11/14/22, 10:41 AM Risk management process: What are the 5 steps?

What is a risk management process and why is it necessary?

Risk represents any kind of uncertainty that can improve or reduce the ability to achieve your objectives. It can
take many forms, including risks affecting projects, finances, security and privacy, and the environment. For both
positive risks (opportunities) or negative ones, you need an intentional approach to understand the balance
between risk and reward. This article focuses on the process for managing risks that could have a negative
impact on your organization; similar processes apply to determining how to exploit beneficial uncertainty, i.e.,
positive risk.

Recent history has highlighted the impact that risk factors can have on how businesses and individuals operate -
- and on whether they can continue to do so. The ability to navigate risk better than competitors will certainly
contribute to the enterprise's success. Failure to do so could spell disaster, perhaps beyond recovery.

For these reasons, it is important to apply a proven and consistent risk management process. When built upon a
solid foundation of understanding the organization's goals, objectives and internal/external context, a risk
management process will help ensure your organization's success.

What are the 5 steps of the risk management process?

Many bodies of knowledge have documented risk management, but perhaps the best known is that of the
International Organization for Standardization, or ISO. The ISO 31000 standard, Risk management --
Guidelines, includes extensive information on how to communicate about, manage and monitor various risks.
The process is essentially the same for any type of entity and comprises the following five steps:

THIS ARTICLE IS PART OF

What is risk management and why is it important?

Which also includes:

governance, risk management and compliance (GRC)

risk avoidance

https://www.techtarget.com/searchcio/feature/Risk-management-process-What-are-the-5-steps 1/6
11/14/22, 10:41 AM Risk management process: What are the 5 steps?

risk map (risk heat map)

1. Identify the risks.

2. Analyze the likelihood and impact of each.
3. Prioritize risk based on enterprise objectives.
4. Treat (or respond to) the risk conditions.
5. Monitor results and use those to adjust, as necessary.

While these steps are straightforward, every business has unique factors that affect how it should manage and
monitor risk. To determine and apply those factors, it is helpful to apply a risk management framework as part of
a comprehensive approach to planning, executing and tracking overall management of the various risks.

Figure 1. An effective risk management process requires these five steps.

It's also important to keep in mind that the goal of the risk management process, in the context of a broad
framework, is not to completely eliminate all risk but to determine acceptable levels of risk, given your
objectives, and then work to keep those risk factors within agreed-upon boundaries. The steps below will help to
determine and apply specific actions to do so.

1. Identify risks
The first step is to determine the potential risks themselves. That requires some context: To consider what could
go wrong, one needs to begin with what must go right.

Begin the process with a review of your goals and objectives and the various resources or assets that enable
them. Risk practitioners often apply a top-down, bottom-up approach to thinking about what might impede those
objectives.

The top-down portion considers mission-critical programs that should not be impaired (like sales transactions in
a retail store or manufacturing processes in a factory); it then lists the conditions that might impair those
programs.

https://www.techtarget.com/searchcio/feature/Risk-management-process-What-are-the-5-steps 2/6
11/14/22, 10:41 AM Risk management process: What are the 5 steps?

For the bottom-up portion, one can consider various known threat sources (like earthquakes, ransomware
attacks or economic downturns) and ponder what impact those might have on the enterprise.

Because risk is, by definition, any uncertainty that affects objectives, a risk is only a risk if it has impact. The
more impactful a risk is, the higher the priority. The analysis of that priority will occur in the next step, but first
one needs to consider the various risk factors to create a scenario that can be measured.

NIST Interagency Report (NISTIR) 8286A -- "Identifying and Estimating Cybersecurity Risk for Enterprise Risk
Management (ERM)" -- provides guidance on developing risk scenarios. According to the report, the following
four elements are necessary to be present to describe a negative risk (see Figure 2):

1. a valuable asset or resource that would be impacted;

2. a source of a threatening action that would act against that asset;
3. a preexisting condition (or vulnerability) that enables that threat source to act; and
4. some harmful impact that occurs from the threat source exploiting that vulnerability.

With these building blocks, one can compose a broad set of risk scenarios to be analyzed, sorted and treated.
Describing the risk as a scenario helps with communicating the risk conditions and analyzing the likelihood and
impact of the risk. It also makes it easier to consider how to respond. An example scenario might be, "The
manufacturing plant is affected by a power outage resulting from a tropical storm, disrupting plant operations for
several days."

Figure 2. A negative risk is defined as having these four attributes.

While hindsight is never perfect, it provides useful insight into what risk events might occur in the future. In
particular, it can be helpful to review headlines about risks that similar businesses have faced, the conditions
that enabled them and how the risks impacted the organizations.

Risk categories
In considering various types of risk, it may be helpful to organize them into categories. That categorization
enables each type of risk to be considered and tracked by individuals or teams that are familiar with particular
topics. For example, the Committee of Sponsoring Organizations of the Treadway Commission, a joint initiative
of professional organizations that provides risk management guidance, has suggested that risk can be
organized into the following four areas:
https://www.techtarget.com/searchcio/feature/Risk-management-process-What-are-the-5-steps 3/6
11/14/22, 10:41 AM Risk management process: What are the 5 steps?

strategic risk (e.g., reputation, customer relations, technical innovation);

financial and reporting risk (e.g., market, tax, credit);
compliance and governance risk (e.g., ethics, regulatory, international trade, privacy); and
operational risk (e.g., information and technology security and privacy, supply chain, labor issues, natural
disasters).

