How to Make a Risk Management Plan (Template Included)


You identify them, record them, monitor them and plan for them: risks are an inherent part of every project. Some project risks are bound to become problem areas—like executing a project over the holidays and having to plan the project timeline around them. But there are many risks within any given project that, without risk assessment and risk mitigation strategies, can come as unwelcome surprises to you and your project management team.

That’s where a risk management plan comes in—to help mitigate risks before they become problems. But first, what is project risk management?

What Is Risk Management?

Risk management is an arm of project management that deals with managing potential project risks. Managing your risks is arguably one of the most important aspects of project management.

The risk management process has these main steps:

  • Risk Identification: The first step to manage project risks is to identify them. You’ll need to use data sources such as information from past projects or subject matter experts’ opinions to estimate all the potential risks that can impact your project.
  • Risk Assessment: Once you have identified your project risks, you’ll need to prioritize them by looking at their likelihood and level of impact.
  • Risk Mitigation: Now it’s time to create a contingency plan with risk mitigation actions to manage your project risks. You also need to define which team members will be risk owners, responsible for monitoring and controlling risks.
  • Risk Monitoring: Risks must be monitored throughout the project life cycle so that they can be controlled.

If one risk that’s passed your threshold has its conditions met, it can put your entire project plan in jeopardy. There isn’t usually just one risk per project, either; there are many risk categories that require assessment and discussion with your stakeholders.

That’s why risk management needs to be both a proactive and reactive process that is constant throughout the project life cycle. Now let’s define what a risk management plan is.

What Is a Risk Management Plan?

A risk management plan defines how your project’s risk management process will be executed. That includes the budget, tools and approaches that will be used to perform risk identification, assessment, mitigation and monitoring activities.

A risk management plan usually includes:

  • Methodology: Define the tools and approaches that will be used to perform risk management activities such as risk assessment, risk analysis and risk mitigation strategies.
  • Risk Register: A risk register is a chart where you can document all the risk identification information of your project.
  • Risk Breakdown Structure: It’s a chart that allows you to identify risk categories and the hierarchical structure of project risks.
  • Risk Assessment Matrix: A risk assessment matrix allows you to analyze the likelihood and the impact of project risks so you can prioritize them.
  • Risk Response Plan: A risk response plan is a project management document that explains the risk mitigation strategies that will be employed to manage your project risks.
  • Roles and responsibilities: The risk management team members have responsibilities as risk owners. They need to monitor project risks and supervise their risk response actions.
  • Budget: Have a section where you identify the funds required to perform your risk management activities.
  • Timing: Include a section to define the schedule for the risk management activities.

How to Make a Risk Management Plan

For every web design and development project, construction project or product design, there will be risks. That’s truly just the nature of project management. But that’s also why it’s always best to get ahead of them as much as possible by developing a risk management plan. The steps to make a risk management plan are outlined below.

1. Risk Identification

Risk identification occurs at the beginning of the project planning phase, as well as throughout the project life cycle. While many risks are considered “known risks,” others might require additional research to discover.

You can create a risk breakdown structure to identify all your project risks and classify them into risk categories. You can do this by interviewing all project stakeholders and industry experts. Many project risks can be divided up into risk categories, like technical or organizational, and listed out by specific sub-categories like technology, interfaces, performance, logistics, budget, etc. Additionally, create a risk register that you can share with everyone you interviewed for a centralized location of all known risks revealed during the identification phase.

You can conveniently create a risk register for your project using online project management software. For example, use the list view on ProjectManager to capture all project risks, add what level of priority they are and assign a team member to own, identify and resolve them. Better than to-do list apps, you can attach files, tags and monitor progress. Track the percentage complete and even view your risks from the project menu. Keep risks from derailing your project by signing up for a free trial of ProjectManager.

2. Risk Assessment

In this next phase, you’ll review the qualitative and quantitative impact of the risk—like the likelihood of the risk occurring versus the impact it would have on your project—and map that out into a risk assessment matrix.

First, you’ll do this by assigning the risk likelihood a score from low probability to high probability. Then, you’ll map out your risk impact from low to medium to high and assign each a score. This will give you an idea of how likely the risk is to impact the success of the project, as well as how urgent the response will need to be.

To make it efficient for all risk management team members and project stakeholders to understand the risk assessment matrix, assign an overall risk score by multiplying your impact level score with your risk probability score.

3. Create a Risk Response Plan

A risk response is the action plan that is taken to mitigate project risks when they occur. The risk response plan includes the risk mitigation strategies that you’ll execute to mitigate the impact of risks in your project. Doing this usually comes with a price—at the expense of your time, or your budget. So you’ll want to allocate resources, time and money for your risk management needs prior to creating your risk management plan.

4. Assign Risk Owners

Additionally, you’ll also want to assign a risk owner to each project risk. Those risk owners become accountable for monitoring the risks that are assigned to them and supervising the execution of the risk response if needed.

When you create your risk register and risk assessment matrix, list out the risk owners, that way no one is confused as to who will need to implement the risk response strategies once the project risks occur, and each risk owner can take immediate action.

Be sure to record what the exact risk response is for each project risk with a risk register and have your risk response plan approved by all stakeholders before implementation. That way you can have a record of the issue and the resolution to review once the entire project is finalized.

5. Understand Your Triggers

This can happen with or without a risk already having impacted your project—especially during project milestones as a means of reviewing project progress. If they have, consider reclassifying those existing risks.

Even if those triggers haven’t been met, it’s best to come up with a backup plan as the project progresses—maybe the conditions for a certain risk won’t exist after a certain point has been reached in the project.

6. Make a Backup Plan

Consider your risk register and risk assessment matrix a living document. Your project risks can change in classification at any point during your project, and because of that, it’s important you come up with a contingency plan as part of your process.

Contingency planning includes discovering new risks during project milestones and reevaluating existing risks to see if any conditions for those risks have been met. Any reclassification of a risk means adjusting your contingency plan just a little bit.

7. Measure Your Risk Threshold

Measuring your risk threshold is all about discovering which risk is too high and consulting with your project stakeholders to consider whether or not it’s worth it to continue the project—worth it whether in time, money or scope.

Here’s how the risk threshold is typically determined: consider your risks that have a score of “very high”, or more than a few “high” scores, and consult with your leadership team and project stakeholders to determine if the project itself may be at risk of failure. Project risks that require additional consultation are risks that have passed the risk threshold.

To keep a close eye on risks as they raise issues in your project, use project management software. ProjectManager has real-time dashboards that are embedded in our tool, unlike other software where you have to build them yourself. We automatically calculate the health of your project, checking if you’re on time or running behind. Get a high-level view of how much you’re spending, progress and more. The quicker you identify risk, the faster you can resolve it.

Free Risk Management Plan Template

This free risk management plan template will help you prepare your team for any risks inherent in your project. This Word document includes sections for your risk management methodology, risk register, risk breakdown structure and more. It’s so thorough, you’re sure to be ready for whatever comes your way. Download your template today.

Best Practices for Maintaining Your Risk Management Plan

Risk management plans only fail in a few ways: incrementally because of insufficient budget, via modeling errors or by ignoring your risks outright.

Your risk management plan is one that is constantly evolving throughout the course of the project life cycle, from beginning to end. So the best practices are to focus on the monitoring phase of the risk management plan. Continue to evaluate and reevaluate your risks and their scores, and address risks at every project milestone.

Project dashboards and other risk tracking features can be a lifesaver when it comes to maintaining your risk management plan.

In addition to your routine risk monitoring, at each milestone, conduct another round of interviews with the same checklist you used at the beginning of the project, and re-interview project stakeholders, risk management team members, customers (if applicable) and industry experts.

Record their answers, adjust your risk register and risk assessment matrix if necessary, and report all relevant updates of your risk management plan to key project stakeholders. This process and level of transparency will help you to identify any new risks to be assessed and will let you know if any previous risks have expired.

How ProjectManager Can Help With Your Risk Management Plan

A risk management plan is only as good as the risk management features you have to implement and track them. ProjectManager is online project management software that lets you view risks directly in the project menu. You can tag risks as open or closed and even make a risk matrix directly in the software. You get visibility into risks and can track them in real time, sharing and viewing the risk history.

Track & Monitor Risks in Real Time

Managing risk is only the start. You must also monitor risk and track it from the point that you first identified it. Real-time dashboards give you a high-level view of slippage, workload, cost and more. Customizable reports can be shared with stakeholders and filtered to show only what they need to see. Risk tracking has never been easier.

Risks are bound to happen no matter the project. But if you have the right tools to better navigate the risk management planning process, you can better mitigate errors. ProjectManager is online project management software that updates in real time, giving you all the latest information on your risks, issues and changes. Start a free 30-day trial and start managing your risks better.

Business Analyst Learnings


What Is a Risk Management Plan?

A good risk management plan aims to steadily steer an organization through the many uncertainties and blind spots in an organization's lifetime. This may involve planning for unexpected outcomes if something goes wrong; for instance, planning for steps to take if your supplier goes bankrupt. 

Risk management entails identifying, evaluating, and formulating risk management strategies. These risks may include the following:

  • Longevity risk
  • Inflation risk
  • The sequence of return risk
  • Interest rate risk, etc.

A risk management plan should document your strategies for dealing with business-related risks, natural disasters, unexpected financial loss, loss of suppliers and customers, and a decrease in market share, among many other factors.

The Importance Of Risk Management Plans

Business organizations are always taking risks. To reduce the impact of these risks, companies should have a risk management plan in place. 

A risk management plan can benefit a company in the following ways:

1. Safeguarding Company Resources

If a company develops an effective risk management plan, it will most likely be prepared for the inevitable financial problems. Furthermore, a risk management plan safeguards the business' resources and enables the company to prioritize risk mitigation while accounting for every possible outcome. Thus, an organization can focus on other essential aspects of the business.

2. Promoting A Company's Brand 

A risk management plan promotes a company's brand and builds trust among employees, customers, and other businesses. It also helps equip businesses with the necessary skills for identifying, evaluating, and planning for potential risks. In the long run, the organization becomes resourceful and responsible to the public.

3. To Enhance Consistency & Efficiency of Operations In A Company

During risk management planning, a company may discover that it relies on a single source to supply a major product; if the source dries up, the business may find it hard to operate. Relying on one source to supply the commodity can weaken a company's stability. However, if the business observes risk management principles, it should find alternative sources for the product in question to ensure efficient and consistent operations.

4. It Creates Happy & More Satisfied Customers

Risk management planning can boost all aspects of operations in an organization. These include the improvement of goods and services and the business' finances. It allows the business to run effectively, leading to consumer satisfaction.

5. It Enables Your Business To Have A Healthy Bottom Line

Having a risk management plan enables businesses to discover inefficiencies and cost-saving opportunities. Furthermore, the company will know how to deal with risks. These issues may bolster a company's bottom line if identified and resolved early enough.

The Five-Step Process For Creating A Risk Management Plan

The risk management process involves the different strategies a business should take before or in a crisis. It takes five steps to manage risk in an organization:

1. Risk Identification

The first step in the risk management process is identifying your business risks. These risks may be environmental, legal, and regulatory, among others. You can easily identify these risks in your business by seeking expert advice, reviewing previous projects, or through research. 

2. Risk Assessment

After identifying the present risks, you'll need to evaluate their likelihood of occurring and their impact on your organization. Most companies use a heat map that shows high or low-impact risks when assessing risks. The scale helps to identify the areas that need to be prioritized.

3. Risk Control and Mitigation

Companies have the option of either avoiding, controlling, or transferring risks. If a company accepts a risk, it is determined that the risk is inherent and beneficial. A business can't avoid risks in an organization. However, the business should be able to acknowledge and accommodate the risks by providing strategies and guidelines. 

4. Risk Elimination

A business should eliminate every risk possible. During the risk control phase, businesses document the possible outcomes of each risk and create a plan to eliminate the risks. Once approved, the plan sets in motion employing new policies and training of new personnel.

5. Risk Monitoring

The risks that organizations face change with time. Therefore, risk management should not be a one-off process. You should examine whether the initiatives and changes are effective. If not, you should start the process again. 

Manage Risks in Your Company 

Most companies that formalize the risk management process become more resilient and adaptable to changes. They can make informed decisions based on the organization's operating environment. 

Risk management is essential to any business since it informs organizations of looming risks, allowing them to mitigate potential threats. If a business entity lacks a risk management strategy, it may not know how to deal with uncertainties and may face massive losses. A company will beat the test of time with a solid risk management plan. Risk Management is only one aspect of running a successful business. Compliance and cyber security are other crucial aspects of your business's success.  

What is business risk?

You know about death and taxes. What about risk? Yes, risk is just as much a part of life as the other two inevitabilities. This became all the more apparent during COVID-19, as each of us had to assess and reassess our personal risk calculations as each new wave of the pandemic—and pandemic-related disruptions—washed over us. It’s the same in business: executives and organizations have different comfort levels with risk and ways to prepare against it.

Where does business risk come from? To start with, external factors can wreak havoc on an organization’s best-laid plans. These can include things like inflation, supply chain disruptions, geopolitical upheavals, unpredictable force majeure events like a global pandemic or climate disaster, competitors, reputational issues, or even cyberattacks.

But sometimes, the call is coming from inside the house. Companies can be imperiled by their own executives’ decisions or by leaks of privileged information, but most damaging of all, perhaps, is the risk of missed opportunities. We’ve seen it often: when companies choose not to adopt disruptive innovation, they risk losing out to more nimble competitors.

The modern era is rife with increasingly frequent sociopolitical, economic, and climate-related shocks. In 2019 alone, for example, 40 weather disasters caused damages exceeding $1 billion each. To stay competitive, organizations should develop dynamic approaches to risk and resilience. That means predicting new threats, perceiving changes in existing threats, and developing comprehensive response plans. There’s no magic formula that can guarantee safe passage through a crisis. But in situations of threat, sometimes only a robust risk-management plan can protect an organization from interruptions to critical business processes. For more on how to assess and prepare for the inevitability of risk, read on.

What is risk control?

