The risk management process is the operational backbone of any enterprise risk management program. It is the repeatable, structured sequence of activities through which organizations identify what could go wrong, determine how serious it could be, decide what to do about it, and then verify that their decisions are working.

ISO 31000:2018 defines this process as the “systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording and reporting risk.”

In practice, most organizations distill this into five core steps: risk identification, risk analysis, risk evaluation, risk treatment, and monitoring and review (ISO – ISO 31000:2018 Risk Management Guidelines).

The numbers make the case for getting this process right. Forrester’s 2025 Business Risk Survey found that nearly 75 percent of enterprises experienced at least one critical risk event in the past year, with cyberattacks and IT failures accounting for most of those events.

Firms without board-level ERM visibility were 20 percent more likely to suffer six or more critical events (Secureframe – 50+ Risk Management Statistics 2026). Meanwhile, AICPA and NC State University’s 2025 State of Risk Oversight report found that only 35 percent of financial leaders report having comprehensive ERM processes in place.

This guide walks through each of the five steps with practical detail: what happens in each step, what tools and techniques apply, what the outputs are, and how the steps connect. For a broader overview of risk management frameworks, see our guide on what is the risk management process.

Before the Five Steps: Establishing Context

ISO 31000 positions “establishing the context” as a prerequisite that shapes how the entire five-step process operates.

Context setting involves defining the scope of the risk management activity (are you assessing a single project, a department, or the entire organization?), understanding the external environment (regulatory requirements, market conditions, stakeholder expectations), and understanding the internal environment (organizational culture, governance structure, risk appetite, available resources).

Context also includes defining risk criteria: the standards against which you will judge whether a risk is acceptable or not. These criteria flow from your organization’s risk appetite and risk tolerance statements.

Without clearly defined criteria, the evaluation step later in the process becomes subjective and inconsistent.

Riskonnect’s analysis of ISO 31000 emphasizes that organizations should resist the urge to dive directly into risk assessment without first spending time establishing a robust framework, because the framework provides the stability needed to sustain a program rather than just execute a one-time project (Riskonnect – The Basics of ISO 31000).

Communication and consultation run throughout all five steps. ISO 31000 treats these as continuous activities, not separate steps.

Every risk identification workshop, every analysis discussion, every treatment decision, and every monitoring report involves communication with stakeholders. For guidance on structuring the governance layer around this process, see our article on key components of a risk management policy.

Step 1: Risk Identification

Risk identification answers the question: what could affect our ability to achieve our objectives? The goal is to build a comprehensive inventory of risks, including their sources, causes, events, and potential consequences.

ISO 31000 specifies that organizations should identify risk sources, areas of impact, events and their causes, and potential consequences (PECB – ISO 31000 Risk Management Principles and Guidelines).

What You Identify

Each risk should be expressed in terms of cause, event, and consequence. A common structure is: “Because of [cause], [risk event] may occur, which would lead to [consequence].”

For example: “Because of inadequate backup power testing (cause), a generator failure during a grid outage (event) may occur, which would lead to 12 hours of production downtime and approximately $450,000 in lost revenue (consequence).”

This level of specificity prevents vague entries like “power failure” from cluttering the risk register. For detailed guidance on writing risk descriptions, see our article on risk description examples.

Techniques and Tools

Brainstorming and workshops. Structured sessions with cross-functional teams are the most common starting point. The value comes from diverse perspectives: operations staff see risks that finance staff miss, and vice versa.

Use a skilled facilitator who understands risk management terminology and can push participants beyond obvious risks.

SWOT analysis (Strengths, Weaknesses, Opportunities, Threats). Useful for strategic risk identification, particularly at the beginning of a planning cycle. Weaknesses and threats translate directly into risk statements.

Checklists and historical data. Industry-specific risk checklists, incident databases, audit findings, and lessons-learned registers from previous projects or disruptions. These prevent the team from overlooking risks that have materialized before.

Process mapping and flowcharting. Walking through business processes step by step to identify where failures, delays, or errors could occur. Particularly effective for operational risk identification.

Scenario analysis. Developing plausible future scenarios (economic downturn, cyberattack, supply chain disruption, regulatory change) and identifying the risks that would emerge in each scenario. This technique surfaces risks that brainstorming alone might miss.

Output

The primary output is a risk register documenting each identified risk with its cause-event-consequence structure, risk owner, date identified, and initial categorization.

Risk categories typically include strategic, financial, operational, compliance, and reputational risks. For guidance on building an effective risk register, see our article on key elements of a risk register.

Step 2: Risk Analysis

Risk analysis develops an understanding of each identified risk. ISO 31000 states that risk analysis involves consideration of the causes and sources, their positive and negative consequences, and the likelihood that those consequences will occur, given existing controls. The purpose is to generate inputs for risk evaluation and for decisions about whether and how risks need to be treated.

Qualitative Analysis

Qualitative analysis uses descriptive scales (such as low, medium, high, or critical) to assess likelihood and impact. It is faster, requires fewer data inputs, and works well for risks that are difficult to quantify precisely. The standard tool is a likelihood-impact matrix (often called a risk matrix or risk heatmap), which plots each risk on a grid to produce a risk rating.

A typical 5×5 matrix uses likelihood categories from Rare to Almost Certain and impact categories from Negligible to Catastrophic. The intersection produces a risk score. For example, a risk rated “Likely” likelihood and “Major” impact might score 20 on a 25-point scale, placing it in the critical zone.

Quantitative Analysis

Quantitative analysis assigns numerical values to likelihood (probability) and impact (financial loss, duration, or other measurable units). This approach is essential for financial risks, large capital investments, and any situation where decision-makers need to compare risk costs against treatment costs in dollar terms.

Monte Carlo simulation. Runs thousands of scenarios using probability distributions for key variables to produce a range of possible outcomes with confidence intervals. Particularly valuable for project cost and schedule risk, investment portfolio risk, and financial forecasting.

For example, a Monte Carlo analysis of a construction project might show a 90 percent probability that the project will complete within $12.5 million, versus the deterministic estimate of $10.8 million.

Expected Monetary Value (EMV). Multiplies the probability of each risk event by its financial impact to produce a single expected value. EMV = Probability × Impact. A risk with a 15 percent probability and a $2 million impact has an EMV of $300,000. This technique works well for comparing risks against each other and for building contingency budgets.

Sensitivity analysis (tornado charts). Identifies which variables have the greatest influence on outcomes. Particularly useful for complex projects or financial models where multiple risk factors interact.

The AICPA and NC State University’s 2025 report found that 61 percent of senior finance leaders agree that the volume and complexity of corporate risks have changed “mostly” or “extensively” over the past five years, reinforcing the need for rigorous analytical methods. For detailed guidance on quantitative approaches, see our article on quantitative risk management.

Inherent vs. Residual Risk

Analysis should assess both inherent risk (the risk level before any controls are applied) and residual risk (the risk level after existing controls are considered). This distinction is critical because it reveals whether current controls are effective.

A risk with high inherent risk but low residual risk suggests strong existing controls. A risk with high inherent risk and high residual risk signals that current controls are inadequate and additional treatment is needed.

Step 3: Risk Evaluation

Risk evaluation compares the results of risk analysis against the risk criteria established during context setting. The purpose is to decide which risks need treatment, which can be accepted, and what the priority order for treatment should be. ISO 31000 describes this as determining “whether the residual risk is tolerable” (Risk Engineering – The ISO 31000 Standard).

Evaluation Decisions

For each risk, evaluation produces one of several decisions: the risk is within appetite and no further treatment is needed (accept); the risk exceeds tolerance and requires immediate treatment (treat urgently); the risk falls between appetite and tolerance and requires treatment planning (treat with defined timeline); or further analysis is needed before a decision can be made (escalate for additional information).

Prioritization

Evaluation produces a prioritized list of risks. This is where organizational resources get allocated.

A risk that scores in the critical zone on the heatmap, has high EMV, and falls outside risk tolerance will receive more attention and budget than a risk in the moderate zone within appetite. The prioritized risk register becomes the working document for treatment planning.
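As an added illustration (this is example code, not part of the article or of ISO 31000), the following Python carries the analysis and evaluation sections through on a small constructed register: it computes 5×5 matrix scores, EMV, inherent-versus-residual control effectiveness, and the four evaluation decisions against assumed appetite and tolerance thresholds, then produces the prioritized list. The ordinal scale values, zone cut-offs, thresholds and sample figures are all this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed ordinal scales and zone cut-offs for the 5x5 matrix (this example's choices, not ISO 31000's).
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
ZONES = [(15, "critical"), (8, "high"), (4, "moderate"), (0, "low")]  # checked highest floor first

def matrix_score(likelihood: str, impact: str) -> int:
    """Risk score = likelihood rank x impact rank, giving 1..25."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def zone(score: int) -> str:
    return next(name for floor, name in ZONES if score >= floor)

def emv(probability: float, impact_usd: float) -> float:
    """Expected Monetary Value = Probability x Impact."""
    return probability * impact_usd

@dataclass
class Risk:
    name: str
    inherent: tuple            # (likelihood, impact) before any controls
    residual: Optional[tuple]  # after existing controls; None = not yet analysed
    probability: float         # annual probability used for EMV
    impact_usd: float

@dataclass
class Criteria:
    appetite: int   # residual score at or below this is acceptable
    tolerance: int  # residual score above this needs urgent treatment

def evaluate(risk: Risk, c: Criteria) -> str:
    """Map a risk to one of the four evaluation decisions."""
    if risk.residual is None:
        return "escalate"            # more analysis needed before a decision
    score = matrix_score(*risk.residual)
    if score <= c.appetite:
        return "accept"
    if score > c.tolerance:
        return "treat urgently"
    return "treat with defined timeline"

def control_effectiveness(risk: Risk) -> str:
    """Judge existing controls by comparing inherent and residual zones."""
    if risk.residual is None:
        return "unknown"
    inh = zone(matrix_score(*risk.inherent))
    res = zone(matrix_score(*risk.residual))
    if inh in ("critical", "high"):
        return "inadequate" if res in ("critical", "high") else "strong"
    return "adequate"

PRIORITY = {"treat urgently": 0, "treat with defined timeline": 1, "escalate": 2, "accept": 3}

def prioritize(register, criteria):
    """Rows of (name, decision, residual score, EMV), most urgent first."""
    rows = []
    for r in register:
        score = 0 if r.residual is None else matrix_score(*r.residual)
        rows.append((r.name, evaluate(r, criteria), score, emv(r.probability, r.impact_usd)))
    return sorted(rows, key=lambda row: (PRIORITY[row[1]], -row[2], -row[3]))

# Constructed sample register; figures are illustrative only.
REGISTER = [
    Risk("Generator failure during grid outage", ("Almost Certain", "Major"), ("Likely", "Major"), 0.15, 450_000),
    Risk("Unauthorized access to finance system", ("Likely", "Catastrophic"), ("Rare", "Major"), 0.05, 2_000_000),
    Risk("Key person dependency in payroll", ("Possible", "Moderate"), ("Possible", "Moderate"), 0.30, 80_000),
    Risk("New supplier concentration", ("Possible", "Major"), None, 0.10, 600_000),
]
CRITERIA = Criteria(appetite=6, tolerance=12)
if __name__ == "__main__":
    for row in prioritize(REGISTER, CRITERIA):
        print(f"{row[0]:<40} {row[1]:<28} score={row[2]:>2} EMV=${row[3]:,.0f}")
```

Note that with these scales a "Likely" and "Major" rating scores 16, so where a score of 20 is quoted the organization's own scale must differ; the point is that the criteria, not the arithmetic, decide what counts as critical.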

Kimberly Kessler of AuditBoard noted in their 2025 risk management trends analysis that today’s risks are deeply interconnected, and seemingly small risks can create chain reactions with monumental consequences.

The 2024 collapse of Baltimore’s Key Bridge illustrated this: a possible loose electrical cable led to a power failure, which caused the ship collision, which created large-scale supply chain disruptions nationally (AuditBoard – Risk Management Trends 2025). This reinforces why evaluation must consider risk interdependencies, not just individual risk scores.

Five Steps at a Glance

| Step | Key Question | Core Techniques | Output | ISO 31000 Clause |
|---|---|---|---|---|
| 1. Identify | What could happen? | Workshops, SWOT, checklists, process maps, scenario analysis | Risk register with cause-event-consequence | Clause 6.4.2 |
| 2. Analyze | How likely and how severe? | Risk matrix, Monte Carlo, EMV, sensitivity analysis, bowtie | Risk ratings (inherent and residual) | Clause 6.4.3 |
| 3. Evaluate | Is this risk acceptable? | Comparison against risk criteria, appetite/tolerance thresholds | Prioritized risk register; accept/treat decisions | Clause 6.4.4 |
| 4. Treat | What do we do about it? | Avoid, reduce, share/transfer, accept; cost-benefit analysis | Treatment plans with owners, actions, deadlines, KRIs | Clause 6.5 |
| 5. Monitor | Is it working? What has changed? | KRI dashboards, control testing, audit, incident tracking | Updated risk register; board reports; lessons learned | Clause 6.6 |

Step 4: Risk Treatment

Risk treatment selects and implements options to modify risk. ISO 31000 identifies several treatment options, and it is important to understand that these are not mutually exclusive. A single risk might be treated with a combination of approaches.

The Four Treatment Strategies

Avoid. Eliminate the risk by not undertaking the activity that creates it. A company might avoid foreign exchange risk on a particular contract by declining to bid, or avoid a specific technology risk by choosing a proven alternative. Avoidance is appropriate when the risk outweighs the potential reward and no cost-effective treatment exists to reduce it to acceptable levels.

Reduce (Mitigate). Implement controls to reduce the likelihood of the risk event occurring, the severity of the consequences if it does occur, or both. This is the most common treatment strategy.

Examples include installing backup generators (reducing consequence severity of power outages), implementing multi-factor authentication (reducing likelihood of unauthorized access), cross-training staff (reducing consequence severity of key person dependency), and conducting preventive maintenance (reducing likelihood of equipment failure). For practical mitigation examples, see our article on risk mitigation in project management.

Share (Transfer). Transfer some or all of the risk to another party. Insurance is the most common form of risk transfer, but it also includes outsourcing, joint ventures, partnerships, hedging financial instruments, and contractual risk allocation (indemnification clauses, performance bonds).

Transfer does not eliminate the risk; it shifts the financial burden. The organization retains reputational risk and may retain operational risk even when financial risk is transferred.

Accept. Acknowledge the risk and decide not to take further action beyond monitoring. Acceptance is appropriate when the risk falls within appetite, when the cost of treatment exceeds the potential impact, or when the risk represents an opportunity the organization wants to pursue.

Acceptance should always be a conscious, documented decision with an identified risk owner, never a default resulting from inaction.

Treatment Plans

Each treated risk should have a documented treatment plan that includes the specific actions to be taken, the person accountable for implementation (risk owner), the timeline for implementation, the resources required, the expected reduction in risk level (target residual risk), and the key risk indicators (KRIs) that will signal whether the treatment is working.

VelocityEHS’s analysis of ISO 31000 emphasizes that treatment plans should also consider whether treatment options may introduce new risks that management will need to assess and control (VelocityEHS – ISO 31000). For guidance on designing effective KRIs, see our article on key risk indicators.

Step 5: Monitoring and Review

Monitoring and review ensures the risk management process remains current and effective. Risks change.

New risks emerge. Controls degrade. Business objectives shift. The competitive environment evolves. A risk register that was accurate six months ago may be dangerously outdated today.

What Gets Monitored

Risk levels. Are risks moving toward or away from tolerance thresholds? KRI dashboards provide early warning when risk levels approach or breach defined limits. For example, a KRI for credit risk might track the percentage of receivables over 90 days past due, with amber and red thresholds triggering escalation.

Control effectiveness. Are the controls implemented during treatment actually working? This requires testing, not just assumption. Control testing can be periodic (quarterly self-assessment, annual audit) or continuous (automated monitoring, exception reporting).

Splunk’s analysis notes that ISO 31000 treats monitoring and review as an ongoing activity to assure the process and improve its quality and effectiveness, with results fed into the organization’s performance management framework (Splunk – ISO/IEC 31000 for Risk Management).

Emerging risks. What new risks have appeared since the last assessment? Forrester’s 2025 research found that only 37 percent of risk decision-makers reported identifying emerging risks as their primary measure of success, suggesting most organizations focus on known risks at the expense of emerging ones.

Sources for emerging risk identification include industry reports, regulatory consultations, competitor incidents, and internal incident data.

Treatment plan progress. Are treatment actions being implemented on schedule? Are they achieving the expected reduction in risk level? Treatment plans without tracking become documents that sit in a shared drive and accomplish nothing.

The Three Lines Model in Monitoring

Effective monitoring distributes responsibility across the Three Lines Model.

First line: management monitors risks and controls within their daily operations (operational managers tracking KRIs, performing self-assessments).

Second line: risk management and compliance functions provide frameworks, challenge first line assessments, aggregate risk data, and report to senior management and the board.

Third line: internal audit provides independent assurance that the risk management process is operating effectively and that first and second line activities are reliable.

For more on how governance structures support the risk process, see our article on enterprise risk management.

Board and Executive Reporting

Monitoring outputs feed into board and executive reporting. Effective risk reporting includes a summary of top risks with trend indicators (improving, stable, deteriorating), KRI status against thresholds, treatment plan progress, emerging risks requiring board attention, and any risk appetite or tolerance breaches.

The 2025 KPMG Risk and Resilience Survey found that nearly half of organizations have centralized risk and resilience structures, but only 26 percent have strong collaboration and a holistic, cross-functional view of risks. This gap between structure and execution is precisely what effective monitoring addresses.

Making the Five Steps Work in Practice

The Process Is Iterative, Not Linear

While the five steps are presented sequentially, the actual process is iterative and cyclical. New information discovered during analysis may trigger additional identification. Evaluation may reveal that a risk needs deeper analysis before a treatment decision can be made.

Monitoring may identify a new risk that sends you back to step one. ISO 31000 explicitly describes the process as iterative, and organizations that treat it as a one-time annual exercise miss the point entirely.

Match Rigor to Materiality

Not every risk requires Monte Carlo simulation. Not every risk deserves a full workshop. Apply rigorous quantitative analysis to high-impact, high-complexity risks where the data supports it.

Use qualitative methods for lower-impact risks or situations with limited data. The AICPA/NC State report noted that most ERM budgets are increasing by only one to four percent, barely keeping up with inflation, so resource allocation matters. Spend your analytical effort where it generates the most value.

Technology Enables but Does Not Replace Judgment

GRC platforms, risk management software, KRI dashboards, and automated monitoring tools are valuable. The global risk management software market is projected to reach $23.57 billion by 2028 according to Grand View Research, reflecting rapid adoption.

But technology automates process steps; it does not replace the professional judgment needed to interpret results, challenge assumptions, and make treatment decisions. The five-step process requires human expertise at every stage.

Connect Risk Management to Business Continuity

The five-step process feeds directly into business continuity planning. Risks identified and analyzed in steps one through three inform the business impact analysis that drives BCP development.

Treatment strategies in step four may include business continuity measures such as alternate work locations, manual workarounds, or disaster recovery procedures.

TechTarget’s 2025 ERM trends analysis noted that in 2024 the United States experienced 27 weather and climate disasters with losses exceeding $1 billion, totaling $182.7 billion in damages according to NOAA (TechTarget – Enterprise Risk Management Trends 2025). These events reinforce why risk management and business continuity must be integrated. For more, see our guides on business continuity planning and business impact analysis.

Common Failures and How to Avoid Them

Treating the risk register as the end product. The risk register is a tool, not the objective. The objective is better decision-making and improved organizational resilience. A beautifully maintained risk register that nobody uses for decisions is a compliance artifact, not a risk management tool.

Identification bias. Teams tend to identify risks they have experienced before and miss novel risks. Scenario analysis, external benchmarking, and facilitated challenge sessions help counteract this bias. KPMG’s 2025 survey finding that more than two-thirds of organizations face moderate to strong barriers including siloed communication explains why identification often produces incomplete results.

Analysis paralysis. Spending so much time analyzing risks that treatment is delayed. Set time-boxed analysis periods proportional to risk materiality. A risk that clearly requires immediate treatment does not need three months of quantitative modeling first.

Orphaned treatment plans. Approving treatment actions without assigning clear owners, deadlines, and accountability mechanisms. Every treatment action needs a named individual (not a department) who is accountable for implementation.

Static monitoring. Reviewing the risk register quarterly in a committee meeting without real-time KRI monitoring between meetings. Effective monitoring is continuous, with formal reviews supplementing ongoing automated and manual tracking.

Where to Start

If your organization does not yet have a structured five-step process, begin with context. Define the scope of your risk management program, establish risk criteria aligned with your organizational objectives, and secure executive sponsorship.

Then work through identification, analysis, evaluation, and treatment for your top ten to fifteen risks. Get the process running before trying to make it comprehensive.

If you already have a process but it feels like a compliance exercise rather than a decision-making tool, focus on two areas: first, strengthen the connection between risk evaluation outputs and actual resource allocation decisions; second, build KRI-based monitoring that provides early warning between formal review cycles.

For practical frameworks, templates, and deeper exploration of each step, explore the full library at riskpublishing.com. Our content covers how to conduct a risk assessment, compliance risk assessment, operational risk management, and business continuity management, all grounded in ISO 31000 and COSO ERM best practice.

Sources:

1. ISO – ISO 31000:2018 Risk Management Guidelines: iso.org

2. PECB – ISO 31000 Risk Management Principles and Guidelines: pecb.com

3. Riskonnect – The Basics of ISO 31000 Risk Management: riskonnect.com

4. Secureframe – 50+ Risk Management Statistics 2026 (Forrester 2025, AICPA/NC State 2025, KPMG 2025): secureframe.com

5. Risk Engineering – The ISO 31000 Standard: risk-engineering.org

6. Splunk – ISO/IEC 31000 for Risk Management: splunk.com

7. VelocityEHS – ISO 31000 Implementation Guide: ehs.com

8. AuditBoard – Risk Management Trends 2025: auditboard.com

9. TechTarget – Enterprise Risk Management Trends 2025 (NOAA disaster data): techtarget.com

10. Protecht – ISO 31000 Risk Management Framework Complete Guide: protechtgroup.com
