Risk management is a step-by-step process for controlling health and safety risks caused by hazards in the workplace. You can do it yourself or appoint a competent person to help you.
Identify hazards
Look around your workplace and think about what may cause harm (these are called hazards). Think about:
Look back at your accident and ill health records as these can help you identify less obvious hazards. Take account of non-routine operations, such as maintenance, cleaning or changes in production cycles. Think about hazards to health, such as manual handling, use of chemicals and causes of work-related stress.
Vulnerable workers
For each hazard, think about how employees, contractors, visitors or members of the public might be harmed. Some workers have particular requirements, for example young workers, migrant workers, new or expectant mothers and people with disabilities.
Talk to workers
Involve your employees as they will usually have good ideas.
Assess the risks
Once you have identified the hazards, decide how likely it is that someone could be harmed and how serious it could be. This is assessing the level of risk. Decide:
Control the risks
Look at what you're already doing, and the controls you already have in place. Ask yourself:
If you need further controls, consider:
- redesigning the job
- replacing the materials, machinery or process
- organising your work to reduce exposure to the materials, machinery or process
- identifying and implementing practical measures needed to work safely
- providing personal protective equipment and making sure workers wear it
Put the controls you have identified in place. You're not expected to eliminate all risks but you need to do everything 'reasonably practicable' to protect people from harm. This means balancing the level of risk against the measures needed to control the real risk in terms of money, time or trouble.
You can find more detailed guidance on controls relevant to your business.
Record your findings
If you employ 5 or more people, you must record your significant findings, including:
- the hazards (things that may cause harm)
- who might be harmed and how
- what you are doing to control the risks
To help you, we have a risk assessment template and examples. Do not rely purely on paperwork as your main priority should be to control the risks in practice.
Review the controls
You must review the controls you have put in place to make sure they are working. You should also review them if:
- they may no longer be effective
- there are changes in the workplace that could lead to new risks, such as changes to:
  - staff
  - a process
  - the substances or equipment used
Also consider a review if your workers have spotted any problems or there have been any accidents or near misses.
Update your risk assessment record with any changes you make.
FEMA reports that 40 to 60% of small businesses never reopen their doors after a natural disaster. AppRiver’s Cyberthreat Index of Business Survey reports that 48% of small to midsize businesses say a major data breach would likely shut down their business permanently.
Scary stuff.
But if you’re prepared, you’re not doomed. A strong risk management plan can help your business mitigate and plan for such risks and keep you on the other end of those statistics.
And you don’t need to be stressed about creating this plan. The risk management process doesn’t necessarily need to be conducted by a risk manager or an expensive risk management consultant. You can create an informed and strong plan by following the steps we’ll outline below.
In this article, we’ll go over the five steps of the risk management process and explain the purpose of each, offer questions to ask yourself to get started, and share tips. This is a high-level overview, intended to help you create a simple risk management plan for your small business.
Note: Risk management can get extremely complex with exercises such as advanced impact calculations and in-depth root-cause analysis. If you have a larger business, are in a high-risk industry such as finance, or are a publicly held company, you may need an enterprise risk management software solution to manage a mature risk management strategy.
What is risk management?
Before we dive into the process, let’s take a step back and define risk management: Risk management is the act of identifying, evaluating, planning for, and then ultimately responding to threats to your business. The goal is to be prepared for what may happen and have a plan in place to react appropriately.
If you’re new to risk management practices or feel like you need a refresher, we recommend checking out “Why Risk Management Is Important and How Software Can Help.” In it, we explain exactly what a risk management plan is and take you through an example of a business owner developing a risk register and plan.
The five steps of the risk management process are identification, assessment, mitigation, monitoring, and reporting risks. By following the steps outlined below, you will be able to create a basic risk management plan for your business.
Here are the five steps of a risk management process:
Step 1: Risk identification
To start this process, list out any and all events that would have a negative impact on your business. Expect to add risks to your list over days, maybe even a couple weeks, and know that you won’t think of all possible risks.
Be sure to ask leaders in other departments to identify risks, too. You want your plan to be as holistic and comprehensive as possible.
Here are some questions to ask yourself to help identify risks:
- Are there any new or recently updated legal and/or compliance laws we need to prepare to manage?
- Does this risk have an impact on other parts of the business? (If yes, be sure to include the risks to that department.)
- What events have caught us off guard in the past?
Tip: Give yourself a timebox for identifying risks, otherwise you’ll get stuck in analysis paralysis and never move on to the next steps. Keep in mind that this entire process is an ongoing one, so you’ll continue to add risks over time.
Step 2: Risk assessment
Now that you have a list of potential or existing threats and risks, it’s time to assess the likelihood of the event happening and the level of impact. Doing this risk analysis helps determine the priority levels of each risk so you don’t over- or under-allocate resources for mitigation in the next step.
Your assessment can be performed using a matrix like the one below. For each identified risk, determine both the likelihood of it happening and the level of negative impact it would have on your business. Write each risk in the corresponding box. This exercise is also best done in collaboration with leaders of each department.
