Organizations benefit from incorporating risk management into their strategic planning, and decision-making at all levels. Effective risk management helps to anticipate and address future circumstances proactively, adapting as needed to support the organization’s objectives.
What is risk management?
The International Organization for Standardization (ISO) defines risk as “the effect of uncertainty on objectives”, referring to the potential impact from possible future events on the organization’s ability to achieve its objectives.
An event may be a change or a lack of change – “event” simply means a situation. An event may have beneficial and/or detrimental effects on different objectives. For example, consider “high employee retention” as a potential event. This event is beneficial for operational continuity but may not necessarily support budgetary objectives for cost control.
Optimally, risk management is a continuous cycle of activities to monitor the operating environment and direct how an organization identifies, assesses and responds to or “treats” risks relevant to the organization’s objectives. The preliminary step to engage in effective risk management is to define or select a risk management methodology. At its most basic level, risk management involves these activities:
- Identify potential future events by monitoring internal and external environments.
- Assess the likelihood and impact of these potential future events, resulting in risk scores.
- Treat these risks, using the scores to help prioritize and select actions.
Identify risks
Compile a list of the potential events which may impact your organization’s ability to meet its objectives in the short and long term. External events include changes (or the absence of an expected change) in customer demand, the competitive landscape, supplier product/service cost and availability, the geopolitical environment, natural disasters, market forces, technology innovation, standards, economic conditions and regulations. To anticipate external events, monitor legal and industry news for your own industry, plus that of essential suppliers and key customers. To anticipate internal events, stay attuned to your staffing, technology, policies, business-critical processes, acquisitions, go-to-market strategies, executive direction, and organizational roles and responsibilities.
Assess risks
Evaluate the identified risks to determine their relative importance. Risk is often calculated as a potential event’s likelihood (probability) multiplied by the impact if that event occurs. This means you can address the risk associated with a potential event through activities which modify its likelihood, its impact, or both.
Using a consistent methodology for scoring risk supports effective risk comparison and treatment planning. While determining likelihood and impact may be somewhat subjective, a defined methodology/framework that includes thresholds and offers examples for various likelihood and impact levels helps align risk assessment decisions. Modify this basic equation as needed, such as adjusting scores by the priority of the associated organizational objective. Options for risk scoring include:
- Financial: express impact as a monetary loss (or gain) and likelihood as a probability or expected annual frequency, so the product is an expected loss per period
- Quantitative: assign numeric values such as a scale of 1-10 or 1-100 to likelihood and impact
- Qualitative: assign values such as low, medium, high, and critical to likelihood and impact
Treat risks
Focus on selecting and completing actions to improve the probability of achieving objectives, considering the impact of future possible events. Respond to risk using the appropriate treatment or response option:
- Transfer (also called sharing): shift part of the impact to a third party, such as outsourcing a high-risk function or buying insurance; accountability for the objective normally stays with the organization
- Mitigate: implement controls which reduce the likelihood or impact of possible adverse events
- Accept: take no action when the risk score already falls within executive risk tolerance guidance, and record the decision so it can be revisited
- Avoid: prevent adverse events by excluding the source of risk, such as choosing not to offer certain product types or not to operate in particular markets
- Enhance: implement actions which increase the likelihood or impact of positive potential events
After completing risk treatments, recalculate the risk score using the new likelihood and impact values. The risk level after implementing risk treatments is the “residual risk”. If residual risk still exceeds tolerance, select further treatments or escalate the acceptance decision.
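As an added worked example (not part of the original article), the following Python sketches a small risk register that implements the assessment and treatment steps above: a quantitative 1-5 likelihood and impact scale, score thresholds that map to qualitative bands, a weight for the priority of the affected objective, the five treatment options, and a check that “accept” is only used when the score already sits within tolerance. The scales, thresholds, tolerance value and register entries are all constructed assumptions for illustration, not figures from any standard.

```python
"""Worked risk register: quantitative scoring, qualitative bands, treatment and
residual risk against an executive tolerance. All scales and thresholds are
illustrative assumptions; an organization defines its own methodology."""
from dataclasses import dataclass, replace

# Score = likelihood * impact on 1-5 scales (max 25), mapped to qualitative bands.
SCORE_BANDS = ((20, "critical"), (12, "high"), (6, "medium"), (0, "low"))
TOLERANCE = 12  # assumed executive guidance: residual score must stay below this


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int               # 1-5: probability of the event (0 only after "avoid")
    impact: int                   # 1-5: effect on the objective if the event occurs
    objective_weight: float = 1.0  # priority of the affected organizational objective

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 0 <= value <= 5:
                raise ValueError(f"{self.name}: scale values must be 0-5, got {value}")

    def score(self) -> float:
        """Likelihood x impact, adjusted by the priority of the objective."""
        return self.likelihood * self.impact * self.objective_weight


def band(score: float) -> str:
    """Map a numeric score onto the qualitative band defined by SCORE_BANDS."""
    for threshold, label in SCORE_BANDS:
        if score >= threshold:
            return label
    return SCORE_BANDS[-1][1]


@dataclass(frozen=True)
class Treatment:
    option: str                 # transfer | mitigate | accept | avoid | enhance
    likelihood_delta: int = 0   # negative reduces likelihood, positive enhances it
    impact_delta: int = 0       # negative reduces impact, positive enhances it


def treat(risk: Risk, treatment: Treatment, tolerance: float = TOLERANCE) -> Risk:
    """Return the risk as it stands after treatment; its score is the residual risk."""
    if treatment.option == "accept":
        # Acceptance is only valid when the score is already within tolerance.
        if risk.score() >= tolerance:
            raise ValueError(f"{risk.name}: score {risk.score()} exceeds tolerance")
        return risk
    if treatment.option == "avoid":
        # The source of risk is excluded, so the event can no longer occur.
        return replace(risk, likelihood=0)
    if treatment.option in ("transfer", "mitigate", "enhance"):
        def clamp(value: int) -> int:
            return max(1, min(5, value))
        return replace(
            risk,
            likelihood=clamp(risk.likelihood + treatment.likelihood_delta),
            impact=clamp(risk.impact + treatment.impact_delta),
        )
    raise ValueError(f"unknown treatment option {treatment.option!r}")


def prioritize(register: list) -> list:
    """Highest inherent score first; ties keep register order (sorted is stable)."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def residual_report(register: list, plan: dict, tolerance: float = TOLERANCE) -> list:
    """Inherent versus residual score per risk, flagging any still outside tolerance."""
    rows = []
    for risk in prioritize(register):
        residual = treat(risk, plan[risk.name], tolerance)
        rows.append({
            "risk": risk.name,
            "inherent": risk.score(), "inherent_band": band(risk.score()),
            "treatment": plan[risk.name].option,
            "residual": residual.score(), "residual_band": band(residual.score()),
            "within_tolerance": residual.score() < tolerance,
        })
    return rows


# Constructed sample register and treatment plan (hypothetical, for illustration).
REGISTER = [
    Risk("ransomware on order-processing system", likelihood=4, impact=5),
    Risk("key supplier insolvency", likelihood=2, impact=4),
    Risk("new data-residency law in target market", likelihood=3, impact=4),
    Risk("lost laptop with customer data", likelihood=3, impact=2, objective_weight=2.0),
]
PLAN = {
    "ransomware on order-processing system": Treatment("mitigate", likelihood_delta=-2),
    "key supplier insolvency": Treatment("accept"),
    "new data-residency law in target market": Treatment("avoid"),
    "lost laptop with customer data": Treatment("transfer", impact_delta=-1),
}

if __name__ == "__main__":
    for row in residual_report(REGISTER, PLAN):
        print(row)
```

The report lists risks in priority order with inherent and residual scores side by side, which is the comparison executives need to confirm that treatments brought each risk within tolerance. Trying to “accept” the ransomware risk (score 20) raises an error, reflecting that acceptance is a decision reserved for risks already inside the tolerance line.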
Summary of risk management
Clarify your organization objectives. Monitor the internal and external environments to identify potential future events. Assess risk scores by evaluating the likelihood and impact of possible events, adjusting these scores in the context of organizational controls to calculate residual risk levels. Select and implement risk treatments to bring residual risk in line with executive guidance.
Enterprise risk management should use a continuous feedback loop. For example, you may discover new future possible events that require consideration or that an event’s likelihood/impact score needs to change as a result of applying risk treatments and learning that organizational controls are stronger or weaker than initially anticipated.
References and resources
- EU ENISA Compendium of Risk Management Frameworks
- US NIST Risk Management Framework (RMF)
- US NIST IR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM) guidance
- ISO 31000:2018 series of international standards provides risk management guidelines
- Enterprise Risk Management Resource Center, including an overview