Categories of risks also help to integrate information as managers communicate about, track and adjust risk
response. For each risk category, an intentional process for developing the scenarios will ensure that the list is
sufficiently comprehensive. Many tools are available to help visualize and evaluate the scenarios. Examples
include the following:

risk breakdown structures for project risks (e.g., "Use a risk breakdown structure (RBS) to understand your
risks");
threat trees for cybersecurity risk (e.g., Carnegie Mellon's OCTAVE Allegro methodology); and
Delphi exercises for considering investment risk.

The final component of this first step, risk identification, is to record the findings in a risk register. The risk
register provides a means of communicating and tracking the various risks throughout subsequent steps. The
NISTIR 8286 report cited above provides an example of such a register, along with a sample risk detail template
in which to record many of the results of the risk management process steps.

2. Analyze risk likelihood and impact

As noted above, a risk is only a risk if it has impact, so the second step of the risk management process is to
analyze how likely it is that a risk will occur and that it will have a measurable impact.

There's a whole science to risk analysis, but essentially this step is a calculation of the probability of a risk event
occurring and an estimation of the impact of the consequences if that happened. While there is often an
immediate impact, there may be other subsequent consequences, as well, so it is important to consider each of
these factors in the calculations. Consider the loss of a laptop containing patient health records -- there will be
an immediate property loss, but the loss of that patient information could result in fines, lawsuits and reputational
damage that far exceed the cost of the lost device.

Risk analysis should include time factors as a part of the calculation. Financial reporting systems are often
considered critical, but during tax preparation time their integrity and availability needs might be particularly
important. The frequency of risk events is another time-based factor to consider.

Many organizations use general, or qualitative, terms to express those values. For example, we often use terms
such as "high risk" or "low probability" to communicate risk, or perhaps use red-yellow-green color schemes.
Organizations may benefit from a more scientific and specific quantitative approach to risk analysis. For
example, the Factor Analysis of Information Risk (FAIR) approach, instantiated in the Open Group's OpenFAIR
standard, can be used to perform detailed risk calculations that may be more helpful than colors for estimating.

https://www.techtarget.com/searchcio/feature/Risk-management-process-What-are-the-5-steps 4/6
11/14/22, 10:41 AM Risk management process: What are the 5 steps?

There are dozens of methods to perform both qualitative and quantitative risk analysis, many of which are
described in the ISO/IEC (International Electrotechnical Commission) standard 31010, "Risk management --
Risk assessment techniques." That publication points out that the techniques "are used within the risk
assessment steps of identifying, analyzing, and evaluating risk as described in ISO 31000, and more generally
whenever there is a need to understand uncertainty and its effects."

3. Prioritize based on enterprise objectives

The results of risk analysis enable the risks to be sorted and ranked based on their importance. Since resources
are likely to be limited, prioritization helps to highlight those risks that will be most likely and most impactful.
Reflecting these results in a risk map helps to visualize the relative importance of each risk and may also be
helpful in sharing risk observations with other stakeholders -- particularly those who may be providing (or
authorizing) resources to respond to those risks.

While the initial prioritization of risks may be based on the combination of likelihood and impact, the final ranking
might be influenced by factors that are important to those stakeholders. For example, if leadership has
expressed that customer trust is a key value for the enterprise, then risks that might impact customers could be
highlighted.

4. Treat risks in a cost-effective manner

With a prioritized list of risks in place, the next step is to evaluate the options available to treat those risks and
apply various methods and controls to achieve an acceptable level of risk. There are several options available to
do so, including the following:

If the risk, based on leadership's risk appetite, is already at an acceptable level, no further treatment is
necessary.
If it is possible to share some of the impact with another entity (e.g., an insurance firm, an external service
provider), then some of the risk may be transferred in that manner.
Where practical, various management, technical and administrative risk controls may be applied that will
help reduce the likelihood or impact of each risk to an acceptable level.
If none of these risk response methods can be applied, then risk managers must avoid the risk by
eliminating the activities or exposures that would enable the scenario being considered.

It is important to be sure that the methods applied are both effective and cost-effective. This approach explains
why a bank might use a 20-cent chain to protect an ink pen and a million-dollar vault to protect its cash reserves.
The resources required to treat the risk should be commensurate with the assets being protected.

5. Monitor risk management results

Even after each of the above steps, it is important that results be tracked and monitored to ensure that risks
remain within the limits established by the organization's leaders. Risk conditions can change rapidly, asset
values can fluctuate and stakeholder preferences can change. A critical part of monitoring is ensuring that
managers and senior leaders are informed about progress toward risk goals and changes that might have
organizational impact. The cycle is similar to the PDSA (Plan-Do-Study-Act) cycle popularized by Dr. W.
Edwards Deming, enabling continual improvement of the risk management process. As various teams

https://www.techtarget.com/searchcio/feature/Risk-management-process-What-are-the-5-steps 5/6
11/14/22, 10:41 AM Risk management process: What are the 5 steps?

throughout the organization take actions to identify, analyze and respond to risk, the results inform and refine the
next iteration.

Conclusion
Through application of these steps, in the context of a broader framework of governance and management,
organizations can consistently identify those risks that are likely to have a harmful impact, then prioritize cost-
effective treatment and monitor the results to maintain continual improvement.

https://www.techtarget.com/searchcio/feature/Risk-management-process-What-are-the-5-steps 6/6