Risk controls are measures taken to identify, manage, and eliminate threats. Companies can create these controls through a range of risk management strategies and exercises. Once a risk is identified and analyzed, risk controls can be designed to reduce the potential consequences. Eliminating a risk—always the preferable solution—is one method of risk control. Loss prevention and reduction are other risk controls that accept the risk but seek to minimize the potential loss (insurance is one method of loss prevention). A final method of risk control is duplication (also called redundancy). Backup servers or generators are a common example of duplication, ensuring that if a power outage occurs no data or productivity is lost.

But in order to develop appropriate risk controls, an organization should first understand the potential threats.

What are the three components to a robust risk management strategy?

A dynamic risk management plan can be broken down into three components: detecting potential new risks and weaknesses in existing risk controls, determining the organization’s appetite for risk taking, and deciding on the appropriate risk management approach. Here’s more information about each step and how to undertake them.

1. Detecting risks and controlling weaknesses

A static approach to risk is not an option, since an organization can be caught unprepared when an unlikely event, like a pandemic, strikes. So it pays to always be proactive. To keep pace with changing environments, companies should answer the following three questions for each of the risks that are relevant to their business.

  • How will a risk play out over time? Risks can be slow moving or fast moving. They can be cyclical or permanent. Companies should analyze how known risks are likely to play out and reevaluate them on a regular basis.
  • Are we prepared to respond to systemic risks? Increasingly, risks have longer-term reputational or regulatory consequences, with broad implications for an industry, the economy, or society at large. A risk management strategy should incorporate all risks, including systemic ones.
  • What new risks lurk in the future? Organizations should develop new methods of identifying future risks. Traditional approaches that rely on reviews and assessments of historical realities are no longer sufficient.

2. Assessing risk appetite

How can companies develop a systematic way of deciding which risks to accept and which to avoid? Companies should set appetites for risk that align with their own values, strategies, capabilities, and competitive environments—as well as those of society as a whole. To that end, here are three questions companies should consider.

  • How much risk should we take on? Companies should reevaluate their risk profiles frequently according to shifting customer behaviors, digital capabilities, competitive landscapes, and global trends.
  • Are there any risks we should avoid entirely? Some risks are clear: companies should not tolerate criminal activity or sexual harassment. Others are murkier. How companies respond to risks like economic turmoil and climate change depends on their particular business, industry, and levels of risk tolerance.
  • Does our risk appetite adequately reflect the effectiveness of our controls? Companies are typically more comfortable taking risks for which they have strong controls in place. But the increased threat of severe risks challenges traditional assumptions about risk control effectiveness. For instance, many businesses have relied on automation to increase speed and reduce manual error. But increased data breaches and privacy concerns can increase the risk of large-scale failures. Organizations, therefore, should evolve their risk profiles accordingly.

3. Deciding on a risk management approach

Finally, organizations should decide how they will respond when a new risk is identified. This decision-making process should be flexible and fast, actively engaging leaders from across the organization and honestly assessing what has and hasn’t worked in past scenarios. Here are three questions organizations should be able to answer.

  • How should we mitigate the risks we are taking? Ultimately, people need to make these decisions and assess how their controls are working. But automated control systems should buttress human efforts. Controls guided, for example, by advanced analytics can help guard against quantifiable risks and minimize false positives.
  • How would we respond if a risk event or control breakdown happens? If (or more likely, when) a threat occurs, companies should be able to switch to crisis management mode quickly, guided by an established playbook. Companies with well-rehearsed crisis management capabilities weather shocks better, as we saw with the COVID-19 pandemic.
  • How can we build true resilience? Resilient companies not only better withstand threats—they emerge stronger. The most resilient firms can turn fallout from crises into a competitive advantage. True resilience stems from a diversity of skills and experience, innovation, creative problem solving, and the basic psychological safety that enables peak performance.

Change is constant. Just because a risk control plan made sense last year doesn’t mean it will next year. In addition to the above points, a good risk management strategy involves not only developing plans based on potential risk scenarios but also evaluating those plans on a regular basis.

What are five actions organizations can take to build dynamic risk management?

In the past, some organizations have viewed risk management as a dull, dreary topic, uninteresting for the executive looking to create competitive advantage. But when the risk is particularly severe or sudden, a good risk strategy is about more than competitiveness—it can mean survival. Here are five actions leaders can take to establish risk management capabilities.

  • Reset the aspiration for risk management. This requires clear objectives and clarity on risk levels and appetite. Risk managers should establish dialogues with business leaders to understand how people across the business think about risk, and share possible strategies to nurture informed risk-versus-return decision making—as well as the capabilities available for implementation.
  • Establish agile risk management practices. As the risk environment becomes more unpredictable, the need for agile risk management grows. In practice, that means putting in place cross-functional teams empowered to make quick decisions about innovating and managing risk.
  • Harness the power of data and analytics. The tools of the digital revolution can help companies improve risk management. Data streams from traditional and nontraditional sources can broaden and deepen companies’ understandings of risk, and algorithms can boost error detection and drive more accurate predictions.
  • Develop risk talent for the future. Risk managers who are equipped to meet the challenges of the future will need new capabilities and expanded domain knowledge in model risk management, data, analytics, and technology. This will help support a true understanding of the changing risk landscape, which risk leaders can use to effectively counsel their organizations.
  • Fortify risk culture. Risk culture includes the mindsets and behavioral norms that determine an organization’s relationship with risk. A good risk culture allows an organization to respond quickly when threats emerge.

How do scenarios help business leaders understand uncertainty?

Done properly, scenario planning prompts business leaders to convert abstract hypotheses about uncertainties into narratives about realistic visions of the future. Good scenario planning can help decision makers experience new realities in ways that are intellectual and sensory, as well as rational and emotional. Scenarios have four main features that can help organizations navigate uncertain times.

  • Scenarios expand your thinking. By developing a range of possible outcomes, each backed with a sequence of events that could lead to them, it’s possible to broaden our thinking. This helps us become ready for the range of possibilities the future might hold—and accept the possibility that change might come more quickly than we expect.
  • Scenarios uncover inevitable or likely futures. A broad scenario-building effort can also point to powerful drivers of change, which can help to predict potential outcomes. In other words, by illuminating critical events from the past, scenario building can point to outcomes that are very likely to happen in the future.
  • Scenarios protect against groupthink. In some large corporations, employees can feel unsafe offering contrarian points of view for fear that they’ll be penalized by management. Scenarios can help companies break out of this trap by providing a “safe haven” for opinions that differ from those of senior leadership and that may run counter to established strategy.
  • Scenarios allow people to challenge conventional wisdom. In large corporations in particular, there’s frequently a strong bias toward the status quo. Scenarios are a nonthreatening way to lay out alternative futures in which assumptions underpinning today’s strategy can be challenged.

What’s the latest thinking on risk for financial institutions?

In late 2021, McKinsey conducted survey-based research with more than 30 chief risk officers (CROs), asking about the current banking environment, risk management practices, and priorities for the future.

According to CROs, banks in the current environment are especially exposed to accelerating market dynamics, climate change, and cybercrime. Sixty-seven percent of CROs surveyed cited the pandemic as having significant impact on employees and in the area of nonfinancial risk. Most believed that these effects would diminish in three years’ time.

Climate change, on the other hand, is expected to become a larger issue over time. Nearly all respondents cited climate regulation as one of the five most important forces in the financial industry in the coming three years. And 75 percent were concerned about climate-related transition risk: financial and other risks arising from the transformation away from carbon-based energy systems.

And finally, cybercrime was assessed as one of the top risks by most executives, both now and in the future.


What is cyber risk?

Cyber risk is a form of business risk. More specifically, it’s the potential for business losses of all kinds in the digital domain—financial, reputational, operational, productivity related, and regulatory related. While cyber risk originates from threats in the digital realm, it can also cause losses in the physical world, such as damage to operational equipment.

Cyber risk is not the same as a cyberthreat. Cyberthreats are the particular dangers that create the potential for cyber risk. These include privilege escalation (the exploitation of a flaw in a system for the purpose of gaining unauthorized access to resources), vulnerability exploitation (an attack that uses detected vulnerabilities to exploit the host system), or phishing. The risk impact of cyberthreats includes loss of confidentiality, integrity, and availability of digital assets, as well as fraud, financial crime, data loss, or loss of system availability.

In the past, organizations have relied on maturity-based cybersecurity approaches to manage cyber risk. These approaches focus on achieving a particular level of cybersecurity maturity by building capabilities, like establishing a security operations center or implementing multifactor authentication across the organization. A maturity-based approach can still be helpful in some situations, such as for brand-new organizations. But for most institutions, a maturity-based approach can turn into an unmanageably large project, demanding that all aspects of an organization be monitored and analyzed. The reality is that, since some applications are more vulnerable than others, organizations would do better to measure and manage only their most critical vulnerabilities.

What is a risk-based cybersecurity approach?

A risk-based approach is a distinct evolution from a maturity-based approach. For one thing, a risk-based approach identifies risk reduction as the primary goal. This means an organization prioritizes investment based on a cybersecurity program’s effectiveness in reducing risk. Also, a risk-based approach breaks down risk-reduction targets into precise implementation programs with clear alignment all the way up and down an organization. Rather than building controls everywhere, a company can focus on building controls for the worst vulnerabilities.

Here are eight actions that comprise a best practice for developing a risk-based cybersecurity approach:

  • fully embed cybersecurity in the enterprise-risk-management framework
  • define the sources of enterprise value across teams, processes, and technologies
  • understand the organization’s enterprise-wide vulnerabilities—among people, processes, and technology—internally and for third parties
  • understand the relevant “threat actors,” their capabilities, and their intent
  • link the controls in “run” activities and “change” programs to the vulnerabilities that they address and determine what new efforts are needed
  • map the enterprise risks from the enterprise-risk-management framework, accounting for the threat actors and their capabilities, the enterprise vulnerabilities they seek to exploit, and the security controls of the organization’s cybersecurity run activities and change program
  • plot risks against the enterprise-risk appetite; report on how cyber efforts have reduced enterprise risk
  • monitor risks and cyber efforts against risk appetite, key cyber risk indicators, and key performance indicators

How can leaders make the right investments in risk management?

Ignoring high-consequence, low-likelihood risks can be catastrophic to an organization—but preparing for everything is too costly. In the case of the COVID-19 crisis, the danger of a global pandemic on this scale was foreseeable, if unexpected. Nevertheless, the vast majority of companies were unprepared: among billion-dollar companies in the United States, more than 50 filed for bankruptcy in 2020.

McKinsey has described the decisions to act on these high-consequence, low-likelihood risks as “big bets.” The number of these risks is far too large for decision makers to make big bets on all of them. To narrow the list down, the first thing a company can do is to determine which risks could hurt the business versus the risks that could destroy the company. Decision makers should prioritize the potential threats that would cause an existential crisis for their organization.

To identify these risks, McKinsey recommends using a two-by-two risk grid, situating the potential impact of an event on the whole company against the level of certainty about the impact. This way, risks can be measured against each other, rather than on an absolute scale.

Organizations sometimes survive existential crises. But it can’t be ignored that crises—and missed opportunities—can cause organizations to fail. By measuring the impact of high-impact, low-likelihood risks on core business, leaders can identify and mitigate risks that could imperil the company. What’s more, investing in protecting their value propositions can improve an organization’s overall resilience.



What Is A Risk Management Plan?

Last Updated: September 19, 2023

Risk management is all about planning: planning for what might go wrong if x happens; planning y as a reaction for when something does, in fact, go wrong. Depending on what you’re working on at your business, you are up against a unique variety of potential risks.

In order for your business to succeed, it’s important to continuously evolve – and there are always ways to improve and expand your business. We’ve come to know these temporary initiatives with distinct deliverables as “projects.”

Some common examples of projects an organization may take on include:

  • Building or closing a facility
  • Re-branding
  • Developing or discontinuing a product or service
  • Migrating to a new software
  • Expanding or reducing service to a particular industry
  • Training a new group of employees

Taking a risk-based approach to new projects means thinking about the implications of any new project on all other areas of your organization. The best place to start is by creating a risk management plan to steer your team and organization in the right direction throughout the course of the project.

This guide will explain what a risk management plan is, describe the purpose of a risk management plan, share what should be included in a risk management plan, and provide examples of everything along the way.


What is a risk management plan?

A risk management plan is a term used to describe a key project management process. A risk management plan enables project managers to see ahead to potential risks and reduce their negative impact. A new project brings new opportunities but also potential risks, so a risk management plan is a must for risk project managers.

In order to effectively manage the project and lead their project team to a successful outcome, they may develop and defer to a project risk management plan throughout the duration of the project.


What is the purpose of a risk management plan?

The purpose of a risk management plan is to help you identify, evaluate and plan for possible risks that may arise within the project management process. Think of it as a blueprint walking you through every stage of construction, including potential areas where demolition may be needed, external contractors may be hired, or budget may be stretched.

What is included in a risk management plan?

Risk Identification

Identifying the risks that may be associated with taking on a new project or continuing an existing one should be the first step to developing your risk management plan. Failing to identify risks ahead of time leaves their impact unreduced and can lead to a number of negative financial outcomes, especially for high risks:

  • Inadequate employee training can lead to incompetence, which can lead to disgruntled customers and ultimately loss of business.
  • Building a new facility in a flood-prone area without purchasing flood insurance can lead to substantial sunk costs.
  • Investing R&D into a new product that fails to excite the market takes a toll on your business valuation, which can turn investors away.

The list goes on. Ultimately, formalizing the process of identifying new risks lets you take a step back and notice systemic risks that may not have otherwise been uncovered had the proper time not been invested in this key part of risk analysis.

Project risk assessment

Next, for a project manager, it’s important to think about the implications of any new or existing project on all other areas of your organization. Conducting a project management risk assessment on that project will help reveal those implications ahead of time so you can effectively prevent undue risk. It’s important to be sure to assess risk in a uniform fashion. One of the best ways for a risk owner to do this is by prioritizing data and risk metric collection.

Risk assessment matrix

A risk assessment matrix is the best way for a risk project manager to collect and aggregate data used during your risk assessment. It’s created to help you identify the overlapping activities that crowd your risk management plan. The risk assessment matrix is essential in determining and defining the level and the implications of any particular risk.

