In 2023, a mid-sized U.S. manufacturer lost $14 million in a single quarter after a key supplier collapsed without warning. The company had no formal risk assessment process, no supplier concentration monitoring, and no contingency plan.

The company survived, but barely. Six months later, a competitor with a structured risk management program identified the same supplier weakness three months before the collapse, qualified an alternate supplier, and continued operations without disruption. The difference was not luck. It was risk management.

Risk management is one of those disciplines that every organization claims to practice but few execute well. It is not a compliance checkbox or an annual report to the board.

Done properly, it is a continuous process that shapes how an organization makes decisions, allocates resources, and responds to uncertainty.

This guide covers what risk management actually involves, the leading frameworks that structure it (ISO 31000 and COSO ERM), the process from identification through monitoring, response strategies, how to build a plan that works, and the common failures that undermine even well-intentioned programs.

What Is Risk Management?

ISO 31000:2018 defines risk as the “effect of uncertainty on objectives.” That definition is worth sitting with. Risk is not inherently negative.

It is uncertainty, and uncertainty can produce outcomes that are better or worse than expected. Risk management, then, is the coordinated set of activities that an organization uses to direct and control how it deals with uncertainty.

It includes identifying what could go wrong (and what could go right), evaluating how likely and how severe those outcomes might be, deciding what to do about them, and monitoring whether the chosen approach is working.

The goal is not to eliminate risk. That is neither possible nor desirable. Organizations that take no risks do not grow, innovate, or compete.

The goal is to take the right risks at the right level, with full awareness of the potential consequences, and with plans in place when things do not go as expected.

Every strategic decision, from launching a new product to entering a new market to approving a capital investment, involves risk. The question is whether you are managing that risk deliberately or hoping for the best.

For a deeper look at how enterprise risk management extends these principles across an entire organization, see our dedicated guide.

Why Risk Management Matters

The case for risk management is both practical and strategic. On the practical side, organizations with structured risk management programs experience fewer surprises, lower loss severity, and faster recovery when disruptions occur.

According to a 2023 survey by the Risk and Insurance Management Society (RIMS), organizations with mature ERM programs reported 25% lower total cost of risk compared to organizations with ad hoc approaches. That translates directly to the bottom line.

On the strategic side, risk management is about informed decision-making. When leadership understands the risk profile of a proposed initiative, including the range of possible outcomes, the key assumptions, and the downside scenarios, they make better decisions.

They invest with confidence, price risk appropriately, and avoid the kind of catastrophic misjudgments that destroy companies.

Enron, Lehman Brothers, Wirecard, and Silicon Valley Bank all had one thing in common: catastrophic failures of risk governance. The risks were visible. The management and oversight systems were not functioning.

Risk management also supports regulatory compliance. In the United States, publicly traded companies face SEC requirements for risk disclosure, and industry-specific regulators (banking, insurance, healthcare, energy) mandate formal risk management programs.

But compliance should be a byproduct of good risk management, not the primary driver. Organizations that build their risk programs around compliance alone tend to produce checkbox exercises that look good on paper but fail under stress.

Risk Management Frameworks: ISO 31000 and COSO ERM

Two frameworks dominate the risk management landscape globally: ISO 31000 and COSO ERM. Understanding both is essential for building or improving any risk management program. For a detailed comparison, see our article on COSO ERM vs. ISO 31000 risk management standards.

ISO 31000:2018

ISO 31000 is an international standard published by the International Organization for Standardization. It provides principles, a framework, and a process for managing risk.

It is intentionally non-prescriptive: it does not tell you exactly what to do, but provides a structure within which organizations can design their own approach.

According to Central Banking’s 2025 Risk Management Benchmarks, 85.7% of central banks globally use ISO 31000 as a guide. That figure covers a single sector, but it is consistent with ISO 31000’s position as the most widely referenced general-purpose risk management standard.

ISO 31000 is built on three interconnected elements. The eight principles define what effective risk management looks like, with the creation and protection of value as its purpose: it should be integrated into all organizational activities, structured and comprehensive, customized to the organization’s context, inclusive of stakeholder input, dynamic and responsive to change, based on the best available information, attentive to human and cultural factors, and subject to continual improvement.

The framework provides the architecture, with leadership and commitment at its centre: integration of risk management into the organization’s governance, then design, implementation, evaluation, and improvement of the framework itself.

The process is the operational core: communication and consultation; establishing scope, context, and risk criteria; risk assessment (which encompasses identification, analysis, and evaluation); risk treatment; monitoring and review; and recording and reporting. For more on how this process works in practice, see our guide on how to develop an enterprise risk management framework.

COSO ERM: Enterprise Risk Management – Integrating with Strategy and Performance

The COSO ERM framework, updated in 2017, was developed by the Committee of Sponsoring Organizations of the Treadway Commission in partnership with PwC.

It takes a different approach than ISO 31000, focusing specifically on integrating risk management with strategic planning and performance management.

The framework consists of five interrelated components: governance and culture, strategy and objective-setting, performance (risk identification, assessment, and response), review and revision, and information, communication, and reporting. Within these five components, COSO defines 20 principles that describe the specific actions and practices required.

COSO’s strength is its emphasis on connecting risk to strategy. It requires organizations to evaluate risk in the context of their strategic objectives and performance targets, not as a standalone exercise.

This makes it particularly valuable for boards, audit committees, and senior leadership who need to understand how risk affects the achievement of organizational goals. According to TechTarget’s comparison of the two frameworks, many organizations use a hybrid approach, leveraging ISO 31000’s broad principles while applying COSO’s detailed governance and performance components where needed.

Which Framework Should You Use?

The answer depends on your organization’s size, industry, regulatory environment, and risk maturity. ISO 31000 is more flexible and broadly applicable, making it a natural fit for organizations that need a scalable, principles-based approach.

COSO ERM is more structured and governance-focused, making it better suited for organizations with strong internal audit functions, SEC reporting obligations, or a need to closely align risk management with strategic planning.

Many mature organizations use elements of both. The important thing is to adopt a recognized framework and implement it consistently, rather than building something from scratch with no external benchmark.

The Risk Management Process: Step by Step

Regardless of which framework you adopt, the operational process of managing risk follows a consistent lifecycle. ISO 31000 structures this as: communicate and consult; establish scope, context, and criteria; assess risk (identify, analyze, evaluate); treat risk; monitor and review; and record and report. Here is how each step works in practice.

Step 1: Establish Context and Scope

Before you can assess risk, you need to define what you are assessing risk against. This means establishing the internal and external context of the organization (or the specific project, decision, or initiative). What are the strategic objectives?

What is the regulatory environment? What are the key stakeholders and their expectations? What is the organization’s risk appetite, the level of risk it is willing to accept in pursuit of its objectives? (ISO 31000 folds appetite into the broader notion of risk criteria, which also fix how likelihood and consequence will be measured and compared.)

For guidance on defining risk appetite, see our article on risk appetite statements with examples. Without clear context, risk identification becomes a scattershot exercise that generates long lists of risks with no connection to what actually matters.

Step 2: Risk Identification

Risk identification is the process of finding, recognizing, and describing risks. The objective is to generate a comprehensive list of risks that could affect the achievement of objectives, including risks from sources that are not within the organization’s direct control.

Effective identification uses multiple techniques: workshops with cross-functional teams, analysis of historical loss data, review of industry incident databases, process mapping and failure mode analysis, scenario analysis, and stakeholder interviews.

The output of risk identification is a risk register: a structured document that records each identified risk, its causes, potential consequences, existing controls, and the risk owner. A risk register is a living document, not a filing exercise.

It should be updated continuously as new risks emerge and existing risks evolve. For practical guidance on how to structure risk descriptions, see our article on how to describe a risk using the cause-risk-effect format.

Step 3: Risk Analysis

Risk analysis is about understanding the nature, sources, and drivers of each risk, and estimating its likelihood and potential impact. Analysis can be qualitative (using descriptive scales such as low/medium/high), semi-quantitative (assigning numerical scores to qualitative categories), or fully quantitative (using statistical models, probability distributions, and techniques like Monte Carlo simulation).

Most organizations use a combination of qualitative and quantitative approaches. A 5×5 risk matrix (likelihood on one axis, impact on the other) is the most common qualitative tool. Keep in mind that multiplying two ordinal ratings yields a ranking aid, not a measurement: a score of 16 is not “four times” a score of 4, and two risks with the same score can have very different loss profiles.

For high-value or high-consequence decisions, quantitative methods such as scenario-based risk assessment and Monte Carlo simulation provide probability ranges and confidence intervals that qualitative ratings cannot. The right level of analysis depends on the decision being supported, the data available, and the resources justified by the risk’s potential impact.

Step 4: Risk Evaluation

Risk evaluation compares the results of risk analysis against the organization’s risk criteria (risk appetite, tolerance, and thresholds) to determine which risks require treatment and which can be accepted. This is a prioritization exercise.

Not every risk needs a mitigation plan. Some risks are within acceptable limits. Others are so severe that they require immediate action. The evaluation step forces the organization to make explicit decisions about which risks it is willing to live with and which it is not.
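As an added worked example (not from the article, ISO 31000, or COSO), the following Python puts Steps 3 and 4 side by side: a qualitative 5×5 matrix score, a quantitative Monte Carlo estimate of annual loss for a single risk, and an evaluation of both against risk criteria. The ordinal scales, score bands, loss-model parameters and appetite figures are all constructed for illustration; the only modelling machinery is `random.lognormvariate` for individual loss size and a Knuth-style Poisson sampler for event count.

```python
"""Added example: 5x5 scoring, Monte Carlo annual-loss estimate, and evaluation
against risk criteria. All scales, bands, loss parameters and appetite values
are constructed for illustration, not taken from ISO 31000 or COSO."""
import math
import random
import statistics
from dataclasses import dataclass

# Constructed ordinal scales. Matrix score = likelihood x impact, range 1..25.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Constructed risk criteria for the matrix: inclusive score bands -> decision.
BANDS = [(1, 4, "accept"), (5, 9, "monitor"), (10, 15, "treat"), (16, 25, "escalate")]


def matrix_score(likelihood: str, impact: str) -> int:
    """Qualitative score from the two ordinal ratings."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def matrix_band(score: int) -> str:
    """Map a matrix score onto the decision band it falls in."""
    for lo, hi, decision in BANDS:
        if lo <= score <= hi:
            return decision
    raise ValueError(f"score {score} is outside 1..25")


@dataclass(frozen=True)
class QuantRisk:
    """Compound loss model: events per year ~ Poisson(annual_rate);
    each event's loss ~ lognormal with the given median and shape parameter."""
    name: str
    annual_rate: float
    loss_median: float
    loss_sigma: float


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler (the random module has no poissonvariate)."""
    threshold = math.exp(-lam)
    k, p = 0, rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_loss(risk: QuantRisk, trials: int = 20_000, seed: int = 42) -> list[float]:
    """Monte Carlo: one simulated year per trial, summing the losses of all events in it."""
    rng = random.Random(seed)
    mu = math.log(risk.loss_median)
    return [
        sum(rng.lognormvariate(mu, risk.loss_sigma) for _ in range(poisson(rng, risk.annual_rate)))
        for _ in range(trials)
    ]


def summarize(losses: list[float]) -> dict[str, float]:
    """Mean plus nearest-rank percentiles of the simulated annual loss."""
    s = sorted(losses)

    def pct(q: float) -> float:
        return s[min(len(s) - 1, int(q * len(s)))]

    return {"mean": statistics.fmean(s), "p50": pct(0.50), "p95": pct(0.95), "p99": pct(0.99)}


def evaluate_quant(summary: dict[str, float], appetite: dict[str, float]) -> list[str]:
    """Compare the loss distribution with a constructed appetite: a cap on expected
    annual loss and a tolerance for the 1-in-20-year (p95) annual loss."""
    breaches = []
    if summary["mean"] > appetite["expected_loss_cap"]:
        breaches.append("expected annual loss exceeds cap")
    if summary["p95"] > appetite["p95_tolerance"]:
        breaches.append("p95 annual loss exceeds tolerance")
    return breaches


def run_example() -> dict:
    """Constructed single-supplier-failure risk, assessed qualitatively and quantitatively."""
    qualitative = matrix_score("likely", "major")
    risk = QuantRisk("key supplier failure", annual_rate=0.5, loss_median=1_000_000, loss_sigma=1.0)
    summary = summarize(simulate_annual_loss(risk))
    appetite = {"expected_loss_cap": 1_000_000, "p95_tolerance": 2_500_000}  # constructed
    return {
        "matrix_score": qualitative,
        "matrix_decision": matrix_band(qualitative),
        "quant": summary,
        "quant_breaches": evaluate_quant(summary, appetite),
    }


if __name__ == "__main__":
    result = run_example()
    print(f"matrix: {result['matrix_score']} -> {result['matrix_decision']}")
    print({k: round(v) for k, v in result["quant"].items()})
    print("breaches:", result["quant_breaches"])
```

The contrast between the two outputs is the point. With an expected 0.5 events per year, the median simulated year has zero loss, yet the 95th percentile is several million: the mean sits within the constructed appetite while the tail breaches it. A single “likely / major” cell on the matrix cannot express that shape, which is why the article reserves quantitative methods for the decisions where the tail matters.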

Step 5: Risk Treatment (Response Strategies)

Risk treatment is the process of selecting and implementing options to modify risk. ISO 31000 lists the options without imposing a taxonomy (avoiding the activity, taking or increasing risk to pursue an opportunity, removing the risk source, changing the likelihood, changing the consequences, sharing the risk through contracts or insurance, and retaining it by informed decision). In practice, organizations commonly group these into five response strategies.

Avoidance means deciding not to start or continue with the activity that gives rise to the risk. If a proposed expansion into a politically unstable country carries unacceptable risk of asset seizure, the organization avoids the risk by not entering that market.

Reduction (mitigation) means taking actions to reduce either the likelihood of the risk occurring or the severity of its consequences.

Installing fire suppression systems, diversifying supply chains, implementing cybersecurity controls, and conducting employee training are all forms of risk reduction. This is the most common treatment strategy and the one most organizations default to.

Transfer means shifting the financial consequence of the risk to a third party. Insurance is the most common transfer mechanism.

Other examples include outsourcing to a contractor who assumes liability, hedging financial exposures through derivatives, and contractual indemnification clauses. Transfer does not eliminate the risk; it shifts who bears the financial impact, and only to the extent the counterparty actually pays or performs. Policy exclusions, coverage limits, and an insolvent contractor all leave the residual exposure with the organization.

Sharing means distributing the risk among multiple parties. Joint ventures, partnerships, consortiums, and syndicated insurance arrangements are examples of risk sharing. Each party takes a portion of the risk exposure.

Acceptance means acknowledging the risk and choosing to retain it without additional treatment. This is appropriate when the cost of treatment exceeds the expected loss, or when the risk falls within the organization’s stated risk appetite. Acceptance should be a deliberate decision, not a default caused by inaction.

For a deep dive on how these strategies apply in a project context, including risk registers, KRI dashboards, and PMBOK alignment, see our practitioner’s guide to risk mitigation in project management.

Step 6: Monitor, Review, and Report

Risk management is not a one-time exercise. The risk environment changes continuously: new risks emerge, existing risks evolve, controls degrade, and the external environment shifts.

Monitoring and review ensure that the risk management process remains effective. This includes tracking key risk indicators (KRIs) against established thresholds, conducting periodic risk reassessments, testing controls to ensure they are operating as designed, reviewing incidents and near-misses for lessons learned, and reporting risk information to leadership and the board.

Effective risk reporting follows the “What, So What, Now What” structure: what is the risk, what does it mean for the organization, and what action is required. For more on monitoring through leading indicators, see our guide on enterprise risk management key risk indicators.
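As an added example (not from the article), the Python below applies the monitoring logic described above to two constructed KRIs: a traffic-light status against amber and red thresholds, an escalation rule that fires on a red reading or on amber sustained for a set number of periods, and a trend projection that gives the early warning a threshold check alone would miss. The KRI names, thresholds, the two-period sustain rule, the two-period warning horizon and the quarterly readings are all assumptions made for illustration.

```python
"""Added example: evaluate KRI time series against thresholds, flag sustained
breaches for escalation, and project when a worsening trend reaches the red
threshold. KRI names, thresholds and observations are constructed."""
import operator
from dataclasses import dataclass
from statistics import fmean


@dataclass(frozen=True)
class KRI:
    name: str
    amber: float                  # early-warning threshold
    red: float                    # tolerance threshold
    higher_is_worse: bool = True  # False for indicators such as SLA compliance %
    sustained_periods: int = 2    # consecutive amber periods before escalation


def status(kri: KRI, value: float) -> str:
    """Traffic-light status; the comparison direction follows higher_is_worse."""
    worse = operator.ge if kri.higher_is_worse else operator.le
    if worse(value, kri.red):
        return "red"
    if worse(value, kri.amber):
        return "amber"
    return "green"


def slope(values: list[float]) -> float:
    """Least-squares slope per reporting period (x = 0, 1, 2, ...)."""
    n = len(values)
    if n < 2:
        return 0.0
    xbar, ybar = (n - 1) / 2, fmean(values)
    num = sum((x - xbar) * (y - ybar) for x, y in enumerate(values))
    den = sum((x - xbar) ** 2 for x in range(n))
    return num / den


def evaluate_series(kri: KRI, values: list[float], horizon: int = 2) -> dict:
    """Latest status, length of the current non-green streak, escalation decision,
    and (if the trend is worsening) projected periods until red is crossed."""
    statuses = [status(kri, v) for v in values]
    latest = statuses[-1]
    run = 0
    for s in reversed(statuses):  # count back over the consecutive non-green readings
        if s == "green":
            break
        run += 1
    trend = slope(values)
    worsening = (trend > 0) if kri.higher_is_worse else (trend < 0)
    periods_to_red = None
    if worsening and latest != "red":
        # numerator and denominator carry the same sign, so the result is positive
        periods_to_red = (kri.red - values[-1]) / trend
    escalate = latest == "red" or (latest == "amber" and run >= kri.sustained_periods)
    early_warning = periods_to_red is not None and periods_to_red <= horizon
    return {"kri": kri.name, "latest": latest, "run": run, "trend": trend,
            "periods_to_red": periods_to_red, "escalate": escalate,
            "early_warning": early_warning}


# Constructed quarterly readings for two KRIs.
SUPPLIER_CONCENTRATION = KRI("% of spend with single supplier", amber=40, red=50)
PATCH_SLA = KRI("% of critical patches applied within SLA", amber=95, red=90,
                higher_is_worse=False)
OBSERVATIONS = {
    SUPPLIER_CONCENTRATION: [38, 41, 44, 47, 49],
    PATCH_SLA: [99, 97, 96, 94],
}


def run_example() -> list[dict]:
    return [evaluate_series(kri, values) for kri, values in OBSERVATIONS.items()]


if __name__ == "__main__":
    for report in run_example():
        print(report)
```

Supplier concentration has sat in amber for four consecutive quarters and is on course to cross red within the next quarter, so it both escalates and raises an early warning. Patch compliance has only just slipped into amber and is projected to reach red in about two and a half quarters, so it is reported but not yet escalated. Separating the two signals (sustained breach versus projected breach) keeps the “Now What” column honest: one asks for action now, the other for a decision before the next review.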

Building a Risk Management Plan

A risk management plan is the document that operationalizes your risk management program. It translates the chosen framework and process into specific actions, roles, schedules, and deliverables.

A well-structured plan typically includes the scope and objectives of the risk management program, the framework and methodology being applied, roles and responsibilities (including the board, risk committee, risk owners, and the risk management function), risk appetite and tolerance statements, the risk assessment methodology (criteria, scales, tools), a schedule for risk assessments and reviews, reporting requirements and escalation procedures, and integration points with other management systems (strategic planning, budgeting, internal audit, compliance, business continuity).

The plan should be a practical working document, not a shelf piece. Its value is measured by whether it drives consistent action across the organization. For guidance on structuring this document in detail, see our article on how to prepare a risk management plan.

Risk Governance: Roles and the Three Lines Model

Risk management requires clear accountability. The Institute of Internal Auditors’ Three Lines Model (updated in 2020) provides the most widely adopted governance structure.

The first line comprises the operational managers and teams who own and manage risks as part of their day-to-day activities. They are responsible for implementing controls, monitoring risk within their area, and escalating emerging risks.

The second line comprises risk management and compliance functions that provide expertise, frameworks, tools, and oversight. They set the standards, challenge the first line’s risk assessments, and aggregate risk information for leadership reporting.

The third line is internal audit, which provides independent assurance on the effectiveness of both the first and second lines.

The board and senior leadership sit above the three lines. They set the risk appetite, approve the risk management framework, and oversee its implementation. For more on how integrated risk governance improves organizational performance, see our article on risk management integration.

Risk Management and Business Continuity

Risk management and business continuity management (BCM) are closely related but distinct disciplines. Risk management focuses on identifying and treating risks before they materialize.

Business continuity management focuses on ensuring the organization can continue operating when a disruption occurs, regardless of its cause.

The two disciplines share the risk assessment process: the risks identified in your ERM program feed directly into your business impact analysis (BIA) and business continuity planning.

ISO 22301, the international standard for business continuity management systems, aligns naturally with ISO 31000. Organizations that integrate both standards create a continuous loop: risk management identifies and reduces threats, while business continuity planning ensures the organization can survive and recover from the threats that slip through. For a practical walkthrough, see our guide on business continuity plan risk assessment.

Common Mistakes That Undermine Risk Management

Treating risk management as a compliance exercise. When the primary motivation is satisfying a regulator or passing an audit, the program produces paperwork instead of insight.

Risk registers fill up with boilerplate descriptions, assessments use arbitrary scores, and no one changes their behavior based on the results. Compliance should be a byproduct of good risk management, not its purpose.

Focusing only on downside risk. Both ISO 31000 and COSO ERM explicitly recognize that risk includes upside opportunity. Organizations that only catalog threats miss the other half of the equation: the risks worth taking.

A risk management program that makes the organization overly cautious is failing, just as much as one that allows reckless exposure.

Disconnecting risk management from decision-making. If the risk register is not referenced when strategic decisions are made, it is not serving its purpose. Risk information must flow into the decisions where it matters: investment approvals, project gate reviews, budget allocations, and strategic planning cycles.

Using a one-size-fits-all approach. Not every risk requires the same depth of analysis. Applying a full quantitative assessment to a low-impact operational risk wastes resources. Applying only a high-level qualitative rating to a bet-the-company strategic decision is negligent. Match the rigor of your analysis to the significance of the decision.

Failing to assign risk ownership. A risk without an owner is a risk that no one is managing. Every risk on the register needs a named individual (not a department) who is accountable for monitoring that risk and implementing the agreed treatment plan.

Neglecting to update. Risk registers and assessments that are updated once a year are already stale by the time they are completed. Effective risk management requires continuous monitoring and event-driven reassessment. When the operating environment changes, the risk profile changes with it.

Emerging Trends in Risk Management

Risk management is evolving rapidly. Several trends are reshaping how organizations identify, assess, and respond to risk. Artificial intelligence and machine learning are automating elements of risk identification and monitoring.

Natural language processing can scan internal reports, news feeds, and regulatory filings to detect emerging risks. Predictive models can identify patterns in operational data that signal increasing risk before an incident occurs.

These tools do not replace human judgment, but they dramatically expand the speed and coverage of risk monitoring.

Governance, risk, and compliance (GRC) platforms are consolidating risk management workflows into integrated systems that connect risk registers, control testing, incident tracking, compliance monitoring, and board reporting.

These platforms improve consistency and reduce the manual effort required to maintain a risk management program. For a discussion of how cybersecurity integrates with enterprise risk management, see our article on enterprise risk management and cyber security.

Environmental, social, and governance (ESG) risk is increasingly material for organizations of all sizes. Climate risk, supply chain human rights risk, and governance transparency are moving from voluntary disclosure to regulatory mandate.

The SEC’s climate disclosure rules and the EU’s Corporate Sustainability Reporting Directive are examples of this trend, though neither has had a smooth path: the SEC rules adopted in 2024 were stayed by litigation and the Commission withdrew its defense of them in 2025, and the EU has since moved to narrow the CSRD’s scope and timeline. Organizations that integrate ESG risk into their existing ERM programs will be better positioned than those that treat ESG as a separate reporting exercise, whatever the final shape of the mandates.

Getting Started: Practical Steps for Implementation

Step 1: Secure leadership commitment. Risk management programs that lack visible support from the CEO and the board will struggle to gain traction. Leadership sets the tone, approves the risk appetite, and models risk-aware decision-making.

Step 2: Adopt a recognized framework. Choose ISO 31000, COSO ERM, or a hybrid. Do not build a proprietary framework from scratch unless you have very specific needs that no existing standard addresses.

Step 3: Define your risk appetite. This is the most important and most frequently skipped step. Without a clear risk appetite, there is no basis for deciding which risks to accept and which to treat.

Step 4: Conduct an initial risk assessment. Identify the risks that matter most to your organization’s objectives. Focus on the top 15 to 20 risks initially, rather than trying to catalog everything. Depth is more valuable than breadth at this stage. For a structured approach, see our eight steps for conducting a project risk assessment.

Step 5: Assign risk owners and treatment plans. Every material risk needs an owner, a treatment strategy, a timeline, and success criteria. Document these in your risk register.

Step 6: Establish monitoring and reporting. Define KRIs and thresholds for your top risks. Set a reporting cadence to leadership and the board. Use the “What, So What, Now What” format. For KRI design guidance, see our article on key risk indicators with examples.

Step 7: Review and improve continuously. Schedule formal reviews at least quarterly. Conduct event-driven reassessments when the environment changes. Test your business continuity plans annually. Mature your program incrementally; do not try to implement a world-class ERM program overnight.

The Bottom Line

Risk management is not a department, a form, or an annual exercise. It is a discipline that, when practiced well, changes how an organization thinks, decides, and operates. The organizations that manage risk effectively are not risk-averse.

They are risk-aware. They take risks deliberately, with open eyes, structured analysis, and contingency plans. They use frameworks like ISO 31000 and COSO ERM not as compliance artifacts but as operating systems for navigating uncertainty.

The cost of not managing risk is always higher than the cost of managing it. The question is whether you pay that cost proactively through investment in risk management capabilities, or reactively through losses, regulatory penalties, reputational damage, and missed opportunities. The choice is yours, but the evidence is clear.

Looking for more practical risk management guidance? Explore riskpublishing.com for actionable frameworks on enterprise risk management, business continuity management, and project risk management that you can implement today.

Sources and Further Reading

1. ISO 31000:2018, Risk Management – Guidelines: iso.org

2. COSO, Enterprise Risk Management – Integrating with Strategy and Performance (2017): coso.org

3. TechTarget, ISO 31000 vs. COSO: Comparing Risk Management Standards: techtarget.com

4. Central Banking, Risk Management Benchmarks 2025: centralbanking.com

5. Wolters Kluwer, Risk Management Principles – Understanding ISO 31000 and COSO ERM: wolterskluwer.com

6. The IIA, The Three Lines Model (2020): theiia.org