Tip: Your first matrix should be a working document—use a format that makes it easy to move risks around. A virtual whiteboard or a shared document works well. Risk events may need to move around the matrix as you learn more about their impact or likelihood based on feedback from other department leads.
Step 3: Risk mitigation
Risk mitigation is where you will create and begin to implement the plan for the best way to reduce the likelihood and/or impact of each risk. You may not be able to come up with a mitigation plan for each and every risk, but it’s important to try to identify what changes in your current processes can be adjusted to reduce risk.
Start with the risks you placed in the red boxes of your assessment matrix. Create a mitigation plan document where you name an owner for each risk, and describe the steps to be taken if/when the risk event happens. You’ll do this for each risk.
Here are some questions to consider as you craft the mitigation plan:
- How can we implement mitigation measures into our business systems and processes?
- Is the plan clearly stated so that anyone in the business could understand what action needs to be taken for each risk event?
- Is this action plan an appropriate level of response for this risk?
As this step is rather complex, let’s use a medical office as an example for risk mitigation efforts:
| Risk | Mitigation plan |
| --- | --- |
| Sick patients could infect healthy patients while in the waiting room together. | Have a separate waiting room for sick patients. |
| Staff could mix up patients who have the same name. | Establish a rule that all staff always confirm the full name and date of birth of each patient every time they interact. |
| A patient could have a severe medical episode, such as a heart attack or stroke, when in the office. | Partner with a nearby hospital to have a process for emergency transfers. |
Design your risk mitigation plans to be a natural part of business operations, wherever possible. To do this, collaborate with the other leaders in your business to coordinate mitigation efforts as seamlessly as possible into daily operations and strategic planning meetings.
Tip: It’s easy to over-prioritize mitigation plans to the detriment of current business operations. You’re not going to be able to implement every plan right away. Try to balance how you implement mitigation plans with ensuring that the burden of risk management doesn’t impact operations. You also don’t want to force an overhaul of an entire process just to mitigate a risk you placed in the green zone in the matrix. That’d be overkill.
Step 4: Risk monitoring
Now that you have identified, assessed, and made a mitigation plan, you need to monitor for both the effectiveness of your plan and the occurrence of risk events. Monitoring the status of risks, monitoring the effectiveness of mitigation plans implemented, and consulting with key stakeholders are all parts of the risk monitoring step. Risk monitoring should happen throughout the risk management process.
Here are some questions to ask yourself as you monitor risks:
- How do I keep the other department leaders engaged in helping monitor risk?
- How can I empower my team to identify and escalate risk incidents?
- Have there been any changes where a risk previously assessed as a high threat should be moved lower? Or vice versa?
Tip: Don’t adopt a “wait and see” approach when it comes to risk monitoring—you may not know exactly when a risk event has occurred. Events such as cyberattacks and regulation changes can sometimes come to light months, even years, later, despite the security controls and risk control plan in place. Make sure that your risk management plan includes continuous monitoring so you aren’t caught off guard with a failed audit when continuous monitoring could’ve helped you take action earlier.
Step 5: Risk reporting
You need to document, analyze, and share the progress of your risk management plan. Reporting on risks serves two key purposes: It helps you analyze and evaluate your risk management plan and helps keep stakeholders engaged in mitigating risks by sharing the progress made.
When you first start out, reporting can be done by manually entering the status of each risk into your mitigation plan on a regular basis. Then email the report, or at least the highlights, to the other department leads.
Risk reporting is where risk management software really shines as it can gather all the data points and create an easy-to-read dashboard. If reporting on risk is an important facet of managing your risk, we strongly recommend considering investing in software.
Here’s a look at what risk reporting looks like in the enterprise risk management (ERM) system, Essential ERM.
Here are some questions to help you when reporting on risks:
- Are these the right metrics to understand the progress of the plan?
- What’s the best way to distribute risk reports so that stakeholders are informed but not overwhelmed with the data?
- How often should I share reports? Quarterly? Annually?
Tip: To garner support for and foster a risk management-focused culture, try to build a narrative for how the company is managing risks. Think about how to blend risk reporting with other functions of the business to tell one cohesive story. Throwing a bunch of stats and colored boxes at stakeholders can be overwhelming and intimidating. But everyone loves a story, especially one that they’re a part of.
Reduce the risk of picking an ill-suited system
Now that you know the five steps of the risk management process (identify, assess, mitigate, monitor, and report risks) you should feel confident in building out a risk management plan for your business.
If you’re ready to take your risk management plan and reporting to the next level, it’s time to check out risk management software.
We’ve got several free resources to help you along your software purchasing journey:
- Read real-life user reviews on popular risk management software tools.
- Learn more about buying a risk management solution in our Buyers Guide.
- Start a live chat or give us a call at (844) 687-6771 to talk with a software advisor.
- Read what our advisors have to say about the sizes and types of businesses buying risk management software.
Note: The applications selected in this article are examples to show a feature in context and are not intended as endorsements or recommendations. They have been obtained from sources believed to be reliable at the time of publication.