Quick Summary: A formal risk assessment is a structured, documented process for identifying, analyzing, evaluating, and treating risks associated with a specific activity, project, system, or organization.
It uses defined methodologies, reproducible analytical techniques, and written records to produce risk findings that can inform decisions, satisfy regulators, and withstand independent scrutiny.
This guide explains what formal risk assessment is, how it differs from informal approaches, the seven-step process, the major frameworks used in the United States, real-world industry applications, and the common mistakes that undermine otherwise well-designed programs.
What Is a Formal Risk Assessment?
A formal risk assessment is a deliberate, methodical evaluation of the risks facing an organization, project, system, or activity. It follows a defined process, uses documented analytical tools, produces written records of findings and decisions, and yields outputs that are repeatable, auditable, and defensible.
The word “formal” is doing a lot of work in that definition. It distinguishes this type of assessment from the informal risk thinking that happens in every organization every day.
When a project manager mentally weighs the risks of a vendor delay, or a CFO estimates the likelihood of a revenue shortfall, that is informal risk assessment. It is useful, but it is also undocumented, person-dependent, inconsistent, and impossible to verify or review.
A formal risk assessment externalizes that thinking: it makes the process explicit, the data visible, the reasoning transparent, and the conclusions documented.
The result is a risk finding that a board member, regulator, auditor, or legal counsel can examine and understand without having to trust the subjective judgment of a single individual.
In the United States, formal risk assessment is required by law or regulation in a wide range of industries.
Banks must demonstrate formal credit, market, and liquidity risk assessments to their prudential regulators.

Federal agencies must conduct information security risk assessments under FISMA using the NIST Risk Management Framework. Hospitals must perform formal safety risk assessments under Joint Commission standards.
Publicly traded companies must disclose material risks formally assessed in their SEC filings. Nuclear facilities, chemical plants, and pipeline operators face OSHA Process Safety Management requirements that mandate formal hazard and risk assessments.
Outside these regulated environments, formal risk assessment is still a governance best practice that distinguishes organizations with mature risk management capabilities from those that rely on intuition and hope.
Formal vs. Informal Risk Assessment: What Is the Difference?
The distinction between formal and informal risk assessment is not primarily about sophistication or complexity. It is about process discipline, documentation, and accountability.
| Dimension | Formal Risk Assessment | Informal Risk Assessment |
|---|---|---|
| Methodology | Structured, documented, follows a defined framework (ISO 31000, NIST, COSO) | Ad hoc, experience-based, undocumented or lightly documented |
| Documentation | Full written record: scope, data sources, analysis, findings, decisions | Minimal — may exist only in meeting notes or verbal discussion |
| Repeatability | Consistent results when repeated with same inputs | Results vary significantly based on who conducts it |
| Defensibility | Strong — documented rationale protects organization legally and regulatorily | Weak — difficult to demonstrate due diligence after an incident |
| Regulatory acceptance | Required or preferred by regulators across banking, healthcare, energy, and government | Generally insufficient for regulated environments |
| Resource requirement | Higher upfront investment in time, expertise, and process design | Lower upfront cost; higher downstream risk of inadequate identification |
| Stakeholder confidence | High — external auditors, boards, and regulators can review the process | Limited — relies on trust in individual judgment rather than verifiable process |
The practical consequence of this distinction becomes clearest after something goes wrong. When an incident occurs, regulators and legal counsel will ask: what did you know, when did you know it, what process did you use to assess the risk, and what did you decide to do about it?
A formal risk assessment with documented findings and treatment decisions answers those questions. An informal one does not.

That said, formal risk assessment is not always the right tool for every situation. Low-stakes, time-sensitive decisions often require the faster judgment that informal assessment provides. The key is matching the level of formality to the significance of the decision and the regulatory environment in which the organization operates.
See also: Definition of Financial Risk Assessment: A Complete Guide for U.S. Organizations on RiskPublishing.com
The Purpose of Formal Risk Assessment
The purpose of formal risk assessment goes beyond identifying what could go wrong. It serves several distinct organizational functions that are worth understanding separately.
Informing Decisions Under Uncertainty
Every significant decision involves uncertainty. A company deciding whether to enter a new market, acquire a competitor, launch a product, implement a technology system, or extend credit to a customer is making a judgment call about risks it cannot fully know in advance. Formal risk assessment replaces guesswork with structured analysis — translating uncertainty into probability ranges, consequence estimates, and risk ratings that decision-makers can actually use.
The goal is not to eliminate uncertainty. That is impossible. The goal is to replace uninformed uncertainty with informed uncertainty: to know what you do not know, quantify it to the extent possible, and make decisions with eyes open rather than closed.
Allocating Resources Efficiently
Organizations face more risks than they have resources to treat. Formal risk assessment provides the basis for prioritization: directing time, money, and management attention toward the risks that are most significant given their likelihood, consequence, and the organization’s risk appetite. Without a formal assessment, resource allocation tends to favor the loudest voices or most recent incidents rather than the most material risks.
Satisfying Regulatory and Governance Requirements
As discussed above, formal risk assessment is a legal or regulatory requirement across much of the U.S. economy. But even where it is not explicitly required, good governance demands it.
Boards of directors have fiduciary duties that include risk oversight. A board that cannot demonstrate it has received and reviewed formal risk assessments for material organizational risks is a board that is not meeting its governance obligations.
The SEC’s enhanced risk disclosure requirements, the Federal Reserve’s stress testing frameworks, and the OCC’s Heightened Standards for large banks all reflect a regulatory expectation that risk assessment is a formal, documented discipline rather than an informal practice.
Building Organizational Resilience
Organizations that conduct formal risk assessments consistently, and act on what they find, build institutional knowledge about where they are vulnerable, what conditions trigger risk escalation, and which controls actually work.
This knowledge accumulates over time. It makes the organization genuinely more resilient — not because it eliminates risks, but because it understands them well enough to respond effectively when they materialize.
The Seven Steps of a Formal Risk Assessment
ISO 31000:2018, the international standard for risk management and the most widely referenced framework in U.S. enterprise risk management programs, defines risk assessment as comprising three activities: risk identification, risk analysis, and risk evaluation. In practice, a complete formal risk assessment program adds four additional elements that are essential for a functional process.
| # | Step | What Happens | Key Tools / Outputs |
|---|---|---|---|
| 1 | Define scope and objectives | Set boundaries: what is being assessed, who is affected, what decisions the assessment must inform | Scope statement; stakeholder list; assessment brief |
| 2 | Identify risks | Systematically surface all potential events that could negatively affect the objective or activity | Risk register; workshops; checklists; historical incident data; SWOT/PESTLE |
| 3 | Analyze risks | Assess the likelihood and consequence of each identified risk, both inherent (pre-control) and residual (post-control) | Likelihood-impact matrix; VaR models; stress tests; Monte Carlo simulation; expert judgment |
| 4 | Evaluate risks | Compare assessed risk levels against the organization’s risk appetite and tolerance thresholds | Risk heatmap; appetite threshold comparison; prioritized risk list |
| 5 | Treat risks | Select and implement risk responses: accept, mitigate, transfer, or avoid | Risk treatment plan; control design; hedging; insurance; process redesign |
| 6 | Monitor and review | Track residual risks and the effectiveness of controls through ongoing KRI monitoring and periodic reassessment | KRI dashboard; periodic review reports; audit findings; lessons learned log |
| 7 | Communicate and consult | Ensure findings and decisions are shared with relevant stakeholders throughout the process, not just at the end | Risk reports; board pack; regulatory submissions; staff briefings |

Step 1: Define Scope and Objectives
Every formal risk assessment begins by establishing what is being assessed and why. This sounds obvious but is frequently skipped or rushed, which creates problems downstream. A poorly scoped assessment either produces findings that are too broad to be actionable or misses significant risks that fall outside an arbitrarily defined boundary.
Scope definition should answer foundational questions about the assessment itself. What activity, system, project, or organizational unit is being assessed? What decisions will the assessment inform?
Equally important are the parameters that shape the analysis. Who are the affected stakeholders, what is the time horizon, what risk categories are in scope, and who has authority to approve the scope and the findings?
Step 2: Identify Risks
Risk identification is the most creative and least mechanical step in the process. The goal is to surface all the events or conditions that could cause the organization to fail to achieve its objectives — before they happen. This requires both structured techniques and unstructured thinking.
Structured techniques include reviewing historical incident databases, conducting workshops using risk taxonomy frameworks, applying checklists aligned to the industry and risk category, and examining comparable organizations’ experience. Unstructured techniques include scenario thinking, red team exercises, and asking experienced practitioners what keeps them up at night.
A common failure mode is identifying risks in a defensive, backward-looking way — cataloging only risks that have materialized before or that appear on standard industry checklists. Emerging risks, technology risks, interdependency risks, and tail events tend to be underrepresented in assessment-as-usual processes.
Step 3: Analyze Risks
Risk analysis quantifies the identified risks: how likely is each to occur, how severe would the consequences be, and what is the combined effect of both dimensions on the organization’s risk exposure?
Inherent risk is the risk level before any controls are in place. Residual risk is the level after existing controls are accounted for, and both matter.
A risk that appears tolerable on a residual basis may have a very high inherent risk — which means the organization is highly dependent on those controls continuing to function effectively. If the controls fail, the exposure is severe.
Quantitative analysis techniques add rigor to this step: scenario analysis models the impact of specific adverse events, stress testing evaluates performance under extreme conditions, sensitivity analysis isolates the effect of individual risk drivers, and Monte Carlo simulation generates probability distributions across thousands of simulated outcomes.
See also: Monte Carlo Simulation in Risk Assessment: A Practical Tutorial on RiskPublishing.com
Step 4: Evaluate Risks
Risk evaluation compares the analyzed risk levels against the organization’s pre-defined risk appetite and tolerance thresholds. This is the governance step where analysis becomes decision.
Risks that exceed appetite thresholds require treatment regardless of how individually manageable they might seem in isolation. Risks within tolerance can be accepted and monitored.
The risk evaluation output — typically a risk heatmap or prioritized register — is what goes to the board, risk committee, or senior management. It should be clear, current, and directly actionable: these risks require immediate treatment, these are approaching limits, these are within tolerance and being monitored.
Step 5: Treat Risks
Risk treatment is where the assessment translates into operational action. Each risk above the tolerance threshold requires a response: accept (with documented rationale), mitigate (through controls, process changes, or diversification), transfer (through insurance, contracts, or derivatives), or avoid (by exiting the activity entirely).
Treatment plans should be SMART: specific about what control or action is being implemented, assigned to a named owner, given a realistic completion date, measurable in terms of expected risk reduction, and linked to a follow-up review date. Treatment plans that exist on paper but are never implemented are worse than no plan — they create a documented record of known risk and documented inaction.
Step 6: Monitor and Review
Risk assessment is not an event — it is a continuous process. Risks change as the environment changes, as the organization evolves, and as controls are implemented or degraded.
Effective monitoring uses key risk indicators (KRIs) to provide early warning signals before a risk breaches its tolerance threshold.
See also: Key Risk Indicators: How to Build an Early Warning System on RiskPublishing.com
Step 7: Communicate and Consult
Communication and consultation should run throughout the process, not just at the end. Stakeholders who feel they were consulted during the assessment are more likely to accept its findings and support the treatment decisions that follow. Stakeholders who receive a completed assessment they had no input into tend to challenge its assumptions, dispute its conclusions, or simply ignore it.
For board and executive reporting, the key is translating technical risk analysis into clear, decision-relevant language. Boards do not need to see Monte Carlo output distributions. They need to understand which risks are material, which are outside appetite, what is being done about them, and what decisions they need to make.
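The steps above worked through on a small register, as an added example that is not code from the article or from RiskPublishing: a 5x5 likelihood-impact matrix yields inherent and residual scores (step 3), residual scores are compared with appetite thresholds (step 4), every risk outside appetite is checked for an owned, dated treatment plan with a target inside appetite (step 5), and KRI readings are compared with their tolerance limits (step 6). The thresholds of 8 and 15, the control reductions, and the register and KRI entries are all assumed values constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Appetite thresholds on a 5x5 likelihood x impact matrix (assumed calibration).
APPETITE_TREAT = 15   # residual score >= 15: outside appetite, treatment required
APPETITE_WATCH = 8    # 8..14: approaching limits, watch closely; < 8: accept and monitor

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # steps removed from the 1-5 likelihood scale
    impact_reduction: int = 0       # steps removed from the 1-5 impact scale

@dataclass
class Treatment:
    action: str
    owner: str          # named owner
    due: str            # completion date, ISO format
    target_score: int   # expected residual score once the action is in place

@dataclass
class Risk:
    rid: str
    event: str                  # the specific event or mechanism of harm
    likelihood: int             # inherent (pre-control), 1-5
    impact: int                 # inherent (pre-control), 1-5
    controls: list[Control] = field(default_factory=list)
    treatment: Treatment | None = None

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> tuple[int, int]:
        # Step 3: apply existing controls, never dropping below 1 on either scale.
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik, imp

    def residual_score(self) -> int:
        lik, imp = self.residual()
        return lik * imp

def evaluate(risk: Risk) -> str:
    """Step 4: compare the residual score against the appetite thresholds."""
    score = risk.residual_score()
    if score >= APPETITE_TREAT:
        return "treat"
    return "watch" if score >= APPETITE_WATCH else "accept"

def control_dependent(risk: Risk) -> bool:
    """Tolerable only because controls hold: inherent score outside appetite, residual inside."""
    return risk.inherent_score() >= APPETITE_TREAT and evaluate(risk) != "treat"

def prioritized(register: list[Risk]) -> list[str]:
    """Step 4 output: risk ids ordered by residual score, then by inherent score."""
    order = sorted(register, key=lambda r: (-r.residual_score(), -r.inherent_score(), r.rid))
    return [r.rid for r in order]

def treatment_gaps(register: list[Risk]) -> list[str]:
    """Step 5: each risk outside appetite needs an owned, dated plan targeting a score inside it."""
    gaps = []
    for r in register:
        if evaluate(r) != "treat":
            continue
        t = r.treatment
        if t is None:
            gaps.append(f"{r.rid}: no treatment plan")
        elif not (t.owner and t.due):
            gaps.append(f"{r.rid}: treatment lacks a named owner or due date")
        elif t.target_score >= APPETITE_TREAT:
            gaps.append(f"{r.rid}: target score {t.target_score} is still outside appetite")
    return gaps

def kri_breaches(kris: dict[str, tuple[float, float]]) -> list[str]:
    """Step 6: KRIs as (current value, tolerance limit); any breach triggers reassessment."""
    return [name for name, (value, limit) in kris.items() if value > limit]

# Constructed sample register and KRIs: illustrative values, not taken from the article.
REGISTER = [
    Risk("R1", "Overnight batch fails to complete before market open", 4, 5,
         controls=[Control("Automated failover to secondary site", likelihood_reduction=1)]),
    Risk("R2", "Ransomware leaves file servers unavailable for more than 24 hours", 4, 5,
         controls=[Control("Monthly patch cycle", likelihood_reduction=1)],
         treatment=Treatment("Implement immutable offline backups", "Head of Infrastructure",
                             "2025-09-30", target_score=8)),
    Risk("R3", "Fraudulent wire transfer approved on compromised credentials", 4, 4,
         controls=[Control("Dual approval with callback", likelihood_reduction=2,
                           impact_reduction=1)]),
    Risk("R4", "Key supplier insolvency delays component delivery", 2, 3),
]
KRIS = {
    "Batch completion lag (minutes)": (42, 30),
    "Patches outstanding beyond 30 days (count)": (3, 10),
    "Failed dual-approval attempts per week": (0, 5),
}
```

On this register R1 is outside appetite with no plan (the documented-inaction case from step 5), R3 sits inside appetite only because dual approval holds (the control-dependent case from step 3), and one KRI has breached its limit.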
Formal Risk Assessment Frameworks Used in the United States
Several well-established frameworks provide the structure for formal risk assessment programs. The right choice depends on the industry, the type of risk being assessed, and the regulatory environment.
| Framework | Developed By | Primary Application | U.S. Prevalence |
|---|---|---|---|
| ISO 31000:2018 | International Organization for Standardization | Enterprise-wide risk management; any industry or sector | High — widely referenced in corporate governance and ERM programs |
| COSO ERM (2017) | Committee of Sponsoring Organizations of the Treadway Commission | Corporate governance; internal control; financial reporting risk | Very High — standard for public companies; aligns with SEC and SOX requirements |
| NIST SP 800-30 / RMF | National Institute of Standards and Technology | Information security and cybersecurity risk assessment | Very High — required for federal agencies; widely adopted in private sector IT |
| NIST CSF 2.0 | National Institute of Standards and Technology | Cybersecurity risk management across critical infrastructure | Very High — adopted across financial services, healthcare, energy sectors |
| FTA / FMEA | Aerospace/defense industry origins; now cross-sector | Engineering reliability; safety-critical systems | High in defense, aerospace, automotive, nuclear, and chemical industries |
| HAZOP | ICI / chemical process industry | Process safety risk assessment | High in oil and gas, chemical manufacturing, and pharmaceutical sectors |
Most U.S. organizations with mature risk management programs use more than one framework. An enterprise risk management program might adopt ISO 31000 as the overarching governance structure, COSO ERM for the financial reporting and internal control dimensions, NIST CSF for cybersecurity risk, and HAZOP or FMEA for operational process safety risks. The frameworks are complementary rather than mutually exclusive.
Formal Risk Assessment in Practice: Industry Applications
Financial Services
Banks and financial institutions conduct some of the most intensive formal risk assessment programs in the U.S. economy, driven by requirements from the OCC, Federal Reserve, FDIC, and SEC. Credit risk assessments underpin every lending decision and capital allocation, while market risk assessments govern trading desk limits and portfolio composition.
Liquidity risk assessments inform funding strategies and contingency funding plans. Operational risk assessments identify control weaknesses before they become incidents.
The Federal Reserve’s annual stress testing requirements for large banks represent formal risk assessment at institutional scale: banks must demonstrate, through documented quantitative analysis, that their capital positions remain adequate under severely adverse macroeconomic scenarios.
Healthcare
U.S. hospitals and health systems operate in a regulated environment that mandates formal risk assessment across multiple domains. The Joint Commission requires healthcare organizations to conduct proactive risk assessments (Failure Mode and Effects Analysis, or FMEA) for high-risk processes.
CMS Conditions of Participation require infection control risk assessments, life safety risk assessments, and quality improvement programs grounded in formal analysis.
Healthcare risk managers also conduct formal assessments for cybersecurity risks (HIPAA Security Rule requires a formal risk analysis), patient safety events, and construction and renovation projects that could affect infection control or life safety.
Information Technology and Cybersecurity
NIST SP 800-30 provides the standard methodology for formal information security risk assessments used by federal agencies under FISMA and widely adopted in the private sector. The NIST Cybersecurity Framework (CSF 2.0) provides a governance structure for managing cybersecurity risks that incorporates formal assessment as a core activity.
The SEC’s cybersecurity disclosure rules, finalized in 2023, now require public companies to disclose material cybersecurity risks and incidents in their annual reports and 8-K filings — making formal cybersecurity risk assessment a financial reporting requirement, not just an IT governance concern.
Construction and Infrastructure
Construction projects use formal risk assessment to manage a complex set of physical, contractual, financial, and schedule risks. Techniques such as quantitative schedule risk analysis (using Monte Carlo simulation) and cost risk modeling are standard practice on major infrastructure projects, providing probabilistic estimates of schedule and budget outcomes rather than single-point estimates that invariably prove optimistic.
See also: Definition of Exposure in Risk Assessment: A Practical Guide on RiskPublishing.com
Common Pitfalls in Formal Risk Assessment
Confusing Documentation with Analysis
The most common failure mode in formal risk assessment programs is producing documentation without conducting genuine analysis. A risk register that lists 50 risks all rated “medium” likelihood and “medium” impact, with identical control descriptions copied from a template, is not a risk assessment. It is a compliance artifact.
Genuine analysis is evident in the specificity of risk descriptions (naming the actual events, conditions, and mechanisms of harm rather than generic categories), the differentiation of risk ratings based on evidence, and the connection between findings and treatment decisions. If the risk assessment findings do not inform any decisions or change any behaviors, the process is generating paperwork rather than insight.
Treating Risk Assessment as a One-Time Project
Organizations frequently conduct formal risk assessments as one-time projects — in response to a regulatory examination, an audit finding, or a board request — and then file the results. Six months later, the risk landscape has shifted, new risks have emerged, and controls that appeared adequate have degraded, but the assessment has not been updated.
A risk assessment is a point-in-time snapshot that has a shelf life. Its value decays as conditions change. Effective programs build in formal review cycles, triggered both by the calendar and by material changes in the organization’s risk environment.
Failing to Engage the Right Stakeholders
Risk assessment conducted by the risk management function in isolation from business line leadership tends to miss the risks that operational experience reveals. The people who actually run a business process, manage a customer relationship, or operate a system know things about its vulnerabilities that never make it into formal documentation. A risk assessment that does not capture that tacit knowledge is systematically incomplete.
Conversely, risk assessments that are entirely driven by business line self-assessment, without independent challenge from a second-line risk function, tend to underestimate risks and overstate control effectiveness. The right model combines operational input with independent analytical scrutiny.
Underestimating Interdependency and Aggregation
Risk assessments that evaluate each risk category or business unit independently can miss the interactions between risks that compound their aggregate impact. A credit risk deterioration and a liquidity risk event and a market risk shock that each appear manageable in isolation may be catastrophic when they occur simultaneously — as the 2008 financial crisis demonstrated at systemic scale.
Effective formal risk assessment includes explicit consideration of risk interdependencies: which risks tend to correlate positively under stress, which controls address multiple risks, and what the aggregate risk profile looks like across the entire organization rather than within individual silos.
Best Practices for Conducting a Formal Risk Assessment
Organizations that consistently produce high-quality formal risk assessments tend to share a set of operational disciplines that distinguish their programs from check-the-box exercises.
- Anchor to a recognized framework: Use ISO 31000, COSO ERM, or NIST as the structural foundation rather than building a proprietary methodology from scratch. Recognized frameworks provide credibility with regulators and auditors and incorporate lessons learned from broad implementation experience
- Define risk appetite before assessing risks: Risk evaluation is meaningless without pre-defined tolerance thresholds. Establish appetite and tolerance parameters at the board level before the assessment begins, not after
- Use quantitative techniques where the data supports them: Qualitative assessment is appropriate for initial screening; quantitative modeling is needed for the risks that matter most. Do not let data limitations become an excuse for avoiding quantification entirely
- Separate risk identification from risk rating: The people who identify risks should not be the same people who rate them without challenge. First-line self-assessment needs second-line independent review to correct optimism bias
- Connect assessment outputs to decisions: Every formal risk assessment should conclude with explicit decisions: which risks require treatment, what treatments are approved, who owns them, and by when. Assessment that ends with a report rather than decisions has not completed its purpose
- Build in validation: Periodically compare risk assessment predictions against actual outcomes. If the model consistently overestimates or underestimates risk severity in specific categories, find out why and recalibrate
- Maintain institutional memory: Document the assumptions behind each risk assessment so that future assessments can evaluate whether conditions have changed and update the analysis accordingly rather than starting from scratch
Frequently Asked Questions on Formal Risk Assessment
What is the simplest definition of a formal risk assessment?
A formal risk assessment is a documented, repeatable evaluation that identifies risks, scores their likelihood and impact against a defined methodology, and assigns controls with named owners and closure dates.
It follows a recognized framework such as ISO 31000:2018, COSO ERM, or NIST SP 800-30, produces evidence an auditor or regulator can replicate, and ties directly into the organization’s risk register.
The distinguishing feature is defensibility: every score, decision, and treatment can be traced back to a written rule.
What is the difference between formal and informal risk assessment?
An informal risk assessment is a quick judgment-based scan that helps a team make a fast decision but leaves no audit trail.
A formal risk assessment is documented, methodology-driven, and repeatable, so the same inputs produce the same scores regardless of who runs the analysis.
US regulators including the OCC, SEC, CMS, and OSHA expect formal assessments for any decision that affects capital, patient safety, worker safety, or public reporting.
Informal work supports day-to-day operations; formal work supports the cases where the decision has to survive an external review.
What are the seven steps of a formal risk assessment?
The ISO 31000:2018 sequence anchors most US formal risk assessment practice.
Establish context and scope, identify risks across all relevant categories, analyze likelihood and impact for each risk, evaluate the analyzed risks against the organization’s risk appetite, treat the risks that exceed appetite through the hierarchy of controls, monitor and review the controls and the residual risk, and communicate and consult with stakeholders throughout.
Skipping the context step or the monitor step is the most common audit finding in US programs.
Which US frameworks govern formal risk assessment in 2026?
Five frameworks dominate US formal risk assessment practice. ISO 31000:2018 supplies the universal sequence. COSO ERM (2017 update) is the SEC and audit committee reference for financial reporting and enterprise risk.
NIST SP 800-30 and NIST CSF 2.0 anchor cybersecurity risk assessment for federal agencies, contractors, and firms under SEC cyber disclosure rules.
FISMA carries statutory weight for federal information systems. The HIPAA Security Rule governs healthcare information risk assessment, enforced by HHS Office for Civil Rights.
How often should a formal risk assessment be conducted?
Annual reassessment is the practical floor for most US organizations.
Trigger an off-cycle formal risk assessment after any material event: an incident, a regulatory change, an M&A transaction, a system migration, or a strategic pivot.
SEC, OCC, FINRA, and Federal Reserve examiners increasingly expect evidence of refresh cadence and documented trigger logic. Static three-year cycles that were acceptable a decade ago no longer survive enforcement review.
Who should conduct a formal risk assessment inside a US firm?
Under the Three Lines Model, the second line (enterprise risk management) owns the formal risk assessment methodology and the calibrated scoring scales.
The first line (business unit heads, process owners, IT system owners) conducts the actual assessment for their domain. The third line (internal audit) tests both the methodology and the application.
For specialized domains the team adds named subject-matter experts: a fire protection engineer for life safety, a Certified Information Systems Auditor for cybersecurity, a clinical risk specialist for healthcare.
Does formal risk assessment apply to every industry?
Yes, but the regulatory weight and methodology differ sharply by sector. Financial services run formal risk assessment under OCC, Federal Reserve, FDIC, SEC, and FINRA oversight.
Healthcare runs it under CMS, HHS OCR, and Joint Commission expectations. Federal agencies and contractors run it under FISMA and NIST.
Manufacturing, construction, energy, and chemical sectors run it under OSHA and EPA scrutiny. The seven-step ISO 31000 sequence stays constant; the framework overlays change.
What documentation should a formal risk assessment produce?
A complete formal risk assessment record carries the assessment date, the assessor’s name and qualifications, the scope and boundaries assessed, a risk catalog with assessed likelihood and impact scores, the calibrated scoring methodology, existing controls with effectiveness evaluation, recommended controls with owners and target dates, and the next reassessment schedule. The documentation is what regulators, internal audit, and plaintiff counsel request first after any incident. Thorough records are one of the few defenses that meaningfully change post-incident outcomes.
Final Thoughts
Formal risk assessment is the discipline that converts risk management from a concept into a practice. Without it, organizations operate on intuition, historical pattern recognition, and optimism — which work reasonably well until they do not.
The formality is not bureaucracy for its own sake. It is the mechanism that makes risk analysis reproducible, defensible, and usable by people who were not in the room when it was conducted. A formal risk assessment can be reviewed by a board member, challenged by an auditor, examined by a regulator, and scrutinized by a court — and in each case, it demonstrates that the organization took its risk obligations seriously and made reasoned decisions based on documented analysis.
The organizations that do formal risk assessment well share a common characteristic: they treat it as a management tool that informs how they run the business, not as a reporting obligation they fulfill to keep regulators satisfied. That orientation produces assessments with genuine analytical substance, findings that actually drive decisions, and risk management programs that deliver measurable value rather than stacks of paper.
Start with a recognized framework, build the process around real decisions rather than regulatory submissions, engage the people who actually know where the risks live, and commit to keeping the assessment current as conditions change. That is the whole program — and it is more than most organizations actually do.
Explore related risk management resources on RiskPublishing.com:
- Monte Carlo Simulation in Risk Assessment: A Practical Tutorial
- Key Risk Indicators: Building an Early Warning System
- Definition of Financial Risk Assessment: A Complete Guide
- Definition of Exposure in Risk Assessment: A Practical Guide
- Definition of Fire Risk Assessment: A Practical Guide
- Business Continuity Planning and Risk Management Frameworks
Sources and Further Reading
- ISO 31000:2018 Risk Management Guidelines
- COSO Enterprise Risk Management Framework (2017)
- NIST SP 800-30: Guide for Conducting Risk Assessments
- NIST Cybersecurity Framework 2.0
- SEC: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules
- Federal Reserve: Stress Testing and Capital Planning
- OSHA: Process Safety Management of Highly Hazardous Chemicals (29 CFR 1910.119)
- The Joint Commission: Proactive Risk Assessment (FMEA)
- FISMA: Federal Information Security Modernization Act

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.