PropoDoc provides self-help document templates and tools. It is not a law firm and does not provide legal advice. Learn more.
Skip to main content

Risk Management

How risks are identified, assessed, and controlled across the business or project.

Use Free Template
Create your custom version — free to start

20 free credits on signup — no card needed

guide
moderate
low Risk

About this Document

What a risk management plan is

A risk management plan is the standing document that sets out how an organisation will deal with uncertainty — not once, but continuously. It describes the way risks are spotted, sized up, responded to, owned, and watched over time. Where a single risk assessment is a photograph of the dangers facing one project or activity at one moment, a risk management plan is the operating manual for the whole practice: the method everyone follows, the people accountable, the records that are kept, and the rhythm at which the organisation revisits its risks.

The point of the plan is not to eliminate risk — that is impossible, and chasing it usually destroys value. The point is to take risk deliberately rather than accidentally: to know which uncertainties could knock the organisation off course, to decide in advance how much of each is acceptable, and to make sure someone is actually doing something about the ones that matter. A good plan turns a vague unease about what might go wrong into a short, ranked, owned list of things being actively managed.

A strong plan does three things. It makes risk visible, so that what was hidden in people's heads is written down and shared. It makes risk comparable, so a flood of worries can be ranked and the trivial separated from the serious. And it makes risk owned, so that every significant risk has a named person answerable for keeping it under control.

The risk management process

Risk management is best understood as a repeating loop with four working stages, wrapped in clear governance. The loop never really ends; the plan simply describes how often it turns.

1. Identify. Surface the things that could go wrong — and, increasingly, the upside opportunities a mature plan also tracks. Identification draws on many sources: workshops with the people who do the work, lessons from past incidents, checklists for the industry, audits, customer complaints, supplier warnings, and scanning the outside environment for shifts in regulation, technology, or the market. The aim is breadth first: capture candidate risks without yet arguing about how serious they are. Each one is written as a clear cause-and-effect statement so it can be acted on, not a one-word label like "cyber".

2. Assess. Size each risk so the list can be ranked. The standard method scores two dimensions — likelihood (how probable the risk is over the period in view) and impact (how badly it would hurt if it happened) — usually on a simple scale such as 1 to 5. Multiplying or combining the two gives a risk score that places the risk on a grid. This is where a sprawling list collapses into a short set of priorities: a low-likelihood, low-impact risk can be noted and left, while a high-likelihood, high-impact risk demands immediate attention. Assessment is a judgement, not a measurement, so it is done openly and revisited as facts change.

3. Respond. Decide what to do about each significant risk. There are four classic responses:

  • Avoid — change the plan so the risk no longer applies, for example by not entering a market, dropping a risky feature, or choosing a safer approach. Avoidance removes the risk but usually also removes whatever reward came with it.
  • Reduce (mitigate) — take action to lower the likelihood, the impact, or both: add a control, build in redundancy, train people, test earlier. This is the most common response and the workhorse of the plan.
  • Transfer — shift the financial consequence to someone else, typically through insurance, a contract clause, a warranty, or outsourcing to a party better placed to carry it. Transfer moves the cost, not the responsibility — the organisation still owns the relationship and the fallout.
  • Accept — consciously decide to live with the risk, because it is small, because reducing it would cost more than it is worth, or because it is the unavoidable price of pursuing the goal. Acceptance is a legitimate choice only when it is deliberate and recorded, ideally with a contingency set aside.

4. Monitor. Keep the responses working and the picture current. Risks change: some grow, some fade, new ones appear, and controls that looked solid quietly decay. Monitoring means tracking the status of each risk and its actions, watching for early-warning indicators, reporting the live picture to the people who need it, and feeding what is learned back into a fresh round of identification. A plan that is written once and filed is not managing risk; it is merely describing it on the day it was written.

The risk register and the risk matrix

Two artefacts carry the working content of the plan.

