Quick start guide to risk management

1. Draft a risk management policy

The policy sets the tone and should be the starting point for any risk management process. It should cover things such as:

  • Risk appetite
  • Responsibilities
  • Frequency of risk assessments
  • Whether there is a risk sub-committee
  • Risk categories
  • Risk ranking criteria

The policy should be formally approved and adopted by the Board of Directors.

2. Identify risks

I find the best way to identify risks is in ‘risk workshops’. All staff should be present, as risks may be obvious to those working at the coal face that aren’t to senior management.

The workshops should be facilitated by a risk expert.

The output is the set of raw risks that feeds the risk register.

Don’t have a risk register? Don’t worry…download a free template here!

Free download: /downloads/risk-register/

3. Rank based on raw or inherent risk

Risks are then ranked using the criteria set out in the risk policy.

There are different ways to do this. I use a scoring system of 1 to 5 for both likelihood and impact. The two scores are then multiplied together to give a score which is ranked low, medium or high.

4. Consider existing controls and measure residual risk

You then consider the existing controls that reduce the impact and/or likelihood, that is, that mitigate the risk. The risks are then scored again and ranked on mitigated or residual risk.

5. Prepare actions to reduce high risks to an acceptable level

Next you identify risks which are unacceptably high and plan action to reduce them to an acceptable level.

The acceptable level will be determined by the risk appetite set in the policy. Risk appetite is very much organisation specific.
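As an added worked example (not part of the original post), the scoring from steps 3 to 5 in Python: each risk gets an inherent score, a residual score after existing controls, and is flagged if its residual rank exceeds the appetite. The low/medium/high bands, the default appetite of "medium" and the sample risks are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed band order used to compare a risk's rank with the appetite.
RANK_ORDER = {"low": 0, "medium": 1, "high": 2}

def score(likelihood: int, impact: int) -> int:
    """Step 3: multiply the two 1-5 scores; reject anything off the scale."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError(f"score {v} is outside the 1-5 range")
    return likelihood * impact

def rank(s: int) -> str:
    """Band a 1-25 score. Thresholds are assumed: <=5 low, <=12 medium, else high."""
    if s <= 5:
        return "low"
    if s <= 12:
        return "medium"
    return "high"

@dataclass
class Risk:
    name: str
    likelihood: int            # inherent (raw) likelihood, 1-5
    impact: int                # inherent (raw) impact, 1-5
    mitigated_likelihood: int  # likelihood after existing controls (step 4)
    mitigated_impact: int      # impact after existing controls (step 4)

    def inherent(self) -> int:
        return score(self.likelihood, self.impact)

    def residual(self) -> int:
        return score(self.mitigated_likelihood, self.mitigated_impact)

def needs_action(register: list[Risk], appetite: str = "medium") -> list[str]:
    """Step 5: names of risks whose residual rank exceeds the appetite, worst first."""
    too_high = [r for r in register
                if RANK_ORDER[rank(r.residual())] > RANK_ORDER[appetite]]
    return [r.name for r in sorted(too_high, key=lambda r: r.residual(), reverse=True)]

# Constructed sample register (inherent -> residual noted per entry).
REGISTER = [
    Risk("Ransomware outage", 4, 5, 2, 4),                 # 20 high -> 8 medium
    Risk("Unpatched internet-facing server", 5, 4, 4, 4),  # 20 high -> 16 high
    Risk("Laptop theft", 3, 3, 2, 2),                      # 9 medium -> 4 low
    Risk("Key supplier failure", 3, 5, 3, 5),              # 15 high -> 15 high (no controls)
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: inherent {r.inherent()} ({rank(r.inherent())}), "
              f"residual {r.residual()} ({rank(r.residual())})")
    print("Action required:", needs_action(REGISTER))
```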

6. Internal audit tests effectiveness of controls

Internal audit plays a key role in the risk management process. It should test the effectiveness of the controls cited as reducing an identified risk to an acceptable level. If the controls aren’t operating effectively, the risk register should be amended accordingly until the controls are fixed.

7. Repeat

Risk management is a continual process. For that reason it should be a standing item on the agenda of board meetings. The risk register should be reviewed and updated at regular intervals.

Having problems implementing risk management? Fill in the contact form and we’ll call you for a chat about it.

Download your free copy of our risk register template here:

Free download: /downloads/risk-register/
