Fundamentals of risk assessment: methods and tools used to assess business risks.

CEO of Schwenk AG & Crisis Control Solutions LLC, a leading expert in risk and crisis management for the automotive industry.

In the intricate tapestry of the modern business landscape, every thread is intertwined with an element of risk. From startups navigating the treacherous waters of market entry to conglomerates expanding their global footprint, understanding and adeptly managing these risks has become a distinguishing factor between fleeting success and enduring resilience.

As the pace of innovation surges and the global marketplace transforms, the significance of comprehensive risk assessment is only magnified. As a top expert in risk and crisis management, I've served major clients as well as numerous smaller firms in Europe and the U.S. Here's my guide for businesses.

Key Components Of Risk Assessment

Risk assessment stands as a cornerstone in strategic business decision-making, demanding a structured and meticulous approach to ensure effectiveness.

1. Identify

At the heart of this process is the task of identifying risks. This involves recognizing and describing potential pitfalls that a business might face. Recognizing these risks early ensures that businesses can allocate resources and strategize aptly without being caught unprepared.

2. Quantify

Following the identification phase, businesses need to quantify the risks, gauging both their potential impact and likelihood.

Tools such as statistical models, analyses of historical data and simulated scenarios all provide valuable insights here. It's through this quantification that businesses can discern which threats merit immediate attention and which can be set aside for later.

3. Prioritize

Once quantified, the next logical step is to prioritize these risks. Here, businesses rank and evaluate the identified risks, determining which should be addressed first based on their significance.

Instruments like risk matrices, which juxtapose the likelihood of a risk against its impact, play a crucial role in this assessment phase. Not every risk poses an immediate threat, and thus it's essential to ensure the most significant risks are addressed immediately, streamlining resources for maximum efficacy.

4. Evaluate

Subsequent to prioritization, a comprehensive evaluation of these risks is essential. This phase requires businesses to weigh the magnitude of each risk against their inherent risk appetite.

Compare industry benchmarks, past experiences or predetermined thresholds to decide the most appropriate way to address each threat. This step is pivotal in ensuring that risk management efforts are in harmony with a company's overarching objectives and risk tolerance levels.

5. Mitigate And Manage

Mitigating and managing risks forms the next stage. Strategic decisions come into play, determining how each identified risk should be addressed. Depending on the nature and magnitude of the risk, businesses might opt to transfer the risk through mechanisms like insurance, change their business processes to avoid it entirely, put in place safeguards to diminish its effect, or even accept it outright.

Effective risk management, in this regard, becomes a double-edged sword; while it safeguards against potential adversities, it can also pave the way for opportunities, enabling growth and improvement.

6. Monitor And Review

Risks are inherently dynamic, fluctuating with time and circumstances. Regular audits, feedback mechanisms and even third-party reviews ensure that strategies employed remain effective and that emergent risks are identified promptly.

This continuous monitoring helps businesses stay nimble, adjusting their strategies to the evolving landscape of risks, better ensuring both survival and prosperity in an uncertain world.

Methods Of Risk Assessment

1. Qualitative Assessments

The qualitative assessment is predominantly based on descriptive, nonnumerical data, and it shines in scenarios where garnering accurate numerical data is challenging. One of its significant advantages is its capacity to harness the power of expertise, intuition and experience to scrutinize risks.

There are several techniques under this umbrella. For instance, SWOT analysis delves into both the internal and external elements that might influence a project or business. It identifies the strengths, weaknesses, opportunities and threats.

The expert judgment method seeks insights from those with specialized expertise. Another technique, the Delphi method, orchestrates a structured dialogue among a panel of experts. This communication continues in multiple rounds until a consensus emerges.

2. Quantitative Assessments

The quantitative assessment employs numerical data. By leveraging statistical, financial or numerical analyses, it provides a more systematic and data-centric perspective on potential risks.

