

Risk management: The framework

· 18 minute read

Navigate the vital role of risk management in a dynamic business landscape, covering types, steps, and elements for effective resilience.


How likely did a worldwide pandemic seem back in 2019? Very few businesses planned for it. However, the changes it has brought have shaken up the ways numerous enterprises operate. Those disruptions also have exposed companies to new forms of risk, including digitally driven fraud, labor shortages, and rising materials costs. With the growing number and scale of challenges that they’re facing, businesses in nearly every sector are seeing the critical necessity of developing a risk management framework.

To get a handle on the concept of risk management, start with the term “risk” itself. Very simply, it refers to the potential impact of an event or decision. The resulting risk event can occur due to an external challenge (such as a pandemic or a natural disaster) or an internal choice. As any business leader knows, a risk isn’t always a potential threat. Taking certain types of risks can be crucial to growth and sustaining profitability. These “enterprise risks” can include new products and markets, investment strategies, new technologies, and acquisitions, among others. They’re risks because they might not succeed. But given the potential payoff, these risks are pursued very consciously and carefully (or at least they should be).

However, risks are more likely to have negative impacts. And if an enterprise doesn’t plan for those impacts, a risk event can disrupt its workflows, cost millions of dollars, and perhaps even cause it to shut down.

This is why risk management is an essential discipline for nearly every kind of business. Risk management establishes the specific ways an enterprise will handle any possible risk–including risks that might seem unlikely. A risk management plan can’t eliminate all risks. Nonetheless, crafting a clear, detailed framework that identifies and monitors risks can help a business determine the best action plan for each type of risk. It also can help the enterprise strike a cost-benefit balance between risk reduction and the allocation of corporate resources. In addition, risk management can play a crucial role in broader decision-making about the company’s business objectives.

What is risk management?

Risk management is the process of identifying, assessing, and controlling potential risks or uncertainties that could negatively impact an organization’s objectives. It helps businesses anticipate potential obstacles and reduce their impact, thus facilitating smoother operations, financial stability, and strategic decision-making. In other words, risk management provides a response plan roadmap for navigating potential risks in a proactive rather than reactive manner.

Risks are typically categorized as either operational risks or enterprise risks. Operational risks, which are risks associated with the execution of an organization’s operations, can originate from a variety of sources, including human error, third parties, cybersecurity threats such as data breaches or ransomware attacks, external events such as natural disasters, and government regulations. These risks can hurt a business in numerous ways. The pandemic, for instance, made it difficult for many companies to obtain the necessary components (such as semiconductors) to manufacture their products. The pandemic also brought unforeseen financial risks to many businesses, including labor shortages and rising materials costs.

Risk management professionals also identify technical risks, which are associated with changes in technology and equipment. Technological advances can present new opportunities and potentially disruptive threats. The most obvious example here is artificial intelligence. AI has the potential to positively and significantly alter numerous business practices, including data gathering, marketing, customer service, and, yes, risk management. Banks, for instance, are using AI-based tools to spot unauthorized transactions and verify customer identities.

Types of risks

The specifics of risk management vary from business to business and from industry to industry. However, there are some types of risks common to numerous organizations.

Enterprise risk. These risks are typically “positive,” in the sense that they can pay off handsomely for companies. New products and markets can bring new revenue streams and profit centers. That said, the payoff isn’t guaranteed. There are many project risks to consider. Sales might be slow to develop; components for the new product might be tangled up in snarled supply chains; existing competitors might be too dominant.

Fraud risk. Always a significant risk, fraud has become even more dangerous as fraudsters make use of sophisticated digital techniques to outwit IT gatekeepers. Fraudulent activity by customers, vendors, other third parties, and hackers represents a major risk in itself. It also interconnects with other types of negative risks, including cybersecurity, credit, and (often) reputational risks.

Compliance risk. Every business has some kind of compliance issue, even if it’s simply making certain that it meets state and federal tax requirements. Many others have to meet the regulatory obligations that pertain to their particular industry. Publicly held corporations have to file detailed, accurate FCC reports in a timely manner. Failure to keep track of these processes and procedures could result in significant financial penalties. For a public company, compliance missteps also can damage the company’s reputation in the equities markets.

High-risk industries

These categories of risk can overlap in certain specific instances, as the discussion on fraud risk notes. So how might these risks impact a business if they become risk events? Some examples from specific industries:

Financial services industry. The risks that banks and other financial services organizations face include those related to fraud and compliance. These institutions have numerous rules, both national and international, that they need to follow to protect customer data and prevent money laundering, among other safeguards. Credit and reputational risk also can come into play. Another risk that has become a significant challenge for smaller banks in particular: rising interest rates. Climbing rates have cut into banks’ bottom lines as the cost of debt increases and savers leave brick-and-mortar banks to get higher returns on savings and CDs at online institutions with much lower overhead.

Healthcare industry. The healthcare sector has risk factors such as compliance and cybersecurity risks that involve the protection of patient data. Credit also is a risk given the challenges that healthcare systems often face in getting paid for their services by patients and insurers.

Manufacturing and construction industry. During the pandemic period, both of these industries struggled with operational risks—in particular, shortages of components and materials including semiconductors, lumber, and steel. Other operational risks that these industries are having to manage include a shortage of qualified skilled labor and changes in technology. An example of the latter is the Industrial Internet of Things (IIoT), a networked system of sensors and instruments that could create significant changes in how manufacturing facilities are run—and provide open doors for cybercriminals.

Steps to the risk management process

The risk management approach involves establishing specific ways an organization will handle potential risks, striking a balance between risk reduction and resource allocation. Establishing an effective risk management framework typically will involve the following lifecycle steps:

Identifying the risks

Risk identification focuses on spotting potential risks before they can cause disruption, and on identifying disruptive events that could lead to beneficial results. It also helps organizations uncover events that might seem unlikely but which could suddenly and disastrously take place.

Assessing the risks

Risk assessment categorizes each potential risk and its possible impacts.

This step can help organizations understand the nature and extent of any risks they might face and guide decision-making about risk management, including the risks that organizations are willing and able to tolerate. A key part of risk assessment is risk analysis, which takes a deep dive into each risk in order to measure those impacts.

An effective risk mitigation strategy involves anticipating potential obstacles and reducing their impact, facilitating smoother operations and financial stability. One of the most useful tools in this step is a risk assessment matrix, which can be developed to visualize potential risk impacts. A risk assessment matrix measures the likelihood of a risk from low to high on one axis and the risk’s potential severity from low to high on the other axis. It often is color-coded, with potentially high-impact risks marked in red, moderate in yellow, and low-impact risks in green.

Prioritizing the risks

Prioritization is crucial in risk management, helping businesses focus resources on managing high-priority risks that could have a more significant impact. A risk assessment matrix thus can help an enterprise prioritize the risks it must manage, putting those with higher “scores” at the top of the list for risk prevention or reduction efforts. The business can then devote more resources to managing these risks and fewer to less pressing ones. Distinguishing high-priority and low-priority risks is crucial for any business but especially for companies whose resources of time, money, and personnel are constrained.

In devising an action plan for lower-priority risk, the business will want to determine its risk tolerance. Risk tolerance is the amount of risk an organization is willing to bear within a specific project, activity, or timeframe. Specifying risk tolerance helps determine the acceptable range of risk exposure for specific initiatives and align risk management efforts with its resources. In some cases, the company may decide that potential losses or risk events wouldn’t significantly hinder its operations. On the other hand, low-risk tolerance will require additional funding to protect the organization from any disruptive events.
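The assessment matrix, prioritization and tolerance steps above are easy to get wrong when they live only in a spreadsheet, so here is an added example (not part of the original article) that encodes them as a small risk register in Python. It also serves the later section on risk documents, where the article describes the register as a table of risks, action plans and owners. The three-level scales, the score bands (red for a score of 6 or more, yellow for 3 to 5, green below 3) and the sample risks are all constructed for illustration, as is the rule that a risk is treated when its score exceeds the stated tolerance and otherwise accepted with a contingency plan.

```python
from dataclasses import dataclass
from typing import List

# Ordinal scale shared by both axes of the matrix (constructed for this example).
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Colour bands over the product likelihood x severity, which on a 3x3 grid
# takes the values 1, 2, 3, 4, 6 and 9. Checked from the highest floor down.
BANDS = ((6, "red"), (3, "yellow"), (1, "green"))


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: the risk, its two ratings, owner and plan."""
    name: str
    likelihood: str
    severity: str
    owner: str
    action_plan: str


def rating(level: str) -> int:
    """Map a textual rating to its ordinal value; reject anything off the scale."""
    try:
        return LEVELS[level.lower()]
    except KeyError:
        raise ValueError(f"rating must be one of {sorted(LEVELS)}, got {level!r}") from None


def score(risk: Risk) -> int:
    """Matrix cell value: likelihood times severity."""
    return rating(risk.likelihood) * rating(risk.severity)


def band(s: int) -> str:
    """Colour-code a score the way the matrix in the text is coloured."""
    for floor, colour in BANDS:
        if s >= floor:
            return colour
    raise ValueError(f"score {s} is outside the matrix range")


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(register, key=lambda r: (-score(r), r.name))


def treatment(risk: Risk, tolerance: int) -> str:
    """Treat risks above the organisation's tolerance; accept the rest with a contingency plan."""
    return "treat" if score(risk) > tolerance else "accept"


def sample_register() -> List[Risk]:
    """Constructed sample risks; the ratings are illustrative, not real assessments."""
    return [
        Risk("Phishing of finance staff", "high", "high", "IT security", "awareness training, MFA"),
        Risk("Ransomware on file servers", "medium", "high", "IT security", "offline backups, patching"),
        Risk("Semiconductor supply shortage", "medium", "medium", "Procurement", "second-source suppliers"),
        Risk("Sanctioned vendor onboarded", "low", "high", "Compliance", "screening before contract"),
        Risk("Office flooding", "low", "low", "Facilities", "insurance, contingency site"),
    ]


def render(register: List[Risk], tolerance: int) -> List[str]:
    """Produce the register as text rows, in priority order, for the report."""
    rows = [f"{'score':>5} {'band':<6} {'decision':<8} {'owner':<12} risk / action plan"]
    for r in prioritize(register):
        s = score(r)
        rows.append(
            f"{s:>5} {band(s):<6} {treatment(r, tolerance):<8} {r.owner:<12} {r.name} / {r.action_plan}"
        )
    return rows


if __name__ == "__main__":
    for line in render(sample_register(), tolerance=3):
        print(line)
```

Changing `tolerance` is the one knob that moves risks between the treat and accept columns, which is exactly the decision the text describes: a low tolerance pushes more of the register into active treatment and therefore into the budget.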

Treating the risks

In treating risks, a business will follow its risk assessment process and focus on the highest-priority threats. In general, the business objective is to eliminate or at least avoid such risks. Beefing up cybersecurity policies and protocols is an example of a strategy for avoiding or reducing risk, in this case the risk of fraud or a data breach. So is stopping activities that render the company vulnerable to a potentially negative risk event, for example by training employees to recognize phishing emails before they click on any link that would expose the company network to hackers.

For lower-priority risks, the risk management team and the executive decision-makers may determine that the costs of preventing or mitigating risks outweigh the potential impacts on the company’s bottom line. In such cases, the company should draw up a contingency or crisis management action plan for dealing with the risk should it become a full-blown risk event. For instance, a retailer may find itself facing public backlash regarding a garment design many consider controversial or offensive. An action plan for managing such crises often includes a public acknowledgment that the event has taken place and that the company is actively addressing the issue. Needless to say, the action plan should include the ways that the risk crisis is being resolved.

In some situations, the company may be able to use insurance to mitigate or hedge a risk as a form of risk transfer. In 2022, business-process automation software company Appian won a $2 billion judgment against a rival that it had sued for corporate espionage. Appeals are likely to drag on for years. But Appian took out an insurance policy that protects the company against the risks of a long, costly appeals process. As a result, Appian could be paid $500 million through its insurer even before all appeals are exhausted.

Again, a company can’t prevent all negative risk impacts. In operational risk management, the company will develop strategies for mitigating risks to reduce the impact of a potential risk event. In the case of enterprise risk management (ERM), the business objectives are the opposite: Increase the chances of a risk “occurring” because of the benefits it could provide.

Monitoring the risks

This is the process of keeping tabs on potential risks. Risk controls are essential in avoiding or reducing risks; for example, beefing up cybersecurity protocols is a strategy for controlling the risk of fraud or data breaches. Monitoring risks also involves determining whether tactics for preventing or mitigating risk are working the way they are intended. A risk monitoring plan needs to be continually reviewed since the sources of risk are ever-changing. That’s certainly true in the realms of technology and regulation. But talent pools and processes also change and evolve.

Organizations need to be prepared for disruptions to their business models and their hiring practices as well as for data breaches and natural disasters. Implementing recognized compliance standards from the International Organization for Standardization (ISO) can also contribute to establishing effective risk management practices within an organization.

Many organizations also need to monitor media coverage. This is necessary not only to manage crises and anticipate risk events but also to prevent fraud. For instance, a financial institution will want to avoid doing business with customers or vendors that have been sanctioned by regulators or law enforcement. Advance media screening can help identify these bad actors and thus protect the institution from massive fines and reputational damage.

Reporting on the risks

Communication is an essential part of any risk management plan. A risk communications policy should include regular reporting to senior management on how the identified risks are being managed along with any updates, which can include the assessment of newly identified risks. These reports represent one of the components of a risk management plan.




Key elements to a risk management plan

Best risk management practices for managing risk include policies, processes, and procedures designed to reduce or eliminate potentially damaging risks. A risk management action plan details potential risks to an organization and the steps employees should take to keep those risks at acceptable levels. In crafting a risk management framework, the business identifies potential risks, evaluates the likelihood and potential impact of those risks, and develops strategies for either avoiding or (if avoidance is unfeasible) mitigating risks. Risk assessment is part of this process, detecting potential hazards and conducting risk analysis throughout the organization.

To further strengthen the risk management framework’s effectiveness, the organization should consider engaging all of its stakeholders to establish and maintain the plan. Stakeholders might include not only employees but also board members, clients, business partners, and vendors, as well as investors and regulators. Getting their input can be particularly useful in identifying and assessing risk since they can reveal possible threats the organization itself hadn’t considered. They also can help establish effective strategies for mitigating risk.

It’s essential to keep a risk management program flexible. The organization should review its list of risks regularly and establish contingency plans for new and unforeseen risks. Once a year is a good rule of thumb, though larger organizations with more risk exposure would benefit from conducting more frequent updates.

Overall Summary

Once the risk management plan is written, it should include for the benefit of all stakeholders a summary of what the plan is addressing. The introductory summary shouldn’t be overly detailed about the potential risks—that’s what the report on the plan is for. But it can touch upon why such a plan is needed and the types of risks the company should prepare for.

The summary section can also include a discussion of the overarching approach or philosophy that the risk management team is using to manage risks. In addition, the team may wish to summarize how it is tracking risks and the approaches it’s using to manage them. It can go into more detail on all this in the risk documents it provides (see below).

Budget and schedule

There’s no way to avoid the fact that risk management requires resources of money and employee time. A risk management framework should acknowledge this by including a budget that includes estimates of those costs. This portion of the plan should also include a schedule of when risk management tasks are due to hit particular milestones.

Team roles and responsibilities

To have as effective a risk management plan as possible, an enterprise should establish a dedicated risk response team that oversees all aspects of risk management. The team members should assign themselves clearly defined roles and tasks, with the appropriate employees addressing particular risks (IT and cybersecurity, to give an obvious example). Team members should meet regularly to share updates on the risk areas they oversee and the progress they’re making on each risk management task, and should collaborate with other teams, such as the legal department, where a risk crosses departmental lines.

The team can maximize the risk management program’s effectiveness by promoting it throughout all departments with potential vulnerability to risk. These typically include sales and marketing, finance, IT, and product development. Departments should collaborate on risk management strategies and share information since many risks involve more than one operational aspect of the business.

Risk documents

To be useful not only to the risk management team but also to company decision-makers (and, where deemed appropriate, other stakeholders), a risk management framework should include the following information, either in hard copy or digitally (preferably both):

  • A risk matrix or similar document that ranks risks from high to low priority.
  • An analysis of the company’s risk tolerance and risk appetite. These terms overlap, but they also can describe two distinct ideas. Risk tolerance, as discussed earlier, describes what risks would be too expensive or unnecessary to prevent or mitigate. Risk appetite refers particularly to opportunity risks—how willing a company might be to pursue a potentially profitable opportunity.
  • A risk log or risk register serves as a kind of database of potential risks. It lists the risks, action plans, and team responsibilities in an organized format (such as a table or similar graphic) that makes it easy for everyone connected to the risk management plan (team members, top leadership, and other stakeholders) to be quickly informed about the risks the organization faces, their potential impacts, and how they’re being addressed. As such, a risk log can serve as a summary of the risk management plan report.

Communicating clearly about risk strategy

The reporting that the risk management team provides needs to be clear about the risks and their potential impacts. Unlike the risk management team itself, top company decision-makers don’t want (or need) too much detail. Often, the team needs these executives to take prompt action on a potential threat–or a threat that is no longer potential but all too real.

That said, it can be difficult to avoid using risk management terminology, especially if being concise is necessary. “Mitigating risk” might be an example. So might “operational risk management” and “enterprise risk management,” which are distinct terms that could confuse many readers. If needed, reports can include a definitions section or a key of specialized terms.

Final Words

As the pandemic demonstrated, the world has become increasingly unpredictable. The effects of an aging population, climate change, emerging technologies, and global criminal activity have given rise to a variety of new risks. A business needs to have a clear picture of all the possible risks it might face. It also must anticipate events that might seem unlikely–but still could disrupt the organization, perhaps fatally.

All this makes a thorough risk management framework more crucial than ever. Enterprises need to weigh current and emerging risks and their potential effect on business objectives and decision-making. Risk analysis will have to be rigorous. Businesses of all kinds will benefit from crafting a risk strategy that incorporates both enterprise risk management (which can reveal new opportunities) and operational risk management (which anticipates potential threats to the company’s operations).

Risk management isn’t a simple, once-and-done activity. However, there are emerging technologies that can help boost a risk strategy’s effectiveness and efficiency. These tools can thus help businesses operate more effectively—whatever the risks.