Start by addressing a particular business area. Then, include a description of a risk that may be associated with that business area. Continue on by completing a risk analysis: identify the source of the risk, what could go wrong, and the impact of the risk. Then, you’ll need to decide the likelihood and assurance of the risk occurring.

Many organizations use a high-medium-low scale when assessing risk, but this actually isn’t best practice. High-medium-low scales make it difficult and time-consuming to quantify, aggregate, and objectively rank information. With only three options to choose from, assessors will likely feel conflicted about which one to choose. In reality, best practice favors a 1-10 scale, with 10 having the most unfavorable consequences to the organization.

This helps to prioritize risks. You can find out more about the risk prioritization process here.

Let’s take a look at the line items to assess a risk associated with re-opening an office amidst the pandemic:

  • Risk: Inadequate policies to prevent the spread of the virus to employees and/or visitors.
  • Risk analysis: what can go wrong?
      • Employees become uncomfortable wearing their mask for too long and decide to remove it while conversing with colleagues. Virus is then spread throughout the workforce.
      • Customer refuses to wear a mask out of principle and must be asked to leave the premises, causing a scene.
      • Employees and/or customers do not stay 6 feet apart from one another.


Risk Appetite Response Plan

After you’ve identified and assessed your risks, the next step of any risk analysis project focuses on determining how you will respond to those risks. Risk response involves developing strategic options that can increase positive outcomes and reduce risk.

Your risk response plan should determine which actions you take in order to experience the most positive outcome and also consider your own risk appetite and tolerance levels. Critical elements that will help define your risk response are risk mitigation and risk monitoring.

Risk Mitigation

The efforts you take (or plan on taking) to control the risk being assessed should be included within your risk assessment matrix. This part of the project management risk process is referred to as mitigation. Risk mitigation is defined as the process of reducing a risk event and minimizing the likelihood of a potential risk.

Considering the above scenario, here are a few mitigations that might be developed and included within your matrix and overall plan:

  • Enforcing strict consequences for employees who are caught not wearing their mask. Dedicating particular areas outside where employees can go to take a break from wearing their mask at lunch.
  • Hanging signs on the front door that refuse people entry without a mask. Stationing employees at the front door who do not let anyone in without a mask.
  • Placing dots six feet apart from one another to instruct people on where to stand in line and prevent crowding.

As you can see, these help to create a contingency plan against negative impact.

What is a Risk Register?

A Risk Register is a document that contains all of the information we’ve mentioned thus far: the risks you’ve identified and assessed, as well as the results and risk response plan. Many people choose to create a Risk Register to steer them throughout every project, particularly throughout the monitoring phase.

Risk Monitoring

Monitoring risk over the course of the project should be an ongoing and proactive part of risk analysis. It involves consistent testing by the risk owner throughout the project, metric collection, and incident remediation to certify that your efforts are on track to be completed and aligned with your strategic goals, and that your mitigating controls remain effective. Continually monitoring your risks also allows you to identify and address emerging trends to determine whether or not you’re making progress on more long-term initiatives.

Risk monitoring helps you create key connections between risks, business units, mitigation activities, and more. This way, you’re able to paint a more cohesive picture of your organization as a whole. By completing your monitoring activities within LogicManager, a comprehensive ERM platform, you inherently break down organizational silos and ultimately eliminate the chances of missing critical pieces of information.


Reporting On Your Risk Management Plan

If you’re a project manager, it’s likely that you have a more holistic, bird’s eye view of the project’s progress than the rest of your project team. While they’re focused on completing day-to-day tasks to complete a larger initiative, you’re looking at the bigger picture.

One of the best ways to communicate that bigger picture to your project team is through reports. Presenting information about your project – as well as everyone’s alignment with your risk management plan – demonstrates effectiveness and strong leadership, and can rally the support of various stakeholders.

Examples of reports for your risk management plan

It’s important that these risk reports are engaging and easily digestible so that your project team has a clear understanding of where their efforts and the work of their team members stands. LogicManager’s risk reports are built on powerful taxonomy technology that centralizes information and breaks down silos. Our software comes with a wide range of reports that enable you to do anything from checking the status of outstanding tasks and reviewing incidents, to proving compliance and ensuring policies are up to date.

Achieve your risk management plan with LogicManager

As a Project Manager, risk is just one of your many duties; but it’s an integral one. Identifying the risks that may threaten the successful completion of your capital, strategic and tactical goals is the only way to ensure everything stays on trajectory.

But you’re also responsible for prioritizing and tracking the status of the project (and possibly many others) all the while respecting your project team’s time, the quality of the results, and your budget. Reporting is a must as you communicate the risks, opportunities, and needs of projects to stakeholders like your project team, senior management, and the board.

Without project risk management software, staying on time, on budget, and on scope is difficult.

  • Spreadsheets and emails make information hard to collect, update and share.
  • Engaging the proper business units and subject matter experts requires an unnecessary amount of effort without an automated system.
  • Knowing where to start a project risk assessment is a headache without a framework of project risk management tools.
  • Reporting is inefficient when you have to hunt down information across disparate systems.

It’s a hard job, but LogicManager makes it easy by erasing all your pain points at once.

  • Prioritize your organization’s most critical projects and identify potential risks with intuitive and objective project risk assessments.
  • Create and link mitigation activities to the risks, resources, and processes they impact with taxonomy technology.
  • Confidently embark on new projects with one standardized framework.
  • Enhance collaboration and communication across the enterprise with automated workflows, notifications, and reminders.
  • Maintain your responsibilities and track the status of your projects with easily accessible to-do lists.
  • Align with industry best practices like ISO by leveraging ready-made libraries of standards and regulations.
  • Track project incidents and outline steps towards maturity with integrated incident management capabilities.
  • Effectively communicate status, timeline, and risks to the board with ready-made, highly configurable reports, and dashboards.

Ready to make project risk management easy with LogicManager? Request a demo today and see how our software can help you prioritize your projects, streamline communication, and ensure successful completion.


The Defense Acquisition Encyclopedia


Risk & Safety Management

A Risk Management Plan (RMP) is a written process record, including how risks are found, evaluated, and dealt with. It also includes monitoring risk control, a cost-benefit analysis, and a look at the financial effects. A project manager prepares an RMP to address risks and their potential impact on a program; it consists of ways to reduce them. The RMP tells the government and contractor team how they plan on reducing risks to a certain level by a certain time.

Definition: A Risk Management Plan (RMP) is a detailed document that explains an organization’s risk management process.

Understanding Risk Management

Risk management is a continuous process that is accomplished throughout the life cycle of a system and should begin at the earliest stages of program planning. It is an organized methodology for continuously identifying and measuring the unknowns; developing mitigation options; selecting, planning, and implementing appropriate risk mitigations; and tracking the implementation to ensure successful risk reduction. Effective risk management depends on risk management planning; early identification and analysis of risks; early implementation of corrective actions; continuous monitoring and reassessment; and communication, documentation, and coordination. It’s most effective if it is fully integrated with the program’s Systems Engineering, Program Management, and Test & Evaluation processes.

Purpose of a Risk Management Plan (RMP)

An RMP aims to establish a well-managed, repeatable risk management process that minimizes risk while balancing cost, schedule, and performance goals.

Risk Management Plan (RMP) Objectives

A well-written RMP aims to provide a repeatable process that reduces risk on a project or program and meets organizational Risk Management Objectives. The following are a few objectives of a risk management plan that an organization can aim for.

  • Reduce Schedule Impacts
  • Reduce development cost
  • Increase system performance
  • Ensure proper communication
  • Determine risk priorities

Risk Management Plan (RMP) Main Topics

The risk management plan should address the following continuous key activities as shown above:

  • Risk Identification: Risk Identification is the activity that examines each element of the program to identify associated root causes that can cause failure, begin their documentation, and set the stage for their management.
  • Risk Analysis: Risk analysis is the activity of examining each identified risk to refine the description of the risk, isolate the cause, determine the effects, and aid in setting risk mitigation priorities.
  • Risk Mitigation Planning: Risk Mitigation (it used to be called Risk Handling) is the process that identifies, evaluates, selects, and implements options in order to set risk at acceptable levels given program constraints and objectives.
  • Risk Mitigation Plan Implementation: A Risk Mitigation Plan Implementation is meant to ensure successful Risk Mitigation occurs and is based upon a program Risk Mitigation Plan (RMP).
  • Risk Tracking: Risk Tracking (sometimes referred to as Risk Monitoring) is the activity of systematically tracking and evaluating the performance of risk mitigation actions against established metrics throughout the acquisition process, and of developing further risk mitigation options or executing risk mitigation plans, as appropriate.

Risk Management Plan (RMP) Development Steps

An RMP should be structured to identify, assess, and mitigate risks that have an impact on overall program life-cycle cost, schedule, and/or performance. It should also define the overall program approach to capture and manage root causes. It should be created before and after you create the Integrated Master Schedule (IMS), as it will be looking at the tasks in the Project Schedule and other factors for potential risk items.

Risk Management Plan (RMP) Templates

Starting with a good template is always recommended when developing an RMP. Utilizing a template will ensure you address all an RMP’s key areas. Below are a few of the RMP templates that I have used in the past.

  • Template: Risk Management Plan
  • Template: Project Risk Management

10 Steps in Developing a Risk Management Plan (RMP)

  • Step 1: Establish the basic approach and working structure
  • Step 2: Develop and document an overall risk management process (See Above)
  • Step 3: Establish the purpose and objective
  • Step 4: Assign responsibilities for specific areas
  • Step 5: Describe the assessment/analysis process
  • Step 6: Document sources of information
  • Step 7: List potential risks and their impacts
  • Step 8: Develop mitigation strategies
  • Step 9: Establish reporting/tracking procedures
  • Step 10: Write Plan

Risk Management Plan (RMP) Format

The risk management plan should follow a standardized format from the organization. An example RMP format: [1]

  • Introduction
  • Program Summary
  • Risk Management Strategy and Process
  • Responsible/Executing Organization
  • Risk Management Process and Procedures
  • Risk Identification
  • Risk Assessment Matrix
  • Risk Analysis
  • Risk Mitigation Planning
  • Risk Mitigation Implementation
  • Risk Tracking


Risk Management Process in the Risk Management Plan (RMP)

The risk management process consists of eight (8) steps and should be detailed in the Risk Management Plan.

  • Step 1: Document the Risk Approach: The Program Manager (PM) and contractor shall document the approach for managing risk as an integral part of the Systems Engineering Process.
  • Step 2: Identify and Document Risks: Risks are identified through a systematic analysis process that includes system hardware and software, system interfaces (to include human interfaces), and the intended use of the application and operational environment.
  • Step 3: Assess and Document Risk: The severity category and probability level of the potential mishap(s) for each risk across all system modes are assessed.
  • Step 4: Identify and Document Risk Mitigation Measures: Potential risk mitigation(s) shall be identified, and the expected risk reduction(s) of the alternative(s) shall be estimated and documented in the Hazard Tracking System (HTS). The goal should always be to eliminate the hazard if possible. When a hazard cannot be eliminated, the associated risk should be reduced to the lowest acceptable level within the constraints of cost, schedule, and performance by applying the system safety design order of precedence. The system safety design order of precedence identifies alternative mitigation approaches and lists them in order of decreasing effectiveness.
  • Step 5: Reduce Risk: Mitigation measures are selected and implemented to achieve an acceptable risk level. Consider and evaluate the cost, feasibility, and effectiveness of candidate mitigation methods as part of the Systems Engineering Process and Integrated Product Team (IPT) processes. Present the current hazards, their associated severity and probability assessments, and status of risk reduction efforts at technical reviews.
  • Step 6: Verify, Validate, and Document Risk Reduction: Verify the implementation and validate the effectiveness of all selected risk mitigation measures through appropriate analysis, testing, demonstration, or inspection. Document the verification and validation in the HTS.
  • Step 7: Accept Risk and Document: Before exposing people, equipment, or the environment to known system-related hazards, the risks shall be accepted by the appropriate authority as defined in DoDI 5000.02. The system configuration and associated documentation that supports the formal risk acceptance decision shall be provided to the Government for retention through the life of the system.
  • Step 8: Manage Life-Cycle Risk: After the system is fielded, the system program office uses the system safety process to identify hazards and maintain the HTS throughout the system’s life-cycle. This life-cycle effort considers any changes to include, but not limited to, the interfaces, users, hardware and software, mishap data, mission(s) or profile(s), and system health data. Procedures shall be in place to ensure risk management personnel are aware of these changes, e.g., by being part of the configuration control process.

Risk Mitigation Strategies in the Risk Management Plan (RMP)

Understanding Risk Mitigation in Step 4 of the Risk Management Process is critical in developing an RMP. For each risk that is identified, the type of mitigation strategy must be determined and the details of the mitigation described in the RMP. The intent of the risk mitigation plan is to ensure successful risk mitigation occurs. To address various risks, a business can have a variety of risk management strategies in their RMP. The most appropriate strategy is selected from these mitigation options:

  • Risk Avoidance: This is when it’s decided to perform other activities that don’t carry the identified risk by eliminating the root cause and/or consequence. It seeks to reconfigure the project such that the risk in question disappears or is reduced to an acceptable value.
  • Risk Controlling: This is when you control the risk by managing the cause and/or consequence. Risk control can take the form of installing data-gathering or early warning systems that provide information to assess more accurately the impact, likelihood, or timing of a risk. If a warning of risk can be obtained early enough to take action against it, then information gathering may be preferable to more tangible and possibly more expensive actions.
  • Risk Transfer/Sharing: This is when you share the risk with a third party like an insurance company or subcontractor.
  • Risk Assumption: This is accepting the loss, or benefit of gain, from a risk when it occurs. Risk assumption is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained.

