ISO 31000:2018 defines risk as “the effect of uncertainty on objectives.” That definition matters because it anchors risk management to something concrete: outcomes the organization is trying to achieve.

Risk management is not an abstract compliance exercise. It is the structured process of understanding what could prevent you from reaching your objectives and deciding what to do about it.

The risk management process, as codified in ISO 31000 and reinforced by COSO ERM and PMI’s PMBOK, follows a logical sequence: establish context, identify risks, analyze them, evaluate their significance, treat the ones that exceed tolerance, and monitor continuously.

These steps are often presented as a linear sequence, but in practice the process is iterative: new information at any stage can send you back to an earlier stage. That is by design, not a failure.

This guide provides a detailed flow chart of the risk management process, explains the decision logic at each stage, specifies the tools and outputs that make each step operational, and shows how the process connects to enterprise governance.

For a high-level overview of the five core steps, see: Five Steps of the Risk Management Process

The Risk Management Process Flow Chart

The flow chart below follows ISO 31000:2018’s process structure. Two activities run continuously alongside all other steps: Communication and Consultation, and Monitoring and Review. They are not stages you complete and move past; they operate in parallel throughout the entire process.

Step | Stage | Key Activities | Key Output
|| | Communication and Consultation | Engage stakeholders throughout all stages. Share risk information. Gather perspectives on risk perception and tolerance. | Stakeholder engagement plan. Risk communication protocols. Shared understanding of risk context and criteria.
1 | Establish Context | Define scope and objectives. Identify internal/external factors. Set risk criteria (likelihood scales, impact scales, risk appetite, tolerance thresholds). | Documented scope statement. Risk criteria framework. Context analysis (internal + external environment).
2 | Risk Identification | Identify what could happen, why, and what the consequences would be. Use cause-event-consequence structure. Apply multiple techniques. | Comprehensive risk list in cause-event-consequence format. Preliminary risk register.
3 | Risk Analysis | Determine likelihood and impact of each risk. Assess existing controls. Calculate inherent and residual risk levels. Use qualitative and/or quantitative methods. | Risk scores (inherent and residual). Control effectiveness ratings. Ranked risk list.
4 | Risk Evaluation | Compare risk analysis results against risk criteria. Determine which risks require treatment. Prioritize treatment actions. | Decision: treat, monitor, or accept each risk. Prioritized treatment list.
5 | Risk Treatment | Select and implement response: Avoid, Reduce, Transfer, Accept, or Share. Assign owners. Define actions, timelines, resources, and residual risk targets. | Treatment plans with owners, actions, and timelines. Updated risk register. Contingency and fallback plans.
|| | Monitoring and Review | Track risk status continuously. Evaluate treatment effectiveness. Identify new risks. Update risk register. Report to stakeholders. Adjust as conditions change. | Risk status reports. KRI dashboards. Updated risk register. Lessons learned. Improved process.

The “||” notation for Communication/Consultation and Monitoring/Review indicates these run in parallel with all five sequential steps. This is a defining characteristic of ISO 31000: communication and monitoring are not endpoints. They are continuous activities.

Each Step in Detail

Step 1: Establish the Context

Before you can identify risks, you need to define what you are managing risk for and within what boundaries. Establishing context means answering three questions: What are the objectives we are trying to protect or achieve? What internal and external factors could influence risk? What criteria will we use to decide whether a risk is acceptable?

The external context includes regulatory requirements, market conditions, competitive landscape, macroeconomic environment, and stakeholder expectations. The internal context includes organizational strategy, governance structure, resource capacity, culture, and existing controls.

The risk criteria define the scales for likelihood and impact assessment, the risk appetite (how much risk the organization is willing to take to achieve objectives), and tolerance thresholds that trigger escalation or mandatory treatment.

This step is often skipped or done superficially, which undermines everything that follows. If you assess risks against undefined criteria, your assessments are subjective and inconsistent.

If you have not defined risk appetite, you have no principled basis for deciding which risks require treatment and which can be accepted. For more on how risk appetite connects to enterprise governance, see: Enterprise Risk Management Framework

Step 2: Risk Identification

Risk identification is the process of finding, recognizing, and describing risks. ISO 31000 defines it as identifying sources of risk, areas of impact, events, their causes, and their potential consequences. The goal is to generate a comprehensive list, not a perfect one. You will refine assessments later. At this stage, breadth matters more than precision.

Use multiple identification techniques to avoid blind spots: brainstorming with the project or business team, SWOT analysis for strategic risks, historical data review from similar past projects or operations, expert interviews with subject matter specialists, pre-mortem analysis (imagining the project has failed and working backward to identify causes), and checklist reviews against standard risk categories (financial, operational, strategic, compliance, technology, reputational, external).

Document each risk using the cause-event-consequence structure: “Because of [cause], [risk event] may occur, which would lead to [consequence on objective].” This structure forces specificity and prevents vague entries like “market risk” that are too generic to assess or treat. For more on risk description best practices, see: How to Describe a Risk

Step 3: Risk Analysis

Risk analysis determines the nature, sources, and level of each identified risk. It involves assessing the likelihood of occurrence, the potential impact if the risk materializes, the effectiveness of existing controls, and the resulting level of risk (inherent risk before controls, residual risk after controls).

Two approaches are available. Qualitative analysis uses defined scales (typically 1–5) for likelihood and impact, with descriptions anchoring each level (e.g., 1=Rare: less than 5% probability within the assessment period; 5=Almost Certain: greater than 90%). The result is a risk score (Likelihood × Impact) that enables prioritization.

Quantitative analysis uses numerical data: Monte Carlo simulation, decision tree analysis, sensitivity analysis (tornado charts), and expected monetary value calculations. Quantitative methods are most valuable for complex, high-stakes decisions where the cost of getting risk wrong is significant.

A standard 5×5 risk assessment matrix:

Likelihood \ Impact | Negligible (1) | Minor (2) | Moderate (3) | Major (4)
Almost Certain (5) | 5 – Medium | 10 – High | 15 – Critical | 20 – Critical
Likely (4) | 4 – Low | 8 – Medium | 12 – High | 16 – Critical
Possible (3) | 3 – Low | 6 – Medium | 9 – High | 12 – High
Unlikely (2) | 2 – Low | 4 – Low | 6 – Medium | 8 – Medium
Rare (1) | 1 – Low | 2 – Low | 3 – Low | 4 – Low

ISO 31000 also emphasizes assessing existing controls: are they designed to address the risk? Are they operating effectively? The gap between inherent risk (before controls) and residual risk (after controls) reveals how much protection your current controls actually provide. For a comprehensive assessment methodology, see: A Step-by-Step Guide to Risk Assessment

Step 4: Risk Evaluation

Risk evaluation is the decision point in the process. It compares the results of risk analysis against the risk criteria established in Step 1 to determine which risks need treatment and which can be accepted or simply monitored. The decision logic is:

Risk Level | Decision | Action Required
Critical (15-20) | Immediate treatment required. Escalate to senior management. May require stopping the activity until risk is reduced. | Develop and implement treatment plan immediately. Assign senior risk owner. Report to steering committee / board.
High (9-12) | Treatment required within defined timeframe. Active management needed. | Develop treatment plan with owner, timeline, and resources. Monitor weekly. Report monthly.
Medium (5-8) | Treatment recommended where cost-effective. Monitor for escalation. | Implement cost-effective controls. Assign owner. Monitor monthly. Review quarterly.
Low (1-4) | Accept. Monitor through routine processes. No dedicated treatment required. | Document in risk register. Review quarterly. No active management needed unless conditions change.

Evaluation is also where you consider risk interdependencies. Two medium risks that are correlated (both triggered by the same cause) may together create a high combined risk that warrants treatment even though individually they would not. For more on how evaluation drives treatment decisions, see: Scenario-Based Risk Assessment
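The scoring in Step 3 and the decision logic in Step 4 can be run mechanically over a risk register. The following is an added example, not code from the article or from ISO 31000: it takes the likelihood and impact labels, the score bands and the action column from the two tables above, applies them to a small constructed register written in cause-event-consequence form, computes inherent and residual scores from a simplified model of control effectiveness, and performs the shared-cause interdependency check. The register entries, the `Control` reduction model and the rule that a shared cause adds up the residual impacts are all assumptions made for the illustration.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

# Scales as labelled in the article's matrix. The matrix as printed shows four
# impact levels, so impact is validated against 1..4.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major"}

# Score bands from the Step 4 decision table: (lower bound, level), highest first.
BANDS = [(15, "Critical"), (9, "High"), (5, "Medium"), (1, "Low")]

# Condensed from the "Action Required" column of the Step 4 table.
ACTIONS = {
    "Critical": "Treat immediately; escalate to senior management",
    "High": "Treatment plan with owner, timeline, resources; monitor weekly",
    "Medium": "Cost-effective controls; assign owner; monitor monthly",
    "Low": "Accept; document in register; review quarterly",
}


@dataclass
class Control:
    """An existing control. Reductions are the number of scale levels removed
    when the control operates effectively (constructed simplification)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    operating_effectively: bool = True


@dataclass
class Risk:
    """One register entry in cause-event-consequence form (Step 2)."""
    risk_id: str
    cause: str
    event: str
    consequence: str
    likelihood: int  # inherent rating, 1..5
    impact: int      # inherent rating, 1..4
    controls: list[Control] = field(default_factory=list)

    def statement(self) -> str:
        return f"Because of {self.cause}, {self.event} may occur, which would lead to {self.consequence}."


def score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact, refusing ratings that are off the defined scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"off-scale rating: likelihood={likelihood}, impact={impact}")
    return likelihood * impact


def level(risk_score: int) -> str:
    """Map a score to the band used by the evaluation table."""
    for lower, name in BANDS:
        if risk_score >= lower:
            return name
    raise ValueError(f"score {risk_score} is below the defined scale")


def residual_ratings(risk: Risk) -> tuple[int, int]:
    """Apply only controls that are operating effectively; never rate below 1."""
    like, imp = risk.likelihood, risk.impact
    for c in risk.controls:
        if c.operating_effectively:
            like = max(1, like - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
    return like, imp


def evaluate(risk: Risk) -> dict:
    """Steps 3 and 4 for one risk: inherent and residual scores, band, decision."""
    inherent = score(risk.likelihood, risk.impact)
    residual = score(*residual_ratings(risk))
    lvl = level(residual)
    return {"id": risk.risk_id, "inherent": inherent, "residual": residual, "level": lvl,
            "control_effect": inherent - residual,  # protection current controls actually give
            "action": ACTIONS[lvl]}


def prioritize(register: list[Risk]) -> list[dict]:
    """Ranked risk list: highest residual first, inherent score as tie-breaker."""
    return sorted((evaluate(r) for r in register), key=lambda e: (-e["residual"], -e["inherent"]))


def correlated_exposure(register: list[Risk]) -> dict[str, dict]:
    """Interdependency check: risks sharing one cause are combined. Modelling
    assumption (constructed): a shared cause triggers every linked event at its
    highest likelihood, and the residual impacts add up, capped at the top of the scale."""
    by_cause: dict[str, list[tuple[int, int]]] = defaultdict(list)
    for r in register:
        by_cause[r.cause].append(residual_ratings(r))
    combined = {}
    for cause, ratings in by_cause.items():
        if len(ratings) < 2:
            continue
        like = max(l for l, _ in ratings)
        imp = min(max(IMPACT), sum(i for _, i in ratings))
        s = score(like, imp)
        combined[cause] = {"count": len(ratings), "combined": s, "level": level(s)}
    return combined


# Constructed sample register (not real data).
REGISTER = [
    Risk("R-01", "a single cloud provider hosting the customer portal", "a regional provider outage",
         "portal downtime beyond the 4-hour SLA", likelihood=3, impact=2,
         controls=[Control("multi-region failover", likelihood_reduction=1, operating_effectively=False)]),
    Risk("R-02", "a single cloud provider hosting the customer portal", "a regional provider outage",
         "loss of orders in flight", likelihood=3, impact=3,
         controls=[Control("transactional queue with replay", impact_reduction=1)]),
    Risk("R-03", "unpatched internet-facing systems", "exploitation of a known vulnerability",
         "breach notification costs and fines", likelihood=4, impact=4,
         controls=[Control("30-day patch SLA with scanning", likelihood_reduction=2)]),
]

if __name__ == "__main__":
    for e in prioritize(REGISTER):
        print(e)
    print(correlated_exposure(REGISTER))
```

Running it shows R-03 dropping from 16 (Critical) to 8 (Medium) because its patching control is effective, R-01 staying at 6 (Medium) because its failover control is not operating, and the two portal risks, each Medium on its own, combining to 12 (High) through their shared cause, which is exactly the interdependency case the paragraph above describes.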

Step 5: Risk Treatment

Risk treatment selects and implements actions to modify risk. ISO 31000 identifies several treatment options:

Treatment Option | What It Does | When to Use
Avoid | Eliminates the risk by not starting or continuing the activity that gives rise to it. | When the risk is unacceptable and alternatives exist that achieve the same objective without the risk.
Reduce (Mitigate) | Reduces the likelihood, the consequence, or both through additional controls, processes, or safeguards. | Most common treatment. Used when the risk cannot be avoided but can be brought within tolerance through cost-effective measures.
Share / Transfer | Distributes or shifts the risk to another party through insurance, contracts, partnerships, or outsourcing. | When another party can absorb or manage the risk more effectively. Classic insurance scenario for low-probability, high-impact risks.
Accept | Retains the risk by informed decision. May include contingency plans (active acceptance) or no specific action (passive acceptance). | When the cost of any other treatment exceeds the risk exposure, or when the risk is within tolerance after all other treatments are applied.

Each treatment action should have: a named owner, specific steps, a timeline, required resources, a target residual risk level, and a trigger condition for contingency activation. Document all treatments in the risk register. For a detailed guide to treatment strategies, see: What Are the 3 Components of Risk Management

Continuous: Communication, Consultation, Monitoring, and Review

ISO 31000 treats these as continuous activities, not final steps. Communication and consultation ensures stakeholders understand the basis on which risk decisions are made and why particular treatments are selected.

It includes sharing risk information, gathering perspectives on risk perception, and building shared ownership of risk management across the organization.

Monitoring and review ensures the process stays effective as conditions change. It includes tracking identified risks, evaluating whether treatments are working as intended, scanning for new or emerging risks, updating the risk register, and feeding lessons learned back into the process.

Key risk indicators (KRIs) with defined thresholds provide the early warning system that makes monitoring proactive rather than reactive. For guidance on designing KRI dashboards, see: How to Use a Key Risk Indicators Dashboard

Roles in the Risk Management Process

Role | Responsibilities in the Process
Board / Executive Leadership | Set risk appetite and tolerance. Approve the risk management framework. Oversee enterprise risk profile. Make decisions on risks exceeding organizational tolerance.
Risk Management Team / CRO | Design and maintain the risk management process. Facilitate risk assessments. Aggregate risk data across the organization. Report to leadership. Provide methodology and tools.
Risk Owners | Named individuals accountable for specific risks. Monitor assigned risks. Execute treatment plans. Report status. Escalate when risks approach or breach tolerance.
Project / Line Managers | Identify and assess risks within their area. Implement treatments. Update the risk register. Participate in risk reviews. Communicate risk status to the risk management team.
Internal Audit (Third Line) | Provide independent assurance on the effectiveness of risk management processes and controls. Review risk register accuracy. Audit treatment implementation.

This role structure aligns with the Three Lines Model: operational management (first line) owns and manages risks, the risk management function (second line) provides oversight and methodology, and internal audit (third line) provides independent assurance. For more on how project managers fit into this structure, see: Role of Project Manager During Risk Assessment

Five Mistakes That Break the Flow

1. Skipping context establishment. Without defined risk criteria and appetite, every assessment is subjective and inconsistent. Two managers will score the same risk differently because they are working from different, unstated assumptions about what “moderate impact” means.

2. Identifying risks only once. The flow chart is iterative. New risks emerge as conditions change. Organizations that treat identification as a one-time kickoff exercise consistently underperform. Risk identification should occur at every milestone, every scope change, and every significant shift in the external environment.

3. Analyzing without evaluating. Analysis produces risk scores. Evaluation produces decisions. Many organizations calculate scores but never formally decide which risks require treatment, which can be accepted, and which need escalation. Without that decision step, the process generates data but not action.

4. Treating risks without monitoring outcomes. Implementing a control is not the same as reducing risk. The control may not work as intended, conditions may change, or the risk may evolve. Without monitoring and review, you do not know whether your treatments are effective.

5. Communicating risk only when it becomes a crisis. By then, the flow chart has failed. Communication runs in parallel with every step. Stakeholders should know about significant risks before they materialize, not after. PMI data shows that $75 million of every $1 billion in project spending is at risk due to ineffective communications.

Connecting the Flow Chart to ERM Frameworks

The ISO 31000 process flow chart is designed to operate within two broader structures: the ISO 31000 Framework (which governs how risk management is designed, implemented, and improved across the organization) and the ISO 31000 Principles (eight principles that define effective risk management: integrated, structured and comprehensive, customized, inclusive, dynamic, uses best available information, considers human and cultural factors, and facilitates continual improvement).

COSO ERM provides a complementary perspective, organizing risk management around five components: Governance and Culture; Strategy and Objective-Setting; Performance (which encompasses the process steps covered in this flow chart); Review and Revision; and Information, Communication, and Reporting. Organizations using COSO can map this flow chart directly into the Performance component. For a comparison of both frameworks, see: COSO ERM vs ISO 31000 Standards and What Is Enterprise Risk Management

Putting It Into Practice

Print the flow chart table from this guide. Walk through it with your current risk management activities: Are you doing each step? Are you doing them in sequence? Are communication and monitoring happening continuously, or only at the end? Where are the gaps?

For most organizations, the biggest improvement comes from formalizing the steps they are already doing informally: writing down risk criteria instead of assuming them, documenting risks in a register instead of keeping them in people’s heads, assigning owners instead of assuming someone is watching, and reviewing effectiveness instead of assuming treatments are working.

The flow chart is not complicated. The discipline of following it consistently is what separates organizations that manage risk from those that just talk about it.

For more guidance, explore the Risk Publishing library: What Is a Risk Register? | Key Risk Indicators Examples | Eight Steps for Conducting a Project Risk Assessment

Sources

1. ISO 31000:2018, Risk Management Guidelines

2. COSO, Enterprise Risk Management: Integrating with Strategy and Performance

3. PMI, A Guide to the Project Management Body of Knowledge (PMBOK)

4. TechTarget, The Three Stages of the ISO 31000 Risk Management Process

5. Riskonnect, The Basics of ISO 31000 Risk Management, February 2025

6. MetricStream, ISO 31000 Framework Explained: A Comprehensive Guide

7. Protecht Group, ISO 31000 Risk Management Framework: Your Complete Guide USA, July 2025

8. PECB, ISO 31000 Risk Management Principles and Guidelines, July 2025

9. Practical Risk Training, ISO 31000 Risk Management Process

10. Risk Engineering, The ISO 31000 Standard: Risk Management Principles and Guidelines, October 2025

11. NAVEX, 7 Essential Risk Management Frameworks, August 2025

12. PMI, Pulse of the Profession 2025

External Resources

ISO 31000:2018 Risk Management Guidelines

TechTarget: ISO 31000 Risk Management Process

Riskonnect: Basics of ISO 31000

Protecht Group: ISO 31000 Complete Guide (USA)

NAVEX: Essential Risk Management Frameworks

MetricStream: ISO 31000 Framework Guide

Five Steps of the Risk Management Process

A Step-by-Step Guide to Risk Assessment

Scenario-Based Risk Assessment

How to Describe a Risk

What Is a Risk Register?

Enterprise Risk Management Framework

COSO ERM vs ISO 31000 Standards

What Is Enterprise Risk Management

How to Use a Key Risk Indicators Dashboard

Role of Project Manager During Risk Assessment

What Are the 3 Components of Risk Management

Key Risk Indicators Examples

Eight Steps for Conducting a Project Risk Assessment

Have questions about implementing the risk management process in your organization? Contact Risk Publishing for consulting support in Enterprise Risk Management, Business Continuity Management, and Project Management.