Risk Management
How risks are identified, assessed, and controlled across the business or project.
20 free credits on signup — no card needed
About this Document
What a risk management plan is
A risk management plan is the standing document that sets out how an organisation will deal with uncertainty — not once, but continuously. It describes the way risks are spotted, sized up, responded to, owned, and watched over time. Where a single risk assessment is a photograph of the dangers facing one project or activity at one moment, a risk management plan is the operating manual for the whole practice: the method everyone follows, the people accountable, the records that are kept, and the rhythm at which the organisation revisits its risks.
The point of the plan is not to eliminate risk — that is impossible, and chasing it usually destroys value. The point is to take risk deliberately rather than accidentally: to know which uncertainties could knock the organisation off course, to decide in advance how much of each is acceptable, and to make sure someone is actually doing something about the ones that matter. A good plan turns a vague unease about what might go wrong into a short, ranked, owned list of things being actively managed.
A strong plan does three things. It makes risk visible, so that what was hidden in people's heads is written down and shared. It makes risk comparable, so a flood of worries can be ranked and the trivial separated from the serious. And it makes risk owned, so that every significant risk has a named person answerable for keeping it under control.
The risk management process
Risk management is best understood as a repeating loop with four working stages, wrapped in clear governance. The loop never really ends; the plan simply describes how often it turns.
1. Identify. Surface the things that could go wrong — and, increasingly, the upside opportunities a mature plan also tracks. Identification draws on many sources: workshops with the people who do the work, lessons from past incidents, checklists for the industry, audits, customer complaints, supplier warnings, and scanning the outside environment for shifts in regulation, technology, or the market. The aim is breadth first: capture candidate risks without yet arguing about how serious they are. Each one is written as a clear cause-and-effect statement so it can be acted on, not a one-word label like "cyber".
2. Assess. Size each risk so the list can be ranked. The standard method scores two dimensions — likelihood (how probable the risk is over the period in view) and impact (how badly it would hurt if it happened) — usually on a simple scale such as 1 to 5. Multiplying or combining the two gives a risk score that places the risk on a grid. This is where a sprawling list collapses into a short set of priorities: a low-likelihood, low-impact risk can be noted and left, while a high-likelihood, high-impact risk demands immediate attention. Assessment is a judgement, not a measurement, so it is done openly and revisited as facts change.
3. Respond. Decide what to do about each significant risk. There are four classic responses:
- Avoid — change the plan so the risk no longer applies, for example by not entering a market, dropping a risky feature, or choosing a safer approach. Avoidance removes the risk but usually also removes whatever reward came with it.
- Reduce (mitigate) — take action to lower the likelihood, the impact, or both: add a control, build in redundancy, train people, test earlier. This is the most common response and the workhorse of the plan.
- Transfer — shift the financial consequence to someone else, typically through insurance, a contract clause, a warranty, or outsourcing to a party better placed to carry it. Transfer moves the cost, not the responsibility — the organisation still owns the relationship and the fallout.
- Accept — consciously decide to live with the risk, because it is small, because reducing it would cost more than it is worth, or because it is the unavoidable price of pursuing the goal. Acceptance is a legitimate choice only when it is deliberate and recorded, ideally with a contingency set aside.
4. Monitor. Keep the responses working and the picture current. Risks change: some grow, some fade, new ones appear, and controls that looked solid quietly decay. Monitoring means tracking the status of each risk and its actions, watching for early-warning indicators, reporting the live picture to the people who need it, and feeding what is learned back into a fresh round of identification. A plan that is written once and filed is not managing risk; it is merely describing it on the day it was written.
The risk register and the risk matrix
Two artefacts carry the working content of the plan.
The risk register is the living list — usually a table — of every risk being managed. A practical register gives each risk an identifier and a clear description, its likelihood and impact scores, the combined risk score, the chosen response and the specific actions under it, a named owner, a target date or review date, and a status. The register is the single source of truth: if a risk is not on it, the organisation is not managing that risk, it is only worrying about it. Keeping the register short and current matters more than making it exhaustive — a register no one updates is worse than none, because it creates false confidence.