Utilize the Risk Reporting Matrix

Best Practices for Writing a Good Risk Management Plan (RMP)

The key to writing a good plan is to provide the necessary information so the program team knows the goals, objectives, and the program office’s risk management process. Although the plan may be specific in some areas, such as the assignment of responsibilities for government and contractor participants and definitions, it may be general in other areas to allow users to choose the most efficient way to proceed. A few of the best practices in writing an RMP are: [1]

  • Build a strong culture that is aware of risks
  • Make sure there are strong lines of risk communications
  • Set clear policies for taking care of risks
  • Establish transparent risk monitoring processes
  • Keep the plan simple to understand and read; avoid complexities

Risk Management Plan (RMP) Updates

The Program Management Office (PMO) should periodically review and update the RMP at major acquisition events. At the end of each Acquisition Phase, risk planning should be used in preparation for the next phase. [1]

Risk Management Plan (RMP) in Other Acquisition Documents

The plan is integral to overall program planning and should be addressed in the program Acquisition Strategy and/or the Systems Engineering Plan (SEP). [1]

AcqLinks and References:

  • DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisitions – Jan 2017
  • (Old) DoD Risk Issue and Opportunity Management Guidance for Defense Acquisition Programs – June 2015
  • [1] DoD Risk Management Guidebook – Section 8 – Aug 06 (Outdated)
  • Risk Assessment Checklist
  • Risk Assessment Worksheet and Management Plan
  • Continuous Risk Management Guidebook by Carnegie Mellon
  • Template: Project Risk Management Template

Updated: 2/16/2024

Rank: G36.2

What Is Risk Management & Why Is It Important?

  • 24 Oct 2023

Businesses can’t operate without risk. Economic, technological, environmental, and competitive factors introduce obstacles that companies must not only manage but overcome.

According to PwC’s Global Risk Survey, organizations that embrace strategic risk management are five times more likely to deliver stakeholder confidence and better business outcomes and two times more likely to expect faster revenue growth.

If you want to enhance your job performance and identify and mitigate risk more effectively, here’s a breakdown of what risk management is and why it’s important.

What Is Risk Management?

Risk management is the systematic process of identifying, assessing, and mitigating threats or uncertainties that can affect your organization. It involves analyzing risks’ likelihood and impact, developing strategies to minimize harm, and monitoring measures’ effectiveness.

“Competing successfully in any industry involves some level of risk,” says Harvard Business School Professor Robert Simons, who teaches the online course Strategy Execution. “But high-performing businesses with high-pressure cultures are especially vulnerable. As a manager, you need to know how and why these risks arise and how to avoid them.”

According to Strategy Execution, strategic risk has three main causes:

  • Pressures due to growth: This is often caused by an accelerated rate of expansion that makes staffing or industry knowledge gaps more harmful to your business.
  • Pressures due to culture: While entrepreneurial risk-taking can come with rewards, executive resistance and internal competition can cause problems.
  • Pressures due to information management: Since information is key to effective leadership, gaps in performance measures can result in decentralized decision-making.

These pressures can lead to several types of risk that you must manage or mitigate to avoid reputational, financial, or strategic failures. However, risks aren’t always obvious.

“I think one of the challenges firms face is the ability to properly identify their risks,” says HBS Professor Eugene Soltes in Strategy Execution.

Therefore, it’s crucial to pinpoint unexpected events or conditions that could significantly impede your organization’s business strategy.

According to Strategy Execution, strategic risk comprises:

  • Operations risk: This occurs when internal operational errors interrupt your products or services’ flow. For example, shipping tainted products can negatively affect food distribution companies.
  • Asset impairment risk: When your company’s assets lose a significant portion of their current value because of a decreased likelihood of receiving future cash flows. For instance, losing property assets, like a manufacturing plant, due to a natural disaster.
  • Competitive risk: Changes in the competitive environment can interrupt your organization’s ability to create value and differentiate its offerings—eventually leading to a significant loss in revenue.
  • Franchise risk: When your organization’s value erodes because stakeholders lose confidence in its objectives. This primarily results from failing to control any of the strategic risk sources listed above.

Understanding these risks is essential to ensuring your organization’s long-term success. Here’s a deeper dive into why risk management is important.

4 Reasons Why Risk Management Is Important

1. Protects Organization’s Reputation

In many cases, effective risk management proactively protects your organization from incidents that can affect its reputation.

“Franchise risk is a concern for all businesses,” Simons says in Strategy Execution. “However, it's especially pressing for businesses whose reputations depend on the trust of key constituents.”

For example, airlines are particularly susceptible to franchise risk because of unforeseen events, such as flight delays and cancellations caused by weather or mechanical failure. While such incidents are considered operational risks, they can be incredibly damaging.

In 2016, Delta Airlines experienced a national computer outage, resulting in over 2,000 flight cancellations. Delta not only lost an estimated $150 million but took a hit to its reputation as a reliable airline that prided itself on “canceling cancellations.”

While Delta bounced back, the incident illustrates how mitigating operational errors can make or break your organization.

2. Minimizes Losses

Most businesses create risk management teams to avoid major financial losses. Yet, various risks can still impact their bottom lines.

A Vault Platform study found that dealing with workplace misconduct cost U.S. businesses over $20 billion in 2021. In addition, Soltes says in Strategy Execution that corporate fines for misconduct have risen 40-fold in the U.S. over the last 20 years.

One way to mitigate financial losses related to employee misconduct is by implementing internal controls. According to Strategy Execution, internal controls are the policies and procedures designed to ensure reliable accounting information and safeguard company assets.

“Managers use internal controls to limit the opportunities employees have to expose the business to risk,” Simons says in the course.

One company that could have benefited from implementing internal controls is Volkswagen (VW). In 2015, VW whistle-blowers revealed that the company’s engineers deliberately manipulated diesel vehicles’ emissions data to make them appear more environmentally friendly.

This led to severe consequences, including regulatory penalties, expensive vehicle recalls, and legal settlements—all of which resulted in significant financial losses. By 2018, U.S. authorities had extracted $25 billion in fines, penalties, civil damages, and restitution from the company.

Had VW maintained more rigorous internal controls to ensure transparency, compliance, and proper oversight of its engineering practices, perhaps it could have detected—or even averted—the situation.

3. Encourages Innovation and Growth

Risk management isn’t just about avoiding negative outcomes. It can also be the catalyst that drives your organization’s innovation and growth.

“Risks may not be pleasant to think about, but they’re inevitable if you want to push your business to innovate and remain competitive,” Simons says in Strategy Execution.

According to PwC, 83 percent of companies’ business strategies focus on growth, despite risks and mixed economic signals. In Strategy Execution, Simons notes that competitive risk is a challenge you must constantly monitor and address.

“Any firm operating in a competitive market must focus its attention on changes in the external environment that could impair its ability to create value for its customers,” Simons says.

This requires incorporating boundary systems—explicit statements that define and communicate risks to avoid—to ensure internal controls don’t extinguish innovation.

“Boundary systems are essential levers in businesses to give people freedom,” Simons says. “In such circumstances, you don’t want to stifle innovation or entrepreneurial behavior by telling people how to do their jobs. And if you want to remain competitive, you’ll need to innovate and adapt.”

Netflix is an example of how risk management can inspire innovation. In the early 2000s, the company was primarily known for its DVD-by-mail rental service. With growing competition from video rental stores, Netflix went against the grain and introduced its streaming service. This changed the market, resulting in a booming industry nearly a decade later.

Netflix’s innovation didn’t stop there. Once the streaming services market became highly competitive, the company shifted once again to gain a competitive edge. It ventured into producing original content, which ultimately helped differentiate its platform and attract additional subscribers.

By offering more freedom within internal controls, you can encourage innovation and constant growth.

4. Enhances Decision-Making

Risk management also provides a structured framework for decision-making. This can be beneficial if your business is inclined toward risks that are difficult to manage.

By pulling data from existing control systems to develop hypothetical scenarios, you can discuss and debate strategies’ efficacy before executing them.

“Interactive control systems are the formal information systems managers use to personally involve themselves in the decision activities of subordinates,” Simons says in Strategy Execution. “Decision activities that relate to and impact strategic uncertainties.”

JPMorgan Chase, one of the most prominent financial institutions in the world, is particularly susceptible to cyber risks because it compiles vast amounts of sensitive customer data. According to PwC, cybersecurity is the number one business risk on managers’ minds, with 78 percent worried about more frequent or broader cyber attacks.

Using data science techniques like machine learning algorithms enables JPMorgan Chase’s leadership not only to detect and prevent cyber attacks but address and mitigate risk.

Start Managing Your Organization's Risk

Risk management is essential to business. While some risk is inevitable, your ability to identify and mitigate it can benefit your organization.

But you can’t plan for everything. According to the Harvard Business Review, some risks are so remote that no one could have imagined them. Some result from a perfect storm of incidents, while others materialize rapidly and on enormous scales.

By taking an online strategy course, you can build the knowledge and skills to identify strategic risks and ensure they don’t undermine your business. For example, through an interactive learning experience, Strategy Execution enables you to draw insights from real-world business examples and better understand how to approach risk management.

Do you want to mitigate your organization’s risks? Explore Strategy Execution—one of our online strategy courses—and download our free strategy e-book to gain the insights to build a successful strategy.

The Functional BA

Unraveling the world of business analysis

How Business Analysts can manage project risks

Risk management is used to spot areas of uncertainty that could affect value. Risk management analyzes and assesses those uncertainties, and develops and manages the associated risks.

If risks are not identified and managed effectively they could adversely affect the value of the solution.

If adequate controls have not been put in place, the business analyst should create plans for avoiding, reducing, or modifying the risks, and if necessary, implement these plans.

Risk management is a recurring activity that should happen throughout the lifecycle of the initiative. The business analyst should work with the stakeholders to help identify new risks and to monitor identified risks.

Risk management has some components, which include:

1. Risk Identification: Risks are identified through expert judgment, stakeholder input, experimentation, past experiences, and historical analysis of similar initiatives.

The objective is to identify a complete set of applicable risks. Each risk should be described in a risk register that helps with the analysis and management of those risks.

2. Analysis: Analysis of a risk involves understanding and assessing the risk level. The likelihood of occurrence can be expressed as low, medium, and high.

The outcome of a risk is its impact on the potential solution value. The risk impact can be described in terms of cost, duration, solution scope, solution quality, reputation, compliance, or social responsibility.

The level of a given risk is expressed as a combination of the likelihood of occurrence and the impact. Usually, it is a simple multiplication of probability and impact. The risk levels are used to prioritize the risks.

3. Evaluation: To assess the risk, the risk analysis results are compared to the solution to decide if the risk level is acceptable or not. Overall risk level may be calculated by adding up all the individual risk levels.

4. Treatment: Based on the risk assessment level, the following approaches may be considered:

  • Avoid: either the source of the risk is removed or plans are amended to ensure that the risk does not occur.
  • Transfer: the culpability for dealing with the risk is moved to, or shared with, a third party.
  • Mitigate: the probability of the risk occurring is reduced.
  • Accept: the risk is accepted and might be mitigated if it does occur.
  • Increase: the organization might decide to take on more risk in order to go after an opportunity.

Once the approach for managing a specific risk is selected, a risk response plan is developed and given to a risk owner with the responsibility and authority for managing the risk.

If the risk avoidance approach is selected, the risk owner should ensure that the probability or the impact of the risk is removed.

But if the risk cannot be totally removed then a risk mitigation plan should be created and the risk should be continuously monitored.

Risk management has its strengths and limitations, which include:

Strengths:

  • Risk management can be used to manage the strategic, tactical and operational risks of the solution.
  • The successful risk responses on one initiative can be used for similar initiatives.
  • Recurring risk management helps to assess the risks and the appropriateness of the planned responses.

Limitations:

  • Managing all the solution risks might be improbable so identifying the most important ones might be the only feasible solution.
  • There is the possibility that important risks are not identified.

Uncovering Hidden Risks: A Comprehensive Guide to Business Plan Risk Analysis

A modern business plan that will lead your business on the road to success must have another critical element. That element is a part where you will need to cover possible risks related to your small business. So, you need to focus on managing risk and use risk management processes if you want to succeed as an entrepreneur.

How can you manage risks?

You can always plan and predict, to a certain extent, what will happen in the future, but the outcome is not always in your hands. There are many external factors in the business world. They will always influence the realization of your plans, and not only the realization but also the results you will achieve in implementing the specific plan. Because of that, you need to look at these factors through the prism of risk if you want to implement an appropriate management process while implementing your business plan.

By conducting a thorough risk analysis, you can manage risks by identifying potential threats and uncertainties that could impact your business. From market fluctuations and regulatory changes to competitive pressures and technological disruptions, no risk will go unnoticed. With these insights, you can develop contingency plans and implement risk mitigation strategies to safeguard your business’s interests.

This guide will provide practical tips and real-life examples to illustrate the importance of proper risk analysis. Whether you’re a startup founder preparing a business plan or a seasoned entrepreneur looking to reassess your risk management approach, this guide will equip you with the knowledge and tools to navigate the complex landscape of business risks.

Why is Risk Analysis Important for Business Planning?

Risk analysis is essential to business planning as it allows you to proactively identify and assess potential risks that could impact your business objectives. When you conduct a comprehensive risk analysis, you can gain a deeper understanding of the threats your business may face and can take proactive measures to mitigate them.

One of the key benefits of risk analysis is that it enables you to prioritize risks based on their potential impact and likelihood of occurrence. This helps you allocate resources effectively and develop contingency plans that address the most critical risks.

Additionally, risk analysis allows you to identify opportunities that may arise from certain risks, enabling you to capitalize on them and gain a competitive advantage.

It is important to adopt a systematic approach to effectively analyze risks in your business plan. This involves identifying risks across various market, operational, financial, and legal areas. By considering risks from multiple perspectives, you can develop a holistic understanding of your business’s potential challenges.

What is a Risk for Your Small Business?

In dictionaries, risk is usually defined as:

The possibility that dangerous or bad consequences become true.

When it comes to businesses, entrepreneurs, or in this case, the business planning process, it is possible that some aspects of the business plan will not be implemented as planned. Such a situation could have dangerous or harmful consequences for your small business.

It is simple. If you don’t implement something you have in your business plan, there will be some negative consequences for your small business.

