
March 30, 2026 • 33 min read
Risk management 101: Process, examples, strategies

Emily Villanueva
Key Takeaway: Risk management is the process of identifying, assessing, and mitigating risks to protect business objectives and support better decisions. In 2026, programs must extend beyond financial and operational risk to cover AI governance and third-party ecosystems. New mandates like DORA and the IIA's 2025 Standards now expect documented, board-visible risk programs.
Effective risk management takes a proactive, preventative stance: identify what could go wrong, determine the appropriate response, and feed those decisions back into strategy. Most programs focus on risk reduction, but the same discipline applies to opportunities — helping the organization decide whether a possibility is worth pursuing.
How risk management has evolved
Risk management has matured to the point where most organizations now run specialized subsets: enterprise risk management, cybersecurity risk management, operational risk management, and supply chain risk management (SCRM). Standards bodies have kept pace. The U.S. National Institute of Standards and Technology (NIST) released CSF 2.0 on February 26, 2024, adding a standalone "Govern" function, and the International Standards Organization (ISO) maintains ISO 31000 as the globally recognized principles-based standard. ISO/IEC 42001 is emerging as the logical next certification step for AI governance.
Traditional vs. holistic risk management. Traditional risk management focused narrowly on insurable, financial, and operational hazards — often siloed by function. Modern enterprise risk management takes a portfolio view, integrating strategic, reputational, compliance, cyber, AI, and third-party risk under board oversight. COSO ERM (2017 update) and ISO 31000 both reflect this shift, and the IIA's Global Internal Audit Standards (effective January 9, 2025) explicitly expect internal audit to assess ERM maturity across the enterprise.
Why risk management matters beyond compliance
Companies that adopt and continuously improve their risk management programs see better decision-making, a higher probability of meeting objectives, and a stronger security posture. The business case sharpened in 2025 and 2026:
- Business resilience. Operational disruption — cyber, third-party, geopolitical — is now a board-level concern.
- Regulatory compliance. EU DORA requirements (applicable January 17, 2025), the U.K. FCA/PRA operational resilience deadline (March 31, 2025), and the SEC cybersecurity disclosure rules raised the documentation bar.
- Financial stability. The FBI's 2025 IC3 report registered ransomware losses at $32.32 million, a 259% year-over-year increase.
- Improved decision-making. A documented risk register and KRIs let leadership weigh trade-offs against tolerance thresholds.
- Competitive advantage. Per PwC's 2026 research, 37% of organizations rank third-party risk and AI governance as top priorities.
What are risks?
Risks are the things that could go wrong with a given initiative, function, process, or project. Potential risks exist everywhere — getting out of bed carries the risk of stubbing your toe, and traveling carries the risk of a delayed flight or an empty fuel tank. We accept those risks because the benefit usually outweighs them.
Companies should think about risk the same way: not as something to avoid blindly, but as a factor to integrate into day-to-day decisions.
- What are the opportunities available to us?
- What could be gained from those opportunities?
- What is the business's risk tolerance or risk appetite — that is, how much risk is the company willing to take on?
- How will this relate to or affect the organization's goals and objectives?
- Are these opportunities aligned with business goals and objectives?
With that frame, conversations about risks progress through "What could go wrong?" and "What if?" Identifying risks starts with management and key stakeholders defining the organization's objectives. With a risk management program in place, those objectives can then be scrutinized for the risks tied to achieving them. Many organizations anchor their analysis around financial risks, but risks affecting operations, reputation, security, and quality often matter just as much.
Risks are hypotheticals — they have not occurred or been "realized" yet. When we discuss the impact of risks, we always mean the potential impact. Once a risk has been realized, it becomes an incident, problem, or issue that the company must address through its contingency plans. That is why most risk management activity focuses on avoidance, mitigation, or prevention.
Risk appetite vs. risk tolerance. These get used interchangeably and shouldn't be. Risk appetite is the broad amount and type of risk an organization is willing to pursue in service of its strategy, set by the board. Risk tolerance is the specific, measurable boundary for an individual risk category, set by management — for example, "zero unencrypted PII in production" or "RTO under four hours for tier-1 systems." COSO ERM and ISO 31000 both require these be documented and cascaded into KRIs.
What different types of risks are there?
The landscape of risks facing modern organizations is broad. Targeted disciplines like ORM and SCRM have emerged to address operations- and supply-chain-specific exposures, and specific risk management strategies have developed to provide action plans tailored to unique problems.
Common types of risks include strategic, compliance, financial, operational, reputational, security, and quality risks.
Strategic risk
Strategic risks have the potential to impact a company's strategic objectives, business plan, or strategy. Adjustments to objectives and strategy ripple to almost every function in the organization. Triggering events include major technology changes (such as switching to a new tech stack), large layoffs or reductions-in-force (RIFs), changes in leadership, competitive pressure, and legal changes.
Compliance risk
Compliance risks materialize from regulatory requirements such as Sarbanes-Oxley for publicly traded U.S. companies or GDPR for companies handling personal information from the EU. Sustainability disclosure is also becoming a compliance requirement across major jurisdictions, with 14 of 17 profiled jurisdictions targeting full ISSB Standards adoption. The consequence of noncompliance is generally a fine from the governing body — alongside reputational damage and remediation cost. These risks are realized when the organization does not maintain compliance with environmental, financial, security, or labor and civil regulations.
Financial risk
Financial risks are fairly self-explanatory — they affect an organization's profits. They draw significant attention because of the direct hit to the bottom line, and they materialize across financial transactions, financial statement preparation, new partnerships, and new deals.
Operational risk
Operational risks disrupt the daily operations involved in running a business — employees unable to do their jobs, products delayed, services interrupted. Operational risks come from internal or external sources: employee conduct, retention, technology failures, natural disasters, supply chain breakdowns, and more.
Reputational risk
Reputational risks look at a company's standing with the public and the media and identify what could damage it. Social media changed the dynamics by giving consumers direct access to brands, and consumers and investors alike now scrutinize companies on environmental, social, and civil rights impact. Reputational risk is realized when a company receives bad press, suffers a successful cyberattack or security breach, or otherwise loses public trust.
Security risk
Security risks cover threats to physical premises and to information systems. Security breaches, data leaks, and cyberattacks threaten the majority of businesses operating today, and the FBI's 2025 IC3 Report — $32.32 million in ransomware losses, up 259% year-over-year — underscores why security risk cannot be deprioritized.
Quality risk
Quality risks attach to the products or services a company provides. Low-quality output costs customers and revenue. Quality risk is realized when product quality drops for any reason — technology changes, outages, employee errors, or supply chain disruptions.
AI risk
AI introduces risk categories that traditional ERM does not cover: model bias, hallucinations, data leakage, IP exposure, and shadow-AI usage. Practitioners should apply the NIST AI Risk Management Framework (Govern, Map, Measure, Manage) and consider ISO/IEC 42001 certification as the next step after ISO 27001. COSO also released 2025 guidance on internal controls for generative AI, emphasizing use-case-specific control design.
The 5 principles of risk management
A complementary lens to the six-step process below is the five principles of risk management, frequently cited alongside ISO 31000:
- Avoid — eliminate the risk where strategies allow.
- Identify — assess the nature of the risk and the stakeholders involved.
- Analyse — examine likelihood and impact.
- Treat — manage the risk through accept, transfer, avoid, or mitigate.
- Monitor — continuously detect changes in scoring, ownership, or environment.
These principles map directly to the operational steps below.
The 5 P's of risk management
The 5 P's are an alternative cultural framework, useful for CROs assessing risk culture maturity rather than as a replacement for ISO 31000 or COSO ERM:
- Perception — how risk is understood across the organization.
- Process — the methodology used to identify, analyze, and treat risk.
- People — roles, accountability, and skills.
- Principles — the values grounding risk decisions.
- Practice — how risk thinking is embedded in daily operations.
Steps in the risk management process
The six risk management steps below give you and your organization a starting point to build or improve your practices. In order, the steps are:
- Risk identification
- Risk analysis or assessment
- Controls implementation
- Resource and budget allocation
- Risk mitigation
- Risk monitoring, reviewing, and reporting
If this is your organization's first time setting up a risk management program, consider commissioning a formal risk assessment from an experienced third party, with the goal of producing a risk register and prioritized recommendations on where to focus first. Annual or more frequent risk assessments are typically required when pursuing compliance and security certifications, making them a worthwhile investment.
Step 1: Risk identification
The first step is risk identification, which takes the organization's overarching goals and objectives as input — ideally through conversations with management and leadership. Identifying risks to company goals involves asking, "What could go wrong?" about the plans and activities aimed at meeting those goals. As the work moves from macro-level risks to function- and process-specific ones, risk teams should collaborate with critical stakeholders and process owners to capture their insight on what could materialize.
As risks are identified, capture them in formal documentation — most organizations use a risk register, a database of risks, risk owners, mitigation plans, and risk scores.

Step 2: Risk analysis or assessment
Analyzing risks involves looking at the likelihood that a risk will be realized and the potential impact if it is. Quantifying these on a three- or five-point scale simplifies prioritization. Multiplying the likelihood score by the impact score produces an overall risk score that can be compared across the register.
Likelihood
Likelihood asks the assessor to consider how probable it is that a risk will actually occur. Lower scores indicate less chance the risk will materialize; higher scores indicate more.
Likelihood, on a 5×5 risk matrix, breaks out into:
- Highly unlikely
- Unlikely
- Possible
- Likely
- Highly likely
Impact
Impact asks the assessor to consider how the business would be affected if the risk occurred. Lower scores signal less impact; higher scores signal more significant impact.
Impact, on a 5×5 risk matrix, breaks out into:
- Negligible impact
- Low impact
- Moderate impact
- High impact
- Catastrophic impact
Risk assessment matrices help visualize the relationship between likelihood and impact, and remain one of the most useful tools in risk professionals' toolkits.
Organizations can use a 5×5 matrix built from the five likelihood and five impact levels listed above, or a 3×3 matrix that breaks likelihood, impact, and aggregate scores into low, moderate, and high categories.
Step 3: Controls assessment and implementation
Once risks have been identified and analyzed, map the controls that address or partially address them. Any risks without associated controls — or with controls that are inadequate to mitigate them — should have new controls designed and implemented.
Step 4: Resource and budget allocation
This step often gets left out of risk management content. In practice, most businesses operate with limited resources and funds to dedicate to risk management and remediation. Developing and implementing new controls takes time and money, and employees face a learning curve when workflows change.
Using the risk register and corresponding risk scores, management can allocate resources and budget to priority areas with cost-effectiveness in mind. Each year, leadership should re-evaluate that allocation as part of the annual risk lifecycle.
Step 5: Risk mitigation
Risk mitigation involves building the action plan for handling open risks and then executing on it. Mitigation requires buy-in from various stakeholders, and because risks differ, action plans differ.
For example, vulnerabilities in information systems pose a risk to data security and could result in a data breach. The action plan might involve automatically installing security patches as soon as the IT infrastructure manager approves them. A separate risk — the possibility of cyberattacks resulting in data exfiltration — might call for cyber insurance because the organization decides security controls alone are not enough. Two related security risks; two very different mitigation strategies.
There are four generally accepted "treatment" strategies for risks:
- Risk acceptance: Risk is within tolerance, and the organization chooses to accept it.
- Risk transfer: The organization transfers the risk, or part of it, to a third-party provider or insurance company.
- Risk avoidance: The organization chooses not to move forward with the risk and avoids incurring it.
- Risk mitigation: The organization establishes an action plan for reducing or limiting the risk to acceptable levels.
If an organization is not mitigating a risk and instead chooses to accept, transfer, or avoid it, capture those details in the risk register — they may need to be revisited in future cycles.
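As an added example, not code from the original article or its author, the following Python module puts the Step 2 scoring and the Step 5 treatment decisions into one small risk register: each entry records likelihood and impact on the five-point scales above, the overall score is likelihood multiplied by impact, a score can be collapsed onto the 3×3 matrix, and the register can be sorted for prioritization and checked for treatment decisions that were never recorded. The band cut-offs (15 and 8), the tolerance score of 10, and the sample entries are constructed assumptions for the illustration; the article fixes none of them.

```python
"""Added example: a minimal risk register with likelihood x impact scoring
and treatment tracking. Constructed for illustration; band cut-offs,
tolerance and sample entries are assumptions, not values from the article."""
from dataclasses import dataclass, field
from typing import Optional

# Five-point scales as listed under Step 2.
LIKELIHOOD = {1: "Highly unlikely", 2: "Unlikely", 3: "Possible",
              4: "Likely", 5: "Highly likely"}
IMPACT = {1: "Negligible", 2: "Low", 3: "Moderate",
          4: "High", 5: "Catastrophic"}
# The four treatment strategies from Step 5.
TREATMENTS = {"accept", "transfer", "avoid", "mitigate"}


@dataclass
class Risk:
    """One row of the risk register."""
    risk_id: str
    description: str
    owner: str
    likelihood: int                    # 1..5
    impact: int                        # 1..5
    treatment: Optional[str] = None    # None = no decision recorded yet
    action_plan: str = ""
    controls: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1..5")
        if self.treatment is not None and self.treatment not in TREATMENTS:
            raise ValueError(f"{self.risk_id}: unknown treatment {self.treatment!r}")

    @property
    def score(self) -> int:
        """Overall risk score = likelihood x impact (1..25 on a 5x5 matrix)."""
        return self.likelihood * self.impact


def band_5x5(score: int) -> str:
    """Map a 1..25 score to a band. The cut-offs (>=15 High, >=8 Moderate)
    are assumptions for this example."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def to_3x3(level: int) -> int:
    """Collapse a 5-point level onto the 3-point low/moderate/high scale."""
    return {1: 1, 2: 1, 3: 2, 4: 3, 5: 3}[level]


def score_3x3(risk: Risk) -> int:
    """Aggregate score on the 3x3 matrix (1..9)."""
    return to_3x3(risk.likelihood) * to_3x3(risk.impact)


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by id so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.risk_id))


def register_gaps(register: list[Risk], tolerance: int) -> list[tuple[str, str]]:
    """Flag rows that need a decision before the next review cycle:
    no treatment recorded; 'accept' chosen above the tolerance score
    (acceptance only applies within tolerance); 'mitigate' chosen with
    neither an action plan nor a control attached."""
    gaps = []
    for r in register:
        if r.treatment is None:
            gaps.append((r.risk_id, "no treatment recorded"))
        elif r.treatment == "accept" and r.score > tolerance:
            gaps.append((r.risk_id, f"accepted above tolerance ({r.score} > {tolerance})"))
        elif r.treatment == "mitigate" and not (r.action_plan or r.controls):
            gaps.append((r.risk_id, "mitigation chosen but no plan or control"))
    return gaps


# Constructed sample register; the entries are illustrative, not real findings.
SAMPLE_REGISTER = [
    Risk("R-01", "Unpatched vulnerabilities in information systems", "IT infra manager",
         4, 4, "mitigate", "Auto-install patches once approved", ["patch management"]),
    Risk("R-02", "Cyberattack leading to data exfiltration", "CISO",
         3, 5, "transfer", "Cyber insurance policy"),
    Risk("R-03", "Short outage at a non-critical vendor", "Procurement", 2, 3, "accept"),
    Risk("R-04", "Stale user accounts after staff departures", "HR / IT", 3, 3),
    Risk("R-05", "Single point of failure in build server", "Engineering", 4, 3, "accept"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.risk_id} score={r.score:2d} band={band_5x5(r.score):8s} "
              f"3x3={score_3x3(r)} treatment={r.treatment}")
    for risk_id, reason in register_gaps(SAMPLE_REGISTER, tolerance=10):
        print("GAP", risk_id, reason)
```

Run as a script it prints the register in priority order and then the two rows that need a decision: R-04 has no treatment recorded, and R-05 was marked "accept" at a score above the assumed tolerance. Sorting by score and checking treatments against tolerance is the same logic a risk committee applies by hand at the quarterly review; keeping it in code makes the check repeatable as the register changes.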
Step 6: Risk monitoring, reviewing, and reporting
The final step is monitoring risks, reviewing the organization's risk posture, and reporting on risk management activities. Risks should be monitored on a regular basis to detect changes to scoring, mitigation plans, or owners. Regular risk assessments help, and a risk committee meeting on a defined cadence — typically quarterly — integrates risk management into scheduled operations and ensures continuous monitoring. These meetings also provide the mechanism for reporting risk matters to senior management, the board, and affected stakeholders.
Governance and continuous improvement are explicit components of every major framework. NIST CSF 2.0's "Govern" function (February 26, 2024) and the IIA's Global Internal Audit Standards (effective January 9, 2025) both reinforce board-level visibility and ongoing program improvement as core expectations. As the organization reviews and monitors risks and mitigation efforts, it should apply any lessons learned and feed past experiences back into future risk management plans.
Reporting cadence. Conduct a full enterprise risk assessment annually at minimum, review the risk register quarterly with the risk committee, and update it continuously as risks materialize. Trigger off-cycle reassessments for material events: M&A, new product or market entry, major technology changes, regulatory changes (DORA, NIST CSF 2.0 adoption), significant incidents, or leadership change.
Examples of risk management strategies
Depending on your company's industry, the types of risks it faces, and its objectives, you may need to employ several risk management strategies to handle the range of possibilities.
Examples include using existing frameworks and best practices, minimum viable product (MVP) development, contingency planning, root cause analysis and lessons learned, built-in buffers, risk-reward analysis, project risk management, and third-party risk assessments.
Use existing frameworks and best practices
Risk management professionals do not need to start from scratch. Several standards bodies and committees have developed frameworks and guidance that teams can adapt for their own organization.
Some of the more widely used risk management frameworks include:
- ISO 31000 family: The International Standards Organization's principles-based guidance, best for organizations seeking commercial certification.
- NIST Risk Management Framework (RMF): NIST's control-oriented guidance, compatible with CSF 2.0 and best for U.S. federal alignment, critical infrastructure, and technical/cyber risk. NIST finalized SP 800-53 Rev 5.2.0 on August 27, 2025.
- COSO Enterprise Risk Management (ERM): The Committee of Sponsoring Organizations' guidance, best for SOX-regulated public companies and integrating risk into strategy and board reporting.
Most mature programs operate a hybrid: COSO for governance and strategy, NIST for cyber controls, and ISO for global commercial assurance.
Minimum viable product (MVP) development
This product development approach delivers core features first, then assesses customer response and adjusts. Taking an MVP path reduces the likelihood of financial and project risks — like excessive spend or schedule slippage — by simplifying scope and shortening development time.
Contingency planning
Developing contingency plans for significant incidents and disaster events is a foundational way to prepare for worst-case scenarios. Plans should account for both response and recovery. Contingency plans specific to physical sites and critical business services help organizations meet operational resilience requirements and mitigate the risk of employee injury and operational outages.
Root cause analysis and lessons learned
Sometimes experience is the best teacher. When an incident occurs or a risk is realized, risk management processes should include a root cause analysis that surfaces what to do better next time. Feeding these lessons learned back into the program improves response to similar risks or incidents in the future.
Built-in buffers
For discrete projects, building buffers into time, resources, and funds is a viable mitigation strategy. Projects derail easily — going out of scope, over budget, or past the timeline — and whether a team can navigate project risks often determines project success. Buffers let project teams set expectations appropriately and absorb the impact when project risks materialize.
Risk-reward analysis
In a risk-reward analysis, companies and project teams weigh the possibility of something going wrong against the potential benefits. The analysis draws on historical data, research about the opportunity, and lessons learned. Sometimes the risk outweighs the reward; sometimes the reward outweighs the risk; sometimes it is unclear. A simple risk-reward analysis still keeps organizations from bad investments and bad deals.
Project risk management
Project risk management applies the same identify-analyze-mitigate-monitor cycle to events that could negatively impact a project. Common project risks include scope creep, resource constraints, dependency failures, and stakeholder misalignment. PMOs typically maintain a project-level risk register that feeds up to the enterprise risk register when issues cross a materiality threshold.
Third-party risk assessments
Another strategy is to conduct periodic third-party risk assessments — contracting with an experienced provider to perform one or more assessments. Third-party risk assessments are particularly helpful for a new risk management team or for a mature team that wants a new perspective on its program.
These engagements typically result in a report of risks, findings, and recommendations. A provider may also help draft or input into the risk register. As external resources, third-party risk assessors bring outside experience and a fresh perspective, often surfacing issues that the internal team would not have caught.
Regulatory pressure is also reshaping this area. Under DORA (applicable January 17, 2025), EU financial entities must maintain an ICT third-party register, conduct concentration-risk analysis, and meet specific contractual requirements with critical providers. The IIA's 2025 Third-Party Topical Requirement establishes mandatory audit coverage of TPRM, and the EBA's February 11, 2025 ICT guidelines reinforce continuous monitoring expectations.
Components of an effective risk management plan
An effective risk management plan has buy-in from leadership and key stakeholders, applies the risk management steps, has solid documentation, and is actionable. Management buy-in is often what determines whether a risk management function is effective, because risk management requires resources to conduct assessments, identification, mitigation, and reporting. Without that buy-in, risk teams end up going through the motions without the authority to drive change. Risk plans need to be integrated into organizational strategy, and stakeholder buy-in is what makes that happen.
Applying the risk management methodology is another key component. That means embedding the six steps above into the company's risk management lifecycle. Identifying and analyzing risks, establishing controls, allocating resources, conducting mitigation, and monitoring and reporting form the foundation.
Good documentation is the next cornerstone. Without a risk register recording all identified risks and their scores and mitigation strategies, there is little for a risk team to act on. Maintaining and updating the risk register should be a priority — risk management software can help by providing a dashboard and a shared collaboration layer.
An effective plan also needs to be actionable. Any activities required to mitigate risks or establish controls should be feasible given the organization's resources. A team can produce the best-practice plan on paper and still find it unactionable because the capabilities, technology, funds, or staffing are not there. Recommending 24/7 continuous monitoring through a Security Operations Center (SOC) is fine on paper, but if the company has one IT person on staff, it is not a feasible action plan.
Reporting to the board. Effective board reporting uses a risk dashboard tied to strategic objectives, not an exhaustive risk register dump. Include the top 10–15 enterprise risks with trend arrows, KRIs against tolerance thresholds, status of mitigation actions, emerging risks (AI, geopolitical, third-party), and incident or loss data. The IIA's 2025 Standards explicitly require communication of risk and assurance findings to the board, and NIST CSF 2.0's Govern function reinforces board-level visibility as a control expectation.
Executing on an effective risk management plan requires the right people, processes, and technology. Some of the obstacles to a good program are mundane — communication gaps, poor version control, multiple risk registers floating around. Unified risk management software can give your organization a single view of risks, a repository for documentation like the risk register, and a space to collaborate on mitigation efforts and assessments.
Frequently asked questions
What is risk management?
Risk management is the process of identifying, assessing, and mitigating risks to minimize their impact on business objectives and improve decision-making. A mature program covers strategic, compliance, financial, operational, reputational, security, quality, and now AI and third-party risk under a single governance structure overseen by the board.
What are the 5 principles of risk management?
The five principles are avoid, identify, analyse, treat, and monitor. Avoid risk where strategies allow elimination. Identify the nature of the risk and the stakeholders involved. Analyse likelihood and impact. Treat through accept, transfer, avoid, or mitigate. Monitor continuously to detect changes. These principles map directly to the operational six-step process and align with ISO 31000.
What are the 7 key components of a risk management framework?
A risk management framework has seven components: (1) risk identification, (2) assessment and analysis, (3) mitigation, (4) monitoring and reviewing, (5) communication and reporting, (6) governance, and (7) continuous improvement. Governance — including board oversight and risk committees — was elevated to a standalone function in NIST CSF 2.0 (February 26, 2024), and the IIA's Global Internal Audit Standards (effective January 9, 2025) reinforce communication and continuous improvement as core expectations.
What are the 5 P's of risk management?
The 5 P's are Perception, Process, People, Principles, and Practice — a complementary framework that emphasizes the cultural and human side of risk management. It is useful for CROs assessing risk culture maturity, not as a replacement for ISO 31000 or COSO ERM.
Why is risk management important beyond compliance?
Risk management enables organizations to navigate uncertainty, maintain regulatory compliance, protect financial stability, improve decision-making, and build business resilience. With ransomware losses up 259% year-over-year per the FBI's 2025 IC3 report and 37% of organizations naming third-party risk and AI governance as top 2026 concerns (PwC Global Digital Trust Insights), risk programs are now a competitive differentiator rather than a cost center.
How is AI changing risk management?
AI introduces risk categories that traditional ERM does not cover: model bias, hallucinations, data leakage, IP exposure, and shadow-AI usage. Practitioners should apply the NIST AI Risk Management Framework (AI RMF) Playbook (Govern, Map, Measure, Manage) and treat ISO/IEC 42001 as the logical next certification step after ISO 27001. COSO's 2025 generative AI guidance emphasizes use-case-specific control design.
How do ISO 31000, NIST RMF, and COSO ERM compare?
ISO 31000 is principles-based and globally recognized, best for commercial certification. NIST RMF/CSF 2.0 is prescriptive and control-oriented, best for U.S. federal alignment and technical/cyber risk; NIST SP 800-53 Rev 5.2.0 was finalized August 27, 2025. COSO ERM integrates risk into strategy and performance, best for SOX-regulated public companies. Most mature programs run a hybrid across all three.
About the authors

Emily Villanueva, MBA, is a Senior Manager of Product Solutions at Optro. Emily joined Optro from Grant Thornton, where she provided consulting services specializing in SOX compliance, internal audit, and risk management. She also spent 5 years in the insurance industry specializing in SOX/ICFR, internal audits, and operational compliance. Connect with Emily on LinkedIn.