The risk matrix (or heat map) is the visual companion to the register. It is a grid with likelihood on one axis and impact on the other, divided into bands — commonly green for low, amber for medium, and red for high. Plotting each risk on the grid by its two scores turns a column of numbers into a picture that anyone can read at a glance: the red zone in the top-right corner is where the attention and money should go. The matrix is also a decision tool — many plans set rules such as "any risk in the red zone must have a named owner and a response within a week" so the colour drives action, not just discussion.
The two work together: the register holds the detail and the trail of action; the matrix communicates the shape of the risk landscape and forces a sense of proportion.
Risk appetite, ownership, and governance
A plan that lists risks but never says how much risk is acceptable leaves every response to argument. The answer is risk appetite — a stated boundary, set by leadership, describing how much risk the organisation is willing to take in pursuit of its goals. Appetite is usually expressed differently for different areas: low or zero tolerance for safety and legal compliance, but a healthy appetite for commercial or innovation risk where reward justifies it. Appetite is the yardstick that decides whether a given risk needs reducing or can be accepted, and it stops risk management collapsing into either reckless gambling or timid paralysis.
Every risk on the register needs a single owner — a named person, not a committee or a department, who is accountable for keeping that risk within appetite and for driving its response. Ownership should sit with whoever has the authority and information to actually act on the risk, which is rarely the risk team itself.
Around the owners sits the governance: the structure that keeps the whole practice honest. Typical elements are a sponsor or executive accountable for risk overall, a risk manager or coordinator who maintains the plan and register and runs the cycle, a regular forum (a risk review meeting or committee) where the top risks are examined, and a reporting line that surfaces the most serious risks to leadership or the board. Governance also sets the cadence — how often the register is reviewed and the matrix refreshed — because the discipline of a fixed rhythm is what keeps the plan alive between crises.
Common mistakes to avoid
- Treating the plan as a one-off document. The single most common failure is writing the register once, at the start, and never opening it again. Risk management is a loop; a plan with no review cadence is paperwork, not management.
- Confusing a risk assessment with a risk management plan. An assessment is a point-in-time snapshot of one activity's risks; the plan is the ongoing framework that governs how all risks are handled over time. Doing the first and calling it the second leaves the organisation unmanaged between assessments.
- Vague risk statements. "Reputation" or "IT" is not a risk; it is a topic. A usable risk names a cause and a consequence — for example, "a supplier outage halts production for more than a day" — so it can be scored and acted on.
- Scoring theatre. Assigning likelihood and impact numbers that no one believes, or that are tuned to land on a comfortable colour, corrupts the whole matrix. Scores are honest judgements, made openly, or they are worthless.
- Responses with no owner or no action. A risk marked "mitigate" with no named person and no concrete steps is not being mitigated. Every significant risk needs an owner and specific, dated actions.
- Accepting risk by default. Risk that is accepted because nobody decided otherwise is not acceptance, it is neglect. Acceptance is only valid when it is deliberate, recorded, and within the stated appetite.
- Ignoring opportunity. A mature plan tracks upside uncertainty too — chances that could go better than expected — not just threats. Managing only the downside leaves value on the table.
- No risk appetite. Without a stated boundary for how much risk is acceptable, every response decision becomes a fresh argument and the plan drifts toward either over-control or complacency.
Required Sections
Risk Overview
Scope boundaries, objectives, and governance framework
Roles & Responsibilities
Who owns risk identification, assessment, and response
Risk Identification
Methods and sources used to surface risks
Risk Assessment
Likelihood and impact scoring methodology
Risk Register
Catalogued risks with owners, ratings, and status
Mitigation Controls
Treatment strategies and controls applied to rated risks
Monitoring & Review
Ongoing tracking, escalation triggers, and review cadence
Optional Sections
Risk Appetite
Tolerance thresholds that guide risk acceptance decisions
Contingency Plans
Pre-approved responses if risks materialise
Incident History
Past risk events and lessons learned
Compliance Mapping
Risks mapped to regulatory or policy obligations
Frequently Asked Questions
What is the difference between a risk management plan and a risk assessment?
How are likelihood and impact used to score a risk?
What are the four ways to respond to a risk?
What is a risk register and what should it contain?
What is a risk matrix or heat map?
What is risk appetite and why does a plan need it?
Ready to create your document?
Use our free template or generate a custom version tailored to your needs.
20 free credits on signup — no card needed
This document is for informational purposes and serves as a general guide.
Last reviewed: June 4, 2026