Types of Risks in Business Planning

When conducting a business risk assessment for your business plan, it is essential to consider various types of risks that could impact your venture. Here are some common types of risks to be aware of:

1. Market risks

These risks arise from fluctuations in the market, including changes in consumer preferences, economic conditions, and industry trends. Market risks can impact your business’s demand, pricing, and market share.

2. Operational risk

Operational risk is associated with internal processes, systems, and human resources. These risks include equipment failure, supply chain disruptions, employee errors, and regulatory compliance issues.

3. Financial risks

Financial risks pertain to managing financial resources and include factors such as cash flow volatility, debt levels, currency fluctuations, and interest rate changes.

4. Legal and regulatory risks

Legal and regulatory risks arise from changes in laws, regulations, and compliance requirements. Failure to comply with legal and regulatory obligations can result in penalties, lawsuits, and reputational damage.

5. Technological risks

Technological risks arise from rapid technological advancements and the potential disruptions they can cause your business. These risks include cybersecurity threats, data breaches, and outdated technology infrastructure.

Basic Characteristics of Risk

Before you start with the development of your small business risk management process, you will need to know and consider the essential characteristics of the possible risk for your company.

What are the basic characteristics of a possible risk?

The risk for your company is partially unknown.

Your entrepreneurial work would be too easy if it were easy to predict possible risks for your company. The biggest problem is that the risk is partially unknown. Here we are talking about the future, and we want to prepare for that future. So, the risk is partially unknown because it will possibly appear in the future, not now.

The risk to your business will change over time.

Because your business operates in a highly dynamic environment, you cannot expect the risk to stay fixed. You cannot expect the risk to always exist in the same shape or form, or with the same consequences for your company.

You can predict the risk.

It is something that, if we want, we can predict through a systematic process. You can easily predict the risk if you install an appropriate risk management process in your small business.

The risk can and should be managed.

You can always focus your resources on eliminating or reducing risk in the areas expected to appear.

Risk Management Process You Should Implement

The risk management process cannot be seen as static in your company. Instead of that, it must be seen as an interactive process in which information will continuously be updated and analyzed. You and your small business members will act on them, and you will review all risk elements in a specified period.

Adopting a systematic approach to identifying and assessing risks in your business plan is crucial. Here are some steps to consider:

1. Risk Identification

First, you must identify risk areas. Ask and respond to the following questions:

  • What are my company’s most significant risks?
  • What are the risk types I will need to follow?

In business, identifying risk areas is the process of pinpointing potential threats or hazards that could negatively impact your business’s ability to conduct operations, achieve business objectives, or fulfill strategic goals.

Just as meteorologists use data to predict potential storms and help us prepare, you can use risk identification to foresee possible challenges and create plans to deal with them.

Risk can arise from various sources, such as financial uncertainty, legal liabilities, strategic management errors, accidents, natural disasters, and even pandemic situations. Natural disasters cannot be predicted or avoided, but you can prepare in case they occur.

For example, a retail business might identify risks like fluctuating market trends, supply chain disruptions, cybersecurity threats, or changes in consumer behavior. As you can see, the main risk areas are related to types of risk: market, financial, operational, legal and regulatory, and technological risks.

You can also use business model elements to start with something concrete:

  • Value proposition,
  • Customers,
  • Customer relationships,
  • Distribution channels,
  • Key resources and
  • Key partners.

There will not necessarily be risk in all areas, nor will the risk have the same intensity in all areas. So, based on your business environment, the industry in which your business operates, and the business model, you will need to determine in which of these areas there is a possible risk.

Also, you must stay informed about external factors impacting your business, such as industry trends, economic conditions, and regulatory changes. This will help you identify emerging risks and adapt your risk management strategies accordingly.

The idea for this step is to create a table where you will have identified potential risks in each important area of your business.

Business Risks Identification

2. Risk Profiling

Conduct a detailed analysis of each identified risk, including its potential impact on your business objectives and the likelihood of occurrence. This will help you develop a comprehensive understanding of the risks you face.

Qualitative Risk Analysis

The qualitative risk analysis process involves assessing and prioritizing risks based on ranking or scoring systems to classify risks into low, medium, or high categories. For this analysis, you can use customer surveys or interviews.

Qualitative risk analysis is quick, straightforward, and doesn’t require specialized statistical knowledge to conduct a business risk assessment. The main negative side is its subjectivity, as it relies heavily on personal opinion or expert judgment.

This method is best suited for initial risk assessments or when there is insufficient quantitative analysis data.

For example, if we consider the previously identified risk of a sudden shift in consumer preferences, a qualitative analysis might rate its likelihood as 7 out of 10 and its impact as 8 out of 10, placing it in the high-priority quadrant of our risk matrix. But qualitative analysis can also use surveys and interviews where you can ask open questions and use the qualitative research process to make this scaling. This is much better because you want to lower the level of subjectivity when doing a business risk assessment.

Quantitative Risk Analysis

On the other side, the quantitative risk analysis method involves numerical and statistical techniques to estimate the probability and potential impact of risks. It provides more objective and detailed information about risks.

Quantitative risk analysis can provide specific, data-driven insights, making it easier to make informed decisions and allocate resources effectively. The negative side of this method is that it can be time-consuming, complex, and requires sufficient data.

You can use this approach for more complex projects or when you need precise data to inform decisions, especially after a qualitative analysis has identified high-priority risks.

For example, for the risk of currency exchange rate fluctuations, a quantitative analysis might involve analyzing historical exchange rate data to calculate the probability of a significant fluctuation and then using your financial data to estimate the potential monetary impact.

Both methods play crucial roles in effectively managing risks. Qualitative risk analysis helps to identify and prioritize risks quickly, while quantitative analysis provides detailed insights for informed decision-making.

3. Business Risk Assessment Matrix

Once you have identified potential risks and analyzed their likelihood and potential impact, you can create a business risk assessment matrix to evaluate each risk’s likelihood and impact. This matrix will help you prioritize risks and allocate resources accordingly.

A business risk assessment matrix, sometimes called a probability and impact matrix, is a tool you can use to assess and prioritize different types of risks based on their likelihood (probability) and potential damage (impact). Here’s a step-by-step process to create one:

  • Step 1: Begin by listing out your risks. For our example, let’s consider four of the risks we identified earlier: a sudden shift in consumer preferences (Market Risk), currency exchange rate fluctuations (Financial Risk), an increase in the minimum wage (Legal), and cybersecurity threats (Technological Risk).
  • Step 2: Determine the likelihood of each risk occurring. In the process of risk profiling, we’ve determined that a sudden shift in consumer preferences is highly likely, currency exchange rate fluctuations are moderately likely, and an increase in the minimum wage and cybersecurity threats are less likely but still possible.
  • Step 3: Assess the potential impact of each risk on your business if it were to occur. In our example, we might find that a sudden shift in consumer preferences could have a high impact, currency exchange rate fluctuations a moderate impact, an increase in the minimum wage a minor impact, and cybersecurity threats a high impact.
  • Step 4: Plot these risks on your risk matrix. The vertical axis represents the likelihood (high to low), and the horizontal axis represents the consequences (high to low).

Risk Assessment Matrix

By visualizing these risks in a risk assessment matrix format, you can more easily identify which risks require immediate attention and which ones might need long-term strategies.

4. Develop Risk Indicators for Each Risk You Have Identified

The question is, how will you measure the business risks for your company?

Risk indicators are metrics used to measure and predict potential threats to your business. Simply, a risk indicator is a measure that should tell you whether the risk appears or not in a particular area you have defined previously. They act like a business’s early warning system. When these indicators change, it’s a signal that the risk level may be increasing.

For example, for distribution channels, an indicator can be a delay in delivery for a minimum of three days. This indicator will tell you something is wrong with that channel, and you must respond appropriately.

Now, let’s consider some risk indicators for the risks we have already identified and analyzed:

Risk Indicators

If you have completed all the steps so far, you can have a similar table with risk indicators in your business plan. You should monitor these indicators regularly, and if you notice a significant change, such as a drop in sales or an increase in attempted breaches, it’s time to investigate and take some action steps. This might involve updating your product line, hedging against currency risk, budgeting for higher wages, or improving your cybersecurity measures.

Remember, risk indicators can’t predict the future with certainty. But they can give you valuable insights that can help you prepare for potential threats.

5. Define Possible Action Steps

The question is, what can you do regarding the risk if the risk indicator tells you that there is a potential risk?

Once the risk has appeared and is located, it is time to take concrete action steps. The goals of this step are not only to reduce or eliminate the impact of the risk on your company but also to prevent such risks in the future and reduce or eliminate their influence on business operations or the execution of your business plan.

For example, for distribution channels with delivery delayed more than three days, possible activities can be the following:

  • Apologizing to the customers for the delay,
  • Determining the reasons for the delay,
  • Analysis of the reasons,
  • Removing the reasons,
  • Consideration of alternative distribution channels, etc.

In this part of the business plan, try to standardize all possible actions for each risk area and indicator. You cannot expect them to be final, but you can cover some basic guidelines that must be implemented if the risk appears. Here is an example of how this part will look in your business plan for the risks we have already identified through the risk assessment process.

Action Steps When Risks Appear

6. Monitoring

Because this risk management process is dynamic, you must apply the monitoring process. In such a way, you can ensure the elimination of a specific kind of risk in the future, and you will allocate your resources to new possible risks.

After implementing the actions, you need to ask yourself the following questions:

  • Are the actions taken regarding the risk the proper measures?
  • Can you improve something regarding the risk management process? Is there a need for new risk indicators?

Techniques and Tools for Business Plan Risk Assessment

Various risk analysis methods, techniques, and tools are available to conduct an effective risk analysis for your business plan. Here are some commonly used ones:

1. SWOT analysis

A SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis can help you identify internal strengths and weaknesses and external opportunities and threats. This analysis provides valuable insights into possible business risks and opportunities.

2. PESTEL analysis

A PESTEL (Political, Economic, Sociocultural, Technological, Environmental, Legal) analysis assesses the external factors that could impact your business. This analysis will help you identify risks and opportunities arising from these factors.

3. Scenario analysis

Consider different scenarios that could impact your business, such as best-case, worst-case, and most likely scenarios, as a part of your risk assessment process. You can anticipate potential risks and develop appropriate response strategies by analyzing these scenarios.

4. Monte Carlo simulation

Monte Carlo simulation uses random sampling and probability distributions to model various scenarios and assess their potential impact on your business. This technique provides you with a more accurate understanding of risk exposure.

5. Risk register

A risk register is a risk analysis tool that helps you record and track identified risks and their relevant details, such as impact, likelihood, mitigation strategies, and responsible parties. This tool ensures that risks are appropriately managed and monitored.

6. Business Impact Analysis (BIA)

Business impact analysis helps you understand the potential effects of various disruptions on your business operations and objectives. It’s about identifying what could go wrong and understanding how it could impact your bottom line. So, you can conduct business impact analysis as a part of your risk assessment inside your business plan.

7. Failure Mode and Effects Analysis (FMEA)

Using FMEA in your risk assessment process, you can proactively address potential problems, ensuring your business operations run as smoothly as you planned. It’s all about preparing for the worst while striving for the best.

8. Risk-Benefit Analysis (RBA)

The risk-benefit analysis allows you to make informed decisions, balancing the potential for gain against the potential for loss. It helps you choose the best path, even when the way forward isn’t entirely clear. This tool is a systematic approach to understanding the specific business risk and benefits associated with a decision, process, or project.

9. Cost-Benefit Analysis

By conducting a cost-benefit analysis as a part of your risk assessments, you can make data-driven decisions that consider both the possible risks (costs) and rewards (benefits). This approach provides a clear picture of the potential return on investment, enabling more effective and confident decision-making.

These techniques and tools allow you to conduct a comprehensive risk analysis for your business plan.

Mitigating and Managing Risks in a Business Plan

Identifying risks in your business plan is only the first step. To ensure the success of your venture, it is crucial to develop effective risk mitigation and management strategies. Here are some critical steps to consider:

  • Risk avoidance: Some risks may be too high to justify taking. In such cases, consider avoiding these risks altogether by adjusting your business plan or exploring alternative strategies.
  • Risk transfer: Transferring risks to third parties, such as insurance companies or outsourcing partners, can help mitigate their impact on your business. Evaluate opportunities for risk transfer and consider appropriate insurance coverage.
  • Risk reduction: Implement measures to reduce the likelihood and impact of identified risks. This may involve improving internal processes, implementing safety protocols, or diversifying your supplier base.
  • Risk acceptance: Some risks may be unavoidable or negatively impact your business. In such cases, accepting the risks and developing contingency plans can help minimize their impact.

In conclusion, a comprehensive risk analysis is essential for identifying, assessing, and managing different types of risk that could impact your success.

Conducting a thorough risk analysis can safeguard your business’s interests, capitalize on opportunities, and increase your chances of long-term success.

Dragan Sutevski


Article • 12 min read

Risk Management and Risk Analysis

Assessing and managing risks.

By the Mind Tools Content Team

Risk is made up of two parts: the probability of something going wrong, and the negative consequences if it does.

Risk can be hard to spot, however, let alone to prepare for and manage. And, if you're hit by a consequence that you hadn't planned for, costs, time, and reputations could be on the line. Similarly, overestimating or overreacting to risks can create panic, and do more harm than good.

This makes Risk Analysis an essential tool. It can help you to identify and understand the risks that you could face in your role. In turn, this helps you to manage these risks, and minimize their impact on your plans.

By approaching risk in a logical manner you can identify what you can and cannot control, and tackle potential problems with measured and appropriate action. This can then help to alleviate feelings of stress and anxiety, both in and outside of work.

In this article and video, we look at how you can identify and estimate risks. You will then learn how a strategy of avoiding, sharing, accepting, and controlling can help you to manage risk effectively.

What Is Risk Analysis?

Risk Analysis is a process that helps you to identify and manage potential problems that could undermine key business initiatives or projects. However, it can also be applied to other projects outside of business, such as organizing events or even buying a home!

To carry out a Risk Analysis, you must first identify the possible threats that you face, then estimate their likely impacts if they were to happen, and finally estimate the likelihood that these threats will materialize.

