RiskWatch
Foundational guide · ~10 min read · Updated June 2026

What is risk management?

Risk management is the process of identifying, assessing, and controlling risks to an organisation's objectives. ISO 31000 defines risk itself as the "effect of uncertainty on objectives." A working programme runs as a loop: find risks, score them, treat them, and monitor the results, so the organisation can act under uncertainty and stay prepared.

Standard: ISO 31000 · Process: 5 steps · Strategies: 4 · Goal: Acceptable risk
01 · Definition

What is risk management?

Risk management is the process of identifying, assessing, and controlling risks. It is crucial to the success of an organisation because it shapes decision-making and how the business responds to incidents. An effective risk management plan lets you navigate an environment of uncertainty and be prepared when a negative risk is encountered.

Done well, it produces a positive impact across the board: on business goals, brand reputation, employee safety, and the bottom line. The work is not a one-time exercise but a continuous cycle, and the rest of this guide walks through what risk is, the five-step process for assessing it, the four strategies for treating it, and how software makes the whole thing scale.

"Risk is the effect of uncertainty on objectives."

ISO 31000, Risk Management
02 · The foundation

What is risk?

To manage risk, it helps to define it. ISO 31000, the international standard for risk management, defines risk as the "effect of uncertainty on objectives." Unpacked, that means a risk is both uncertain and has an effect on something, so risks are intrinsically linked to objectives.

Consider the risk of an office fire: the risk only exists if you have an office and the objective of keeping that space safe. Without an objective, there cannot be a risk. And while fires happen, it is uncertain what could cause one, when it might occur, or how much damage it would do. Objectives come in a top-down hierarchy, from broad goals like making a profit down to specifics like securing an individual file, and each carries its own uncertainties.

03 · The process

The five-step risk assessment process

The key component of risk management is performing risk assessments. The process is intuitive and logical; the discipline is that assessments are systematic, recorded, and regularly reviewed.

Step 1

Determine what you are trying to achieve

A risk cannot exist without an objective. Set the scope of the assessment and the environment you are evaluating (a facility, a system, a vendor, a process) and the goals attached to it.

Step 2

Find your risks

Identify what has the potential to affect those objectives, and which assets are exposed. Check for security or compliance gaps against the standards, regulations, and best practices that apply to you.

Step 3

Analyze the data

Score each risk on scales that fit your business, typically asset value, likelihood, and impact, supplemented by any third-party data you hold. Rank the scored risks against the resources you have and the other risks you face, so the highest-scoring ones are treated first.

Step 4

Create your action plan

Decide how to treat each risk, assign tasks to the right people, and gather the information needed to close gaps and improve risk scores. This is where assessment turns into action.

Step 5

Monitor and review

Measure whether the actions worked, monitor at regular intervals, and report on risk across your assets. The record also becomes your audit evidence and shows risk trending down over time.

The fifth step matters more than it looks: regular reporting shows how risk decreases or compliance improves over time, and provides the evidence of your assessment that an auditor will ask for. For a deeper look at this step, see what a risk assessment is.

04 · Treatment

The four risk strategies

There are four main strategies for addressing a risk. None is inherently better than another; the choice depends on your industry, objectives, and the particular risk. Many programmes consider them in this order.

1

Avoid

Eliminate the risk by not undertaking the activity that creates it. Useful when a process offers little benefit, or when the potential downside of an opportunity outweighs the reward.

2

Reduce

Lower the likelihood or impact when you cannot abandon the activity. Phishing training reduces likelihood; reliable backups reduce the impact of ransomware. The most common strategy.

3

Transfer

Shift the risk to another party, most often through insurance. Cyber insurance covers internet-based risk; property insurance covers theft or weather. You pay a premium to move the exposure. Transfer moves the financial exposure, not the accountability: a breach of customer data is still your regulatory and reputational problem even after the claim is paid.

4

Accept

Knowingly take on a risk that has low probability or minor impact, when treating it is not feasible or worthwhile. Record the acceptance with an owner and a review date, and revisit accepted risks in future assessments as resources and threats change.
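The five-step loop and the four treatment strategies above, worked as a small risk register in Python. This is an added example, not code from the page and not RiskWatch's scoring model; the 1-to-5 scales, the appetite threshold of 9, the four risk entries and the residual values after treatment are constructed assumptions for illustration.

```python
# Added example: a minimal risk register walking scope -> identify -> score ->
# treat -> review, with the four treatment strategies. Scales, appetite line,
# risks and residual values are constructed assumptions, not a real model.
from dataclasses import dataclass, replace
from typing import Optional

# Step 1 (scope): assumed scales. Scores above the appetite line must be
# treated or explicitly accepted by an owner.
SCALE = range(1, 6)   # 1 (lowest) .. 5 (highest) for likelihood and impact
RISK_APPETITE = 9     # assumed: 3 x 3 is the most the organisation will carry untreated


@dataclass
class Risk:
    name: str
    asset: str
    likelihood: int                    # 1..5
    impact: int                        # 1..5
    treatment: Optional[str] = None    # "avoid" | "reduce" | "transfer" | "accept"
    owner: Optional[str] = None
    review_date: Optional[str] = None
    retired: bool = False              # set by "avoid": the activity no longer exists

    def score(self) -> int:
        """Step 3: likelihood x impact on the 1..5 scales (0 if the risk is retired)."""
        if self.retired:
            return 0
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be in 1..5")
        return self.likelihood * self.impact


def prioritise(register: list[Risk]) -> list[Risk]:
    """Step 3: highest score first; ties broken by impact, then by name."""
    return sorted(register, key=lambda r: (-r.score(), -r.impact, r.name))


def treat(risk: Risk, strategy: str, owner: str, review_date: str,
          new_likelihood: Optional[int] = None,
          new_impact: Optional[int] = None) -> Risk:
    """Step 4: apply one strategy and return the residual risk with an owner and review date.

    avoid    -> activity removed, residual score 0
    reduce   -> caller supplies the lowered likelihood and/or impact
    transfer -> impact lowered (financial share moved to the insurer), likelihood unchanged
    accept   -> unchanged, permitted only at or below the appetite line
    """
    if strategy == "avoid":
        residual = replace(risk, retired=True)
    elif strategy == "reduce":
        residual = replace(risk,
                           likelihood=risk.likelihood if new_likelihood is None else new_likelihood,
                           impact=risk.impact if new_impact is None else new_impact)
    elif strategy == "transfer":
        if new_impact is None:
            raise ValueError("transfer needs the impact that remains after insurance")
        residual = replace(risk, impact=new_impact)
    elif strategy == "accept":
        if risk.score() > RISK_APPETITE:
            raise ValueError(f"{risk.name}: score {risk.score()} exceeds appetite; cannot accept")
        residual = replace(risk)
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    residual.treatment, residual.owner, residual.review_date = strategy, owner, review_date
    return residual


def above_appetite(register: list[Risk]) -> list[str]:
    """Step 5: names of risks still above the appetite line, in priority order."""
    return [r.name for r in prioritise(register) if r.score() > RISK_APPETITE]


def trend(before: list[Risk], after: list[Risk]) -> dict:
    """Step 5: the before/after totals an auditor or board pack would show."""
    b = sum(r.score() for r in before)
    a = sum(r.score() for r in after)
    return {"inherent_total": b, "residual_total": a,
            "reduction_pct": round(100 * (b - a) / b) if b else 0}


def run_assessment() -> tuple[list[Risk], list[Risk]]:
    """One pass through the loop for a constructed small office with a customer database."""
    # Step 2 (identify): constructed inherent risks.
    inherent = [
        Risk("Ransomware via phishing", "customer DB", likelihood=4, impact=5),   # 20
        Risk("Office fire", "office", likelihood=1, impact=5),                    # 5
        Risk("Laptop theft", "staff laptops", likelihood=3, impact=3),            # 9
        Risk("Legacy FTP server", "file transfer", likelihood=4, impact=4),       # 16
    ]
    # Step 4 (treat): one strategy each; residual values are assumptions.
    residual = [
        treat(inherent[0], "reduce", "IT lead", "2026-12-01",
              new_likelihood=2, new_impact=2),                  # training lowers likelihood, backups lower impact
        treat(inherent[1], "transfer", "Facilities", "2026-12-01", new_impact=2),  # property insurance
        treat(inherent[2], "accept", "IT lead", "2026-12-01"),  # 9 is at, not above, the appetite line
        treat(inherent[3], "avoid", "IT lead", "2026-12-01"),   # decommission the FTP server
    ]
    return inherent, residual


if __name__ == "__main__":
    before, after = run_assessment()
    print("above appetite before:", above_appetite(before))
    print("above appetite after: ", above_appetite(after))
    print(trend(before, after))
```

The `accept` branch refuses a risk above the appetite line: that is the control that stops "accept" from becoming a way to make inconvenient scores disappear. Run the file and it lists the two inherent risks above appetite, an empty list after treatment, and the total dropping from 50 to 15.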

05 · Scaling up

Risk management and ERM

The same process scales from a single asset to the whole organisation. When it is applied enterprise-wide, managing strategic, operational, financial, and compliance risks together against the organisation's objectives and risk appetite, it is called enterprise risk management (ERM).

ERM is the programme-level practice; day-to-day risk management is how the work gets done within it. The frameworks differ in emphasis (ISO 31000 for the risk discipline, COSO ERM for the enterprise view), but the underlying loop is the same. For the enterprise framing, see what enterprise risk management is, and for the broader discipline that wraps risk, compliance, and governance together, see what GRC is.

06 · Who needs it

Who needs risk management?

If you are wondering who needs an effective risk management plan, the answer is you, and everyone else. Risk is part of every industry because it is attached to every business. Given the potential impact of risks, the need to manage them is self-evident, and a solid plan also appeals to potential vendors, investors, and customers.

There is a second benefit. The commitment to regularly monitoring assets and processes drives efficiency and consistency in operations, which ultimately has a positive effect on the bottom line. Managing risk protects the downside and improves the business at the same time, a genuine win-win.

Can you eliminate risk entirely? You can remove certain aspects, such as the financial element by buying insurance, but some risk always remains, and you would not want to remove it all. Growth comes from new ideas and processes that carry risk, so the real challenge is balancing how much risk is acceptable for the expected reward.

07 · Tooling

How software helps

Risk management is straightforward in principle but becomes lengthy and detailed in practice. Software keeps the data organised and automates the repetitive parts (scoring, reporting, and following up with people to complete assessments) so the programme scales without breaking.

From spreadsheet to platform
Run the whole process in one place.

RiskWatch handles the five-step process end to end: scoped assessments, custom scoring, action plans with owners, and reporting that doubles as audit evidence, across physical, cyber, vendor, and compliance risk on one platform. You can run your first assessment on a 30-day free trial.

08 · Frequently asked

Risk management, answered

The questions people ask most when they start managing risk.

What is risk management?
Risk management is the process of identifying, assessing, and controlling risks to an organisation's objectives. It lets an organisation operate in an environment of uncertainty and be prepared when a negative risk materialises. A working risk management programme runs as a continuous loop: identify risks, assess and prioritise them, treat them, and monitor the results, improving decision-making and protecting goals, reputation, and safety along the way.
What is risk?
The international standard ISO 31000 defines risk as the "effect of uncertainty on objectives." Two ideas sit inside that: a risk is uncertain, and it has an effect on something you are trying to achieve. Risks are therefore inseparable from objectives: the risk of an office fire only matters because you have an office and the objective of keeping it safe. Without an objective, there is no risk.
What are the five steps of the risk management process?
A practical risk assessment follows five steps: (1) determine what you are trying to achieve and set the scope; (2) find your risks and the assets they affect; (3) analyse the data, scoring risks by value, likelihood, and impact; (4) create an action plan and assign treatments; and (5) monitor and review, measuring results and keeping records for trends and audit evidence. The process should be systematic, recorded, and regularly reviewed.
What are the four risk management strategies?
There are four ways to treat a risk: avoid it (eliminate the activity that creates it), reduce it (lower its likelihood or impact), transfer it (shift it to another party, usually via insurance), or accept it (knowingly take it on when it is low or not worth treating). No single strategy is universally best; the right choice depends on the industry, the objective, and the specific risk, and many programmes work through them in that order.
Is it possible to eliminate all risk?
No, and you would not want to. You can eliminate certain aspects of a risk, for example removing the financial element by buying insurance, but some risk always remains. More importantly, eliminating all risk would stop a company from growing: innovation and new processes inherently carry risk. The goal of risk management is not zero risk but keeping risk at an acceptable level while pursuing the objectives that justify it.
What is the difference between risk management and enterprise risk management (ERM)?
Risk management is the broad discipline of handling risk, often applied to a specific area, project, or asset. Enterprise risk management (ERM) applies the same thinking at the whole-organisation level, managing strategic, operational, financial, and compliance risks together against the enterprise's objectives and risk appetite. ERM is the programme-level practice; day-to-day risk management is how the work gets done within it.
Who needs risk management?
Effectively every organisation, because risk is attached to every business activity. Beyond protecting against losses, a solid risk management programme reassures vendors, investors, and customers, and the discipline of regularly monitoring assets and processes improves operational efficiency and consistency. It is one of the few practices that protects the downside and supports the bottom line at the same time.
Do I need software for risk management?
You can start with spreadsheets, but they strain quickly as the number of risks, assessors, and frameworks grows. Risk management software keeps data organised and automates the repetitive parts of the process (scoring, reporting, and chasing assessment completion) so the programme scales. RiskWatch customers typically cut their assessment process time substantially compared with a manual approach, and keep an audit-ready record as a by-product.
From the theory to a working program

Run your first risk assessment free.

Scoped assessments, custom scoring, action plans, and reporting that doubles as audit evidence, across physical, cyber, vendor, and compliance risk. 30-day free trial, no credit card.
