Risk management process
Risk management helps you to detect and address the risks facing your business. It is a key part of the strategic management of any organisation.
Steps in the risk management process
The risk management process typically involves six core components:
- recognition or identification of risks
- evaluation and assessment of risks (and how likely they are to occur)
- responding to significant risks
- reporting and monitoring risk performance
- contingency and recovery planning
- reviewing risk management approach and controls
Identification and evaluation of risks are generally known as risk assessment. This activity is critical to determining suitable risk responses. It can also be legally required in some business areas, eg health and safety. See how to evaluate business risks.
Risk responses can include tolerance, treatment, transfer or termination of risks. If a risk presents an opportunity, a suitable response may be to exploit it. Discover strategies to manage business risk.
Risks are incredibly diverse. They can affect any aspect of your business and have a short-, medium- or long-term impact. To manage risks effectively, it is crucial to fully understand the types of risk your business faces.
Benefits of risk management
The risk management process helps you achieve business success. It also allows you to:
- make informed decisions, plan and prioritise
- allocate capital and resources appropriately
- prevent wastage of time and effort in fire-fighting potential problems
- foresee what may go wrong, pre-empt, prevent or react promptly to risks
- improve outcomes for your business
- discover opportunities
- reduce business liability
Risk management gives you the strategic basis and the operational framework for handling a crisis within your business. It is a cornerstone of business continuity and crisis management.
Risk management standards
A number of standards exist to help organisations implement risk management systematically and effectively. Commonly used risk management standards include:
- ISO 31000, risk management guidelines
- IEC 31010, supporting standard for ISO 31000
- COSO enterprise risk management - integrated framework
- GRC Capability Model, also known as the OCEG 'Red Book'
Standards are normally voluntary, although adherence to a standard may be required by regulators or by contract. See more on quality management standards.
Enterprise risk management
You should manage risk proportionately to the complexity and type of your business. If you run a large company, you may want to consider an integrated, enterprise risk management approach to managing risk across the whole organisation and its networks.