Follow the 5 Steps of the Risk Management Process to Build a Plan for Your Business

October 9, 2020

FEMA reports that 40 to 60% of small businesses never reopen their doors after a natural disaster. AppRiver’s Cyberthreat Index of Business Survey reports that 48% of small to midsize businesses say a major data breach would likely shut down their business permanently.

Scary stuff.

But if you’re prepared, you’re not doomed. A strong risk management plan can help your business mitigate and plan for such risks and keep you on the other end of those statistics.

And you don’t need to be stressed about creating this plan. The risk management process doesn’t necessarily need to be conducted by a risk manager or an expensive risk management consultant. You can create an informed and strong plan by following the steps we’ll outline below.

In this article, we’ll go over the five steps of the risk management process and explain the purpose of each, offer questions to ask yourself to get started, and share tips. This is a high-level overview, intended to help you create a simple risk management plan for your small business.

Note: Risk management can get extremely complex with exercises such as advanced impact calculations and in-depth root-cause analysis. If you have a larger business, are in a high-risk industry such as finance, or are a publicly held company, you may need an enterprise risk management software solution to manage a mature risk management strategy.

What is risk management?

Before we dive into the process, let’s take a step back and define risk management: Risk management is the act of identifying, evaluating, planning for, and then ultimately responding to threats to your business. The goal is to be prepared for what may happen and have a plan in place to react appropriately.

If you’re new to risk management practices or feel like you need a refresher, we recommend checking out “Why Risk Management Is Important and How Software Can Help.” In it, we explain exactly what a risk management plan is and take you through an example of a business owner developing a risk register and plan.

What are the five steps of the risk management process?

The five steps of the risk management process are identification, assessment, mitigation, monitoring, and reporting risks. By following the steps outlined below, you will be able to create a basic risk management plan for your business.

Here are the five steps of a risk management process:

[Graphic: the five steps of the risk management process]

Adapted from Gartner’s Risk Management Process Primer for 2020 report (full report available to Gartner clients)

Step 1: Risk identification

To start this process, list out any and all events that would have a negative impact on your business. Expect to add risks to your list over days, maybe even a couple weeks, and know that you won’t think of all possible risks.

Be sure to ask leaders in other departments to identify risks, too. You want your plan to be as holistic and comprehensive as possible.

Here are some questions to ask yourself to help identify risks:

  • Are there any new or recently updated legal and/or compliance laws we need to prepare to manage?
  • Does this risk have an impact on other parts of the business? (If yes, be sure to include the risks to that department.)
  • What events have caught us off guard in the past?

Tip: Give yourself a timebox for identifying risks, otherwise you’ll get stuck in analysis paralysis and never move on to the next steps. Keep in mind that this entire process is an ongoing one, so you’ll continue to add risks over time.

Step 2: Risk assessment

Now that you have a list of potential or existing threats and risks, it’s time to assess the likelihood of the event happening and the level of impact. Doing this risk analysis helps determine the priority levels of each risk so you don’t over- or under-allocate resources for mitigation in the next step.

Your assessment can be performed using a matrix like the one below. For each identified risk, determine both the likelihood of it happening and the level of negative impact it would have on your business. Write each risk in the corresponding box. This exercise is also best done in collaboration with leaders of each department.

[Graphic: risk assessment matrix example, likelihood on one axis and impact on the other]

Tip: Your first matrix should be a working document—use a format that makes it easy to move risks around. A virtual whiteboard or a shared document works well. Risk events may need to move around the matrix as you learn more about their impact or likelihood based on feedback from other department leads.

Step 3: Risk mitigation

Risk mitigation is where you will create and begin to implement the plan for the best way to reduce the likelihood and/or impact of each risk. You may not be able to come up with a mitigation plan for each and every risk, but it’s important to try to identify what changes in your current processes can be adjusted to reduce risk.

Start with the risks you placed in the red boxes of your assessment matrix. Create a mitigation plan document where you name an owner for each risk, and describe the steps to be taken if/when the risk event happens. You’ll do this for each risk.

Here are some questions to consider as you craft the mitigation plan:

  • How can we implement mitigation measures into our business systems and processes?
  • Is the plan clearly stated so that anyone in the business could understand what action needs to be taken for each risk event?
  • Is this action plan an appropriate level of response for this risk?

As this step is rather complex, let’s use a medical office as an example for risk mitigation efforts:

Risk: Sick patients could infect healthy patients while in the waiting room together.
Mitigation plan: Have a separate waiting room for sick patients.

Risk: Staff could mix up patients who have the same name.
Mitigation plan: Establish a rule that all staff always confirm the full name and date of birth of each patient every time they interact.

Risk: A patient could have a severe medical episode, such as a heart attack or stroke, when in the office.
Mitigation plan: Partner with a nearby hospital to have a process for emergency transfers.
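The assessment matrix from Step 2 and the red-first prioritization and ownership from Step 3 can be kept together in a small risk register. The Python script below is an added example, not code from the article or from any product it mentions; the 1 to 5 scales, the likelihood-times-impact score and the red/yellow/green thresholds are assumptions chosen for illustration, and the register entries are constructed from the medical-office example above.

```python
"""Minimal risk register covering Steps 2 (assess), 3 (mitigate) and 5 (report).

Added example, not from the original article. The 1-5 scales, the
score = likelihood x impact rule and the zone thresholds are assumptions
chosen for illustration; adjust them to match your own matrix.
"""
from dataclasses import dataclass

# Assumed zone thresholds for a 5x5 matrix: score ranges from 1 to 25.
RED_MIN = 15
YELLOW_MIN = 8


@dataclass
class Risk:
    name: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    owner: str = "unassigned"
    mitigation: str = ""  # steps to take if/when the risk event happens
    status: str = "open"

    def __post_init__(self):
        # Reject values outside the matrix so a typo cannot silently hide a risk.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def zone(self) -> str:
        if self.score >= RED_MIN:
            return "red"
        if self.score >= YELLOW_MIN:
            return "yellow"
        return "green"


def prioritize(register):
    """Order risks red -> yellow -> green, highest score first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def red_risks(register):
    """The risks the article says to start with: those in the red boxes."""
    return [r for r in prioritize(register) if r.zone == "red"]


def unowned(register):
    """Red or yellow risks still missing an owner or a mitigation plan (Step 3 gaps)."""
    return [r for r in register
            if r.zone != "green" and (r.owner == "unassigned" or not r.mitigation)]


def status_report(register) -> str:
    """Plain-text status report for Step 5, one line per risk."""
    header = f"{'Risk':40} {'L':>2} {'I':>2} {'Score':>5} {'Zone':6} {'Owner':14} Status"
    lines = [header]
    for r in prioritize(register):
        lines.append(f"{r.name[:40]:40} {r.likelihood:>2} {r.impact:>2} {r.score:>5} "
                     f"{r.zone:6} {r.owner[:14]:14} {r.status}")
    return "\n".join(lines)


# Constructed sample register based on the medical-office example; the
# likelihood and impact values are made up for illustration.
SAMPLE_REGISTER = [
    Risk("Sick patients infect healthy patients in waiting room", 4, 4,
         owner="Office manager", mitigation="Separate waiting room for sick patients"),
    Risk("Staff mix up patients with the same name", 3, 5),
    Risk("Patient has a severe medical episode in the office", 2, 5,
         owner="Lead nurse", mitigation="Emergency transfer process with nearby hospital"),
    Risk("Printer runs out of toner", 5, 1),
]

if __name__ == "__main__":
    print(status_report(SAMPLE_REGISTER))
    print("\nRed risks to address first:", [r.name for r in red_risks(SAMPLE_REGISTER)])
    print("Gaps (no owner or plan):", [r.name for r in unowned(SAMPLE_REGISTER)])
```

Running the script prints the register sorted by score, then the red risks to tackle first and any red or yellow risk that still has no owner or plan, which is the list to bring to the next meeting with department leads. Keeping the register in version control also gives you the history a monitoring review (Step 4) needs when a risk moves between zones.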

Design your risk mitigation plans to be a natural part of business operations, wherever possible. To do this, collaborate with the other leaders in your business to coordinate mitigation efforts as seamlessly as possible into daily operations and strategic planning meetings.

Tip: It’s easy to over-prioritize mitigation plans to the detriment of current business operations. You’re not going to be able to implement every plan right away. Try to balance how you implement mitigation plans with ensuring that the burden of risk management doesn’t impact operations. You also don’t want to force an overhaul of an entire process just to mitigate a risk you placed in the green zone in the matrix. That’d be overkill.

Step 4: Risk monitoring

Now that you have identified, assessed, and made a mitigation plan, you need to monitor for both the effectiveness of your plan and the occurrence of risk events. Monitoring the status of risks, monitoring the effectiveness of mitigation plans implemented, and consulting with key stakeholders are all parts of the risk monitoring step. Risk monitoring should happen throughout the risk management process.

Here are some questions to ask yourself as you monitor risks:

  • How do I keep the other department leaders engaged in helping monitor risk?
  • How can I empower my team to identify and escalate risk incidents?
  • Have there been any changes where a risk previously assessed as a high threat should be moved lower? Or vice versa?

Tip: Don’t adopt a “wait and see” approach when it comes to risk monitoring—you may not know exactly when a risk event has occurred. Events such as cyberattacks and regulation changes can sometimes come to light months, even years, later, despite the security controls and risk control plan in place. Make sure that your risk management plan includes continuous monitoring so you aren’t caught off guard by a failed audit that earlier action could have prevented.

Step 5: Risk reporting

You need to document, analyze, and share the progress of your risk management plan. Reporting on risks serves two key purposes: It helps you analyze and evaluate your risk management plan and helps keep stakeholders engaged in mitigating risks by sharing the progress made.

When you first start out, reporting can be done by manually entering the status of each risk into your mitigation plan on a regular basis. Then email the report, or at least the highlights, to the other department leads.

Risk reporting is where risk management software really shines as it can gather all the data points and create an easy-to-read dashboard. If reporting on risk is an important facet of managing your risk, we strongly recommend considering investing in software.

Here’s a look at what risk reporting looks like in the enterprise risk management (ERM) system, Essential ERM.

[Screenshot: risk reporting dashboard in Essential ERM software]

Risk reporting dashboard in Essential ERM (Source)

Here are some questions to help you when reporting on risks:

  • Are these the right metrics to understand the progress of the plan?
  • What’s the best way to distribute risk reports so that stakeholders are informed but not overwhelmed with the data?
  • How often should I share reports? Quarterly? Annually?

Tip: To garner support for and foster a risk management-focused culture, try to build a narrative for how the company is managing risks. Think about how to blend risk reporting with other functions of the business to tell one cohesive story. Throwing a bunch of stats and colored boxes at stakeholders can be overwhelming and intimidating. But everyone loves a story, especially one that they’re a part of.

Reduce the risk of picking an ill-suited system

Now that you know the five steps of the risk management process (identify, assess, mitigate, monitor, and report risks), you should feel confident in building out a risk management plan for your business.

If you’re ready to take your risk management plan and reporting to the next level, it’s time to check out risk management software.

We’ve got several free resources to help you along your software purchasing journey:


Note: The applications selected in this article are examples to show a feature in context and are not intended as endorsements or recommendations. They have been obtained from sources believed to be reliable at the time of publication.