Techniques in this category include the Monte Carlo simulation, which relies on repeated random sampling to deduce numerical outcomes. Decision trees provide a visual representation of decisions and their possible results. Additionally, sensitivity analysis explores how varying values of one variable can influence another.

3. Additional Assessments

Scenario analysis empowers businesses by laying out an array of potential future situations. It aids in sketching the best-case, worst-case and the most-probable scenarios, enabling firms to visualize and weigh the potential risks and rewards.

Stress testing dives deep into analyzing potential vulnerabilities in any given system. It designs models that emulate challenging, often drastic conditions. A classic example of its application is in the financial realm, where banks deploy this method to unearth potential weak points in their financial statements.

The comparative risk assessment offers a comparative perspective. By juxtaposing potential risks against a benchmark or another risk, businesses can determine which threats deserve immediate attention, especially when resources are sparse and setting priorities becomes vital.

A hybrid method epitomizes adaptability. Realizing that no single technique can capture the entirety of risks, many entities interweave both qualitative and quantitative strategies. This amalgamated approach furnishes a richer, more detailed depiction of the risk environment surrounding a business.

Navigating Risk

To make an informed decision on which assessment method to employ, decision-makers should consider the nature of the risk, available data and desired depth of analysis.

Whether leaning toward qualitative methods that harness expertise and intuition or quantitative techniques that provide data-centric insights, the key is to choose a method (or combination thereof) that aligns with the specific context and objectives of the business, ensuring both its survival and prosperity amid uncertainties.

In essence, managing risk boils down to four strategies: avoiding it, mitigating its impact, transferring it, or simply accepting it. The chosen approach depends on the nature and magnitude of the risk in question.


Jochen Schwenk

Entrepreneurship in a Box

Uncovering Hidden Risks: A Comprehensive Guide to Business Plan Risk Analysis

Dragan Sutevski

A modern business plan that will lead your business on the road to success must have another critical element. That element is a part where you will need to cover possible risks related to your small business. So, you need to focus on managing risk and use risk management processes if you want to succeed as an entrepreneur.

How can you manage risks?

You can always plan and predict how future events will unfold, but the outcome is not always in your hands. There are many external factors when it comes to the business world. They will always influence the realization of your plans, and not only the realization but also the results you will achieve in implementing the specific plan. Because of that, you need to look at these factors through the prism of risk if you want to implement an appropriate management process while implementing your business plan.

By conducting a thorough risk analysis, you can manage risks by identifying potential threats and uncertainties that could impact your business. From market fluctuations and regulatory changes to competitive pressures and technological disruptions, no risk will go unnoticed. With these insights, you can develop contingency plans and implement risk mitigation strategies to safeguard your business’s interests.

This guide will provide practical tips and real-life examples to illustrate the importance of proper risk analysis. Whether you’re a startup founder preparing a business plan or a seasoned entrepreneur looking to reassess your risk management approach, this guide will equip you with the knowledge and tools to navigate the complex landscape of business risks.

Why is Risk Analysis Important for Business Planning?

Risk analysis is essential to business planning as it allows you to proactively identify and assess potential risks that could impact your business objectives. When you conduct a comprehensive risk analysis, you can gain a deeper understanding of the threats your business may face and can take proactive measures to mitigate them.

One of the key benefits of risk analysis is that it enables you to prioritize risks based on their potential impact and likelihood of occurrence. This helps you allocate resources effectively and develop contingency plans that address the most critical risks.

Additionally, risk analysis allows you to identify opportunities that may arise from certain risks, enabling you to capitalize on them and gain a competitive advantage.

It is important to adopt a systematic approach to effectively analyze risks in your business plan. This involves identifying risks across various market, operational, financial, and legal areas. By considering risks from multiple perspectives, you can develop a holistic understanding of your business’s potential challenges.

What is a Risk for Your Small Business?

In dictionaries, risk is usually defined as:

The possibility that dangerous or bad consequences become real.