The risk register is the living list — usually a table — of every risk being managed. A practical register gives each risk an identifier and a clear description, its likelihood and impact scores, the combined risk score, the chosen response and the specific actions under it, a named owner, a target date or review date, and a status. The register is the single source of truth: if a risk is not on it, the organisation is not managing that risk, it is only worrying about it. Keeping the register short and current matters more than making it exhaustive — a register no one updates is worse than none, because it creates false confidence.

The risk matrix (or heat map) is the visual companion to the register. It is a grid with likelihood on one axis and impact on the other, divided into bands — commonly green for low, amber for medium, and red for high. Plotting each risk on the grid by its two scores turns a column of numbers into a picture that anyone can read at a glance: the red zone in the top-right corner is where the attention and money should go. The matrix is also a decision tool — many plans set rules such as "any risk in the red zone must have a named owner and a response within a week" so the colour drives action, not just discussion.

The two work together: the register holds the detail and the trail of action; the matrix communicates the shape of the risk landscape and forces a sense of proportion.

Risk appetite, ownership, and governance

A plan that lists risks but never says how much risk is acceptable leaves every response to argument. The answer is risk appetite — a stated boundary, set by leadership, describing how much risk the organisation is willing to take in pursuit of its goals. Appetite is usually expressed differently for different areas: low or zero tolerance for safety and legal compliance, but a healthy appetite for commercial or innovation risk where reward justifies it. Appetite is the yardstick that decides whether a given risk needs reducing or can be accepted, and it stops risk management collapsing into either reckless gambling or timid paralysis.

Every risk on the register needs a single owner — a named person, not a committee or a department, who is accountable for keeping that risk within appetite and for driving its response. Ownership should sit with whoever has the authority and information to actually act on the risk, which is rarely the risk team itself.

Around the owners sits the governance: the structure that keeps the whole practice honest. Typical elements are a sponsor or executive accountable for risk overall, a risk manager or coordinator who maintains the plan and register and runs the cycle, a regular forum (a risk review meeting or committee) where the top risks are examined, and a reporting line that surfaces the most serious risks to leadership or the board. Governance also sets the cadence — how often the register is reviewed and the matrix refreshed — because the discipline of a fixed rhythm is what keeps the plan alive between crises.

Common mistakes to avoid

  • Treating the plan as a one-off document. The single most common failure is writing the register once, at the start, and never opening it again. Risk management is a loop; a plan with no review cadence is paperwork, not management.
  • Confusing a risk assessment with a risk management plan. An assessment is a point-in-time snapshot of one activity's risks; the plan is the ongoing framework that governs how all risks are handled over time. Doing the first and calling it the second leaves the organisation unmanaged between assessments.
  • Vague risk statements. "Reputation" or "IT" is not a risk; it is a topic. A usable risk names a cause and a consequence — for example, "a supplier outage halts production for more than a day" — so it can be scored and acted on.
  • Scoring theatre. Assigning likelihood and impact numbers that no one believes, or that are tuned to land on a comfortable colour, corrupts the whole matrix. Scores are honest judgements, made openly, or they are worthless.
  • Responses with no owner or no action. A risk marked "mitigate" with no named person and no concrete steps is not being mitigated. Every significant risk needs an owner and specific, dated actions.
  • Accepting risk by default. Risk that is accepted because nobody decided otherwise is not acceptance, it is neglect. Acceptance is only valid when it is deliberate, recorded, and within the stated appetite.
  • Ignoring opportunity. A mature plan tracks upside uncertainty too — chances that could go better than expected — not just threats. Managing only the downside leaves value on the table.
  • No risk appetite. Without a stated boundary for how much risk is acceptable, every response decision becomes a fresh argument and the plan drifts toward either over-control or complacency.