Risk Analysis can be complex, as you'll need to draw on detailed information such as project plans, financial data, security protocols, marketing forecasts, and other relevant information. However, it's an essential planning tool, and one that could save time, money, and reputations.

What is Risk Management?

Definition: Risk management is a strategy of avoiding risk, sharing it, accepting it, and controlling it as effectively as you can. Once you've identified the value of the risks you face, you can then start to look at ways of managing them.

When to Use Risk Analysis

Risk analysis is useful in many situations:

  • When you're planning projects, to help you to anticipate and neutralize possible problems.
  • When you're deciding whether or not to move forward with a project.
  • When you're improving safety and managing potential risks in the workplace.
  • When you're preparing for events such as equipment or technology failure, theft, staff sickness, or natural disasters.
  • When you're planning for changes in your environment, such as new competitors coming into the market, or changes to government policy.

How to Use Risk Analysis

To carry out a risk analysis, follow these steps:

1. Identify Threats

The first step in Risk Analysis is to identify the existing and possible threats that you might face. These can come from many different sources. For instance, they could be:

  • Human – Illness, death, injury, or other loss of a key individual.
  • Operational – Disruption to supplies and operations, loss of access to essential assets, or failures in distribution.
  • Reputational – Loss of customer or employee confidence, or damage to market reputation.
  • Procedural – Failures of accountability, internal systems, or controls, or from fraud.
  • Project – Going over budget, taking too long on key tasks, or experiencing issues with product or service quality.
  • Financial – Business failure, stock market fluctuations, interest rate changes, or non-availability of funding.
  • Technical – Advances in technology, or from technical failure.
  • Natural – Weather, natural disasters, or disease.
  • Political – Changes in tax, public opinion, government policy, or foreign influence.
  • Structural – Dangerous chemicals, poor lighting, falling boxes, or any situation where staff, products, or technology can be harmed.

Note: It is vital that you consider any and all risks to your team members. Managers and leaders have a duty of care, and so will have legal and moral obligations to keep their employees safe.

You can use a number of different approaches to carry out a thorough analysis:

  • Run through a list such as the one above to see if any of these threats are relevant.
  • Think about the systems, processes, or structures that you use, and analyze risks to any part of these. What vulnerabilities can you spot within them?
  • Ask others who might have different perspectives. If you're leading a team, ask for input from your people, and consult others in your organization, or those who have run similar projects.

Tools such as SWOT Analysis, Failure Mode and Effects Analysis, PMESII-PT, and PEST Analysis can also help you uncover threats, while Scenario Analysis helps you to explore possible future threats.

Tip: Be mindful not to confuse Risk Analysis with Risk Assessment. The latter is the process of formally analyzing and mitigating the risks and hazards of an activity by an employee for their health and safety.

2. Estimate Risk

Once you've identified the threats you're facing, you need to calculate both the likelihood of these threats being realized, and their possible impact.

One way of doing this is to make your best estimate of the probability of the event occurring, and then to multiply this by the amount it will cost you to set things right if it happens. This gives you a value for the risk:

Risk Value = Probability of Event x Cost of Event

As a simple example, imagine that you've identified a risk that your rent may increase substantially.

You think that there's an 80 percent chance of this happening within the next year, because your landlord has recently increased rents for other businesses. If this happens, it will cost your business an extra $500,000 over the next year.

So the risk value of the rent increase is:

0.80 (Probability of Event) x $500,000 (Cost of Event) = $400,000 (Risk Value)

You can also use a Risk Impact/Probability Chart to assess risk. This will help you to identify which risks you need to focus on.

Tip: Don't rush this step. Gather as much information as you can so that you can accurately estimate the probability of an event occurring, and the associated costs. Use past data as a guide if you don't have an accurate means of forecasting.

Tip: Look for cost-effective approaches – it's rarely sensible to spend more on eliminating a risk than the cost of the event if it occurs. It may be better to accept the risk than it is to use excessive resources to eliminate it.

Be sensible in how you apply this, though, especially if ethics or personal safety are in question.

Avoid the Risk

In some cases, you may want to avoid the risk altogether. This could mean not getting involved in a business venture, passing on a project, or skipping a high-risk activity. This is a good option when taking the risk involves no advantage to your organization, or when the cost of addressing the effects is not worthwhile.

Remember that when you avoid a potential risk entirely, you might miss out on an opportunity. Conduct a "What If?" Analysis to explore your options when making your decision.

Risk Management Framework

A Risk Management Framework serves as the bedrock on which a company's risk culture is built, offering a structured approach to protect its assets. Adopting an effective Risk Management Framework is crucial to protecting an organization's financial future.

The Five Elements of a Risk Management Framework

1. Risk Identification

An exhaustive catalog of potential risks is produced, encompassing IT, operational, regulatory, legal, political, strategic, and credit risks.

2. Risk Measurement

The magnitude and likelihood of specific and aggregate risk exposures is measured. This assessment aids in determining the impact of risks on the organization's overall risk profile, allowing for informed prioritization.

3. Risk Mitigation

Once risks are identified and measured, strategies for risk reduction or elimination can be devised. Options include asset or liability sales, insurance, derivatives hedging, and diversification.

4. Risk Reporting and Monitoring

Regular and automated reporting on both specific and aggregate risk measures is essential for maintaining optimal risk levels. Real-time accessibility through dashboards enhances proactive risk management.

5. Risk Governance

Establishing a structured process to help employees adhere to the Risk Management Framework is vital. This involves defining roles, segregating duties, assigning authority, and overseeing risk-related matters at all levels within the organization.

A robust Risk Management Framework provides the framework for risk management but relies on active participation and adherence from all stakeholders to be truly effective.

Share the Risk

You could also opt to share the risk – and the potential gain – with other people, teams, organizations, or third parties.

For instance, you share risk when you insure your office building and your inventory with a third-party insurance company, or when you partner with another organization in a joint product development initiative.

Accept the Risk

Your last option is to accept the risk. This option is usually best when there's nothing you can do to prevent or mitigate a risk, when the potential loss is less than the cost of insuring against the risk, or when the potential gain is worth accepting the risk.

For example, you might accept the risk of a project launching late if the potential sales will still cover your costs.

Before you decide to accept a risk, conduct an Impact Analysis to see the full consequences of the risk. You may not be able to do anything about the risk itself, but you can likely come up with a contingency plan to cope with its consequences.

However, it's important to bear in mind that everyone's definition of "acceptable risk" is different, so be sure to communicate with others before you make a decision, and use tools like the Prospect Theory to predict people's different reactions to risk.

Control the Risk

If you choose to accept the risk, there are a number of ways in which you can reduce its impact.

Business Experiments are an effective way to reduce risk. They involve rolling out the high-risk activity but on a small scale, and in a controlled way. You can use experiments to observe where problems occur, and to find ways to introduce preventative and detective actions before you introduce the activity on a larger scale.

  • Preventative action involves aiming to prevent a high-risk situation from happening. It includes health and safety training, firewall protection on corporate servers, and cross-training your team.
  • Detective action involves identifying the points in a process where something could go wrong, and then putting steps in place to fix the problems promptly if they occur. Detective actions include double-checking finance reports, conducting safety testing before a product is released, or installing sensors to detect product defects.

Plan-Do-Check-Act is a similar method of controlling the impact of a risky situation. Like a business experiment, it involves testing possible ways to reduce a risk. The tool's four phases guide you through an analysis of the situation, creating and testing a solution, checking how well this worked, and implementing the solution.

Alternatively, James Reason's Swiss Cheese Model of System Accidents explores how there is no single solution to minimizing risk, but rather uses a combination of methods to get the best results.

Risk Analysis is a proven way of identifying and assessing factors that could negatively affect the success of a business or project. It allows you to examine the risks that you or your organization face, and helps you decide whether or not to move forward with a decision.

You perform a Risk Analysis by identifying threats, and estimating the likelihood of those threats being realized.

Once you've worked out the value of the risks you face, you can start looking at ways to manage them effectively. This may include choosing to avoid the risk, sharing it, or accepting it while reducing its impact. Not only can this help you to make sensible decisions but it can also alleviate feelings of stress and anxiety.

It's essential that you're thorough when you're working through your Risk Analysis, and that you're aware of all of the possible impacts of the risks revealed. This includes being mindful of costs, ethics, and people's safety.


Comments (1)

firstname lastname

Hi, there is no option to download the tools 'print this free worksheet, and then follow these steps'. Can you please advise me how to download this free risk assessment template?


Why Having a Risk Management Plan is Important for Small Businesses


David Galic

10 min. read

Updated October 29, 2023

Taking the plunge and deciding to start your own small business isn’t something that’s for everyone. Have you ever wondered why that is? 

Why would some people prefer to work for others instead of themselves? One of the main reasons is security. If the business you are working for goes under, the worst thing that will happen is that you will be out of a job and looking for a new one. 

If the business you own and run fails, you stand to lose far more. Simply stated, starting a small business is a risky endeavor and one in which very few things are guaranteed.

All businesses, big and small, face a large variety of potential risks. However, one can say that every risk is amplified for small business owners, simply because every loss of money and financial pitfall can potentially cripple a small company, which can’t be said for large corporations. 

That’s why putting a risk management plan together should be one of the first steps that any would-be small business owner takes on their entrepreneurial road. 

What is risk management? 

Risk management is a process. This process includes identifying your business risks, evaluating them, and then deciding how to deal with them. 

Did you know that 42% of startups fail because there was no market demand for what they were trying to sell? This might sound like a risk that should have been identified in the earliest stages of the business, but you’d also be surprised at how many businesses don’t perform the proper market research that’s needed to identify such a risk. 

The process of putting together a risk management plan should result in the creation of a plan that your business will be able to follow in order to expose itself to the least amount of risk possible. This plan will enable your company to set up procedures that will help you avoid risks that are avoidable and minimize the impact of risks that are not. 

Risk management is also a cyclical process that never really ends. Risks need to be reevaluated continuously as your business changes and grows. Let’s take a more in-depth look at the process of putting together and implementing a good risk management plan. 

How to put together a strong risk management plan

If you want to boil it down to the most essential steps needed to put together a solid risk management plan for your small business, there are three main steps that need to be taken: identification, evaluation, and mitigation. 


Identification.

This part of the process asks business owners to put together a list, as exhaustive as possible, of the potential risks that can affect their businesses. These risks can be related to your business strategies and how effective they are, risks related to your business’s day-to-day operations, regulatory risks related to laws and compliance, reputational risks, financial risks, and more.


Evaluation.

Once you have identified your risks, it’s time to analyze them. What’s most important to take into consideration during this phase of the process is how likely these risks are to occur and how severe the consequences will be if they do occur. Knowing the possible impact of your risks helps you make a decision on how to mitigate them.


Mitigation.

This is the stage of your plan in which you’re recommending concrete actions that need to be taken in relation to each risk that you have identified. 

Risk management is an ongoing process

As mentioned earlier, this process never really ends as long as your business is running. Your risk management plan and the way in which you are implementing it needs to be continuously monitored and tweaked over time in order to make sure that you are always protecting your business as thoroughly as possible. 

Now that you know how to put together a risk management plan, let’s take a look at some of the most common ways businesses can face their risks in the mitigation process. 

Common risk management tactics 

Once your small business has identified your risks and analyzed their potential impact, the mitigation part of the process requires you to make a decision on how to face and tackle each of the possible risks that you have identified and evaluated. 

Generally, there are four tactics that are most commonly employed:

Risk avoidance 

If you’ve evaluated a risk as being potentially volatile and you see a chance of it doing great financial damage to your business if you take the risk and it doesn’t pan out, then it’s probably a risk that is best avoided. For example, if you’re running an ice cream shop, you could be contemplating adding baked goods or other sweets to your menu. If you’ve done some research among customers and you haven’t seen much of an interest, it might be best to avoid taking that risk at this time. 

But as mentioned earlier, all risks should be periodically revisited. This means that while this idea might be an incredibly risky one at this time, it might not be as risky several years from now if your ice cream business is steadily growing and you’re seeing steady increases in revenue annually that make this type of decision to expand your offer less of a financial risk, simply because you have more money to spend on optimizing your business.  

Risk reduction

Reduction basically means doing everything you can to make a risk less risky. To use the same ice cream shop example, if you’re not ready to experiment and add other products that aren’t ice cream to your shop but you still want to take a certain amount of risk in the hopes of improving your sales, there are smaller risks that you can take to do that. 

For example, you could simply add new ice cream flavors and toppings to your offer. By doing so you have taken a risk by changing your menu, but you have not done anything drastic that could potentially put you into a disastrous financial hole if the move doesn’t pan out. 

Risk acceptance 

In the above example, you’ve reduced your risk by modifying your offer in a minor way, and by adding new flavors and toppings to your menu, you’ve defined this risk as an acceptable one to take. Acceptance is the best way to deal with risks that can’t cause you much damage, even in worst-case scenarios.

Transference of risk

Whenever you hear someone talking about buying business insurance, they are talking about risk transference. When your small business purchases a policy from an insurer, they are essentially paying to transfer risk to a third party. No matter how big or small your business is, purchasing business insurance to mitigate various business risks is practically unavoidable. 

The role of insurance in risk management

Once you’ve identified and evaluated your risks, you’ll be able to better understand which risks should be transferred to an insurer. For starters, a majority of small businesses that are just starting out will usually buy a Business Owner’s Policy, known as a BOP. 

This is basically an insurance policy bundle that gives you three policies: general liability insurance, property insurance, and business interruption insurance. BOPs are popular because they give small businesses a good amount of basic coverage while paying significantly less than they would pay if they wanted to buy those three policies separately.

Naturally, the price of your BOP depends on your business’s risk profile, but no matter what that price is, it’s still going to cost you less than having to buy general liability, property, and business interruption policies separately.  

Let’s take a look at some of the risks that a BOP would typically cover:

General liability 

Covers claims related to third-party property damage or bodily injury. If a customer injures themselves in your store and takes you to court as a result, this insurance policy would cover your legal costs and eventual settlements.

