better ethical standards can achieve significant returns in the form of heightened reputation and brand recognition. Customers, for example, are increasingly willing to pay a premium for products of companies that adhere to tighter standards. Employees too appreciate being associated with more ethical companies, offering a better working environment and contributing to society.
The three dimensions of effective risk management
Ideally, risk management and compliance are addressed as strategic priorities by corporate leadership and day-to-day management. More often the reality is that these areas are delegated to a few people at the corporate center working in isolation from the rest of the business. By contrast, revenue growth or cost savings are deeply embedded in corporate culture, linked explicitly to profit-and-loss (P&L) performance at the company level. Somewhere in the middle are specific control capabilities regarding, for example, product safety, secure IT development and deployment, or financial auditing.
To change this picture, leadership must commit to building robust, effective risk management. The project is three-dimensional: 1) the risk operating model, consisting of the main risk management processes; 2) a governance and accountability structure around these processes, leading from the business up to the board level; and 3) best-practice crisis preparedness, including a well-articulated response playbook if the worst case materializes.
1. Developing an effective risk operating model
The operating model consists of two layers, an enterprise risk management (ERM) framework and individual frameworks for each type of risk. The ERM framework is used to identify risks across the organization, define the overall risk appetite, and implement the appropriate controls to ensure that the risk appetite is respected. Finally, the overarching framework puts in place a system of timely reporting and corresponding actions on risk to the board and senior management. The risk-specific frameworks address all risks that are being managed. These can be grouped in categories, such as financial, nonfinancial, and strategic. Financial risks, such as liquidity, market, and credit risks, are managed by adhering to appropriate limit structures; nonfinancial risks, by implementing adequate process controls; strategic risks, by challenging key decisions with formalized approaches such as debiasing, scenario analyses, and stress testing. While financial and strategic risks are typically managed according to the risk-return trade-off, for nonfinancial risks, the potential downside is often the key consideration.
Finding the right level of risk appetite
Companies need to find the right level of risk appetite, which helps ensure long-term resilience and performance. Risk appetite that is too relaxed or too restrictive can have severe consequences on company financials, as the following two examples indicate:
Too relaxed. One nuclear energy company set its standards for steel equipment in the 1980s and did not review them even when the regulations changed. When the new higher standards were applied to the manufacture of equipment for nuclear power plants, the company fell short of compliance. An earlier adaptation of its risk appetite and tolerance levels would have been significantly less costly.
Too restrictive. A pharma company set quality tolerances to produce a drug to a significantly stricter level than what was required by regulation. At the beginning of production, tolerance intervals could be fulfilled, but over time, quality could no longer be assured at the initial level. The company was unable to lower standards, as these had been communicated to the regulators. Ultimately, production processes had to be upgraded at a significant cost to maintain the original tolerances.
As well as assessing risk based on likelihood and impact, companies must also assess their ability to respond to emerging risks. Capabilities and capacities needed to manage these risks should be evaluated and gaps filled accordingly. Of particular importance in crisis management is the timeliness of an effective response when things go awry. The highly likely, high-impact risk events on which risk management focuses most of its attention often emerge with disarming velocity, taking many companies unawares. To be effective, the enterprise risk management framework must ensure that the two layers are seamlessly integrated. It does this by providing clarity on risk definitions and appetite as well as controls and reporting.
- Taxonomy. A company-wide risk taxonomy should clearly and comprehensively define risks; the taxonomy should be strictly respected in the definition of risk appetite, in the development of risk policy and strategy, and in risk reporting. Taxonomies are usually industry-specific, covering strategic, regulatory, and product risks relevant to the industry. They are also determined by company characteristics, including the business model and geographical footprint (to incorporate specific country and legal risks). Proven risk-assessment tools need to be adopted and enhanced continuously with new techniques, so that newer risks (such as cyberrisk) are addressed as well as more familiar risks.
- Risk appetite. A clear definition of risk appetite will translate risk-return trade-offs into explicit thresholds and limits for financial and strategic risks, such as economic capital, cash-flow at risk, or stressed metrics. In the case of nonfinancial risks like operational and compliance risks, the risk appetite will be based on overall loss limits, categorized into inherent and residual risks (see sidebar, “Finding the right level of risk appetite”).
- Risk control processes. Effective risk control processes ensure that risk thresholds for the specified risk appetite are upheld at all levels of the organization. Leading companies are increasingly building their control processes around big data and advanced analytics. These powerful new capabilities can greatly increase the effectiveness and efficiency of risk monitoring processes. Machine-learning tools, for example, can be very effective in monitoring fraud and prioritizing investigations; automated natural language processing within complaints management can be used to monitor conduct risk.
- Risk reporting. Decision making should be informed with risk reporting. Companies can regularly provide boards and senior executives with insights on risk, identifying the most relevant strategic risks. The objective is to ensure that an independent risk view, encompassing all levels of the organization, is embedded into the planning process. In this way, the risk profile can be upheld in the management of business initiatives and decisions affecting the quality of processes and products. Techniques like debiasing and the use of scenarios can help overcome biases toward fulfilment of short-term goals. A North American oil producer developed a strategic hypothesis given uncertainties in global and regional oil markets. The company used risk modelling to test assumptions about cash flow under different scenarios and embedded these analyses into the reports reviewed by senior management and the board. Weak points in the strategy were thereby identified and mitigating actions taken.
2. Toward robust risk governance, organization, and culture
The risk operating model must be managed through an effective governance structure and organization with clear accountabilities. The governance model maintains a risk culture that strongly reinforces better risk and compliance management across the three lines of defense—business and operations, the compliance and risk functions, and audit. The approach recognizes the inherent tension in the first line between performance (revenue and costs) and risk (losses). The role of the second line is to review and challenge the first line on the effectiveness of its risk processes and controls, while the third line, audit, ensures that lines one and two are functioning as intended.
- Three lines of defense. Effective implementation of the three lines involves the sharp definition of lines one and two at all levels, from the group level through the lines of business, to the regional and legal entity levels. Accountabilities regarding risk and control management must be clear. Risk governance may differ by risk type: financial risks are usually managed centrally, while operational risks are deeply embedded into company processes. The operational risk of any line of business is managed by the business owning the product-development, production, and sales processes. This usually translates into forms of quality control, but the business must also balance the broader impact of risk and P&L. In the development of new diesel engines, automakers lost sight of the balance between compliance risk and the additional cost to meet emission standards, with disastrous results. Risk or compliance functions can only complement these activities by independently reviewing the adequacy of operational risk management, such as through technical standards and controls.
- Reviewing the risk appetite and risk profile. Of central importance within the governance structure are the committees that define the risk appetite, including the parameters for doing business. These committees also make specific decisions on top risks and review the control environment for enhancements as the company’s risk profile changes. Good governance in this case means that risk decisions are considered within the existing divisional, regional, and senior-management governance structure of a company, supported by risk, compliance, and audit committees.
- Integrated risk and compliance governance setup. A robust and adequately staffed risk and compliance organization supports all risk processes. The integrated risk and compliance organization provides for single ownership of the group-wide ERM framework and standards, appropriate clustering of second-line functions, a clear matrix between divisions and control functions, and centralized or local control as needed. A clear trend is observable whereby the ERM layer responsible for group-wide standards, risk processes, and reporting becomes consolidated, whereas the expert teams setting and monitoring specific control standards for the business (including standards for commercial, technical compliance, IT or cyberrisks) become specialized teams covering both regulatory compliance as well as risk aspects.
- Resources. Appropriate resources are a critical factor in successful risk governance. The compliance, risk, audit, and legal functions of nonfinancial companies (0.5 staff for every 100 employees, on average) are usually much smaller than those of banks (6.9 for every 100 employees). The disparity is partly a natural outcome of financial regulation, but some part of it reflects a capability gap in nonfinancial corporates. These companies usually devote most of their risk and control resources to sector-specific areas, such as health and safety for airlines and nuclear power companies or quality assurance for pharmaceutical companies. The same companies can, however, neglect to provide sufficient resources to monitor highly significant risks, such as cyberrisk or large investments.
- Risk culture. An enhanced risk culture covers mind-sets and behaviors across the organization. A shared understanding is fostered of key risks and risk management, with leaders acting as role models. Especially important are capability-building programs on risk as well as formal mechanisms to assess and reinforce sound risk management practices.
3. Crisis preparedness and response
A high-performing, effective risk operating model and governance structure, together with a well-developed risk culture, minimize the probability of corporate crises without, of course, completely eliminating them. When unexpected crises strike at high velocity, multinational companies can lose billions in value in the first days and soon find themselves struggling to keep their market position. A best-in-class risk management environment provides the ideal conditions for preparation and response.
- Ensure board leadership. The most important action companies can take to prepare for crises is to ensure that the effort is led by the board and senior management. Top leadership must define the main expected threats, the worst-case scenarios, and the actions and communications that will be accordingly rolled out. For each threat, hypothetical scenarios should be developed for how a crisis will unfold, based on previous crises within and beyond the company’s industry and region.
- Strengthen resilience. By mapping patterns that arose in previous crises, companies can test their own resilience, challenging key areas across the organization for potential weaknesses. Targeted countermeasures can then be developed in advance to strengthen resilience. This crucial aspect of crisis preparedness can involve reviewing and revising the terms and conditions for key suppliers, shoring up financials to ensure short-term availability of cash, or investing in advanced cybersecurity measures to protect essential data and software in the event of failures and breaches.
- Develop action plans and communications. Once these assessments are complete and resilience-building countermeasures are in place, the company can then develop action plans for each threat. The plans must be well articulated, founded on past crises, and address operational and technical planning, financial planning, third-party management, and legal planning. Care should be taken to develop an optimally responsive communications strategy as well. The correct strategy will enable frontline responders to keep pace with or stay ahead of unfolding crises. Communications failures can turn manageable crises into irredeemable catastrophes. Companies need to have appropriate scripts and process logic in place detailing the response to crisis situations, communicated to all levels of the organization and well anchored there. Airlines provide an example of the well-articulated response, in their preparedness for an accident or crash. Not only are detailed scripts in place, but regular simulations are held to train employees at all levels of the company.
- Train managers at all levels. The company should train key managers at multiple levels on what to expect and enable them to feel the pressures and emotions in a simulated environment. Doing this repeatedly and in a richer way each time will significantly improve the company’s response capabilities in a real crisis situation, even though the crisis may not be precisely the one for which managers have been trained. These simulations are also valuable learning exercises in their own right.
- Put in place a detailed crisis-response playbook. While each crisis can unfold in unique and unpredictable ways, companies can follow a few fundamental principles of crisis response in all situations. First, establish control immediately after the crisis hits, by closely determining the level of exposure to the threat and identifying a crisis-response leader, not necessarily the CEO, who will direct appropriate actions accordingly. Second, involved parties—such as customers, employees, shareholders, suppliers, government agencies, the media, and the wider public—must be effectively engaged with a dynamic communications strategy. Third, an operational and technical “war room” should be set up, to stabilize primary threats and determine which activities to sustain and which to suspend (identifying and reaching out to critical suppliers). Finally, a deliberate effort must be made to address and neutralize the root cause of the crisis and so bring it to an end as soon as possible.
In a digitized, networked world, with globalized supply chains and complex financial interdependencies, the risk environment has grown more perilous and costly. A holistic approach to risk management, based on the lessons, good and bad, of leading companies and financial institutions, can derive value from that environment. The path to risk resilience that is emerging is an effort, led by the board and senior management, to establish the right risk profile and appetite. Success depends on the support of a thriving risk culture and state-of-the-art crisis preparedness and response. Far from minimal regulatory adherence and loss avoidance, the optimal approach to risk management consists of fundamentally strategic capabilities, deeply embedded across the organization.
Daniela Gius is a senior expert in McKinsey’s Hamburg office, Jean-Christophe Mieszala is a senior partner in the Paris office, Ernestos Panayiotou is a partner in the Athens office, and Thomas Poppensieker is a senior partner in the Munich office.
Building a Mature Enterprise Risk Management Plan
In 2017, COSO published “Enterprise Risk Management Framework: Integrating with Strategy and Performance,” an updated framework for audit, risk, and compliance professionals to leverage in developing their risk management plans. The framework defines enterprise risk management (ERM) as the “culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.”
Today, risks are growing in complexity and volume, rendering the need for ERM more important than ever. Evolving cybersecurity threats, political, social, and economic fluctuation, and external risk events, including the 2008 global financial crisis and the 2020 COVID-19 pandemic crisis, point to the need for mature ERM practices to help the organization manage its response to strategic risks — the risk exposures that are most consequential to the organization’s ability to execute strategy and achieve its objectives.
Building a strategic risk management plan requires thorough preparation and involvement from management and the Board. The following is a step-by-step guide for audit, risk, and compliance professionals to build an enterprise risk management plan that can evolve and mature with the organization.
1. Familiarize yourself with risk management framework examples and guidance.
Whether your risk management effort sits with the audit, risk, or compliance team, it is important for all involved parties to familiarize themselves with the ERM guidance documents widely available to the industry. Some examples of risk management frameworks commonly employed by audit, risk, and compliance professionals include:
- COSO ERM framework
- Creating and Protecting Value
- RIMS Risk Maturity Model (RMM)
- The IIA’s International Professional Practices Framework (IPPF)
- The Open Compliance and Ethics Group’s Red Book
2. Conduct risk management planning education and discussion sessions.
ERM is not a separate activity with its own objectives, but an integral part of the organization’s strategy setting and performance processes. For this reason, risk management planning requires the involvement of the Board and management. The Board is responsible for putting pressure on the CEO to identify those risks inherent in the business’s strategy, in addition to monitoring the organization’s risk culture. Management, with input from the Board, is responsible for identifying, managing, and monitoring strategic risks.
However, the responsibility to engage management and the Board in ERM discussions lies with the audit, risk, and compliance professionals leading the organization’s risk management efforts. In order to solicit management’s and the Board’s required involvement in ERM planning, the risk function must proactively educate leadership regarding the importance of strategic risk management. During education and discussion sessions, the risk management team should aim to:
- Establish that the objective of the risk management plan is to help the organization execute its strategy and achieve its objectives.
- Communicate the importance of embedding ERM into strategy.
- Provide examples of mature risk management practices.
3. Set a formal agenda item to discuss ERM strategies, objectives, and expectations.
Set a formal agenda item with senior leadership to discuss the role that risk management will play in the organization, as well as goals and expectations for the ERM program. A best practice is to identify an executive or Board member who will help drive ERM initiatives. Ideally, this risk advocate is already an embedded key player in the organization’s strategic planning process. It is also a best practice to establish an executive-level risk committee or working group to assist the appointed risk leader in driving risk management initiatives.
4. Perform a strategic risk assessment
Performing a strategic risk assessment will produce the information needed to begin developing your risk management plan. A strategic risk assessment involves identifying, understanding, and ranking the risks that are most consequential to the organization’s ability to execute its strategy and achieve its business objectives. This process, led by the risk leader and their team, is performed through surveys, interviews, and discussions conducted with management. The results of these assessments are then discussed among Board members and management in order to reach consensus on the top key risks facing the organization.
The appointed risk leader and their team can reference example models from risk management frameworks, such as COSO’s Return Driven Strategy Model (pictured below), as a first step in preparing to conduct the risk assessment. This encourages approaching the risk assessment with a strategy-centric attitude rather than a risk-centric one. This is important because overemphasis on risk prevention can hinder the business from taking risks that may be important for growth, and can breed increasingly risk-averse cultures.
For a step-by-step approach to conducting a strategic risk assessment, view AuditBoard’s article here. What will emerge from the process is a risk profile of the organization’s top strategic risks, which should ultimately be validated and finalized with management and the Board before moving on to the next step.
5. Develop enterprise risk management action plans.
Once you have validated and finalized the top strategic risks, the next step is to develop your risk mitigation action plans. During this phase of planning, a best practice is to develop a risk management charter that outlines risk management roles and responsibilities, and delineates specifically when and how internal audit and compliance will be involved. This is important because risk, internal audit, and compliance teams often overlap in their roles, capabilities, and methodologies — and allowing duplicative roles to persist can compromise the value of risk management initiatives. The risk charter may also include a universal appendix of risk definitions and a unified taxonomy, such as how the organization defines inherent risks, residual risks, and strategic risks. This can further unite risk perspectives and eliminate differing interpretations that may affect risk response strategies.
Once risk management roles and responsibilities have been clearly defined, the responsible business group can use the five risk responses — accept, avoid, pursue, reduce, share — to determine the best response to each of the organization’s key risks and develop appropriate risk management action plans. For examples of risk response strategies appropriate for your key risks, refer to the framework that best suits your organization’s strategic risk profile. Once the risk management action plans have been completed, communicate the overall action plan and strategic risk profile with the business.
6. Leverage technology to centralize your risk management plan and streamline collaboration.
ERM is a collaborative, cross-functional effort that requires modern technology to execute effectively at each stage. How organizations choose to leverage technology for ERM can have a significant impact on the quality and impact of their risk management plan. Managing risk across a large organization can be complex and involve many moving parts. One benefit an ERM solution can provide is the template for a universal, real-time risk register. In theory, a risk register is a trusted, centralized location that houses all important information on your business’s key risks, as well as links to their correlating action plans and risk assessments. In a manual environment of spreadsheets, emails, and shared drives, managing a risk register is prone to version control issues and can easily lose credibility. An integrated ERM solution that is cloud-based and leverages a relational database — where updates made in one place cascade throughout the entire system — provides the platform for a trustworthy, real-time risk register.
Investing in an intuitive, integrated risk management software solution can help your organization maximize collaborative efforts between internal audit, risk, and compliance groups by centralizing all risk management activities in one place, from your risk assessments to your risk management action plans. In addition, it can help you automate the risk assessment process and provide visibility into risk trends and mitigation activities. To learn how AuditBoard can help you manage your risk management plan from end to end, contact us by filling out the form below.
How to Create a Project Risk Management Plan
By Kate Eby | February 27, 2023
Teams can use a project risk management plan to identify and assess the potential risks to a project. We’ve gathered expert tips on creating an effective risk management plan, as well as step-by-step instructions for creating an example plan.
On this page, you’ll find information on what to include in a project risk management plan and how to create a plan, as well as step-by-step instructions for completing an example project risk management plan.
What Is a Project Risk Management Plan?
Project teams create a project risk management plan, a document that helps identify and assess potential risks to a project. The plan outlines how your team will analyze and mitigate the potential risks to ensure project success.
The project risk management plan is one of the most important documents in project risk management. You can learn more about project risks in general — as well as specific types of project risks — in our comprehensive guides.
What Does a Risk Management Plan Cover?
A risk management plan should cover a number of areas detailing potential project risks and how your team will deal with them. It will include a description of the project, along with how your team will identify and assess risk.
At a minimum, your project risk management plan should include the following details:
- Project description, including its purpose
- The team plan for identifying, logging, and assessing potential risks
- How the team will identify broad categories of risk
- How the team will evaluate the severity of each potential risk
- How your team will continue to monitor risks throughout the project
- How team members will be assigned as owners of various risks
- Your organization’s tolerance for certain risks, along with criteria for a risk being too large to accept
“A risk management plan defines how the risks for a project will be handled to ensure that the project can be completed within the set timeframe,” says Veniamin Simonov, Director of Product Management at NAKIVO , a backup and ransomware recovery software vendor. “The plan should cover methodology, risk categorization and prioritization, a response plan, staff roles, and responsibility areas and budgets.”
“The risk management plan will address ‘What are we going to do? How are we going to do it? What are the processes we're going to follow?’” says Alan Zucker, Founding Principal of Project Management Essentials . “It may include things such as what are the major categories you're going to use to define your risks. It might also include some guidelines for assessing risks.”
Components in a Project Risk Management Plan
A project risk management plan will include certain components and describe how your project team will use certain tools to understand and manage potential risks. Some components include a risk register, a risk breakdown structure, and a risk response plan.
Here are components or tools that a project risk management plan often includes or describes:
- Risk Register: A risk register is the document your project team will use to identify, log, and monitor potential project risks.
- Risk Breakdown Structure: A risk breakdown structure is a chart that allows your team to identify broad risk categories and specific risks that fit within each category. Your team can decide on the broad categories, depending on your project.
- Risk Assessment Matrix: A risk assessment matrix is a chart matrix that allows teams to score the severity of potential risks based on both the likelihood of each risk happening and the impact to the project if a risk happens.
- Risk Response Plan: A risk response plan is a document that details how your team plans to respond to each potential risk to try to either prevent it from happening or lessen the impact if it does happen. You can learn more about project risk mitigation.
- Roles and Responsibilities: The risk management plan can provide details on the project risk management team, including the lead member for risk management. It also likely details the roles and responsibilities each team member will have in addressing and dealing with specific risks.
- Risk Reporting Formats: The risk management plan describes how the project team will document and report its work on monitoring and dealing with risks. It describes the risk register format that the team will use. It might also describe how risks will be added to or deleted from the register and how the project team will provide periodic summarized risk reports to top project and organization leaders.
- Project Funding and Timing: The plan will likely have a section describing the overall funding and timing for the project. That section also likely details funding for all project risk management work.
To determine what you need to include in your risk management plan, see the following requirements based on project size:
An Organization’s Risk Management Plan Often Doesn’t Change with Projects
Many risk management experts emphasize that an organization’s project risk management plans might not change much from project to project. That’s because the plan sets out particulars that will be followed for all projects.
“Remember, it's just an approach document that answers the question: How?” says Kris Reynolds, Founder and CEO of Arrowhead Consulting in Tulsa, Oklahoma. “The company or the department as a whole should have a single risk management plan that gets built as you're building your project management methodology. And it’s your Bible. It’s your guidebook.
“But it isn't going to change across projects,” Reynolds continues. “What changes are the artifacts, including the risk register. But your approach of how you're going to address risk or analyze risk or plan for risk is in the project risk management plan document. As a company or organization, you create that document, and it exists for a year or two years without changing.”
To create a project risk management plan, your team should gather important documents and decide on an approach for assessing and responding to risks. This process involves gathering support documents, listing potential risk management tools, and more.
Consider some of these basic steps and factors as you begin creating the project risk management plan:
- Gather Supporting Documents: Gather and read through supporting documents related to the overall project, including the project and project management plan. It’s important for your project risk team to have a full view of project goals and objectives.
- Frame the Context: Make sure your team understands both the business value of the project and the impact on the organization if the project fails.
- Decide on Risk Assessment Criteria: Decide how your team will identify and assess important risks. That will require your team to have an understanding of which types of risks your organization can tolerate and which risks could be ruinous to the project.
- Inventory Possible Risk Management Tools: Make a list of risk management tools and documents that your team might use to help identify and manage project risk.
- Known Risks: At the start of a project, team members will be able to identify a number of known risks, such as budget issues, shortages of material, and human and other resource constraints, which are measurable and based on specific events.
- Unknown Risks: At the start of a project, team members will not be able to identify a range of unknown risks that could impact your project. Those risks are not as easily or objectively measurable as known risks and can crop up at any point during a project. A main goal of project risk management is to help your team discover and address unknown risks before they happen.
- Unknowable Risks: Your team will not be able to anticipate unknowable risks that could affect the project, such as catastrophic weather events, accidents, and major system failures.
- Understand Human Bias: Studies have shown that people overestimate their ability to predict and influence the future. We often think we have more control than we do. Those biases can affect how we assess and manage risks in a project. We tend to give too much credence to what happened with past processes, fall into agreement with others in our group, and be more optimistic than we should be about how long a project will take or how much it will cost. It’s important to account for all of those biases as your team identifies and assesses project risk.
Steps in Developing a Project Risk Management Plan
After your project team has gathered documents and done other preparation work, you will want to follow nine basic steps in creating a project risk management plan. Those start with identifying and assessing risks.
Here are details on the nine steps of project risk management to keep in mind while drafting your project risk management plan:
- Identify Risks: Your team should gather information and request input from team and organization members to determine potential risks to the project. Some specific risks can threaten many projects. Other risks will vary, based on the type of project and the industry. “If you're talking about a software project, you could have risks associated with the technology, resources, and interdependencies with other systems,” says Zucker. “If you have vendors you're working with, there may be risks associated with the vendors. There may be risks that are software- or hardware-specific. If you're working on a construction project, those risks obviously would be very different.” You can learn more about project risk analysis and how to identify potential risks to a project.
- Assess Potential Impact of Each Risk: After your team identifies potential risks, it can assess the likelihood of each risk, along with the expected impact on the project if the risk happens. Your team can use a risk matrix to identify both the likelihood and impact of each risk. You can learn more about how to create a risk matrix and assess risks.
- Determine Your Organization's Risk Threshold and Tolerance: Your team will want to understand your organization’s risk threshold, or tolerance for risk. Organization leaders might decide that some risks should be avoided at all costs, while others are acceptable. Take the time to understand those views as you prioritize project risks.
- Prioritize Risks Based on Impact and Risk Tolerance: Once your team assesses the potential impact of a risk and your organization's risk tolerance for risks, it will prioritize risks accordingly. “Prioritize risks based on their disruptive potential for an organization,” says Simonov.
- Create a Risk Response Plan: Your team should then create a response plan for each risk that the team considers a priority. That response plan will include measures that could prevent the risk from happening or lessen the risk’s impact if it does happen.
- Select Project Risk Management Tools: Your team will need to decide on the best risk management tools to use for your project. That will likely include a risk register and a risk assessment matrix. It might include other tools, such as Monte Carlo simulations. Learn more about various tools and documents to use in risk management.
- Select an Owner for Each Risk: Each identified risk should have an assigned owner. In some cases, a department might be an owner of a risk, but most often, the team will assign individuals to monitor risks. In some cases, the owner will be responsible for dealing with the risk if it happens. Teams can list the owners of each risk on their project risk register.
- Determine Possible Triggers for Each Risk: As your team conducts a closer assessment of all risks, it should identify risk triggers where possible. Triggers are events that can cause a risk to happen. Your team won’t be able to identify triggers for all risks, but it will for some. For example, if you have a plant without sufficient backup power, a trigger could be warnings of a violent storm that could cause a power outage.
- Determine How Your Team Will Monitor Risks: An important part of your plan includes recording concrete details about how your team will ensure that it can continually monitor risks throughout the life of a project.
Risk Management Plan Examples, Templates, and Components
Examples of project risk management plans can help your team understand what information to include in a plan. The risk management plan can also detail various components that will be part of your team’s risk management.
Project Risk Management Plan Template
Download the Sample Project Risk Management Plan Template for Microsoft Word
Download this sample project risk management plan, which includes primary components that might be described in a project risk management plan, such as details on risk identification, risk mitigation, and risk tracking and reporting.
Download the Blank Project Risk Management Plan for Microsoft Word
Use this blank template to create your own project risk management plan. The template includes sections to ensure that your team covers all areas of risk management, such as risk identification, risk assessment, and risk mitigation. Customize the template based on your needs.
Project Risk Register Template
Download the Sample Project Risk Register for Excel
This sample project risk register gives your team a better understanding of the information that a risk register should include to help the team understand and deal with risks. This sample includes potential risks that a project manager might track for a construction project.
Download the Blank Project Risk Register Template for Excel
Use this project risk register template to help your team identify, track, and plan for project risks. The template includes columns for categorizing risks, providing risk descriptions, determining a risk severity score, and more.
Quantitative Risk Register Template
Download the Sample Quantitative Project Risk Impact Matrix for Excel
This sample quantitative project risk impact matrix template can help your team assess a project risk based on quantitative measures, such as potential monetary cost to the project. The template includes columns where your team can assess and track the probability and potential cost of each project risk. The template calculates a total monetary risk impact based on your estimates of probability and cost.
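The register, the likelihood/impact matrix, the tolerance check, the owner and trigger columns from the nine-step procedure above, and the probability-times-cost calculation of the quantitative impact matrix template, can all be modelled together. The following is an added example written for this page; it is not code from Smartsheet, Arrowhead Consulting, or any of the templates. The 1-5 rating scales, the two tolerance thresholds, the response wording, and the five sample risks are all constructed for illustration and should be replaced with your organization's own criteria.

```python
"""Project risk register with qualitative (likelihood x impact) and
quantitative (probability x cost) scoring.

Added illustration for this page; not code from Smartsheet, Arrowhead
Consulting or any template. Scales, thresholds and sample risks are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed 1-5 scales for the risk assessment matrix.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed organizational tolerance: a score at or above RESPONSE_REQUIRED
# needs a documented response plan; a score at or above TOO_LARGE_TO_ACCEPT
# may not simply be accepted (the "too large to accept" criterion).
RESPONSE_REQUIRED = 10
TOO_LARGE_TO_ACCEPT = 20


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str                             # branch of the risk breakdown structure
    likelihood: str                           # key of LIKELIHOOD
    impact: str                               # key of IMPACT
    owner: str                                # person or group monitoring the risk
    trigger: Optional[str] = None             # observable event that precedes the risk
    probability: Optional[float] = None       # 0..1, quantitative view
    cost_if_realized: Optional[float] = None  # monetary impact if it happens

    def score(self) -> int:
        """Matrix severity score: likelihood rating times impact rating."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def expected_cost(self) -> Optional[float]:
        """Probability-weighted cost, as in a quantitative impact matrix."""
        if self.probability is None or self.cost_if_realized is None:
            return None
        return self.probability * self.cost_if_realized

    def response(self) -> str:
        """Map the matrix score onto the organization's tolerance bands."""
        s = self.score()
        if s >= TOO_LARGE_TO_ACCEPT:
            return "avoid/reduce: outside tolerance, acceptance not allowed"
        if s >= RESPONSE_REQUIRED:
            return "reduce/share: response plan required"
        return "accept: owner monitors"


def validate(risk: Risk) -> list[str]:
    """Return the reasons a register entry is incomplete or inconsistent."""
    problems = []
    if risk.likelihood not in LIKELIHOOD:
        problems.append(f"{risk.risk_id}: unknown likelihood {risk.likelihood!r}")
    if risk.impact not in IMPACT:
        problems.append(f"{risk.risk_id}: unknown impact {risk.impact!r}")
    if not risk.owner.strip():
        problems.append(f"{risk.risk_id}: no owner assigned")
    if risk.probability is not None and not 0.0 <= risk.probability <= 1.0:
        problems.append(f"{risk.risk_id}: probability must be between 0 and 1")
    if (risk.probability is None) != (risk.cost_if_realized is None):
        problems.append(f"{risk.risk_id}: quantitative view needs both probability and cost")
    return problems


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest matrix score first; expected cost breaks ties; id keeps order stable."""
    return sorted(risks, key=lambda r: (-r.score(), -(r.expected_cost() or 0.0), r.risk_id))


def total_expected_cost(risks: list[Risk]) -> float:
    """Sum of expected costs over entries that carry quantitative estimates."""
    return sum(r.expected_cost() or 0.0 for r in risks)


def sample_register() -> list[Risk]:
    """Constructed sample entries for a fictional data-migration project."""
    return [
        Risk("R1", "Primary cloud vendor outage during cutover", "vendor",
             "possible", "major", "ops lead",
             trigger="vendor status page reports degradation",
             probability=0.3, cost_if_realized=50_000),
        Risk("R2", "Plant loses power during a storm (no backup generator)", "facilities",
             "unlikely", "severe", "site manager",
             trigger="severe weather warning for the site",
             probability=0.1, cost_if_realized=200_000),
        Risk("R3", "Scope creep from late stakeholder requests", "schedule",
             "likely", "moderate", "project manager",
             probability=0.6, cost_if_realized=20_000),
        Risk("R4", "Test environment license lapses", "resources",
             "rare", "minor", "QA lead"),
        Risk("R5", "Undetected data-integrity defect in the migration", "technical",
             "likely", "severe", "data architect",
             trigger="reconciliation report shows row-count drift",
             probability=0.5, cost_if_realized=500_000),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in register:
        for p in validate(r):
            print("WARNING", p)
    for r in prioritize(register):
        cost = r.expected_cost()
        print(f"{r.risk_id} score={r.score():2d} expected_cost={cost if cost is not None else 'n/a'} "
              f"owner={r.owner} -> {r.response()}")
    print("total expected cost:", total_expected_cost(register))
```

Running the script prints the register in priority order: R5 (score 20) lands in the band that cannot be accepted, R1 and R3 tie on score 12 and are separated by expected cost, and R4 (score 2) stays on the accept list with its owner monitoring it. The `validate` check is the part a reviewer would lean on: an entry without an owner or with a probability outside 0..1 is flagged before it reaches the prioritized list, which is what keeps a shared register credible as the text above warns.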
Risk Breakdown Structure Template
Download the Risk Breakdown Structure Template for Excel
Your team can use this template to create a risk breakdown structure diagram that shows different types of risks that could affect a project. The template helps your team organize risks into broad categories.
Step-By-Step Guide to Creating a Project Risk Management Plan
Below are step-by-step instructions on how to fill out a project risk management plan template. Follow these steps to help you and your team understand the information needed in an effective risk management plan.
This template is based on a project risk management plan template created by Arrowhead Consulting of Tulsa, Oklahoma, and was shared with us by Kris Reynolds.
- Cover Section: Provide information for the cover section, also known as the summary section. This will include the name of the project, the project overview, the project goals, the expected length of the project, and the project manager.
- Risk Management Approach: Write a short summary of your organization's overall approach to project risk management for all projects, not only the project at hand. The summary might describe overall goals, along with your organization’s view of the benefits of good project risk management.
- Plan Purpose: Write a short summary explaining how the plan will help your team perform proper risk management for the project.
- Risk Identification: Provide details on how your team plans to identify and define risks to the project. Those details should include who is assigned to specific responsibilities for risk identification and tracking, as well as what information and categories will be included in your team’s project risk register.
- Risk Assessment: Provide details on how your team will assess the probability and potential impact of each risk it has identified. Your team should also include details on any risk matrices it plans to use and how the team will prioritize risks based on those matrices.
- Risk Response: Provide details on the ways your team can choose to respond to various risks. In the case of high-priority risks, that will include prevention or mitigation plans for each risk. In the case of low-priority risks, or risks that might be prohibitively expensive to mitigate, it might include accepting the risk with limited mitigation measures.
- Risk Mitigation: Provide more details on how your team plans to lessen the likelihood or impact of each risk. Your team should also provide details on how it will monitor the effectiveness of prevention and mitigation strategies, and change them if needed.
- Risk Tracking and Reporting: Provide details on how your team plans to track and report on risks and risk mitigation activities. These details will likely include information on the project risk register your team plans to use and information on how your team plans to periodically report risk and risk responses to organizational leadership.
Do Complex Projects Require More Complex Project Risk Management Plans?
Experts say that complex projects shouldn’t require more complex project risk management plans. A project might have more complex tools, such as a more detailed risk register, but the risk management plan should cover the same basics for all projects.
“The problem is, most people get these management plans confused. They then start lumping in the artifacts [such as risk registers] — which can be more complex and have more detail — to the risk management plan itself,” says Reynolds. “You want it to be easily understood and easily followed.
“I don't think the complexity of the project changes the risk management plan,” Reynolds says. “You may have to circulate the plan to more people. You may have to meet more frequently. You may have to use quantitative risk analysis. That would be more complex with more complex projects. But the management plan itself — no.”
Effectively Manage Project Risks with Real-Time Work Management in Smartsheet
From simple task management and project planning to complex resource and portfolio management, Smartsheet helps you improve collaboration and increase work velocity, empowering you to get more done.
The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.
When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.
Risk management plan template
Starting a project without considering risks is, well, a big risk to take. Prevent major issues from occurring in your project with a risk management plan template. Learn how to create a risk management plan template in Asana.
Before you start a project, it’s important to take into account any potential issues and risks that can prevent your project from progressing smoothly.
Using a risk management plan template can help you mitigate risk and establish a contingency plan so you can successfully hit your goals without a hitch. Here’s how to do it.
What is a risk management plan template?
A risk management plan template is a tool to help project managers prevent and measure potential risks. While the content of the template may change from project to project, the main structure of the template will not change. Using a template to manage the risk management process can help expedite future projects and align your team members so they know what to expect in the event that a risk occurs.
Creating a risk management plan template also makes it easier to manage projects with multiple stakeholders. When everyone is familiar with your established template, there’s less of a learning curve each time you start a new project.
Why create a risk management plan template?
Creating a risk management plan template is a best practice for project management professionals, and for good reason. Here’s why you should create a project risk management plan template before starting a large project.
Proactively prevent risks
With a risk management plan template, you can proactively ensure that problems that could occur already have a solution before they ever happen. By assigning a specific risk to a team member, you’re specifying the person responsible for actively monitoring each potential risk.
For some teams, developing mitigation strategies for high-impact projects is necessary before a project is even approved. This prevents high-risk projects from affecting major business operations. If your team doesn’t have mitigation plans in place, your project may not make it past the approval stage.
A risk management plan template gives your team clarity, especially when it comes to contingency plans. Stakeholders often don’t enjoy hearing that something could go wrong with a project schedule, but if you and your team already have response strategies in place, it’s much easier to quell that anxiety. Collaborative work management software like Asana allows everyone on your team to access important risk management documentation, such as a risk log, a risk assessment matrix, or other project documents.
It’s not easy to own up to an issue when things go wrong. But when there’s an assigned risk owner, that individual is responsible for mitigating that risk as much as possible if it occurs. This allows team members to evaluate the negative impact of a potential risk and develop contingency plans if or when issues arise. Individual team members have the agency to find the right solution. And if any key stakeholders have questions regarding that specific risk, they know exactly which team member to ask.
What to include in your risk management plan template
Creating a risk management plan template is easy, but the way you manage information within the plan can vary from team to team. So how should you organize the information in your risk management plan template?
One of the easiest ways to do this is by importance—for example, by ranking risks according to their potential impact on your project. Or, you could organize your risk management plan template by the likelihood of each risk happening.
No matter how you organize your risk management plan template, it’s important to utilize a tool that is customizable and collaborative. That way, your team can organize your risk management plan template in a way that makes the most sense for your team.
4 steps to use your risk management plan template
- Brainstorm which risks to add. Use collaborative software so everyone on your team can identify and add any potential risks that can negatively impact your project.
- Assess the probability and impact of each risk. The probability and impact of each risk combined represents the potential impact of the risk. Make sure your template has a way to track both risk likelihood and severity.
- Predict how likely each risk is. Based on historical data or previous projects, team members can predict the probability that each risk will occur.
- Monitor risks during the project lifecycle. The easiest way to do this is to assign team members a specific risk to monitor throughout the lifetime of a project.
- Custom fields. Custom fields are the best way to tag, sort, and filter work. Create unique custom fields for any information you need to track—from priority and status to email or phone number. Use custom fields to sort and schedule your to-dos so you know what to work on first. Plus, share custom fields across tasks and projects to ensure consistency across your organization.
- Dependencies. Mark a task as waiting on another task with task dependencies. Know when your work is blocking someone else’s work, so you can prioritize accordingly. Teams with collaborative workflows can easily see what tasks they’re waiting on from others, and know when to get started on their portion of work. When the first task is completed, the assignee will be notified that they can get started on their dependent task. Or, if the task your work is dependent on is rescheduled, Asana will notify you—letting you know if you need to adjust your dependent due date as well.
- Start dates. Sometimes you don’t just need to track when a to-do is due—you also need to know when you should start working on it. Start times and dates give your team members a clear sense of how long each task should take to complete. Use start dates to set, track, and manage work to align your team's objectives and prevent dependencies from falling through the cracks.
- Subtasks. Sometimes a to-do is too big to capture in one task. If a task has more than one contributor, a broad due date, or stakeholders that need to review and approve before it can go live, subtasks can help. Subtasks are a powerful way to distribute work and split tasks into individual components—while keeping the small to-dos connected to the overarching context of the parent task. Break tasks into smaller components or capture the individual components of a multi-step process with subtasks.
- Gmail. With the Asana for Gmail integration, you can create Asana tasks directly from your Gmail inbox. Any tasks you create from Gmail will automatically include the context from your email, so you never miss a beat. Need to refer to an Asana task while composing an email? Instead of opening Asana, use the Asana for Gmail add-on to simply search for that task directly from your Gmail inbox.
- Outlook. As action items come in via email, like reviewing work from your agency or a request for design assets from a partner, you can now create tasks for them in Asana right from Outlook. You can then assign the new task to yourself or a teammate, set a due date, and add it to a project so it’s connected to other relevant work.
- Zendesk. With Asana's Zendesk integration, users can quickly and easily create Asana tasks directly from Zendesk tickets. Add context, attach files, and link existing tasks to track work needed to close out the ticket. The integration also provides continuing visibility across both systems, so everyone is kept up to speed regardless of which tool they use.
- Jira. Create interactive, connected workflows between technical and business teams to increase visibility around the product development process in real time—all without leaving Asana. Streamline project collaboration and handoffs. Quickly create Jira issues from within Asana so that work passes seamlessly between business and technical teams at the right time.
Do I need a risk management plan template?
A risk management plan template is a helpful collaboration tool. If you’re looking for a way to connect your project team members and your key stakeholders, a risk management plan template can help your team get on the same page by compiling all work in one central place.
How do you use a risk management plan template?
A risk management plan template is most commonly used to help mitigate potential risks. Use your risk management plan template during the project planning phase. Brainstorm potential risks with your team and log them into your already existing template. Remember to include the likelihood of the risk happening, a description of the risk, and a team member who is responsible for that specific risk should it occur.
What is the purpose of a risk management plan template?
Use a risk management plan template to help mitigate risks as your team moves through the project lifecycle. You can use a risk management plan template to help align project managers and team members to establish a tentative plan if a risk happens. You can also use it to help establish set processes for future projects. This can help expedite the risk management process and give your team some guidelines to work with.
How do I make a risk management plan template?
Your risk management plan template should live in a project management platform that your entire team has access to. By tracking this information in a central source of truth, you can track all potential risks, the impact of those risks, and who is responsible for monitoring and reacting to the risk if it occurs. Your risk management plan template should include descriptions of potential risks, the level of impact a risk would have on a project, the likelihood of that risk occurring, and a dedicated individual to monitor that specific risk.
What are the benefits of creating a risk management plan template?
A risk management plan template can help your team proactively prevent risks, provide your team clarity on contingency plans, and encourage accountability with team members. Creating a risk management plan template can help standardize processes across the organization, further preventing more risk.
Strategic Risk Management: A Primer for Directors
Matteo Tonello is managing director of corporate leadership at the Conference Board. This post is based on an issue of the Conference Board’s Director Notes series by Mark L. Frigo and Richard J. Anderson, director and professor of strategic risk management, respectively, at DePaul University. This Director Note was based on a book authored by Dr. Frigo and Mr. Anderson, available here.
As noted by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “In the aftermath of the financial crisis, executives and their boards realize that ad hoc risk management is no longer tolerable and that current processes may be inadequate in today’s rapidly evolving business world.”  However, especially for nonfinancial companies that may be relatively new to these topics, enhancing risk management can be a somewhat daunting task.
This article focuses on two key aspects of the relationship between risk and strategy: (1) understanding the organization’s strategic risks and the related risk management processes, and (2) understanding how risk is considered and embedded in the organization’s strategy setting and performance measurement processes. These two areas not only deserve the attention of boards, but also fit closely with one of the primary responsibilities of the board — risk oversight.
The Advent of Strategic Risk Management
Enterprise risk management (“ERM”) and risk management in general can encompass a wide range of risks that face any organization. Some risks may reflect exposures that, although harmful, will not threaten the overall health of an organization or its ability to ultimately meet its business objectives. For example, a temporary data center outage can result in a short-term problem or customer dissatisfaction, but once recovered, the organization can quickly be back on track. Other more significant risk events can be catastrophic, resulting in losses that can not only impair an organization’s ability to meet its objectives, but may also threaten the organization’s survival. The recent credit crisis is an example of this type of risk. These more significant risk exposures have given rise to a focus on “strategic risks” and “strategic risk management.” “Strategic risks” are those risks that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization. “Strategic risk management” then can be defined as “the process of identifying, assessing and managing the risk in the organization’s business strategy—including taking swift action when risk is actually realized.” Strategic risk management is focused on those most consequential and significant risks to shareholder value, an area that merits the time and attention of executive management and the board of directors.
Standard & Poor’s included the following attributes for strategic risk management in its 2008 announcement that it would apply enterprise risk analysis to corporate ratings:
- Management’s view of the most consequential risks the firm faces, their likelihood, and potential effect;
- The frequency and nature of updating the identification of these top risks;
- The influence of risk sensitivity on liability management and financial decisions; and
- The role of risk management in strategic decision making.
Clearly the potential impact of strategic risks is significant enough to deserve the attention of the board and its directors.
Strategic Risk Management and the Role of the Board
At the board level, strategic risk management is a necessary core competency.  In Ram Charan’s book, Owning Up: The 14 Questions Every Board Member Needs to Ask, one of the questions posed is “Are we addressing the risks that could send our company over the cliff?”  According to Charan, boards need to focus on the risk that is inherent in the strategy and strategy execution:
Risk is an integral part of every company’s strategy; when boards review strategy, they have to be forceful in asking the CEO what risks are inherent in the strategy. They need to explore ‘what ifs’ with management in order to stress-test against external conditions such as recession or currency exchange movements. 
Regarding risk culture, Charan provides the following insight: “Boards must also watch for a toxic culture that enables ethical lapses throughout the organization. Companies set rules—but the culture determines how employees follow them.”  We believe that corporate culture plays a significant role in how well strategic risk is managed and must be considered as part of a strategic risk assessment.
Understanding an Organization’s Strategic Risks and Related Risk Management Processes
A necessary first step for boards to understand their strategic risks and how management is managing and monitoring those risks is a strategic risk assessment. A strategic risk assessment is a systematic and continual process for assessing the most significant risks facing an enterprise.  It is anchored and driven directly by the organization’s core strategies. As noted in a 2011 COSO report, “Linkage of top risks to core strategies helps pinpoint the most relevant information that might serve as an effective leading indicator of an emerging risk.” 
Conducting an initial assessment can be a valuable activity and should involve both senior management and the board of directors. Management should take the lead in conducting the assessment, but the assessment process should include input from the board members and, as it is completed, a thorough review and discussion between management and the board. These dialogues and discussions may be the most beneficial activities of the assessment and afford an opportunity for management and the directors to come to a consensus view of the risks facing the company, as well as any related risk management activities.
The strategic risk assessment process is designed to be tailored to an organization’s specific needs and culture. To be most useful, a risk management process and the resultant reporting must reflect and support an enterprise’s culture so the process can be embedded and owned by management. Ultimately, if the strategic risk assessment process is not embedded and owned by management as an integral part of the business processes, the risk management process will rapidly lose its impact and will not add to or deliver on its expected role.
The Strategic Risk Assessment Process
There are seven basic steps for conducting a strategic risk assessment:
1. Achieve a deep understanding of the strategy of the organization
The initial step in the assessment process is to gain a deep understanding of the key business strategies and objectives of the organization. Some organizations have well-developed strategic plans and objectives, while others may be much more informal in their articulation and documentation of strategy. In either case, the assessment must develop an overview of the organization’s key strategies and business objectives. This step is critical, because without these key data to focus around, an assessment could result in a long laundry list of potential risks with no way to really prioritize them. This step also establishes a foundation for integrating risk management with the business strategy. In conducting this step, a strategy framework can be useful to provide structure to the activity.
2. Gather views and data on strategic risks
The next step is to gather information and views on the organization’s strategic risks. This can be accomplished through interviews of key executives and directors, surveys, and the analysis of information (e.g., financial reports and investor presentations). This data gathering should also include both internal and external auditors and other personnel who would have views on risks, such as compliance or safety personnel. Information gathered in Step 1 may be helpful to frame discussions or surveys and relate them back to core strategies. This is also an opportunity to ask what these key individuals view as potential emerging risks that should also be considered.
3. Prepare a preliminary strategic risk profile
Combine and analyze the data gathered in the first two steps to develop an initial profile of the organization’s strategic risks. The level of detail and type of presentation should be tailored to the culture of the organization. For some organizations, simple lists are adequate, while others may want more detail as part of the profile. At a minimum, the profile should clearly communicate a concise list of the top risks and their potential severity or ranking. Color-coded reports or “heat maps” may be useful to ensure clarity of communication of this critical information.
4. Validate and finalize the strategic risk profile
The initial strategic risk profile must be validated, refined, and finalized. Depending on how the data gathering was accomplished, this step could involve validation with all or a portion of the key executives and directors. It is critical, however, to gain sufficient validation to prevent major disagreements on the final risk profile.
5. Develop a strategic risk management action plan
This step should be undertaken in tandem with Step 4. While significant effort can go into an initial risk assessment and strategic risk profile, the real product of this effort should be an action plan to enhance risk monitoring or management actions related to the strategic risks identified. The ultimate value of this process is helping and enhancing the organization’s ability to manage and monitor its top risks.
6. Communicate the strategic risk profile and strategic risk management action plan
Building or enhancing the organization’s risk culture is a communications effort with two primary focuses. The first focus is the communication of the organization’s top risks and the strategic risk management action plan to help build an understanding of the risks and how they are being managed. This helps focus personnel on what those key risks are and potentially how significant they might be. A second focus is the communication of management’s expectations regarding risk to help reinforce the message that the understanding and management of risk is a core competency and expected role of people across the organization. The risk culture is an integral part of the overall corporate culture. The assessment of the corporate culture and risk culture is an initial step in building and nurturing a high performance, high integrity corporate culture.
7. Implement the strategic risk management action plan
As noted above, the real value resulting from the risk assessment process comes from the implementation of an action plan for managing and monitoring risk. These steps define a basic, high-level process and allow for a significant amount of tailoring and customization to reflect the maturity and capabilities of the organization. As shown by Figure 1, strategic risk assessment is an ongoing process, not just a one-time event. Reflecting the dynamic nature of risk, these seven steps constitute a circular or closed-loop process that should be ongoing and continual within the organization.
Integrating Strategic Risk Management in Strategy Setting and Performance Measurement Processes
The second step for an organization is to integrate strategic risk management into its existing strategy setting and performance measurement processes. As discussed above, there is a clear link between the organization’s strategies and its related strategic risks. Just as strategic risk management is an ongoing process, so is the need to establish an ongoing linkage with the organization’s core processes to set and measure its strategies and performance. This would include integrating risk management into strategic planning and performance measurement systems. Again, the maturity and culture of the organization should dictate how this is performed. For some organizations, this may be accomplished through relatively simple processes, such as adding a page or section to their annual business planning process for the business to discuss the risks it sees in achieving its business plan and how it will monitor those risks. For organizations with more developed performance measurement processes, the Kaplan-Norton Strategy Execution Model described in The Execution Premium may be useful. This model describes six stages for strategy execution and provides a useful framework for visualizing where strategic risk management can be embedded into these processes.
Stage 1: Develop the strategy
This stage includes developing the mission, values, and vision; strategic analysis; and strategy formulation. At this stage, a strategic risk assessment could be included using the Return Driven Strategy framework to articulate and clarify the strategy and the Strategic Risk Management framework to identify the organization’s strategic risks.
Stage 2: Translate the strategy
This stage includes developing strategy maps, strategic themes, objectives, measures, targets, initiatives, and the strategic plan in the form of strategy maps, balanced scorecards, and strategic expenditures. Here, the strategic risk management framework would be used to develop risk-based objectives and performance measures for balanced scorecards and strategy maps, and for analyzing risks related to strategic expenditures. At this stage, boards may also want to consider developing a risk scorecard that includes key metrics.
Stage 3: Align the organization
This stage includes aligning business units, support units, employees, and boards of directors. The Strategic Risk Management Alignment Guide and Strategic Framework for GRC (Governance, Risk and Compliance) would be useful for aligning risk and control units toward more effective and efficient risk management and governance, and for linking this alignment with the strategy of the organization.
Stage 4: Plan operations
This stage includes developing the operating plan, key process improvements, sales planning, resource capacity planning, and budgeting. In this stage, the strategic risk management action plan can be reflected in the operating plan and dashboards, including risk dashboards. One organization we worked with developed a “resources follow risk” philosophy to make certain that resources were appropriately and efficiently allocated. This philosophy focused on ensuring that resources used in risk management are justified economically based on the relative amount of risk and cost-benefit analysis.
Stage 5: Monitor and learn
This stage includes strategy and operational reviews. “Strategic risk reviews” would be part of the ongoing strategic risk assessment, which reinforces the necessary continual, closed-loop approach for effective strategic risk assessment and strategy execution.
Stage 6: Test and adapt
This stage includes profitability analysis and emerging strategies. Emerging risks can be considered part of the ongoing strategic risk assessment in this stage. The strategic risk assessment can complement and leverage the strategy execution processes in an organization toward improving risk management and governance.
For more information about integrating risk management in the strategy execution model and a discussion of risk scorecards, see “Risk Management and Strategy Execution Systems.” 
Final Thoughts: Moving Forward with Strategic Risk Management
Management teams and boards must challenge themselves and their organizations to move up the strategic risk management learning curve. Developing strategic risk management processes and capabilities can provide a strong foundation for improving risk management and governance. Boards may want to consider engaging independent advisors to advise and educate themselves on these matters. For organizations that are early in this process, the seven keys to success for improving ERM as described in a 2011 COSO Thought Leadership Paper may be useful, and are applicable in strategic risk management:
- 1. Support from the top is a necessity
- 2. Build ERM using incremental steps
- 3. Focus initially on a small number of top risks
- 4. Leverage existing resources
- 5. Build on existing risk management activities
- 6. Embed ERM into the business fabric of the organization
- 7. Provide ongoing ERM updates and continuing education for directors and senior management 
However the board decides to proceed, its leadership, direction, and overall oversight will be critical to the success of a strategic risk management process.
- “Effective Enterprise Risk Oversight: The Role of the Board of Directors,” COSO, 2009, p. 1.
- “Enterprise Risk Management: Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings,” Standard & Poor’s press release, May 7, 2008 (www.standardandpoors.com).
- Mark L. Frigo, “Strategic Risk Management: The New Core Competency,” Balanced Scorecard Report 11, no. 1 (January–February 2009).
- Ram Charan, Owning Up: The 14 Questions Every Board Member Needs to Ask (San Francisco: John Wiley & Sons, 2009).
- Charan, Owning Up, p. 23.
- Charan, Owning Up, p. 28.
- Mark L. Frigo and Richard J. Anderson, “Strategic Risk Assessment: A First Step for Improving Risk Management and Governance,” Strategic Finance, December 2009.
- Mark S. Beasley, Bruce C. Branson and Bonnie V. Hancock, “Developing Key Risk Indicators to Strengthen Enterprise Risk Management,” COSO, 2011, p. 2.
- Robert S. Kaplan and David P. Norton, The Execution Premium (Cambridge, MA: Harvard Business Press, 2008).
- Mark L. Frigo and Richard J. Anderson, “Strategic Risk Management: A Primer for Directors and Management Teams,” 2012.
- Mark L. Frigo and Richard J. Anderson, “A Strategic Framework for Governance, Risk and Compliance,” Strategic Finance, February 2010.
- Robert S. Kaplan, “Risk Management and Strategy Execution Systems,” Balanced Scorecard Report 11, no. 6 (November–December 2009).
- Mark L. Frigo and Richard J. Anderson, “Embracing Enterprise Risk Management: Practical Approaches for Getting Started,” COSO, 2011.
ERM and SRM should consider integrating with the Competitive Intelligence process. This will guarantee proficiency in Collection and Strategy development and Integration.
Integration of CI into this process will increase the ability to identify risks in advance. I wrote about it three years ago.
4 steps to integrate risk management into strategic planning
Let me first start by saying integrating risk management into strategic planning is NOT doing a strategic risk assessment or even having a risk conversation at the strategy setting meeting, it is so much more. You will also find it difficult to relate if the objectives have not been defined or documented in your company or if the objectives are not measurable.
Kevin W. Knight, during his first visit to Russia a few years ago, said ‘risk management is a journey… not a destination’. Risk practitioners are free to start their integration journey at any process or point in time; however, I believe that evaluating strategic objectives@risk is a good starting point. It is relatively simple to implement, yet has an immediate and significant impact on senior management decision making.
STEP 1 – STRATEGIC OBJECTIVES DECOMPOSITION
Any kind of risk analysis should start by taking a high-level objective and breaking it down into more tactical, operational key performance indicators (KPIs) and targets. When breaking down any objectives it is important to follow the McKinsey MECE principle (ME – Mutually Exclusive, CE – Collectively Exhaustive) to avoid unnecessary duplication and overlapping. Most of the time strategic objectives are already broken down into more tactical KPIs and targets by the strategy department or HR, so this saves the risk manager a lot of time.
This is a critical step to make sure risk managers understand the business logic behind each objective and helps make risk analysis more focused.
Important note: while it should be management’s responsibility to identify and assess risks, the business reality in your company may be that the risk manager sometimes has to take the lead and perform the risk assessment on strategic objectives.
EXAMPLE: RISK MANAGEMENT IMPLEMENTATION
STEP 2 – IDENTIFYING FACTORS, ASSOCIATED WITH UNCERTAINTY
Once the strategic objectives have been broken down into more tactical, manageable pieces, risk managers need to use the strategy document, financial model, business plan or the budgeting model to determine key assumptions made by the management.
Most assumptions are associated with some form of uncertainty and hence require risk analysis. Risk analysis helps to put unrealistic management assumptions under the spotlight. Common criteria for selecting management assumptions for further risk analysis include:
- The assumption is associated with high uncertainty.
- The assumption impact is properly reflected in the financial model (for example, it makes no sense to assess foreign exchange risk if in the financial model all foreign currency costs are fixed in local currency and a change in currency insignificantly affects the calculation).
- The organisation has reliable statistics or experts to determine the possible range of values and the possible distribution of values.
- There are reliable external sources of information to determine the possible range of values and the possible distribution of values.
For example, a large investment company may have the following risky assumptions: the expected rate of return for different types of investment, an asset sale timeframe, timing and the cost of external financing, rate of expected co-investment, exchange rates and so on.
Concurrently, risk managers should perform a classic risk assessment to determine whether all significant risks were captured in the management assumptions analysis. The risk assessment should include a review of existing management and financial reports, industry research, auditors’ reports, insurance and third party inspections, as well as interviews with key employees.
By the end of this step risk managers should have a list of management assumptions. For every assumption identified, risk managers should work with the process owners and internal auditors, and use internal and external information sources, to determine the range of possible values and its likely distribution shape.
EXAMPLE: RISK MANAGEMENT IMPLEMENTATION (CONTINUED)
STEP 3 – PERFORMING RISK ANALYSIS
The next step is to perform a scenario analysis or a Monte Carlo simulation to assess the effect of uncertainty on the company’s strategic objectives. Risk modeling may be performed in a dedicated risk model or within the existing financial or budget model. A variety of software options can be used for risk modeling. All examples in this guide were produced with the Palisade @Risk software package, which extends MS Excel or MS Project to perform powerful, visual, yet simple risk modeling.
When modeling risks it is critical to account for the correlations between different assumptions. One useful tool for in-depth risk analysis and identification of interdependencies is a bow-tie diagram. Bow-tie diagrams can be drawn manually or with the Palisade Big Picture software. Such analysis helps determine the causes and consequences of each risk, improves how they are modeled, and identifies correlations between different management assumptions and events.
The outcome of the risk analysis is the risk-adjusted probability of achieving each strategic objective and the key risks that may negatively or positively affect its achievement. The result is objectives@risk.
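Steps 2 and 3 carried through end to end in code. This is an added example and not the author’s @Risk model; the hypothetical importer (sells in local currency, buys inputs in USD), the three assumptions and their ranges, the correlation matrix, the cost constants and the plan target are all constructed for illustration. It uses only the Python standard library: the expert ranges become triangular or normal distributions, a Gaussian copula (Cholesky factor of the correlation matrix) imposes the volume/price correlation that Step 3 warns about, and the simulation returns the risk-adjusted probability of hitting the plan together with the assumptions ranked by how strongly they drive the outcome.

```python
"""Monte Carlo analysis of a strategic objective with correlated assumptions.
Added example for Steps 2 and 3, not the original post's @Risk model;
every number is constructed for illustration. Standard library only."""
import math
import random
from statistics import NormalDist, mean

# Step 2 output: each management assumption gets a range and a distribution shape.
# "tri" = triangular (min, most likely, max), the usual shape for expert estimates;
# "norm" = normal (mean, std dev) for a market variable with history.
# Hypothetical importer: sells in local currency, buys inputs in USD.
ASSUMPTIONS = {
    "volume_units":     ("tri", 80_000.0, 100_000.0, 110_000.0),
    "price_local":      ("tri", 9.0, 10.0, 10.5),
    "fx_local_per_usd": ("norm", 70.0, 5.0),
}
UNIT_COST_USD = 0.08           # constructed: input cost per unit, USD
FIXED_COST_LOCAL = 300_000.0   # constructed: fixed cost, local currency
# Correlation between assumptions, in ASSUMPTIONS order: volume and price are
# negatively correlated (price elasticity); the exchange rate is independent.
CORRELATION = [[1.0, -0.5, 0.0],
               [-0.5, 1.0, 0.0],
               [0.0, 0.0, 1.0]]
_NORMAL_CDF = NormalDist().cdf

def ebit_local(volume, price, fx):
    """The plan's financial model: unit margin times volume, minus fixed cost."""
    return volume * (price - UNIT_COST_USD * fx) - FIXED_COST_LOCAL

# The plan target is the model evaluated at management's point estimates.
PLAN_TARGET = ebit_local(100_000.0, 10.0, 70.0)

def triangular_inverse_cdf(u, lo, mode, hi):
    """Map a uniform u in [0, 1] to a triangular(lo, mode, hi) sample."""
    if u < (mode - lo) / (hi - lo):
        return lo + math.sqrt(u * (hi - lo) * (mode - lo))
    return hi - math.sqrt((1.0 - u) * (hi - lo) * (hi - mode))

def cholesky(matrix):
    """Lower-triangular L with L * L^T == matrix (matrix must be positive definite)."""
    n = len(matrix)
    low = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            partial = sum(low[i][k] * low[j][k] for k in range(j))
            if i == j:
                low[i][j] = math.sqrt(matrix[i][i] - partial)
            else:
                low[i][j] = (matrix[i][j] - partial) / low[j][j]
    return low

def sample_assumptions(rng, chol):
    """One correlated draw via a Gaussian copula: correlated normals -> uniforms -> shapes."""
    z = [rng.gauss(0.0, 1.0) for _ in ASSUMPTIONS]
    corr_z = [sum(chol[i][k] * z[k] for k in range(len(z))) for i in range(len(z))]
    draw = {}
    for (name, spec), zi in zip(ASSUMPTIONS.items(), corr_z):
        if spec[0] == "tri":
            draw[name] = triangular_inverse_cdf(_NORMAL_CDF(zi), *spec[1:])
        else:
            draw[name] = spec[1] + spec[2] * zi
    return draw

def pearson(xs, ys):
    """Linear correlation, used to rank which assumption drives the outcome."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / math.sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))

def run_simulation(n=20_000, seed=1):
    """Step 3: simulate the objective, report objectives@risk and the key drivers."""
    rng = random.Random(seed)
    chol = cholesky(CORRELATION)
    draws = [sample_assumptions(rng, chol) for _ in range(n)]
    outcomes = [ebit_local(d["volume_units"], d["price_local"], d["fx_local_per_usd"]) for d in draws]
    ranked = sorted(outcomes)
    drivers = sorted(((name, pearson([d[name] for d in draws], outcomes)) for name in ASSUMPTIONS),
                     key=lambda item: -abs(item[1]))
    return {"plan_target": PLAN_TARGET,
            "p_achieve_plan": sum(o >= PLAN_TARGET for o in outcomes) / n,
            "expected": mean(outcomes),
            "p10": ranked[int(0.10 * n)], "p90": ranked[int(0.90 * n)],
            "drivers": drivers}

if __name__ == "__main__":
    r = run_simulation()
    print(f"plan target {r['plan_target']:,.0f}; probability of achieving it {r['p_achieve_plan']:.0%}")
    print(f"expected {r['expected']:,.0f}; P10 {r['p10']:,.0f}; P90 {r['p90']:,.0f}")
    for name, corr in r["drivers"]:
        print(f"  {name:<18} correlation with EBIT {corr:+.2f}")
```

Running it makes the point of the exercise visible: the plan target is the model evaluated at the most likely value of every assumption at once, so the risk-adjusted probability of achieving it comes out well below 50%, and the exchange rate, not sales volume, is the assumption to put under the spotlight. Replacing the model with the real financial or budget model means swapping ebit_local and the assumption table; the copula, the ranking and the reporting do not change.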
STEP 4 – TURNING RISK ANALYSIS INTO ACTIONS
Risk managers should discuss the outcomes of risk analysis with the executive team to see whether the results are reasonable, realistic and actionable. If indeed the results of risk analysis are significant, then the management with the help from the risk manager may need to:
- Revise the assumptions used in the strategy.
- Consider sharing some of the risk with third parties by using hedging, outsourcing or insurance mechanisms.
- Consider reducing risk by adopting alternative approaches for achieving the same objective or implementing appropriate risk control measures.
- Accept risk and develop a business continuity / disaster recovery plan to minimise the impact of risks should they eventuate.
- Or, perhaps, change the strategy altogether (the most likely option in our case)
Based on the risk analysis outcomes it may be required for the management to review or update the entire strategy or just elements of it. This is one of the reasons why it is highly recommended to perform risk analysis before the strategy is finalised.
At a later stage, the risk manager should work with internal audit to determine whether the risks identified during the risk analysis are in fact controlled and the agreed risk mitigations are implemented.
WATCH THE FREE WEBINAR TO FIND OUT MORE: https://www.youtube.com/watch?v=Ne0k-YW9ffA
RISK-ACADEMY offers decision making and risk management training and consulting services. Our corporate risk management training programs are specifically designed to promote risk-based decision making and integrating risk management into business processes. Risk managers all over the world call us in to help sell idea of integrating risk analysis into decision making and using quantitative risk analysis techniques. Check out most popular course for decision makers https://riskacademy.blog/product/risk-based-decision-making-executives/ or our dedicated programs to help risk managers learn the foundations of quant risk analysis https://riskacademy.blog/product/risk-managers-training/ . We can also help audit risk management effectiveness or develop a roadmap for risk management integration into decision making https://riskacademy.blog/product/g31000-risk-management-maturity-assessment/
Published by Alex Sidorenko
16 thoughts on “4 steps to integrate risk management into strategic planning”
Hi Alex, congratulations on the very nice presentation!