The five steps of the risk management process form the foundation of every resilient organization — yet most firms fail to execute them consistently. In March 2023, a mid-size Australian financial services firm discovered that a single unmonitored vendor connection had been leaking client data for nine months.
The breach affected 14,000 customers, incurred recovery costs in line with the $4.88 million global average reported in IBM’s 2024 breach-cost benchmark, and drew regulatory sanctions from the Australian Prudential Regulation Authority. The root cause was not a technology failure.
It was a process failure: the firm had a risk register, but no living risk management process that would have flagged a dormant vendor as an active threat.
Key Takeaways: The Risk Management Process
1. The five steps of the risk management process are: establish context, identify risks, analyze and evaluate risks, treat risks, and monitor and review. Skipping any step weakens the entire chain.
2. ISO 31000:2018 and COSO ERM 2017 are the two globally recognized frameworks that define best practice for the risk management process. Align your program to at least one.
3. Only 11% of organizations view their risk management process as a strategic tool (AICPA/NC State 2025). Close the gap by connecting risk identification directly to strategic planning.
4. Every identified risk needs both an inherent risk rating (before controls) and a residual risk rating (after controls). This distinction drives every treatment decision in the risk management process.
5. Key Risk Indicators (KRIs) with defined thresholds and escalation rules are what make the monitoring step of the risk management process operational rather than ceremonial.
6. The IIA Three Lines Model assigns clear accountability: first line owns risk, second line oversees the risk management process framework, third line provides independent assurance.
7. Effective risk treatment plans require a documented owner, target date, resource allocation, and expected residual risk level. Without these, the risk management process stalls at paper.
We see variations of this story constantly. An organization builds a register, checks a compliance box, and assumes it has risk management handled.
Then something breaks, and the post-mortem reveals the same pattern: risks were listed but not analyzed, analyzed but not treated, treated but not monitored.
The risk management process exists to prevent exactly that kind of cascade — by imposing a structured, repeatable sequence that forces each risk through identification, analysis, treatment, and ongoing review. Done well, it is the difference between absorbing disruption and being undone by it.
This guide walks through the five steps of the risk management process as defined by ISO 31000:2018 and aligned with the COSO ERM 2017 framework.
We have written it for practitioners who need to build, refresh, or defend a program — not for students reading a textbook. Every section includes a framework reference, a data point, and a practical tool you can use on Monday morning.

What the Risk Management Process Is and Why It Matters
Before we walk through the five steps, we need to get the definition right, because “risk management” is one of those phrases people use to mean different things.
The risk management process is the structured, repeatable sequence of activities an organization uses to identify risks to its objectives, assess how severe and likely those risks are, decide how to respond, and monitor whether those responses are working.
It is not a document. It is not a risk register. It is the operational engine that connects risk information to decision-making.
ISO 31000:2018 — the international standard for risk management — places the risk management process inside a broader framework that links it to governance, culture, and strategic direction.
The COSO ERM 2017 framework goes further, explicitly tying risk to strategy and performance. Both standards agree on a fundamental point: risk management that operates as a standalone compliance activity, disconnected from how the organization actually makes decisions, will never deliver meaningful protection.
The data confirms this. Forrester’s 2025 Business Risk Survey found that firms without board-level enterprise risk management visibility were 20% more likely to suffer six or more critical risk events in a single year.
At the same time, AICPA and NC State University’s 2025 State of Risk Oversight report found that only 11% of organizations treat their risk management process as an extensive strategic tool. That gap between exposure and integration is where most failures live.

Step 1 of the Risk Management Process: Establish Context and Scope
The risk management process has a step most organizations skip, and it costs them. Before we identify a single risk, we need to define the boundaries: what is in scope, what criteria will we use to measure likelihood and impact, and what level of risk are we willing to accept?
Internal Context in the Risk Management Process
Internal context includes our organization’s strategic objectives, governance structure, resource capabilities, culture, and contractual obligations.
A risk that is catastrophic for a thinly capitalized start-up might be acceptable for a diversified institution with a mature business continuity management program. Internal context also defines risk appetite — the amount and type of risk the board is willing to accept in pursuit of objectives — and risk tolerance, the acceptable variation from appetite in operational practice. Without these defined, the risk management process cannot produce consistent treatment decisions.
External Context in the Risk Management Process
External context covers the regulatory environment, competitive dynamics, macroeconomic forces, technological change, and social and environmental factors.
The Aon 2025 Global Risk Management Survey — drawing on 3,000+ risk leaders across 60 countries — ranked cyber attack, business interruption, and economic slowdown as the top three global enterprise risks. That external picture directly shapes which risks deserve attention in our risk management process.
This step also requires defining risk criteria: the scales for likelihood and impact, the format of our risk heatmap, and the thresholds that separate acceptable from unacceptable residual risk.
Setting these criteria upfront prevents the inconsistencies that undermine so many risk assessment programs later.
| Context Element | What to Define | Why It Matters for the Risk Management Process |
|---|---|---|
| Risk Appetite | Board-approved statement of acceptable risk types and levels | Sets the threshold for all treatment decisions in the risk management process |
| Risk Criteria | Likelihood scales (1-5), impact categories (financial, reputational, operational), rating matrix | Ensures consistent risk analysis across all assessors and business units |
| Scope Boundaries | Which entities, processes, projects, or geographies are in scope | Prevents both scope creep and blind spots in the risk management process |
| Stakeholder Map | Internal and external stakeholders with their information needs | Drives the communication and consultation thread running through the risk management process |
Step 2 of the Risk Management Process: Risk Identification
With context established, we move to the step where the risk management process makes first contact with reality. Risk identification is the systematic effort to find, recognize, and describe every risk that could affect the achievement of our objectives.
And here is where most organizations are weaker than they realize: only 18% of ERM leaders express high confidence in their ability to identify emerging risks, according to Forrester’s 2025 survey.
Risk Identification Techniques in the Risk Management Process
No single technique captures the full threat landscape. Effective risk identification in the risk management process combines multiple methods:
- Workshops and structured brainstorming — cross-functional groups surface risks that functional silos miss. We schedule these quarterly at minimum.
- Process-owner interviews — frontline staff see operational vulnerabilities that management reports obscure. Our risk management process must capture that intelligence.
- Historical incident review — past loss events are strong predictors of future risk categories. Mining our own incident database is non-negotiable.
- PESTLE analysis (Political, Economic, Social, Technological, Legal, Environmental) — maps external context onto risk categories systematically.
- Bow-tie analysis — visualizes causes, the risk event, and consequences in a single diagram, making control gaps visible at a glance.
- Control self-assessment — process owners evaluate their own controls, surfacing weaknesses before the third line discovers them in audit.
The Risk Register as a Risk Management Process Output
Every identified risk must be documented in a risk register. The risk register is the central operational artifact of the risk management process — a living document capturing the risk description, root cause, potential consequences, inherent risk rating, controls in place, residual risk rating, risk owner, treatment status, and review date.
We cannot stress this enough: the register is a living document. If it is only updated annually, it is not part of a real risk management process — it is a compliance artifact.
A critical discipline at this step is distinguishing inherent risk (risk level before controls) from residual risk (risk level after controls are applied and operating effectively).
This distinction drives the entire logic of the risk management process: if residual risk still exceeds our risk appetite, additional treatment is required. Confusing the two is one of the most common pitfalls we see in practice.

Step 3 of the Risk Management Process: Risk Analysis and Evaluation
Risk identification tells us what could go wrong. Risk analysis and evaluation — the third step in the risk management process — tells us how bad it could be and which risks deserve our resources first. These two activities are often combined in practice because they flow directly into each other, but they serve distinct purposes.
Risk Analysis Methods in the Risk Management Process
Risk analysis assesses two dimensions for each identified risk: likelihood (probability of occurrence) and impact (severity of consequences if the risk materializes). Together, these produce an inherent risk rating that we plot on a risk heatmap or probability-impact matrix.
The risk management process supports three analytical approaches, and mature programs use all three depending on the risk:
- Qualitative analysis — uses descriptive scales (Low/Medium/High or 1–5) for rapid assessment across a broad risk universe. Accessible but requires calibrated definitions and facilitator consistency.
- Quantitative analysis — scenario analysis, Monte Carlo simulation, and value-at-risk modeling translate risk into financial terms. The COSO ERM framework specifically encourages quantitative methods for material risks where data supports it, because they enable more precise resource allocation.
- Semi-quantitative approaches — combine numerical scales with financial impact estimates. For most organizations, this is the practical sweet spot in the risk management process.
Risk Evaluation: Prioritizing Within the Risk Management Process
Risk evaluation compares analysis results against our pre-defined risk criteria. The output is a prioritized list: risks exceeding our risk appetite demand treatment; risks within appetite may be accepted and monitored.
This is where the risk management process produces its most consequential decisions — where to allocate finite resources.
At this stage, we also assess control effectiveness. A preventive control reduces likelihood; a detective control identifies when a risk event has occurred; a corrective control limits impact after the fact.
Mapping controls to risks and evaluating both design effectiveness and operating effectiveness is central to producing accurate residual risk ratings.
The IIA’s Three Lines Model assigns this assurance role to the third line — internal audit — which provides independent verification that the risk management process is functioning as designed.

Step 4 of the Risk Management Process: Risk Treatment
Analysis tells us which risks are outside appetite. Treatment — the fourth step of the risk management process — is where we decide what to do about them. ISO 31000 defines four treatment options, and in practice, we apply them in combination:
| Treatment | What It Means in the Risk Management Process | Typical Application |
|---|---|---|
| Avoid | Eliminate the activity or condition creating the risk entirely | Exiting a market, discontinuing a product, cancelling a project |
| Reduce (Mitigate) | Take action to lower likelihood or impact to within risk appetite | New controls, training, process redesign, technology safeguards |
| Transfer (Share) | Shift financial consequences to a third party | Insurance, contractual allocation, outsourcing with SLA guarantees |
| Accept (Retain) | Consciously decide to live with the risk within appetite | Low-priority risks; build contingency reserves, monitor via KRIs |

Designing Effective Risk Treatments in the Risk Management Process
Selecting a treatment category is the easy part. Designing the actual treatment is where the risk management process succeeds or fails.
Each treatment decision must result in a documented risk treatment plan that specifies: the action to be taken, the responsible owner, the resources required, the target completion date, and the residual risk level expected after implementation. Without this specificity, our risk management process produces decisions that exist only on paper.
The IIA Three Lines Model clarifies accountability: first-line managers own and operate controls in their operations; second-line risk and compliance functions set the risk management process framework, aggregate reporting, and challenge first-line assessments; third-line internal audit provides independent assurance on whether treatments are working.
One treatment category deserves special attention: business continuity management. For risks with catastrophic potential, the risk management process must connect to a tested business continuity plan with defined Recovery Time Objectives and Recovery Point Objectives, aligned to ISO 22301:2019.
Step 5 of the Risk Management Process: Monitoring, Review, and Reporting
If there is one step that separates organizations with a genuine risk management process from those with a compliance exercise, it is this one.
Monitoring and review is what makes the risk management process continuous rather than periodic. Risks change as our organizations change — new strategies create new exposures, completed projects retire old ones, and external events reshape the threat landscape weekly.
Key Risk Indicators in the Risk Management Process
Key Risk Indicators (KRIs) are forward-looking metrics that signal when a risk is trending toward a threshold.
Unlike KPIs, which measure what has happened, KRIs in the risk management process measure what is about to happen — giving us time to intervene before a risk event materializes. Here is a starter set:
| KRI in the Risk Management Process | Threshold | Review Cadence |
|---|---|---|
| Overdue risks in the register (>30 days without review) | Zero tolerance | Weekly |
| % of high-rated risks with assigned treatment owners | 100% | Monthly |
| Risk events occurred vs. anticipated in the risk management process | <10% deviation | Monthly |
| Days from risk identification to treatment decision | <15 business days | Monthly |
| % of controls tested and confirmed effective | >85% | Quarterly |
| Residual risk ratings trending downward | Positive trend over 2 quarters | Quarterly |
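As an added example (not code from the article), the Python below applies the inherent-versus-residual rating logic from Step 2 and the KRI thresholds from the table above to a constructed register. The 1-5 likelihood and impact scales, the residual appetite ceiling of 8, the "high-rated" cut-off of 12 and the sample risks are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed risk criteria from Step 1 (constructed, not from the article):
# likelihood and impact each on a 1-5 scale, rating = likelihood x impact.
APPETITE_THRESHOLD = 8      # residual rating above this exceeds appetite -> treat
HIGH_RATING = 12            # inherent rating at or above this is "high-rated"
REVIEW_SLA_DAYS = 30        # KRI table: >30 days without review is overdue
CONTROL_EFFECTIVE_PCT = 85  # KRI table: >85% of controls tested effective


@dataclass
class Risk:
    """One row of the risk register, using the fields the article lists."""
    risk_id: str
    description: str
    inherent_likelihood: int    # before controls
    inherent_impact: int
    residual_likelihood: int    # after controls, operating effectively
    residual_impact: int
    owner: Optional[str]
    last_reviewed: date
    controls_effective: int     # controls tested and confirmed effective
    controls_total: int

def score(likelihood: int, impact: int) -> int:
    """Rating on the assumed 1-5 x 1-5 matrix; rejects off-scale input."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact

def evaluate(risk: Risk) -> dict:
    """Step 3: dual rating, then compare residual risk with appetite."""
    inherent = score(risk.inherent_likelihood, risk.inherent_impact)
    residual = score(risk.residual_likelihood, risk.residual_impact)
    if residual > inherent:  # controls cannot make a risk worse: data error
        raise ValueError(f"{risk.risk_id}: residual rating exceeds inherent")
    return {"risk_id": risk.risk_id, "inherent": inherent, "residual": residual,
            "treatment_required": residual > APPETITE_THRESHOLD}

def kri_report(register: list, today: date) -> dict:
    """Step 5: three KRIs from the monitoring table with their breach rules."""
    overdue = [r.risk_id for r in register
               if (today - r.last_reviewed).days > REVIEW_SLA_DAYS]
    high = [r for r in register
            if score(r.inherent_likelihood, r.inherent_impact) >= HIGH_RATING]
    owned = sum(1 for r in high if r.owner)
    pct_high_owned = 100.0 if not high else 100.0 * owned / len(high)
    tested = sum(r.controls_effective for r in register)
    total = sum(r.controls_total for r in register)
    pct_controls_ok = 100.0 * tested / total if total else 0.0
    breaches = []
    if overdue:                                   # threshold: zero tolerance
        breaches.append(f"overdue reviews: {', '.join(overdue)}")
    if pct_high_owned < 100.0:                    # threshold: 100%
        breaches.append(f"high-rated risks with owner: {pct_high_owned:.0f}%")
    if pct_controls_ok <= CONTROL_EFFECTIVE_PCT:  # threshold: >85%
        breaches.append(f"controls tested effective: {pct_controls_ok:.0f}%")
    return {"overdue": overdue, "pct_high_owned": pct_high_owned,
            "pct_controls_ok": pct_controls_ok, "breaches": breaches}

# Constructed sample register; ratings, owners and dates are illustrative only.
TODAY = date(2025, 3, 15)
SAMPLE_REGISTER = [
    Risk("R1", "Unmonitored third-party vendor connection", 4, 5, 3, 4,
         None, date(2025, 1, 10), 2, 4),
    Risk("R2", "Credential phishing against finance staff", 3, 4, 2, 3,
         "CISO", date(2025, 3, 1), 3, 3),
    Risk("R3", "Flooding at secondary office", 2, 3, 1, 3,
         "Facilities", date(2025, 2, 20), 1, 1),
]

if __name__ == "__main__":
    print([evaluate(r) for r in SAMPLE_REGISTER])
    print(kri_report(SAMPLE_REGISTER, TODAY)["breaches"])
```

On the sample register R1 is flagged for treatment (residual 12 exceeds the appetite ceiling of 8) and all three KRIs breach: R1 is 64 days unreviewed, only one of the two high-rated risks has an owner, and 6 of 8 controls (75%) tested effective.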
Reporting and Communication in the Risk Management Process
Reporting is what keeps governance alive. Our risk management process produces reporting at three levels: operational reports for process owners (detailed, frequent), management reports for the second line (aggregated, monthly), and board dashboards (material risks, trend analysis, KRI breaches, quarterly).
Board reporting should follow the What / So What / Now What framework: what is the current risk profile, why does it matter strategically, and what decisions are required.
ISO 31000 places communication and consultation not as a final step but as a continuous thread running through every phase of the risk management process.
The people closest to operational risks report them; the people with strategic responsibility act on them. When that two-way flow works, the risk management process becomes self-reinforcing.

Risk Management Process: Your Questions Answered
What are the five steps of the risk management process?
The five steps of the risk management process under ISO 31000:2018 are: (1) establish context and scope, (2) risk identification, (3) risk analysis and evaluation, (4) risk treatment, and (5) monitoring, review, and reporting.
Communication and consultation runs continuously across all five steps of the risk management process. Each step feeds into the next and loops back when new information emerges.
What is the first step in the risk management process?
The first step in the risk management process is establishing the internal and external context. This means defining strategic objectives, stakeholder expectations, regulatory requirements, risk appetite, and the criteria that will be used throughout the risk management process to measure likelihood and impact.
Many organizations skip this step and jump straight to risk identification, which leads to unfocused and inconsistent risk assessments.
What is the difference between inherent and residual risk in the risk management process?
Inherent risk is the level of risk before any controls are applied. Residual risk is what remains after controls are in place and operating effectively.
The risk management process assesses both: inherent risk frames gross exposure, and residual risk determines whether additional treatment is needed. If residual risk still exceeds the organization’s risk appetite, the risk management process requires that the treatment plan be strengthened.
How does ISO 31000 structure the risk management process?
ISO 31000:2018 provides principles, a framework, and a process for managing risk. The risk management process itself consists of five sequential steps with two continuous activities (communication/consultation and monitoring/review).
ISO 31000 does not prescribe a rigid methodology; it establishes guidelines applicable to any organization. The COSO ERM framework complements it by explicitly linking the risk management process to strategy and performance.
What role does the risk register play in the risk management process?
The risk register is the primary working document of the risk management process. It records each identified risk’s description, cause, consequence, inherent rating, controls, residual rating, owner, and treatment status.
Updated continuously and reviewed at governance intervals, the risk register is the operational backbone of the risk management process. A register that is only updated annually is not part of a living risk management process.
How does the risk management process handle risk appetite?
Risk appetite — the amount and type of risk an organization accepts — sets the evaluation threshold in the risk management process. Risks within appetite may be accepted; risks that exceed appetite must be treated.
Risk appetite is a board-level governance decision, informed by the second-line risk function. Without it, the risk management process cannot produce consistent, defensible treatment decisions across business units.
How often should organizations review their risk management process?
ISO 31000 requires review at planned intervals and after significant internal or external changes. In practice, an effective cadence for the five steps of the risk management process is quarterly operational risk register reviews, semi-annual executive reporting, and annual board-level program reviews.
Material risk events or major strategic shifts should trigger ad-hoc reviews of the relevant risk categories within the risk management process.
What is the risk management process in project contexts?
In project risk management, the risk management process follows the same five steps but is bounded by the project lifecycle. Project risk registers are created during planning, updated at phase gates, and reviewed at team meetings.
The primary difference from the enterprise risk management process is time horizon: project risks terminate at project closure, while enterprise risks are ongoing.
Where Risk Management Process Programs Stall — And How to Unstick Them
Most risk management process failures are predictable. Here are the seven traps we see repeatedly, their root causes, and the fixes that work:
| Pitfall | Root Cause | Remedy for the Risk Management Process |
|---|---|---|
| Treating risk identification as annual | Risk management process seen as compliance, not continuous | Quarterly workshops + always-on reporting; embed in project gates and change management |
| Confusing inherent with residual risk | Assessors untrained; no dual-rating in the risk management process template | Mandate dual ratings; train all assessors annually; third-line validates ratings |
| Appetite defined but not enforced | No KRI thresholds or escalation triggers in the risk management process | Quantitative KRI thresholds per risk category; automate breach alerts; board escalation required |
| Ownership without accountability | Risk owner named but not linked to objectives in the risk management process | Tie treatment milestones to performance objectives; quarterly governance reporting on owner status |
| Register mistaken for the process | Organization equates a document with the risk management process | Distinguish register (output) from process (system); audit the process, not just the register |
| Under-communicating with the board | Reporting buried in detail; no decision framing in the risk management process | What / So What / Now What on every board report; top 10 risks only; clear decision asks |
| Neglecting the feedback loop | No post-incident review feeding into the risk management process | Mandatory review for material events; register updated within 5 days; lessons shared cross-function |
The Next Wave: Where the Risk Management Process Is Heading (2026–2028)
The five steps of the risk management process are not static, and the organizations that adapt early will build durable advantage. Three shifts are actively reshaping how we identify, analyze, and treat risk.
AI-Augmented Risk Identification in the Risk Management Process
Machine learning models trained on incident data, financial indicators, and external threat intelligence are already being used by early adopters to surface emerging risks faster than any workshop process can.
Forrester’s 2025 data shows that only 6% of organizations currently use AI in risk identification, while 74% are actively investing in AI capabilities. The organizations that integrate AI into their risk management process now will have a material head start over those that wait.
Climate and ESG Risk Integration in the Risk Management Process
The Task Force on Climate-related Financial Disclosures (TCFD) framework has moved climate risk from a reputational footnote to a board-level financial disclosure obligation in most major jurisdictions.
Organizations are now expected to integrate physical climate risk and transition risk into their core risk management process alongside conventional financial and operational risks. This is not optional in regulated financial services.
Integrated Risk and Resilience in the Risk Management Process
The boundary between enterprise risk management and business continuity management is dissolving. Regulators are requiring organizations to demonstrate not just that risks are identified and treated, but that the organization can absorb and recover from shocks.
The risk management process must connect directly to business impact analysis, BCP testing, and crisis management — a fully integrated resilience architecture. The global ERM software market, projected to reach $9.2 billion by 2027, reflects this convergence.
Ready to build or strengthen your organization’s risk management process? Explore our Risk Management Lifecycle guide, download our Risk Register Template, or visit the complete guide to the risk assessment process. For advisory support on ERM implementation, contact our consulting services team or get in touch directly.
© 2026 riskpublishing.com

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.