Risk Management Process


Follow the 5 Steps of the Risk Management Process to Build a Plan for Your Business

FEMA reports that 40 to 60% of small businesses never reopen their doors after a natural disaster. AppRiver’s Cyberthreat Index of Business Survey reports that 48% of small to midsize businesses say a major data breach would likely shut down their business permanently.

And you don’t need to be stressed about creating this plan. The risk management process doesn’t necessarily need to be conducted by a risk manager or an expensive risk management consultant. You can create an informed and strong plan by following the steps we’ll outline below.

In this article, we’ll go over the five steps of the risk management process and explain the purpose of each, offer questions to ask yourself to get started, and share tips. This is a high-level overview, intended to help you create a simple risk management plan for your small business.

Note: Risk management can get extremely complex with exercises such as advanced impact calculations and in-depth root-cause analysis. If you have a larger business, are in a high-risk industry such as finance, or are a publicly held company, you may need an enterprise risk management software solution to manage a mature risk management strategy.

What is risk management?

Before we dive into the process, let’s take a step back and define risk management: Risk management is the act of identifying, evaluating, planning for, and then ultimately responding to threats to your business. The goal is to be prepared for what may happen and have a plan in place to react appropriately.

If you’re new to risk management practices or feel like you need a refresher, we recommend checking out “Why Risk Management Is Important and How Software Can Help.” In it, we explain exactly what a risk management plan is and take you through an example of a business owner developing a risk register and plan.

The Story of the Risk Management Process

Each organization has a “mission” and a “vision” for its formation. In general terms, therefore, it must address the problem of protecting itself against events that pose a potential risk to the organization as a whole. Earlier, companies faced the different types of risk in a specific or unconnected manner. Today, the risk management process takes an integrated view and also elaborates on the strategies necessary for managing those risks. Company risks are normally classified into three broad categories:

Each of these risks may lead to direct or indirect damage to the organization, with economic implications in the short, medium, and long term. From this point of view, therefore, the attention given to risk management techniques, in terms of the quality and quantity of allocated resources, must be consistent. This holds true not only for the type of risk but also for the likelihood of the potential negative event and the gravity of its consequences.

A complete risk management process aims to protect:

Contingency Plan

The project risk plan balances the investment in mitigation against the benefit to the project. The project team often develops an alternative method for accomplishing a project goal when a risk event has been identified that may frustrate the accomplishment of that goal. These plans are called contingency plans. The risk of a truck drivers’ strike may be mitigated with a contingency plan that uses a train to transport the needed equipment for the project. If a critical piece of equipment is late, the impact on the schedule can be mitigated by making changes to the schedule to accommodate a late equipment delivery.

Roof Left Unfinished for Late Equipment

On one project, the project team left a section of a roof unfinished to allow the installation of equipment after the building was done and the roof installed. The equipment was late, and the project would have been delayed if the building had not been completed. The project team left a section of the roof unfinished to allow the equipment to be placed in the building with the use of a crane. The roof was then completed, and the project finished on time.

In this example, the equipment not arriving on time to meet the project schedule was considered a high risk. One option was to delay the end of the project. Instead, the team developed a contingency plan to install the roof in two phases to allow the installation of the equipment if it was late. The contingency plan was more expensive, and contingency funds were placed in the budget to cover the possibility that the equipment would be late.

Contingency funds are funds set aside by the project team to address unforeseen events that cause the project costs to increase. Projects with a high-risk profile will typically have a large contingency budget. Although the amount of contingency allocated in the project budget is a function of the risks identified in the risk analysis process, contingency is typically managed as one line item in the project budget.

Some project managers allocate the contingency budget to the items in the budget that have high risk rather than developing one line item in the budget for contingencies. This approach allows the project team to track the use of contingency against the risk plan. This approach also allocates the responsibility to manage the risk budget to the managers responsible for those line items. The availability of contingency funds in the line item budget may also increase the use of contingency funds to solve problems rather than finding alternative, less costly solutions. Most project managers, especially on more complex projects, will manage contingency funds at the project level, with approval of the project manager required before contingency funds can be used.

Key Takeaways

  • Risk management is a creative process that involves identifying, evaluating, and mitigating the impact of the risk event.
  • Risk management can be very formal, with defined work processes, or informal, with no defined processes or methods. Formal risk evaluation includes the use of checklists, brainstorming, and expert input. A risk breakdown structure (RBS) can follow the work breakdown structure (WBS) to identify risk by activity.
  • Risk evaluation prioritizes the identified risks by the likelihood and the potential impact if the event happens.
  • Risk mitigation is the development and deployment of a plan to avoid, transfer, share, and reduce project risk. Contingency planning is the development of alternative plans to respond to the occurrence of a risk event.

  1. A risk ___________ plan eliminates or minimizes the impact of risk events.
  2. Risk management is a creative process that involves identifying, evaluating, and __________ the impact of risk events.
  3. A process for risk assessment that is parallel to the WBS is a _________ _______ _______ (three words).
  4. Choose a project risk that could be related to the John’s move example that is not described in the text and describe a mitigation plan for that risk. You may choose from any part of the John’s move example that has been described in previous chapters.
  5. If you are planning a party at your residence, list three project risks and rate each of them for their potential impact and likelihood. Use high, medium, and low.
  6. Describe the similarities and differences between risk transfer and risk sharing.

Assume that you are involved in planning a wedding. What are three risks that might affect the ceremony or reception, and how would you mitigate the impact of those risks? For example, if you are planning an outdoor wedding, describe the backup plan in case of rain.