A risk management process is the means by which an organization identifies, assesses and mitigates any threats or uncertainties that may negatively impact it.

Through the risk management process, the likelihood and potential impact of the identified risk are analyzed, and leadership develops strategies to lessen harm and monitor the effectiveness of any preventative actions taken.

There is risk involved in the operation of any business or organization. What’s important is to figure out how and why these risks arise — and how to avoid (or at least minimize) them.

Here are the seven steps of a risk management process:

1. Determine the organization’s risk tolerance/appetite.
2. Identify potential exposures.
3. Quantify each exposure.
4. Compare current levels of risk to the target level of risk.
5. Develop and implement an appropriate risk management strategy to manage the differences between the two.
6. Monitor the exposures and evaluate the effectiveness of the strategy.
7. Review and modify the strategy as needed.

Discover the latest trends in risk management with the AFP Risk Survey, supported by Marsh McLennan.

Step 1: Determine the organization’s risk tolerance/appetite.

The initial step in the risk management process is to determine the business’s risk tolerance, which is based on its risk appetite. Risk appetite is defined as the level of risk a business is willing to take on in order to achieve its objectives. Risk tolerance is how much a business is willing to deviate from the level set by its risk appetite.

The degree of risk tolerance varies across organizations. For example, a new company may be more aggressive when it comes to taking risks in order to gain a competitive advantage, whereas an established company might be more risk-averse with an eye toward maintaining its competitive advantage.

Once the organization’s risk tolerance has been established, it should be communicated through an official risk appetite policy or statement, which typically needs to be approved by the board of directors and should include a governance model for risk oversight.

Step 2: Identify potential exposures.

It’s important to identify risk exposures in all areas of the organization. Adherence to three key factors — likelihood, potential impact and velocity — will help you accomplish this.

As with risk tolerance, risk exposure differs from organization to organization according to the type of risk. For example, for some, financial risks such as interest rate variations and fluctuations in commodity prices will be considerable, and for others, it may be operational risk that concerns them. In order to effectively manage risk, timely and accurate information regarding the exposure is critical.

Once the risk exposures are identified, a risk profile can be created. The risk profile provides a quantitative analysis of the types of threats the company faces. The goal is to create an awareness of risk by assigning numerical values to variables that depict categories of threats and their associated hazards. Each risk profile is unique as it’s based on the assets the company wants to protect, the goals it wants to achieve, and its ability and willingness to handle risk. Plus, it can be used to evaluate the effectiveness of the risk reduction measures utilized.

Step 3: Quantify each exposure.

At this point the risk exposures have been identified, and now they need to be measured quantitatively and qualitatively. Once that information is available, senior management will decide if the company can tolerate the risk. If not, it will need to be reduced, transferred or eliminated.

The quantitative assessment is important because it measures the level of exposure and determines the likelihood of loss. The process can also provide more intricate details, such as the estimated timing and velocity of the risk, and the identity of the factors that can cause the risk to materialize. It can also provide you with a benchmark for assessing your risk mitigation strategies.

The qualitative assessment drills down even further into the strategy. When performing the qualitative assessment, you should examine the company’s basic operating procedures to help you figure out where mitigation strategies could be useful. Fundamental business processes should be reviewed to determine how they contribute to risk — and to help identify potential solutions. And finally, derivatives should be addressed. Are they structured and sized appropriately? And are proper accounting procedures and regulations being followed when they’re used as part of a financial risk mitigation strategy?

Step 4: Compare current levels of risk to the target level of risk.

Every organization, by virtue of being in operation, assumes a level of risk. The target risk is the pre-determined level of acceptable exposure. This level may be above or below the level of risk the company is currently assuming.

Inherent risk is the level of risk that exists before any controls are put in place to mitigate the risk. When controls are in place, the level of risk left is known as the residual risk:

Inherent risk – Controls = Residual Risk

When managing risk, your goal is to manage the gap between the residual risk and the target risk.

Step 5: Develop and implement an appropriate risk management strategy to manage the differences between the two.

Now you’re ready to develop your risk management strategy. For each exposure, there are four essential risk management approaches: retain, avoid, mitigate or transfer.

1. Retain. There are always going to be some risk exposures over which you have no control, e.g., weather, geopolitical events, global pandemic. In those cases, you have to have contingency and recovery plans in place. For example, an electrical utility company operating in a hurricane-prone area has to include disaster recovery and contingency planning in its risk management strategy because the risk of loss is non-transferable.
2. Avoid. A certain line of business, vendor or manufacturing process can hold certain risks, in which case a business might simply choose not to utilize them, thus avoiding the risk.
3. Mitigate. To mitigate a risk, you put certain controls in place to limit your risk exposure. This could look like the use of derivatives or balance sheet hedges to create a financial position that offsets the risk from an ongoing business process. Other approaches include supplier diversification, process and facility design, project management, education and compliance management.
4. Transfer. There is also the option of transferring the risk to another party, which is most commonly done through insurance. It can also be done by contractually requiring another party in your supply chain to bear the risk.

Using a mixture of these approaches in your overall risk management strategy is common, as is using a combination when managing a single risk, or you could even enter into a joint venture and share the risk.

Step 6: Monitor the exposures and evaluate the effectiveness of the strategy.

Each material risk exposure needs to be monitored. The most efficient way to achieve this is to assign ownership (the responsibility of monitoring it) to a department or individual.

The frequency at which it is monitored depends on four factors: likelihood, materiality, velocity and appetite for risk. Frequency can be increased or decreased, for example, if the underlying asset’s volatility increases or decreases — the same applies if management’s risk tolerance changes.

Step 7: Review and modify the strategy as needed.

Time changes everything — even the risks a business faces, or its tolerance for risk. For a risk management strategy to be effective, it needs to be able to adapt to these changes.

With the company’s overall risk tolerance level in mind, the risk strategy should be reviewed periodically to determine if any changes are needed. For example, if the company decides to transfer risk through the use of insurance, you will need to review its insurance coverage to ensure the coverage matches the current level of risk.

Why is risk management important?

Risk management is important because it helps organizations preemptively mitigate risks that threaten the achievement of the organization’s objectives. Without risk management, organizations could potentially face significant losses. Risk management is a key concern to treasury because virtually all treasury decisions.