Commercial property insurance 

Weather damage, natural disasters, and fires are examples of unexpected and usually unavoidable risks that can cripple your business. If you purchase property coverage, your insurer will cover the cost of property, inventory, and equipment damage in the case of severe weather, vandalism, electrical fires, power outages, and other risks that are often out of your control.

Business interruption insurance

If your business burns down in an electrical fire, property insurance will help you rebuild and reopen. But what will you do until then? Business interruption insurance will cover expenses such as loss of income, wages, rent, and loans so that you can keep your business afloat while you’re getting back on your feet and not making any money. 

Insurance needs are different for every business

Just as there is an unlimited number of business risks, there is also a myriad of insurance products that were created to mitigate many of them. Obviously, no two businesses have the same risk profile. 

For example, a risk management plan for a law firm and one created for a real estate firm will be completely different. Even in the case of two retail businesses, the risks that these businesses face are dependent on how many employees they have, whether they sell online or in physical stores, what types of products they sell, and a slew of other factors.

This is why it’s important to talk to an experienced broker that is familiar with your small business’s specific industry in order to get quality recommendations on coverage that will protect your business as holistically as possible from risks that are both severe and usually out of your control. 

The benefits of proper risk management

The most obvious benefit of putting together a good risk management plan is that it helps you to avoid risks that could negatively impact your business. However, another great thing about proper risk management is that it can result in positive effects on other aspects of your business as well, for example:

Better finances 

When your business has a strong risk management plan and executes it well, you’re able to avoid some pitfalls that could have hurt your business’s bottom line if the risks hadn’t been identified and avoided or mitigated. Furthermore, banks and other financial institutions are much more likely and willing to offer loans to companies that are properly managing and transferring their risk. 

A stronger brand 

A business that manages its risks properly is often a successful, stable, and prosperous one. When a small business is proactive about managing its risk, it is sending a clear message to employees, partners, and customers that they are dealing with professionals who take its success and reputation seriously. 

Increased efficiency 

The risk evaluation process can also uncover areas of your business that are being run inefficiently. This then enables you to fix problems that might be leading to a decrease in the quality of the product or service you offer. Risk identification practices can often uncover inefficient financial processes as well and areas where you might be leaking money unnecessarily. 

A risk management plan is vital to the success of your business 

Performing risk analysis and putting together a risk management plan for your small business helps you to learn more about your business and also enables you to get to know yourself, your business partners, and your customers even better. 

These added benefits only amplify the importance of creating a plan for managing the many risks that can affect your business and, most importantly, putting that plan into action and keeping it updated as your business grows and evolves over the years.

Content Author: David Galic

David Galic is the Senior Content Writer at Embroker, an industry-leading digital brokerage. Starting his career as a journalist, David has spent the last decade working with tech startups to provide small businesses with technology that makes their jobs and lives easier and more efficient.

Learn Business Analysis

Requirements Risk • How to Manage Risks on Your Project

June 4, 2019 By Emal Bariali

Today I want to talk to you about risk management and how you as a business analyst can help your project or help your company manage the risks that you see on a project.

Episode Transcript

How to Manage Risks on Your Project

In this video I’m going to talk to you about the actual steps you should be taking when you’ve identified a potential risk that you see coming down the line.

Imagine you’re in this situation.

A situation where you see something that’s happening in the analysis world and your portion of the work is going to affect the project negatively in the near future.

1. Document the Risk

The very first thing that I’m going to do is to raise a risk. There’s a very clear definition of what the risk is and there’s an actual specific format that I’m going to talk about in which you need to document and raise that risk. The whole concept behind a risk is that it’s something that’s on your radar and you want to make sure that the project manager is monitoring it. So they’re taking mitigation actions to make sure that it doesn’t ever come about.

  • What is the risk?
  • Is it something that’s going to affect the cost of the project?
  • Are we going to need more people?
  • Is it something that is schedule-related so is it likely to push out the schedule if we don’t take some sort of action?
  • Is it going to affect the scope or is it going to affect the quality of the product that we’re trying to deliver?

2. Likelihood of Risk

The likelihood tells you how likely it is that the risk is going to occur if you don’t take any further actions.

  • How likely is it that the risk will occur?
  • What is the likelihood that the risks I’ve described are actually going to happen?
  • Risks don’t always take place.

3. Impact of Risk

And so this is more of a gradient of impact.

  • Is it a high, medium or low impact?
  • What is going to be the impact on the project?
  • Is it going to have a high impact on the schedule?
  • Is it going to have a medium impact on the cost?

I want to talk about the difference between the mitigation options and the contingency plan. Both mitigation and contingency are things that the project should be doing. They are options for what the project can do. But they are somewhat different from one another.

4. Mitigation Plan

On a lot of projects, you’ll have a status called, for example, “imminent” or “uncertain”. With an imminent risk, it’s a certainty that this risk is going to happen, so it’s almost a one hundred percent chance that it’s going to happen if we don’t take any mitigating steps.

And that is the next column which is the mitigation plan.

So far we have the Description, Likelihood and Impact, and the next thing that you have to do for the risks that you’re raising is to provide the project manager with some Mitigation Options.

The mitigation options are the things that you have to do now in order to prevent the risk from occurring.

So, for example, say I go to the project manager and I say: I don’t have enough time to perform the analysis on this project.

One mitigation action that I can suggest to the project manager is to say: allocate one analyst on to the project so that we can get the work done properly within the schedule that you’re looking for.

It’s up to the project manager at that point to decide whether they have the availability of resources or whether they can make a case for having an extra analyst on the team. But what you’ve done in that case is that you’ve made it clear what the action is so that the risk to certain deadlines is mitigated.

So all the mitigation actions are things that happen to prevent the risk from happening and they all have to happen before the risk actually comes about.

The contingency plan is the flip side of that.

5. Contingency Plan

The next column is what’s called a contingency plan.

Contingency plans are the things that the project should be doing when the risk actually materializes.

Now it is the job of the project manager to maintain what’s called the risk register and so the project manager has risks that are outside your portion of the work that was in development. They have risks that come about and pop-up.

What you’re doing as an analyst is that you are raising that risk to the project manager so that the project manager has it on their radar. They have better visibility and they have some options of things they can do to prevent things from happening.

These four chokepoints are threatening global trade

Right now, more than 50% of global maritime trade is at threat of disruption in four key areas of the world.

While the conflict in the Red Sea has been high in the news agenda, there are three other maritime passageways that risk becoming chokepoints due to either geopolitical or environmental factors.

1. The Suez Canal and Bab El-Mandeb Strait.

The Suez Canal, which connects the Red Sea to the Mediterranean, normally accounts for about 12% of global maritime trade.

  • Since the start of Houthi attacks on international shipping in late 2023, some 470 container vessels have already been re-routed. Sending ships around the Cape of Good Hope adds between 9 and 17 days of transit time.

2. The Strait of Hormuz.

This strait, between Iran to the north and UAE and Oman to the south, is significant for both energy and goods shipping.

  • Some 20%–30% of oil trade passes through this strait, along with a significant amount of global shipping volumes.

If Iran were to be drawn more directly into the ongoing conflict in the Middle East, the free passage of vessels through the strait could be at risk.

3. The Straits of Malacca and Taiwan.

The Strait of Malacca, between Singapore, Malaysia and Indonesia, is the shortest shipping route between East Asia and the Middle East and Europe and accounts for 30% of global trade.

  • Two-thirds of China’s trade passes through the Strait of Malacca each year, including 80% of its energy imports.

There is an ongoing dispute between China and several members of the ASEAN trade area over a large area in the South China Sea.

  • Also in the region, the Strait of Taiwan is another important shipping lane: 40% of the world’s container fleet passes through it.

Both trade routes are subject to heightened geopolitical uncertainty.

4. The Panama Canal.

The canal, which links the Atlantic Ocean and the Pacific Ocean, accounts for 5% of total global container trade, and some 46% of the trade from the US East Coast to East Asia.

It is facing a severe drought due to the El Niño weather phenomenon.

The authority that manages the canal has responded to low water levels by temporarily reducing the number of transits and ensuring the weight of the cargo is suitable.

The So What

“These geopolitical risks could turn into a physical impossibility of moving goods to certain destinations. In the short term it will extend lead times on goods. In the longer term, it is likely to make firms seek shorter supply chains because of the risk and higher capital costs associated with maritime transport,” says Michael McAdoo, a BCG partner and director, and one of the authors of BCG’s Future of Trade report.

“The financial impact is likely to impact producers most as they adapt their routes to market. But, as with almost any disruption, there are also opportunities, especially for freight companies to bring new solutions,” says Peter Jameson, a BCG managing director and partner who specializes in shipping.

  • Diversify shipping routes and transport choices. Shippers should proactively work with their logistics providers to build new solutions. Options to consider include alternative shipping routes through the Arctic, combining ship and air (for example by shipping to Dubai and then flying to Europe), or using rail for parts of the journey to avoid choke points.
  • Escort vessels. The use of military or private escorts could be considered to protect ships carrying cargo. Some governments will have a strong national interest in protecting both trade and/or their national shipping companies.
  • Prioritize advanced communications. Leveraging advanced technologies, especially artificial intelligence, is key for proactive risk management, allowing for the anticipation of disruptions and rapid response. Ships should become even more connected to each other, sharing locations and observations. Customers will also benefit from real-time updates on the progress of cargo.
  • Build inventories and storage. Companies need to plan for resilience, and may need to update or expand infrastructure, including port capacity or storage facilities. Reassessing the design and capacity of warehouses, for example, could help create a hedge around potential disruptions. As happened at the height of the COVID pandemic, companies and governments will need to assess their strategic priorities.
  • Step up contingency planning. Companies should examine how different bottlenecks may emerge or could be alleviated, and pinpoint specific areas where they are structurally exposed. Digital twins and modelling can help here. They can also look for existing points of redundancy in existing supply chains to free up capacity. Strengthening financial strategies, including comprehensive insurance and prudent financial planning is also vital to safeguard against the economic setbacks of unexpected logistical challenges. Pricing strategies may also need to be reconsidered in order to protect margins.


© Boston Consulting Group 2024. All rights reserved.

U.S. Department of the Treasury

Treasury Publishes 2024 National Risk Assessments for Money Laundering, Terrorist Financing, and Proliferation Financing

Reports Confirm and Update Key Illicit Finance Concerns in Response to Evolving Threat and Risk Environment 

WASHINGTON – Today, the U.S. Department of the Treasury published the 2024 National Risk Assessments on Money Laundering, Terrorist Financing, and Proliferation Financing. These reports highlight the most significant illicit finance threats, vulnerabilities, and risks facing the United States.

The reports detail recent, significant updates to the U.S. anti-money laundering/counter-financing of terrorism framework and explain changes to the illicit finance risk environment. These include the ongoing fentanyl crisis, foreign and domestic terrorist attacks and related financing, increased potency of ransomware attacks, the growth of professional money laundering, and continued digitization of payments and financial services. These assessments also address how significant threats to global peace and security—such as Russia’s ongoing illegal, unprovoked, and unjustified war in Ukraine and Hamas’s October 7, 2023 terrorist attacks in Israel—have shaped the illicit finance risk environment in the United States.

Today’s publications are the fourth iterations of the money laundering and terrorist financing risk assessment, and the third update of the proliferation financing risk assessment, in less than a decade. The public and private sectors can use these updated risk assessments to better understand the current illicit finance environment and inform their own risk mitigation strategies. 

“Whether it’s terrorism, drug trafficking, Russian aggression, or corruption, illicit finance is the common thread across our nation’s biggest national security threats,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Treasury, through our National Risk Assessments, is at the cutting edge of analyzing the global risk environment to protect the U.S. and international financial systems from abuse by illicit actors. We urge both the public and private sectors to engage with these reports, as well as our forthcoming National Strategy for Combatting Terrorist and Other Illicit Finance.”

Key findings:

  • Money Laundering: Criminals use both traditional and novel money laundering techniques, depending on availability and convenience, to move and conceal illicit proceeds and promote criminal activity that harms Americans. The crimes that generate the largest amount of illicit proceeds laundered in or through the United States remain fraud, drug trafficking, cybercrime, human trafficking and human smuggling, and corruption. The United States continues to face both persistent and emerging money laundering risks related to: (1) the misuse of legal entities; (2) the lack of transparency in certain real estate transactions; (3) the lack of comprehensive AML/CFT coverage for certain sectors, particularly investment advisers; (4) complicit merchants and professionals that misuse their positions or businesses; and (5) pockets of weaknesses in compliance or supervision at some regulated U.S. financial institutions.
  • Terrorist Financing: The United States continues to face a wide range of terrorist financing threats and actors, both foreign and domestic. Consistent with the 2022 risk assessment, the most common financial connections between individuals in the United States and foreign terrorist groups entail individuals directly soliciting funds for or attempting to send funds to foreign terrorist groups utilizing cash, registered money services businesses, or in some cases, virtual assets. The 2024 report also discusses Hamas and the ways they exploit the international financial system, including through solicitation of funds from witting and unwitting donors worldwide. Additionally, domestic violent extremist movements have proliferated in recent years, posing an elevated threat to the United States and continued challenges for law enforcement.
  • Proliferation Financing: Russia and the Democratic People’s Republic of Korea (DPRK) presented heightened risk since the 2022 assessment. To support its unlawful war in Ukraine, Russia has expanded efforts to illegally acquire U.S.-origin goods with military applications using a variety of obfuscation techniques, such as the use of front companies and transshipment points around the world. Networks linked to the DPRK increasingly exploit the digital economy, including through hacking of virtual asset service providers and the overseas deployment of fraudulent information technology workers.

Treasury’s Office of Terrorist Financing and Financial Crimes led the assessment process and coordinated closely with offices and bureaus across the Department, relevant law enforcement and regulatory agencies, staff of the federal functional regulators, and across the intelligence and diplomatic communities.

