Risk Management Process

The risk management process is an ongoing process or framework of first identifying risks, then treating and managing them. Five basic steps are taken to manage risk; together they are referred to as the risk management process.

  1. Identify the risk
  2. Analyse the risk
  3. Evaluate and rank the risk
  4. Treat the risk
  5. Monitor and review the risk

Risk management can be defined as a process utilised to identify, evaluate, and prioritise risk (defined in ISO 31000 as the effect of uncertainty on objectives); it is a coordinated and economical use of resources to minimise, monitor, and control the probability or impact of unfortunate events (Hubbard, Douglas 2009 ISBN: 9781119198536) or to maximise the realisation of opportunities.

Strategies to manage risk typically include avoiding the risk itself, decreasing the negative effect or likelihood of the threat, transferring all/part of the threat to another party, and retaining some or all potential or actual consequences of a particular risk.

Managing Risk

Managing risk is an important task. Once you have determined what risks exist and assessed their importance, you must choose a strategy for dealing with each risk if/when it becomes a reality.

Once the risks have been identified and assessed, mitigation management techniques will fall into one or more of the following four categories:


Simple elimination of the risk factor, e.g. refusal to purchase a property or business to avoid legal liability. Whereas avoidance may seem like the answer to all risks, the avoidance of risk also means losing potential gain that retention of the threat may have enabled.



This technique involves the optimisation and mitigation of the risk.  

  • Risk reduction or optimisation involves lowering the seriousness of the loss or the prospect of it occurring. E.g., sprinklers put out a fire, reducing the risk of loss; however, if the sprinklers to the area are not switched off once the fire is extinguished, the resulting water damage could cause a more significant loss, and as a result this method may not be suitable.
  • Accepting that risks can be positive or negative. Optimisation of risks requires finding a balance between the harmful and beneficial aspects of the activity in question, and between reducing risk and effort. Practical application of Health, Safety and Environment (HSE) management standards means that organisations can achieve tolerable levels of risk.


Controlling the risk or risk retention involves accepting loss, or the benefit of gain, from a risk when the incident occurs. Risk retention can be considered a suitable strategy for small risks where the cost of insuring against it would be higher over time than the number of total losses sustained.

Risks that do not fall within Avoidance or Acceptance are retained by default. Significant and catastrophic risks that cannot be insured against, or for which the premiums are too high, are included here. Any amount of potential loss (risk) that goes beyond the amount insured is retained risk. This is also true of a situation where the chance of a substantial loss is so minute that it would obstruct the organisation’s goals excessively.


This technique involves paying someone else to assume some or all the risk and its effects, positive or negative.  

The term “transfer” is often used; however, it can be a little misleading. It is mistakenly believed that you can transfer risk to a third party through insurance or outsourcing. However, if the insurer or contractor were to go bankrupt or end up in court, the original risk is likely to go back to the first party: you. In general, the buyer of the insurance contract retains legal responsibility for the losses “transferred”, which means that insurance may be described more accurately as an after-the-event mechanism for compensation.

For these techniques to work, you must choose your strategies and plan their implementation as early as possible.  

The risk management process can be lengthy and complicated.  Risk Warden makes assessing and managing risk efficient and effortless. As a result, achieving a compliant, risk-managed environment has never been easier – no matter how big or small your organisation.  
