| Key Takeaways |
| --- |
| The risk management process is a structured, five-step method for identifying, analysing, evaluating, treating, and monitoring risks. ISO 31000:2018 provides the definitive framework, applicable to any organisation regardless of size, sector, or risk type. |
| Only 35% of organisations have complete risk management processes in place, yet 61% of executives acknowledge that risk complexity has increased substantially (AICPA/NC State 2025). The gap between recognising risk and systematically managing it is the central challenge. |
| Risk identification uses multiple techniques in combination: brainstorming, SWOT, checklists, process mapping, expert interviews, and scenario analysis. Every risk should be documented using the cause-event-consequence structure in the risk register. |
| Risk analysis can be qualitative (descriptive scales), semi-quantitative (scored matrices), or quantitative (Monte Carlo simulation, loss distributions). The right method depends on data availability, risk materiality, and decision requirements. |
| Risk treatment is a deliberate decision, not a default action. ISO 31000 defines four options: avoid, reduce (modify), transfer (share), and accept (retain). Selection depends on residual risk vs appetite, cost-benefit analysis, and control feasibility. |
| Monitoring closes the loop through KRIs with RAG thresholds, quarterly risk register reviews, and annual framework assessments. Without monitoring, the process becomes a one-time exercise rather than a management system. |
Nearly 75% of enterprises experienced at least one critical risk event in the past year, with cyberattacks and IT failures accounting for the majority of critical events globally (Forrester 2025).
Yet only 35% of organisations report having complete enterprise risk management processes in place, and only 11% view risk management as a strategic tool that delivers competitive advantage (AICPA/NC State 2025).

Figure 1: The risk management maturity gap. 61% of executives see rising risk complexity, but only 35% have complete processes and 11% see strategic value (AICPA/NC State 2025).
The gap exists not because risk management is complex in theory, but because organisations struggle to execute a disciplined, repeatable process.
This guide walks through each of the five steps as defined by ISO 31000:2018, with worked examples, decision tools, technique comparisons, and a 90-day implementation roadmap.
The process applies to every risk type—strategic, operational, financial, compliance, cyber—and every organisational context.
The Five Steps at a Glance

Figure 2: The five-step risk management process (ISO 31000:2018, Clause 6) with communication & consultation running as a continuous parallel activity.
Before diving into individual steps, a critical design principle: the process is iterative, not linear. Step 5 (monitoring) feeds back into Step 1 (identification) as conditions change.
Two parallel activities—communication and consultation, and recording and reporting—run continuously alongside all five steps. See the risk management lifecycle guide for a deeper treatment of the cycle’s architectural principles.
Step 1: Risk Identification
Risk identification answers one question: what can go wrong? The goal is comprehensive coverage, not perfection. Missing a material risk at this stage means it will not be analysed, evaluated, or treated—a gap that no subsequent step can compensate for.
Use the cause-event-consequence structure for every risk entry: “Because of [cause], [risk event] may occur, which would lead to [consequence on objective].”
This structure forces specificity and prevents vague entries like “market risk” that are too generic to assess. Every identified risk goes into the risk register with a unique ID, owner, description, and date identified.
Risk Identification Techniques

Figure 3: Risk identification techniques mapped by effectiveness vs implementation effort. Scenario analysis and brainstorming deliver highest value.
| Technique | Effort | Best For | Output | When to Use |
| --- | --- | --- | --- | --- |
| Brainstorming workshops | Low | Broad risk discovery across teams | Initial risk list (50–200 risks) | Project kick-off; annual refresh |
| SWOT analysis | Low | Strategic risks; competitive positioning | Risk-opportunity pairs | Strategic planning cycle |
| Checklist review | Low | Compliance; industry-standard risks | Gap analysis against standards | Regulatory change; new market entry |
| Process mapping | High | Operational risks; control gaps | End-to-end process risk inventory | Process redesign; RCSA |
| Expert interviews | Medium | Specialist/technical risks | Deep-dive on specific risk domains | Complex technologies; M&A due diligence |
| Pre-mortem analysis | Low | Project risks; cognitive debiasing | Failure mode catalogue | Before major decisions or launches |
| Historical data review | Medium | Recurring risks; loss trends | Pattern analysis from past incidents | Established operations with loss data |
| Scenario analysis | High | Emerging, strategic, and tail risks | Plausible future state narratives | Board strategy sessions; stress testing |
Combine multiple techniques to avoid blind spots.
A brainstorming workshop captures breadth; expert interviews add depth; historical data grounds the assessment in evidence. The RCSA process formalises this for operational risk by engaging first-line process owners in structured self-assessment.
Step 2: Risk Analysis
Risk analysis answers: how bad could it be, and how likely is it? The step involves assessing both the likelihood of the risk event occurring and its potential impact on objectives.
ISO 31000 also requires assessing existing controls: are they designed to address the risk? Are they operating effectively?

Figure 4: Qualitative vs quantitative risk analysis methods. Most organisations start qualitative, then add quantitative for material financial risks.
| Dimension | Qualitative | Semi-Quantitative | Quantitative |
| --- | --- | --- | --- |
| Data requirement | Low (expert judgement) | Medium (scored scales) | High (statistical distributions) |
| Speed | Fast (hours) | Medium (days) | Slow (weeks) |
| Output format | High / Medium / Low | Numerical scores (1–25) | Probability distributions; VaR; expected loss |
| Best for | Initial screening; broad portfolio | Risk register prioritisation; board reporting | Material financial risks; capital allocation |
| Standards alignment | ISO 31000 (all); COSO ERM | Risk matrix (ISO/IEC 31010) | Basel III SMA; Monte Carlo (ISO/IEC 31010) |
| Limitation | Subjective; inconsistent across assessors | Ambiguous middle scores; false precision | GIGO; requires statistical expertise |
| Typical tools | Facilitated workshops; Delphi method | 5×5 risk matrix; risk scoring templates | Monte Carlo simulation; bow-tie analysis |
Most organisations operate at the semi-quantitative level: a 5×5 risk matrix scoring likelihood and impact on ordinal scales.
Add quantitative methods (Monte Carlo, scenario analysis, loss distribution approaches) for your top 10–20 material risks where financial impact justifies the analytical investment.
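An added example (not the article's own material) of the quantitative column in the table above: a loss distribution approach with Poisson event frequency and lognormal severity, run as a Monte Carlo simulation to produce expected loss and VaR for one register entry. The frequency and severity parameters are constructed inputs, which is where the table's GIGO limitation applies: the output is only as good as the calibration behind them.

```python
import math
import random

def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method for the annual event count; adequate for the small rates typical of a register."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate_annual_loss(rng: random.Random, freq_lambda: float, sev_median: float,
                         sev_sigma: float, trials: int) -> list:
    """Loss distribution approach: Poisson frequency x lognormal severity, summed per simulated year."""
    mu = math.log(sev_median)  # lognormal parameterised by its median
    losses = []
    for _ in range(trials):
        n_events = poisson(rng, freq_lambda)
        losses.append(sum(rng.lognormvariate(mu, sev_sigma) for _ in range(n_events)))
    return losses

def summarise(losses: list) -> dict:
    """Expected loss plus VaR at 95% and 99% (empirical percentiles of the simulated years)."""
    s = sorted(losses)
    n = len(s)

    def pct(q: float) -> float:
        return s[min(n - 1, int(q * n))]

    return {"expected_loss": sum(s) / n, "var_95": pct(0.95), "var_99": pct(0.99),
            "p_no_loss": s.count(0.0) / n}

def theoretical_expected_loss(freq_lambda: float, sev_median: float, sev_sigma: float) -> float:
    """Closed form to sanity-check the simulation: lambda x E[severity], E[lognormal] = median x exp(sigma^2/2)."""
    return freq_lambda * sev_median * math.exp(sev_sigma ** 2 / 2)

def run_example(seed: int = 31000, trials: int = 20_000) -> dict:
    """Constructed inputs for one register entry (e.g. R3, supplier delay): about 2 events a year,
    median loss 50,000, sigma 1.0 (heavy right tail). Fixed seed so the run is reproducible."""
    rng = random.Random(seed)
    stats = summarise(simulate_annual_loss(rng, 2.0, 50_000, 1.0, trials))
    stats["theoretical_expected_loss"] = theoretical_expected_loss(2.0, 50_000, 1.0)
    return stats

if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name:>26}: {value:,.2f}")
```

The gap between var_99 and expected_loss is the tail that a heatmap score cannot express; it is the number that drives the transfer-vs-reduce choice in Step 4.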
Step 3: Risk Evaluation
Risk evaluation is the decision point in the process. Compare analysed risk levels against the risk criteria established before identification began. The decision logic: residual risk exceeds appetite → treat. Residual risk within appetite → accept and monitor. Residual risk borderline → further analysis or escalation.

Figure 5: 5×5 risk evaluation matrix with example risks plotted. Stars mark R1 (cyber breach), R2 (key person loss), R3 (supplier delay), and R4 (regulatory fine).
| Risk Zone | Score Range | Action Required | Reporting Frequency | Escalation Level |
| --- | --- | --- | --- | --- |
| Critical | 17–25 | Immediate treatment; board notification within 24hrs | Weekly until reduced | Board / CEO |
| High | 10–16 | Treatment plan within 30 days; named owner | Monthly | CRO / Risk Committee |
| Medium | 5–9 | Treatment or acceptance decision; document rationale | Quarterly | Business unit head |
| Low | 1–4 | Accept; include in monitoring cycle; no active treatment | Semi-annually | Risk function |
Evaluation must also consider risk interdependencies. Two medium-rated risks triggered by the same cause (e.g., both dependent on a single supplier) may together create high combined exposure.
Clustering and aggregation analysis prevents the problem where individually acceptable risks collectively overwhelm the organisation.
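The scoring bands, the appetite comparison and the shared-cause aggregation described above, worked as an added example in Python (not code from the article or from Risk Publishing); its register entries also use the Step 1 cause-event-consequence structure. The appetite of 9, the one-point borderline band and the aggregation rule (a shared cause fires once, so likelihood is the maximum while impacts add and cap at 5) are assumptions, and the register entries are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
# Zone bands from the evaluation table: score = likelihood x impact, each on a 1-5 scale.
ZONES = [(17, 25, "Critical"), (10, 16, "High"), (5, 9, "Medium"), (1, 4, "Low")]

@dataclass
class Risk:
    """One register entry in cause-event-consequence form (Step 1); scores are residual, 1-5."""
    risk_id: str
    cause: str
    event: str
    consequence: str
    likelihood: int
    impact: int

    def score(self) -> int:
        return self.likelihood * self.impact

    def statement(self) -> str:
        return f"Because of {self.cause}, {self.event} may occur, which would lead to {self.consequence}."

def zone_for(score: int) -> str:
    for low, high, name in ZONES:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside the 1-25 matrix")

def evaluate(risk: Risk, appetite: int, band: int = 1) -> str:
    """Step 3 decision logic; `band` (an assumed width) defines the borderline zone around appetite."""
    s = risk.score()
    if s > appetite + band:
        return "treat"       # residual risk exceeds appetite
    if s > appetite - band:
        return "escalate"    # borderline: further analysis or escalation
    return "accept"          # within appetite: accept and monitor

def aggregate_by_cause(risks: list) -> dict:
    """Shared-cause clustering (assumed rule): the cause fires once, so likelihood = max; impacts add, capped at 5."""
    groups = defaultdict(list)
    for r in risks:
        groups[r.cause].append(r)
    combined = {}
    for cause, rs in groups.items():
        if len(rs) > 1:
            lik, imp = max(r.likelihood for r in rs), min(5, sum(r.impact for r in rs))
            combined[cause] = {"risks": [r.risk_id for r in rs], "score": lik * imp, "zone": zone_for(lik * imp)}
    return combined

def sample_register() -> list:
    """Constructed entries: R1 and R3 follow the figure's labels; R5 is added to show a shared cause."""
    return [
        Risk("R1", "unpatched internet-facing systems", "a cyber breach", "loss of customer data", 4, 5),
        Risk("R3", "a single-source supplier", "a supplier delay", "missed delivery dates", 3, 2),
        Risk("R5", "a single-source supplier", "a component quality defect", "product recalls", 3, 3),
    ]
```

R3 and R5 are both Medium on their own and R3 is accepted outright, yet `aggregate_by_cause` rates the supplier cluster High, which is the case the evaluation step must catch.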
Step 4: Risk Treatment
Treatment converts analysis into action. ISO 31000 defines four treatment options. The selection depends on residual risk vs appetite, feasibility, and cost-benefit analysis.

Figure 6: Risk treatment decision logic. Selection depends on residual risk relative to appetite, control feasibility, and cost-benefit.
| Option | Action | When to Select | Example | Key Metric |
| --- | --- | --- | --- | --- |
| Avoid | Eliminate the risk source or activity | Risk far exceeds appetite; no feasible controls | Cancel product launch in sanctioned jurisdiction | N/A (risk eliminated) |
| Reduce | Implement or improve controls to lower likelihood or impact | Controls are feasible and cost-effective; risk can be brought within appetite | Add dual-authorisation for payments >$50K; deploy endpoint detection | Residual risk score post-control |
| Transfer | Shift financial consequence to a third party | Impact is high but insurable; risk cannot be reduced by controls alone | Purchase cyber insurance; hedge FX exposure; outsource to specialist | Premium/fee vs retained deductible |
| Accept | Acknowledge and monitor without active treatment | Risk is within appetite; treatment cost exceeds potential benefit | Accept currency fluctuation <2% of revenue; tolerate minor process delays | Monitoring cost only |
Every treatment decision must be documented in the risk register with: the selected option, the rationale, the action owner, the deadline, evidence of implementation, and the expected residual risk after treatment.
The Three Lines Model assigns accountability: first line implements controls, second line validates design, third line (internal audit) provides independent assurance.
Step 5: Monitor and Review
Monitoring closes the loop. Without this step, the risk register becomes a historical document. Key Risk Indicators with green/amber/red thresholds provide the early warning system.
Risk register reviews (quarterly minimum) catch emerging risks and reassess existing ones. Framework reviews (annually) evaluate whether the process itself is working.
| Monitoring Activity | Frequency | Owner | Output |
| --- | --- | --- | --- |
| KRI dashboard review | Monthly | Risk function (2nd line) | RAG status; threshold breach alerts; trend analysis |
| Risk register refresh | Quarterly | Business units (1st line) + risk function | Updated scores; new risks added; closed risks archived |
| Treatment action tracking | Monthly | Action owners (1st line) | % actions on track; overdue items escalated |
| Loss and incident review | Quarterly | Risk function | Loss trends; root cause analysis; control gap identification |
| Framework effectiveness review | Annually | CRO / Risk Committee | Process maturity assessment; improvement plan for next cycle |
| Board risk report | Quarterly | CRO | Top-10 risk dashboard; emerging risks; treatment progress; KRI trends |
Effective monitoring recalibrates the process continuously. A KRI that stays green for four quarters is either well-controlled (validate with testing) or poorly calibrated (tighten the threshold).
A risk that stays red after treatment is either accepted at elevated level (document board approval) or indicates control failure (escalate). See leading vs lagging KRI analysis for threshold design guidance.
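The two recalibration rules above, as an added example (not from the article): RAG thresholds classify each reading, and the review flags an indicator that has stayed green for four periods or has stayed red since a treatment action completed. The indicator names, thresholds and readings are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class KRI:
    name: str
    amber: float                 # first threshold crossed
    red: float                   # second threshold crossed
    higher_is_worse: bool = True # False for indicators such as "% actions on track"
    readings: list = field(default_factory=list)  # one value per review period (quarterly here)

def rag(kri: KRI, value: float) -> str:
    """Map a reading to green/amber/red against the KRI's thresholds, whichever direction is adverse."""
    sign = 1 if kri.higher_is_worse else -1
    if sign * value >= sign * kri.red:
        return "red"
    if sign * value >= sign * kri.amber:
        return "amber"
    return "green"

def review(kri: KRI, treated_from: Optional[int] = None, quiet_periods: int = 4) -> dict:
    """Apply the Step 5 recalibration rules to the reading history.
    treated_from: index of the first reading after a treatment action completed (None if untreated)."""
    history = [rag(kri, v) for v in kri.readings]
    actions = []
    if len(history) >= quiet_periods and all(s == "green" for s in history[-quiet_periods:]):
        actions.append(f"green for {quiet_periods} periods: validate control by testing or tighten threshold")
    if treated_from is not None and history[treated_from:] and all(s == "red" for s in history[treated_from:]):
        actions.append("red after treatment: escalate as control failure or document board acceptance")
    return {"kri": kri.name, "status": history[-1] if history else None, "history": history, "actions": actions}

def sample_kris() -> list:
    """Constructed indicators and readings, not taken from the article."""
    return [
        KRI("critical patches overdue >30 days", amber=5, red=15, readings=[2, 3, 1, 2]),
        KRI("phishing simulation click rate %", amber=5, red=10, readings=[12, 11, 13, 12]),
        KRI("treatment actions on track %", amber=80, red=60, higher_is_worse=False, readings=[92, 85, 75]),
    ]
```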
Standards Comparison: ISO 31000 vs COSO ERM vs NIST
Three major frameworks structure the risk management process. ISO 31000 provides the most universally applicable process; COSO ERM integrates risk with strategy and governance; NIST frameworks (CSF, AI RMF) address specific domains.
| Dimension | ISO 31000:2018 | COSO ERM (2017) | NIST Frameworks |
| --- | --- | --- | --- |
| Process steps | 5 steps + 2 parallel activities | 5 components, 20 principles | Domain-specific (CSF: 6 functions; AI RMF: 4 functions) |
| Scope | Any risk, any sector, any size | Enterprise-level; board and C-suite focus | Cybersecurity (CSF); AI (AI RMF); privacy (PF) |
| Certifiable? | No (guidelines) | No (framework) | No, but NIST CSF maps to auditable controls |
| Best for | Organisations wanting a universal, flexible process | Organisations integrating risk with strategy | Organisations needing cyber/AI/privacy-specific process |
| Process emphasis | Analytical rigour in assessment steps | Governance and culture as foundation | Technical control identification and implementation |
| Complementary use | Pair with COSO for governance + NIST for domain specifics | Pair with ISO 31000 for analytical process | Pair with ISO 31000/COSO for enterprise-level integration |
Implementation Roadmap
Deploying a functioning risk management process in 90 days requires structured phasing. The roadmap assumes executive sponsorship, a risk lead, and access to business unit stakeholders.

Figure 7: 90-day phased implementation from foundation through assessment to live operations.
| Phase | Actions | Deliverables | Success Metrics |
| --- | --- | --- | --- |
| Days 1–30: Foundation | Establish governance (risk policy, committee, RACI); define risk appetite, tolerance, and criteria; build likelihood/impact scales with descriptions; select 2–3 pilot business units | Board-approved risk policy; risk appetite statement; calibrated 5×5 scales; pilot scope document | Policy signed in 30 days; scales tested against 10+ historical incidents |
| Days 31–60: Assessment | Run identification workshops for pilots (brainstorming + checklist); populate risk register; analyse top risks (qualitative + top-5 quantitative); evaluate against appetite; assign treatments | Populated register with 50+ risks; inherent and residual scores; treatment plans for top 10; assessment summary report | Register >90% complete for pilots; top-10 risks have named owners and deadlines |
| Days 61–90: Operations | Launch KRI dashboard (8–12 indicators per unit); deliver first risk report to board; start quarterly review cadence; plan rollout to remaining units; schedule annual framework review | Live KRI dashboard; first board risk report; quarterly calendar; full rollout plan with timeline | Dashboard live monthly; >80% of high-risk treatments on track; board formally accepts first report |
Pitfalls and How to Avoid Them
| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Process runs once, then files away | Treated as a project, not a system; no monitoring cadence | Embed quarterly reviews into governance calendar; assign refresh accountability |
| Risk register has 200+ entries | Every concern logged without materiality filter; no archiving | Apply threshold: only risks scoring ≥6 enter the active register; archive stable-green risks quarterly |
| Identification misses strategic risks | Workshops dominated by operational staff; no C-suite input | Run separate strategic risk workshop with leadership; use pre-mortem and scenario techniques |
| Analysis defaults to heatmap-only | No quantitative capability; “medium” scores pile up | Add quantitative analysis for top-10 financial risks; use scenario analysis for emerging risks |
| Treatment plans have no owners | Risks assigned to functions, not individuals | Every action needs a named person, a due date, and closure evidence |
| Process disconnected from decisions | Risk reports go to compliance, not to strategy meetings | Map top-10 risks to strategic objectives; include in board strategy agenda, not just risk committee |
Looking Ahead: Process Trends for 2026–2028
AI is embedding into every step of the process. Identification uses NLP for horizon scanning across news, regulatory feeds, and internal incident data. Analysis uses ML-based loss prediction and automated scenario generation.
Monitoring uses real-time anomaly detection to replace monthly dashboard reviews. The EU AI Act (August 2026 for high-risk systems) means the process must now assess AI itself as a risk source, using frameworks like the NIST AI Risk Management Framework.
Operational resilience is reshaping Step 4 (treatment). Under DORA and the UK PRA’s framework, firms must demonstrate they can maintain critical services during disruption. Treatment planning now includes impact tolerance testing and recovery playbooks, not just probability-reduction controls.
The global risk management software market ($15.4 billion in 2024, projected to $52 billion by 2033) reflects demand for tools that make the five-step process faster, more connected, and more data-driven.
Integrated GRC platforms that unify identification, assessment, monitoring, and reporting in a single data layer are replacing siloed spreadsheets. The process itself is stable; the speed and quality at which organisations execute it is what’s changing.
Implement the five-step process with confidence. Risk Publishing provides frameworks, templates, and consulting for risk assessment, risk register design, KRI dashboards, and ISO 31000 implementation. Visit riskpublishing.com/services or contact us.
References
1. ISO 31000:2018 — Risk Management Guidelines
2. ISO/IEC 31010:2019 — Risk Assessment Techniques
3. AICPA/NC State — 2025 State of Risk Oversight (16th Edition)
4. COSO — Enterprise Risk Management Framework (2017)
5. Forrester — The State of Enterprise Risk Management 2025
6. IIA — The Three Lines Model (2020)
7. Baker Tilly/IIA Foundation — Enhanced ERM and Strategic Decision-Making (2025)
8. Grand View Research — Risk Management Software Market (2024–2033)
9. NIST — AI Risk Management Framework (AI RMF 1.0)
10. Secureframe — 50+ Risk Management Statistics 2026
11. Aon — 2025 Global Risk Management Survey
12. Diligent — Enterprise Risk Management Trends 2026
13. Hiscox — Cyber Readiness Report 2025
14. PwC — Pulse Survey May 2025
15. Verizon — 2025 Data Breach Investigations Report

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