In the coming weeks, Treasury will release the 2024 National Strategy for Combatting Terrorist and Other Illicit Finance, a strategic plan directly informed by the analysis contained in the risk assessments. In the strategy, Treasury will share recommendations for addressing the highlighted issues. This valuable feedback has aided Treasury in assessing and addressing illicit finance risk identified in prior iterations of the strategy to support improvements to the AML/CFT regime, including the launching of the new beneficial ownership reporting requirement that went into effect on January 1, 2024, and informing forthcoming proposed rules to address illicit finance vulnerabilities in the residential real estate sector and for certain investment advisers.

The 2024 National Money Laundering Risk Assessment

The 2024 National Terrorist Financing Risk Assessment

The 2024 National Proliferation Financing Risk Assessment

  • Growth and Jobs at Davos 2024: What to know
  • How using genAI to fuse creativity and technology could reshape the way we work

1. Generative AI boosts productivity, unevenly

In 2024, most chief economists surveyed by the Forum believe generative AI will increase productivity and innovation in high-income countries. But for low-income countries, just over a third think this will be the case.

Productivity boosts are expected in knowledge-heavy industries, including IT and digital communications, financial and professional services, medical and healthcare services, retail, manufacturing, engineering and construction, energy and logistics.

These potential benefits are in "sharp contrast with concerns about the risks of automation, job displacement and degradation", says the report.

Almost three-quarters (73%) of chief economists surveyed "do not foresee a net positive impact on employment in low-income economies".

2. Digital jobs keep growing

By 2030, the number of global digital jobs is expected to rise to around 92 million. These are generally higher-paid roles, according to the Forum's white paper, The Rise of Digital Jobs.

Digital jobs could help to balance skill shortages in higher-income countries, while boosting opportunities for younger workers in lower-income countries: "If managed well, global digital jobs present an opportunity to utilize talent around the world, widening the talent pool available to employers and providing economic growth pathways to countries across the income spectrum."

3. Unemployment levels could rise

The labour market showed resilience in 2023, with employment remaining high, said Gilbert Fossoun Houngbo, Director-General of the International Labour Organization (ILO), in the Davos session 'What to Expect From Labour Markets'.

But he said ILO projections in early January suggested the global unemployment rate could rise from 5.1% to 5.2% in 2024, with an extra two million workers expected to be looking for jobs.

In the US, the jobs market remained stronger than expected for the first month of the year, with more than 350,000 new jobs added. The unemployment rate for January was 3.7%, close to a 50-year low, according to The Guardian.

Houngbo said ILO data shows inequalities persist between low- and high-income countries, while young people are 3.5 times more at risk of being unemployed than the rest of the adult population and "many workers are struggling to pay bills, which is very worrisome".

The impact of AI on jobs was not going to be "an employment apocalypse", but reskilling, upskilling and lifelong learning would be key to managing the transition to augmentation, he stressed.

4. More pop-up offices

LinkedIn has seen a drop in the number of fully remote job postings, from a peak of 20% in April 2022, to just 8% in December 2023, said co-founder Allen Blue, speaking in a Davos session 'The Role of the Office is Still TBC'.

But employee interest in taking remote or hybrid jobs remains high, at around 46% of applications.

"The office is going to be in competition with working from home ... that’s a good thing for the office," he said, as management would need to innovate and create a workplace environment that "emphasizes dynamic human interaction".

Young people taking their first job want human connection, so they're more interested in hybrid than remote roles.

Martin Kocher, Austria's Federal Minister of Labour and Economy, said that some Austrian villages are actually paying for pop-up community office spaces, because people don’t want to work from home, and they can make use of other amenities close by.

He predicted the development of more pop-up office spaces away from company headquarters.

5. Skills will become even more important

With 23% of jobs expected to change in the next five years, according to the Future of Jobs Report, millions of people will need to move between declining and growing jobs.

Coursera CEO, Jeff Maggioncalda and Denis Machuel, CEO of Adecco Group AG, joined the Davos session 'The Race to Reskill' to discuss the transferability of skills, and the potential of AI to help with personalized learning and productivity, which also levels the playing field for job opportunities globally.

But the key is in learning how to use AI and digital technologies, as Code.org Founder and CEO, Hadi Partovi, pointed out in the session 'Education Meets AI'.

When people think about job losses due to AI, he said, the risk isn't people losing their jobs to AI: "It's losing their job to somebody else who knows how to use AI. That is going to be a much greater displacement.

"It's not that the worker gets replaced by just a robot or a machine in most cases, especially for desk jobs, it's that some better or more educated worker can do that job because they can be twice as productive or three times as productive.

“The imperative is to teach how AI tools work to every citizen, and especially to our young people."

6. More women enter the workforce

In 2020, the World Bank found that potential gains from closing economic gender gaps could unlock a “gender dividend” of $172 trillion for the global economy.

But the Forum’s Global Gender Gap Report 2023 found that the Economic Participation and Opportunity gap has only closed by just over 60%.

Several sessions at Davos looked at how inclusion could benefit the economy, particularly by helping mothers return to the workforce, which could close skills gaps.

“There are 606 million women of working age in the world who are not working because of their unpaid care responsibilities, compared to 40 million men,” Reshma Saujani, Founder and CEO of Moms First, explained in a session on the ‘Workforce Behind the Workforce’.

“At Moms First, we're working with over 130 companies in every sector, who are saying, ‘I don't have enough workers’. We are working with them to redesign their childcare packages and increase their subsidies.

“Childcare pays for itself. When you offer childcare to employees, you get higher worker productivity and lower rates of attrition, and greater rates of retention. We have to look at care as an economic issue that world leaders must actually do something about.”


  1. How To Create A Risk Management Plan + Template & Examples

  2. Risk Management Plan

  3. Risk Management Plan

  4. The Three Steps Of Risk Management

  5. How To Create A Risk Management Plan + Template & Examples (2022)

  6. A Risk Management Plan Sample and the Basics of Risk Management


  1. Risk Management In Forex: Will Make Or Break You

  2. Risk Management Plan Industri Farmasi

  3. Project Risk Management -lecture 9

  4. Risk Management #wealth #finance #riskmanagement #shorts

  5. Module.03 ,Topic A. 1. Risk Management Plan

  6. 11.5 Plan Risk Responses


  1. How to Measure Risk Management Plan Success in BA

    Risk management is a crucial part of any business analysis (BA) project, as it helps to identify, assess, and mitigate potential threats and uncertainties that could affect the project's ...

  2. How to Make a Risk Management Plan (Template Included)

    A risk management plan usually includes: Methodology: Define the tools and approaches that will be used to perform risk management activities such as risk assessment, risk analysis and risk mitigation strategies.

  3. What Is A Risk Management Plan?

    Safeguarding Company Resources If a company develops an effective risk management plan, it will most likely be prepared for the inevitable financial problems. Furthermore, a risk management plan safeguards the business' resources and enables the company to prioritize risk mitigation while accounting for every possible outcome.

  4. How To Become A Risk Analyst

    Risk management frameworks govern how risk managers identify, assess, measure and monitor risk, report results and make recommendations. Risk analysis begins with identifying what could...

  5. What is business risk?

    You know about death and taxes. What about risk? Yes, risk is just as much a part of life as the other two inevitabilities. This became all the more apparent during COVID-19, as each of us had to assess and reassess our personal risk calculations as each new wave of the pandemic—and pandemic-related disruptions—washed over us.

  6. How To Create A Risk Management Plan + Template & Examples

    A risk management plan, or RMP, is a document describing how your project team will monitor and respond to unexpected or uncertain events that could impact the project. The risk management plan: analyzes the potential risks that exist in your organization or project identifies how you will respond to those risks if they arise

  7. What Is A Risk Management Plan? [Steps & Examples]

    A risk management plan is a term used to describe a key project management process. A risk management plan enables project managers to see ahead to potential risks and reduce their negative impact. A new project welcomes in new opportunities but also potential risks so a risk management plan is a must for risk project managers.

  8. What Is A Risk Management Plan? 2024 Comprehensive Guide

    That said, the barebones skeleton remains the same across its various uses. We've outlined different steps to a project risk management plan that can act as a template: 1. Risk Identification. The first step of any risk management plan is identifying all possible risk events that can negatively impact the project's lifecycle.

  9. Risk Management for Business Analysts (PMI-RMP/IIBA-ECBA)

    Last updated 11/2023. What you'll learn: Planning Risk Management (PMBOK6 Aligned); Identifying Risk (PMBOK6 Aligned); Analyzing Risk (PMBOK6 Aligned); Responding to Risk (PMBOK6 Aligned); Introduction to Business Analysis (IIBA - ECBA); Business Analysis Planning and Monitoring (IIBA - ECBA)

  10. Risk Management for Business Analysts and Business Systems Analysts

    In this course, you will obtain a better understanding of your role as a business analyst in both project and requirements risk identification and management. You will learn to adopt a more proactive approach to risk management instead of fighting fires as they occur. Through hands-on exercises, you will discover tools and techniques to elicit ...

  11. Risk Analyst and Risk Manager: Finance Career Paths

    Broadly, businesses employ risk analysts and managers in activities aimed at reducing the likelihood of negative effects from a variety of sources, including event risks like natural disasters, operational risks like unethical human behavior, and financial risks, like credit and interest rate risk.

  12. Risk Management Plan (RMP)

    Definition: A Risk Management Plan (RMP) is a detailed document that explains an organization's risk management process. Understanding Risk Management. Risk management is a continuous process that is accomplished throughout the life cycle of a system and should begin at the earliest stages of program planning. It is an organized methodology for continuously identifying and measuring the ...

  13. A Guide to Risk Analysis: Example & Methods

    Risk analysis is a multi-step process aimed at mitigating the impact of risks on business operations. Leaders from different industries use risk analysis to ensure that all aspects of the business are protected from potential threats. Performing regular risk analysis also minimizes the vulnerability of the business to unexpected events.

  14. What Is Risk Management & Why Is It Important?

    Risk management is the systematic process of identifying, assessing, and mitigating threats or uncertainties that can affect your organization. It involves analyzing risks' likelihood and impact, developing strategies to minimize harm, and monitoring measures' effectiveness.

  15. How Business Analysts can manage project risks

    Risk management is used to spot areas of uncertainty that could affect value. Risk management analyzes and assesses those uncertainties, and develops and manages the associated risks. If risks are not identified and managed effectively, they could adversely affect the value of the solution.

  16. Creating a Risk Management Plan for Your Business

    Step 1: Develop a solid risk culture. An essential component of any successful risk management plan is the establishment of a strong risk culture. Risk culture is commonly known as the shared values, beliefs, and attitudes toward the handling of risks throughout the organization.

  17. Risk Management Process: A Guide to Business Plan Risk Analysis

    Risk analysis is essential to business planning as it allows you to proactively identify and assess potential risks that could impact your business objectives. When you conduct a comprehensive risk analysis, you can gain a deeper understanding of the threats your business may face and can take proactive measures to mitigate them.

  18. Risk Management and Risk Analysis

    Risk Analysis is a process that helps you to identify and manage potential problems that could undermine key business initiatives or projects. However, it can also be applied to other projects outside of business, such as organizing events or even buying a home!

  19. What Is Risk Analysis in Business?

    A risk analysis evaluates the possibility of an unforeseen adverse event that can affect crucial business initiatives and projects. Organizations conduct a risk analysis to establish when an adverse effect can occur, the effects of the risk on a business segment, and how the risk can be mitigated. A business analysis draws up a control plan to ...

  20. Discover Careers In Risk Management

    The Bureau of Labor Statistics does not provide salary information for risk managers. However, management analysts, advertising managers and financial examiners can expect respective job growth ...

  21. 4 Steps to Put Together an Effective Risk Management Plan

    A risk management plan is vital to the success of your business. Performing risk analysis and putting together a risk management plan for your small business helps you to learn more about your business and also enables you to get to know yourself, your business partners, and your customers even better.

  22. Requirements Risk • How to Manage Risks on Your Project

    Document the Risk: 1. The Risk. The very first thing that I'm going to do is to raise a risk. There's a very clear definition of what the risk is and there's an actual specific format that I'm going to talk about in which you need to document and raise that risk. The whole concept behind a risk is that it's something that's on your ...

  23. Blind spot elimination

    As organizations increasingly expect projects to generate business benefits, project managers and business analysts are increasingly playing each other's roles. This role shifting has sharply driven up project risk. This paper examines how project managers and business analysts can refrain from encroaching on each other's roles and responsibilities while improving the symbiotic nature of their ...

  24. These Four Chokepoints Are Threatening Global Trade

    Leveraging advanced technologies, especially artificial intelligence, is key for proactive risk management, allowing for the anticipation of disruptions and rapid response. Ships should become even more connected to each other, sharing locations and observations. Customers will also benefit from real-time updates on the progress of cargo.

  25. Treasury Publishes 2024 National Risk Assessments for Money Laundering

    Reports Confirm and Update Key Illicit Finance Concerns in Response to Evolving Threat and Risk Environment. WASHINGTON - Today, the U.S. Department of the Treasury published the 2024 National Risk Assessments on Money Laundering, Terrorist Financing, and Proliferation Financing. These reports highlight the most significant illicit finance threats, vulnerabilities, and risks facing the United ...

  26. 6 work and workplace trends to watch in 2024

    Digital jobs could help to balance skill shortages in higher-income countries, while boosting opportunities for younger workers in lower-income countries: "If managed well, global digital jobs present an opportunity to utilize talent around the world, widening the talent pool available to employers and providing economic growth pathways to countries across the income spectrum."

  27. Facts About Business Administration Bachelor's Degrees

    The business world is an increasingly competitive environment, and it's important to stand out against the crowd. A Bachelor of Business Administration (B.B.A.) can be a great starting point for ...

  28. Q4 2023 Plan Universe Allocation & Return Analysis

    Multi-asset risk management and analytics. Risk. ... Q4 Plan Allocation Analysis. Corporate and Taft-Hartley defined benefit plans, which lagged all other plan types in performance, decreased their equity and increased their fixed income allocations during the year. ... preliminary data available on the 14th business day after the quarter end ...

  29. Toast cuts 550 employees, plans facility reorganization

    The Boston-based restaurant management company said Thursday it is cutting jobs as part of a restructuring plan "designed to promote overall operating expense efficiency."