By Salihah Budall, MSc., CFS, CRMP, CSSYB
The ISO 31000:2018 standard lays out the risk management process with clear sequential logic, and organisations that follow it typically produce outputs that are genuinely useful. The problem is that the process looks simple on paper and is consistently misapplied in practice, not because organisations lack commitment to it, but because the first stage demands a type of disciplined thinking that is uncomfortable and easy to skip when time pressure exists.
Understanding where the process breaks down, and why, is more valuable than a generic walkthrough of the stages. Every practitioner can recite the five steps. Far fewer organisations can demonstrate that their risk assessment outputs are actually influencing the decisions they were designed to inform.
Stage One: Establishing the Context
Context establishment means defining the scope of the risk assessment, the objectives it is intended to protect, the internal and external factors that could affect how risks materialise, and the criteria against which risks will be evaluated. This stage is where most organisations do the least work and pay the highest price for that omission.
When a risk assessment is conducted without documented context, the team doing the assessment has no shared reference point for distinguishing a relevant risk from an irrelevant one. Every participant brings their own implicit definition of what the organisation is trying to achieve, their own sense of what level of impact constitutes a high risk, and their own assumptions about the external environment. These implicit definitions diverge in ways that participants often do not recognise until the assessment is complete and the results are inconsistent in ways nobody can quite explain.
Establishing context takes time, and it requires the most senior decision-makers to engage with questions about objectives and risk tolerance that they may not have previously answered in explicit terms. This is why it gets compressed. A leadership team under operational pressure will agree quickly that the context is "obvious" and proceed to identification. The assessment that follows will be faster and will produce a longer list of risks. It will also be less useful, because the risks identified will be evaluated against unstated criteria that different team members interpret differently.
The context document that comes out of this stage should record: the scope of what is being assessed; the internal factors that are relevant (financial position, governance structure, capabilities, culture); the external factors (regulatory environment, market conditions, economic conditions, technology trends); and the risk criteria, meaning the scales and thresholds against which likelihood and impact will be measured. This last element is the one most frequently omitted and the one whose absence causes the most downstream problems.
Stage Two: Risk Identification
Risk identification is the process of finding, recognising, and describing risks. ISO 31000 emphasises that this stage should be comprehensive in its scope, meaning it should actively seek out risks that the organisation might be inclined to overlook, including risks that arise from opportunities and not just from threats.
The most effective risk identification processes use a combination of methods. Structured workshops with diverse participants catch risks that any single function would miss. Historical analysis of past incidents, near-misses, and complaints identifies risks that have already partially materialised and therefore have empirical evidence behind them. External benchmarking against risk registers from comparable organisations in the same sector identifies risks that peers have experienced and that could equally affect the organisation doing the assessment.
One technical point that practitioners frequently underemphasise: risk identification should document the source of each risk, the event that constitutes the risk materialising, and the consequences of that event as three distinct elements. A risk described only as "regulatory change" is incomplete. A risk described as "the regulatory authority revises licensing requirements (source), which forces us to halt operations for three months to achieve compliance (event), resulting in loss of client contracts and estimated revenue impact of J$4.5 million (consequence)" is actionable.
"Risk identification sessions that produce long lists of vague risks are almost as unhelpful as no assessment at all. The discipline is in describing each risk with enough specificity that someone who was not in the room can understand exactly what scenario you are concerned about and why it matters."
- Salihah Budall, MSc., CFS, CRMP, CSSYB
Stage Three: Risk Analysis
Risk analysis determines the nature, likelihood, and potential consequences of each identified risk. It is where the risk assessment shifts from inventory to evaluation and where the quality of the context establishment most directly affects the output.
Qualitative analysis assigns likelihood and impact scores using the scales defined in the context stage. Quantitative analysis attaches financial or numerical values to those scores, which is more valuable but requires more data and more time. Most small and medium organisations conduct primarily qualitative analysis, which is appropriate provided the scales are calibrated to the organisation's actual thresholds rather than borrowed from generic frameworks.
One failure mode to avoid: assigning likelihood and impact scores without documenting the reasoning. When a risk is rated as high likelihood, the assessment should note why: what evidence, experience, or data supports that rating? When the same risk is reassessed six months later, the reasoning provides the reference point for determining whether the rating should change. Without documented reasoning, every reassessment starts from scratch, and any trend information that would otherwise accumulate is lost.
Stage Four: Risk Evaluation
Risk evaluation compares the results of the risk analysis against the risk criteria defined in the context stage and produces a prioritised list of risks requiring treatment. This is where the risk criteria that organisations frequently omit from context establishment create their most visible problems: without agreed criteria, the prioritisation of risks becomes a negotiation rather than an assessment.
The output of risk evaluation should be a clear classification of each risk as either acceptable (within risk appetite) or requiring treatment (exceeding risk appetite). Some frameworks add a monitoring category for risks that are below the treatment threshold but warrant ongoing attention. The classification should be explicit, documented, and approved by whoever holds accountability for the risks in question.
Stage Five: Risk Treatment
Risk treatment is the selection and implementation of responses to risks that require action. ISO 31000 identifies four treatment options: modify the likelihood of the risk (prevention controls), modify the consequences if it occurs (mitigation controls), transfer the risk to another party (insurance or contract), or avoid the risk by not undertaking the activity that generates it.
Each treatment option involves trade-offs. Prevention controls reduce likelihood but consume resources that could be used elsewhere. Mitigation controls reduce impact but do not address root causes. Risk transfer through insurance imposes premium costs and introduces counterparty risk (the insurer's capacity and willingness to pay). Risk avoidance eliminates the risk but also eliminates whatever benefit the activity would have generated.
Choosing between these options requires a cost-benefit assessment that many organisations conduct implicitly rather than explicitly. Making that assessment explicit, documenting the reasoning, and connecting the chosen treatment to specific risks with specific owners and implementation timelines transforms risk treatment from an abstract commitment into a managed activity with accountability attached.
"The treatment plan is where risk management produces its most tangible return. Every control you design and implement is a decision about how much of your resources you are willing to commit to reducing a specific uncertainty. That is a financial decision, and it deserves the same rigour as any other capital allocation."
- Salihah Budall, MSc., CFS, CRMP, CSSYB
Monitoring, Review, and Communication
ISO 31000 frames monitoring and review as ongoing activities woven throughout the process rather than a final stage. This distinction matters practically. Control effectiveness should be checked continuously, not just at the next annual review. The operating environment should be scanned for changes that might alter the likelihood or impact of existing risks. New risks should be added as they emerge, not held for a scheduled identification session.
Communication runs parallel to all stages. Risk management produces value only if its outputs reach the people who make decisions. A risk assessment that sits in a quality management system folder and is accessed only by auditors is not managing risk; it is documenting the existence of a risk management function. The communication of risk information to decision-makers, in a format and at a frequency that actually changes their decisions, is the final and most important test of whether the process is working.
Practical Steps You Can Take This Week
Step 1: Before your next risk assessment, document the context: what is being assessed, what objectives are at stake, and what scales will be used for likelihood and impact.
Step 2: Define your risk criteria in writing: what does "high likelihood" mean for your business? Agree on this with your leadership team before scoring any risks.
Step 3: Use three risk identification methods in combination: a facilitated workshop, a review of past incidents, and an external benchmark from your industry sector.
Step 4: For every risk you identify, document three elements separately: the source, the event, and the consequence. Reject single-word risk descriptions like "regulatory" or "cyber."
Step 5: When scoring likelihood and impact, write down the reasoning behind each score. This creates the reference point you need for future reassessment.
Step 6: After evaluation, classify each risk explicitly: acceptable (within appetite), requires treatment, or requires monitoring. Document who approved each classification.
Step 7: For each risk requiring treatment, conduct an explicit cost-benefit analysis of the four options: prevent, mitigate, transfer, or avoid. Document why you chose the option you did.
Step 8: Set a monitoring schedule for each treated risk. Check control effectiveness monthly, not just at the annual review.
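The eight steps above describe one procedure: agree criteria, record each risk as source/event/consequence, score it with written reasoning, classify it against appetite, choose a treatment on explicit cost-benefit grounds, and reassess from the previous rationale. The following Python register is an added example that is not from the article or from ISO 31000 itself; the 1-5 scales, the probability and loss each level is taken to mean, the appetite thresholds, the treatment costs and the sample risks are all constructed values for illustration, not the author's figures.

```python
"""Added example, not from the article: a small risk register that enforces the
discipline set out in Steps 1-8. Scales, thresholds, probabilities, loss values
and the sample risks are constructed illustrations, not the author's."""
from dataclasses import dataclass

# Stage One (Steps 1-2): criteria agreed in writing before anything is scored.
# Constructed 1-5 scales, with the annual probability / loss each level means here.
LIKELIHOOD_P = {1: 0.02, 2: 0.10, 3: 0.25, 4: 0.50, 5: 0.90}   # rare .. almost certain
IMPACT_LOSS = {1: 50_000, 2: 250_000, 3: 1_000_000, 4: 4_500_000, 5: 20_000_000}  # J$
TREAT_AT = 12     # likelihood * impact >= 12 exceeds appetite
MONITOR_AT = 6    # 6 <= score < 12 warrants ongoing attention


@dataclass
class Risk:
    rid: str
    source: str        # Step 4: three elements recorded separately
    event: str
    consequence: str
    likelihood: int
    impact: int
    rationale: str     # Step 5: why these scores were given
    owner: str

    def problems(self) -> list[str]:
        """Reasons the entry fails the identification/analysis discipline (empty if none)."""
        found = []
        for name in ("source", "event", "consequence"):
            if len(getattr(self, name).split()) < 3:      # rejects "regulatory", "cyber"
                found.append(f"{name} is too vague: {getattr(self, name)!r}")
        if self.likelihood not in LIKELIHOOD_P or self.impact not in IMPACT_LOSS:
            found.append("score is outside the agreed scales")
        if not self.rationale.strip():
            found.append("no documented reasoning behind the scores")
        return found

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def evaluate(risk: Risk) -> str:
    """Stage Four (Step 6): classify against the Stage One criteria, not by negotiation."""
    if risk.score >= TREAT_AT:
        return "requires treatment"
    if risk.score >= MONITOR_AT:
        return "requires monitoring"
    return "acceptable"


def expected_annual_loss(likelihood: int, impact: int) -> float:
    return LIKELIHOOD_P[likelihood] * IMPACT_LOSS[impact]


@dataclass
class Treatment:
    option: str                # prevent | mitigate | transfer | avoid
    annual_cost: float         # control spend, premium, or zero for avoidance
    residual_likelihood: int
    residual_impact: int
    lost_benefit: float = 0.0  # value forgone, mainly relevant to "avoid"

    def total_cost(self) -> float:
        return (self.annual_cost + self.lost_benefit
                + expected_annual_loss(self.residual_likelihood, self.residual_impact))


def choose_treatment(options: list[Treatment]) -> tuple[Treatment, list[str]]:
    """Stage Five (Step 7): lowest total annual cost wins, and the comparison is kept."""
    ranked = sorted(options, key=Treatment.total_cost)
    reasoning = [f"{t.option}: total annual cost J${t.total_cost():,.0f}" for t in ranked]
    return ranked[0], reasoning


def reassess(previous: Risk, current: Risk) -> str:
    """Step 8: a reassessment starts from the prior rationale, not from scratch."""
    if current.score == previous.score:
        return f"{current.rid}: unchanged at {current.score}; prior basis: {previous.rationale}"
    direction = "rose" if current.score > previous.score else "fell"
    return (f"{current.rid}: score {direction} {previous.score} -> {current.score}; "
            f"was: {previous.rationale}; now: {current.rationale}")


# Constructed sample entries, echoing the article's licensing example.
LICENSING = Risk("R-01",
    source="regulator revises licensing requirements",
    event="operations halted for three months to regain compliance",
    consequence="loss of client contracts and estimated revenue impact of J$4.5 million",
    likelihood=3, impact=4, owner="COO",
    rationale="consultation paper published; two peers halted in 2023")
VAGUE = Risk("R-02", "cyber", "cyber", "cyber", 5, 5, "", "CISO")   # the kind Step 4 rejects

OPTIONS = [  # constructed treatment options for R-01
    Treatment("prevent", annual_cost=300_000, residual_likelihood=1, residual_impact=4),
    Treatment("mitigate", annual_cost=150_000, residual_likelihood=3, residual_impact=2),
    Treatment("transfer", annual_cost=400_000, residual_likelihood=3, residual_impact=1),
    Treatment("avoid", annual_cost=0, residual_likelihood=1, residual_impact=1, lost_benefit=2_000_000),
]

if __name__ == "__main__":
    print(LICENSING.problems(), evaluate(LICENSING))
    print(VAGUE.problems())
    best, why = choose_treatment(OPTIONS)
    print(best.option, *why, sep="\n  ")
    print(reassess(LICENSING, Risk(**{**LICENSING.__dict__, "likelihood": 4,
                                      "rationale": "final rules published with 90-day window"})))
```

Two design choices are worth noting. Scoring is refused, not just flagged, when any of the three elements is a bare word or when no rationale is recorded, which is the only way a register can enforce Steps 4 and 5 on busy contributors. And the treatment choice is a comparison of total annual cost (control spend plus forgone benefit plus residual expected loss), so the register keeps the ranking of all four options alongside the decision, which is the explicit cost-benefit record Step 7 asks for.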