Required Sections

Risk Overview

Scope boundaries, objectives, and governance framework

Required

Roles & Responsibilities

Who owns risk identification, assessment, and response

Required

Risk Identification

Methods and sources used to surface risks

Required

Risk Assessment

Likelihood and impact scoring methodology

Required

Risk Register

Catalogued risks with owners, ratings, and status

Required

Mitigation Controls

Treatment strategies and controls applied to rated risks

Required

Monitoring & Review

Ongoing tracking, escalation triggers, and review cadence

Required

Optional Sections

Risk Appetite

Tolerance thresholds that guide risk acceptance decisions

Optional

Contingency Plans

Pre-approved responses if risks materialise

Optional

Incident History

Past risk events and lessons learned

Optional

Compliance Mapping

Risks mapped to regulatory or policy obligations

Optional

Frequently Asked Questions

What is the difference between a risk management plan and a risk assessment?
A risk assessment is a point-in-time snapshot: it examines a specific activity, project, or hazard at one moment and records what could go wrong and how serious it is. A risk management plan is the ongoing framework that governs how all risks are handled over time — the method for identifying, assessing, responding to, owning, and monitoring risk on a repeating cycle, plus the appetite and governance around it. The assessment is one input the plan uses; the plan is the standing practice that keeps risk under control between assessments. Doing an assessment and calling it a plan leaves the organisation unmanaged the rest of the year.
How are likelihood and impact used to score a risk?
Each risk is scored on two dimensions: likelihood, meaning how probable it is over the period in view, and impact, meaning how badly it would hurt if it happened. Both are rated on a simple scale, commonly 1 to 5, against definitions agreed in advance so a 3 means the same thing to everyone. Multiplying the two gives a risk score that places the risk on a matrix and lets a long list be ranked. The score is a structured judgement, not a precise measurement, so it is made openly and revisited as circumstances change. Its purpose is proportion: to separate the trivial from the serious so attention and money go where they matter most.
What are the four ways to respond to a risk?
The four classic responses are avoid, reduce, transfer, and accept. Avoid means changing the plan so the risk no longer applies, which usually also gives up the associated reward. Reduce (or mitigate) means taking action to lower the likelihood, the impact, or both — the most common response, through controls, redundancy, training, or earlier testing. Transfer means shifting the financial consequence to someone else, typically via insurance or a contract clause, though the responsibility and fallout stay with you. Accept means consciously deciding to live with the risk because it is small or because reducing it would cost more than it is worth — a valid choice only when it is deliberate and recorded.
What is a risk register and what should it contain?
A risk register is the living list, usually a table, of every risk an organisation is actively managing — its single source of truth. A practical register gives each risk an identifier and a clear cause-and-consequence description, its likelihood and impact scores, the combined risk score, the chosen response and the specific actions under it, a named owner, a target or review date, and a status. The discipline is to keep it short and current rather than exhaustive: a register no one updates is worse than none, because it creates false confidence. If a risk is not on the register, the organisation is not managing it; it is only worrying about it.
What is a risk matrix or heat map?
A risk matrix, often called a heat map, is a grid with likelihood on one axis and impact on the other, divided into colour bands — commonly green for low, amber for medium, and red for high. Plotting each risk by its two scores turns a column of numbers into a picture anyone can read at a glance, with the red top-right corner showing where attention and money should go. The matrix is also a decision tool: many plans attach rules to the colours, such as requiring any red risk to have a named owner and an active response within a set time, so the colour drives action rather than just discussion. It works alongside the register, which holds the underlying detail.
What is risk appetite and why does a plan need it?
Risk appetite is a stated boundary, set by leadership, describing how much risk the organisation is willing to take in pursuit of its goals. It is usually expressed by category — for example low or zero tolerance for safety and legal compliance but a healthy appetite for commercial risk where reward justifies it. Appetite is the yardstick that decides whether a given risk needs reducing or can be accepted. Without it, every response becomes a fresh argument and the plan drifts toward either reckless gambling or timid over-control. A clear appetite turns risk decisions from opinion into policy and keeps acceptance honest, since a risk can only be accepted if it sits within the stated boundary.

Ready to create your document?

Use our free template or generate a custom version tailored to your needs.

Use Free Template
Create your custom version — free to start

20 free credits on signup — no card needed

This document is for informational purposes and serves as a general guide.

Last reviewed: June 4, 2026