
What is risk management?

Risk management is the process of minimising or mitigating adverse risks and taking advantage of positive opportunities. It starts with the identification and evaluation of risk, followed by the optimal use of resources to monitor and minimise the risk.

Risk generally results from uncertainty. In organisations this uncertainty can come from the global marketplace (demand, supply and the stock market), failure of projects, accidents, natural disasters, global pandemics such as COVID-19, etc. There are different tools and methods to assess and control risk, depending upon the kind of risk that is identified.


Ideally in risk management, a risk prioritisation process is implemented in which those risks identified that pose the biggest threat of great loss and have the greatest probability of occurrence are dealt with first.

The two factors that govern the actions required are the probability of occurrence and the severity or impact of the risk. For example, where the impact is minor and the probability of occurrence is low, it is often practicable to accept the risk without any interventions. For an event or risk where the likelihood is high and the impact is more significant, more extensive management is required. This is how priorities can be established in dealing with and controlling risk.

Risk management is always a continuous process: a fluid and dynamic strategy in which risks and the risk management systems are reviewed and re-evaluated, with the outcomes fed back into the management system for further assessment and review.

The two most common areas to deal with within Risk Management

Risk Source

The source can be either internal or external to the system. External sources are beyond control whereas internal sources can be controlled to a certain extent.


Risk Problem

A problem at the surface level could be the threat of an accident and casualties at the plant, a fire incident, etc.

When either or both of the above two are known beforehand, certain steps can be taken to deal with them.

After the risks have been identified, they must be assessed for their potential criticality. Here we arrive at risk prioritisation.

In generic terms: risk = likelihood of occurrence × impact.

This is followed by the development of a risk management plan and its implementation. It comprises the effective security controls and control mechanisms for mitigation of risk.

A more challenging risk to organisational effectiveness is the risk that is present but cannot be identified. For example, a perpetual inefficiency in the production process accumulates over a certain period of time and translates into operational risk.


Various organisations have laid down principles for risk management. There are risk management principles from the International Organization for Standardization (ISO) and from the Project Management Body of Knowledge (PMBOK).

ISO 31000 is made up of 8 principles, and the Project Management Body of Knowledge (PMBOK) has laid down 12 principles.

An amalgamation of the various principles is:

Organisational context

Every organisation is affected to varying degrees by various factors in its environment (political, social, legal, technological, societal, etc.). For example, one organisation may be immune to a change in import duty whereas a different organisation operating in the same industry and environment may be at severe risk. There are also marked differences in communication channels, internal culture and risk management procedures. Risk management should therefore be able to add value and be an integral part of the organisational process.

Involvement of stakeholders

The risk management process should involve the stakeholders at each and every step of decision making. They should remain aware of even the smallest decision made. It is further in the interest of the organisation to understand the role the stakeholders can play at each step.

Organisational objectives

When dealing with a risk it is important to keep the organisational objectives in mind. The risk management process should explicitly address the uncertainty. This calls for being systematic and structured and keeping the big picture in mind.


Communication

In risk management, communication is key. The authenticity of the information has to be ascertained. Decisions should be made on the best available information, and there should be transparency and visibility regarding them.

Roles and responsibilities

Risk management has to be transparent and inclusive. It should take human factors into account and ensure that everyone knows their role at each stage of the risk management process.

Support structure

Support structure underlines the importance of the risk management team. The team members have to be dynamic, diligent and responsive to change. Each and every member should understand their intervention at each stage of the project management lifecycle.

Early warning indicators

Keep track of early signs of a risk translating into an active problem. This is achieved through continual communication by one and all at each level. It is also important to enable and empower each person to deal with the threat at their own level.

Review cycle

Keep evaluating inputs at each step of the risk management process: identify, assess, respond and review. The observations are markedly different in each cycle. Identify reasonable interventions and remove unnecessary ones.

Supportive culture

Brainstorm and enable a culture of questioning and discussion. This will motivate people to participate more.

Continual improvement

Be capable of improving and enhancing your risk management strategies and tactics. Use your learning and knowledge to assess the way you look at and manage ongoing risk.


So, what is risk? You could ask a number of people, or different organisations, and get many different answers. Many of the definitions will depend upon when they were written, as the thoughts and ideas behind risk have changed over the last 30 years, and most significantly over the last 10 years.

Why and what is Risk Management?

Every organisation, big or small, is susceptible to risk: operational, legal, environmental, reputational, brand, liability and financial.

Most organisations are concerned with risks that may affect them in a negative way.

This presentation examines the basic elements of an organisational risk management system, including the benefits of implementing risk management, risk assessment, prioritisation, and adopting risk management response strategies.

Risk management helps an organisation find a disciplined and systematic way to identify, evaluate, analyse, monitor, and mitigate the risks that threaten the achievement of the organisation’s strategic objectives.

Risk management is intentionally a proactive and not reactive process.

Different situations and events within an organisation can simultaneously result in both good and bad consequences. And each of these may require a different risk management strategy.

What are the benefits of Risk Management?

There are four major benefits of adopting a risk management system within an organisation.

First, a risk management system enhances an existing management system, both day to day and in long-term situations.

Second, a risk management system can streamline everyday running operations within an organisation. Employees who know and understand the correct procedures and policies within a risk management system are more able to complete tasks safely and assist in all aspects of a management system.

Third, good risk management improves financial management. Losses, lawsuits, and injuries all cost money. So a successful risk management system helps organisations to avoid these additional and unwanted costs.

And finally, a risk management system helps provide consistent and enhanced services. Every time a loss occurs, or a property is damaged, reports need to be written, depositions taken, and so on – activities that take time away from an employee’s ability to provide services.

How do you manage risk?

If an organisation has a designated “Risk Manager” that person is a valuable resource. Most organisations, however, do not have a full or even part-time Risk Manager, so it falls to everyone in the organisation, in one way or another, to become a Risk Manager.

In any event, whilst senior management can set the strategy and lead a successful risk management system, the actual implementation of an organisation's risk management system is the responsibility of all key parties. This includes department directors, employees, volunteers and elected officials.

When assessing risks, an organisation should stay focused on the risks over which it has some degree of control. For example, lightning striking and hurting someone at a public park is possible, but what control do you have over this event? You have no control over lightning strikes, but you can control the likelihood of an injury by posting signs telling individuals to go inside if they hear thunder.


Several organisations have structured principles and guidelines for the process of risk management. The steps involved remain more or less the same, with small variations in the cycle for different kinds of risk.

The risks involved in project management, for example, are different from the risks involved in finance. This accounts for certain changes in the entire risk management process. However, the ISO standard has laid down certain steps for the process, and these are almost universally applicable to all kinds of risk. The guidelines can be applied throughout the life of any organisation and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.

As per ISO 31000 (Risk Management - Principles and Guidelines on Implementation), the risk management process consists of the following steps and sub-steps:

Establishing the context

Establishing the context means all the possible risks are identified and the possible ramifications are analysed thoroughly. Various strategies are discussed, and decisions are made for dealing with the risk. The break-up of various activities in this stage is as follows:

  • Identification of a risk in one particular domain
  • Planning out the entire management process
  • Mapping the manifestations of the risk, identification of objectives of risk, etc.
  • Outlining a framework
  • Designing an analysis of risks involved at each stage
  • Deciding upon the risk solution/s

Once the context has been established successfully, the next step is identification of threats or potential risks. This identification can be at the level of the source or the problem level itself.

Source analysis means that the source of the risk is analysed and appropriate mitigation measures are put in place. This risk source could be either internal or external to the system. Examples of a risk source could be employees of the company, operational inefficiency in a certain process, etc.

Problem analysis, on the other hand, means the effect rather than the cause of the risk is analysed. For example, a drop in production leads to a threat of losing money.

The choice of the method varies across industry, organisational culture, and other factors.


Once the risks have been identified, they are assessed on their likelihood of occurrence and their impact. This process can be simple, as in the assessment of tangible risks, or difficult, as in the assessment of intangible risks. This assessment is more or less a guessing game, and the best educated guess decides the success of the plan.

Either a qualitative method, based on a best estimate of likelihood and consequence using local knowledge and experience, or a quantitative method, based upon probability distributions and predictions of loss, can be used.
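The qualitative method described above, together with the "risk = likelihood × impact" rule and the accept/manage prioritisation from earlier in the page, as an added example that is not part of the original page or of ISO 31000; the 1 to 5 scales, the tier boundaries and the register entries are constructed assumptions.

```python
"""Qualitative risk scoring and prioritisation (added, constructed example).
Applies the text's 'risk = likelihood x impact' rule on a 1-5 ordinal scale.
Tier boundaries and register entries are assumptions, not page or ISO values."""
from dataclasses import dataclass

SCALE = range(1, 6)  # ordinal 1 (rare / negligible) .. 5 (almost certain / severe)
# Assumed treatment tiers on the 1..25 product: accept, monitor, manage.
TIERS = ((1, 4, "accept"), (5, 12, "monitor"), (13, 25, "manage"))


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")


def score(risk: Risk) -> int:
    """Qualitative rating: likelihood x impact, 1..25."""
    return risk.likelihood * risk.impact


def tier(risk: Risk) -> str:
    """Map a rating to the treatment tier it falls into."""
    s = score(risk)
    for low, high, label in TIERS:
        if low <= s <= high:
            return label
    raise AssertionError("unreachable: TIERS cover 1..25")


def prioritise(register):
    """Highest rating first; ties broken by impact, since a severe but unlikely
    event usually warrants more attention than a frequent, trivial one."""
    return sorted(register, key=lambda r: (score(r), r.impact), reverse=True)


# Constructed register (illustrative names and ratings only).
REGISTER = [
    Risk("Lightning injury in public park", 1, 4),
    Risk("Fire incident at plant", 2, 5),
    Risk("Perpetual production inefficiency", 5, 3),
    Risk("Minor supplier delay", 2, 1),
]

for r in prioritise(REGISTER):
    print(f"{score(r):>2} {tier(r):8} {r.name}")
```

Swapping the ordinal scales for probabilities and monetary loss figures turns the same structure into the quantitative variant the text mentions, with expected loss taking the place of the ordinal product.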