When it comes to businesses, entrepreneurs, or in this case, the business planning process, it is possible that some aspects of the business plan will not be implemented as planned. Such a situation could have dangerous or harmful consequences for your small business.

It is simple. If you don’t implement something you have in your business plan, there will be some negative consequences for your small business.

Here is how you can write the business plan in 30 steps.

Types of Risks in Business Planning

When conducting a business risk assessment for your business plan, it is essential to consider various types of risks that could impact your venture. Here are some common types of risks to be aware of:

1. Market risks

These risks arise from fluctuations in the market, including changes in consumer preferences, economic conditions, and industry trends. Market risks can impact your business’s demand, pricing, and market share.

2. Operational risk

Operational risk is associated with internal processes, systems, and human resources. These risks include equipment failure, supply chain disruptions, employee errors, and regulatory compliance issues.

3. Financial risks

Financial risks pertain to managing financial resources and include factors such as cash flow volatility, debt levels, currency fluctuations, and interest rate changes.

4. Legal and regulatory risks

Legal and regulatory risks arise from changes in laws, regulations, and compliance requirements. Failure to comply with legal and regulatory obligations can result in penalties, lawsuits, and reputational damage.

5. Technological risks

Technological risks arise from rapid technological advancements and the potential disruptions they can cause your business. These risks include cybersecurity threats, data breaches, and outdated technology infrastructure.

Basic Characteristics of Risk

Before you start with the development of your small business risk management process, you will need to know and consider the essential characteristics of the possible risk for your company.

What are the basic characteristics of a possible risk?

The risk for your company is partially unknown.

Your entrepreneurial work would be too easy if it were easy to predict possible risks for your company. The biggest problem is that the risk is partially unknown. Here we are talking about the future, and we want to prepare for that future. So, the risk is partially unknown because it may appear in the future, not now.

The risk to your business will change over time.

Because your business operates in a highly dynamic environment, you cannot expect risk to be something fixed. You cannot expect the risk to always exist in the same shape, form, or consequence for your company.

You can predict the risk.

It is something that, if we want, we can predict through a systematic process. You can easily predict the risk if you install an appropriate risk management process in your small business.

The risk can and should be managed.

You can always focus your resources on eliminating or reducing risk in the areas expected to appear.

Risk Management Process You Should Implement

The risk management process cannot be seen as static in your company. Instead, it must be seen as an interactive process in which information is continuously updated and analyzed. You and your small business members will act on that information, and you will review all risk elements at a specified interval.

Adopting a systematic approach to identifying and assessing risks in your business plan is crucial. Here are some steps to consider:

1. Risk Identification

First, you must identify risk areas . Ask and respond to the following questions:

  • What are my company’s most significant risks?
  • What are the risk types I will need to follow?

In business, identifying risk areas is the process of pinpointing potential threats or hazards that could negatively impact your business’s ability to conduct operations, achieve business objectives, or fulfill strategic goals.

Just as meteorologists use data to predict potential storms and help us prepare, you can use risk identification to foresee possible challenges and create plans to deal with them.

Risk can arise from various sources, such as financial uncertainty, legal liabilities, strategic management errors, accidents, natural disasters, and even pandemic situations. Natural disasters cannot be predicted or avoided, but you can prepare for them if they appear.

For example, a retail business might identify risks like fluctuating market trends, supply chain disruptions, cybersecurity threats, or changes in consumer behavior. As you can see, the main risk areas are related to types of risk: market, financial, operational, legal and regulatory, and technological risks.

You can also use business model elements to start with something concrete:

  • Value proposition,
  • Customers,
  • Customer relationships,
  • Distribution channels,
  • Key resources and
  • Key partners.

There will not necessarily be risk in every area, nor will the risk have the same intensity in all areas. So, based on your business environment, the industry in which your business operates, and the business model, you will need to determine in which of these areas there is a possible risk.

Also, you must stay informed about external factors impacting your business, such as industry trends, economic conditions, and regulatory changes. This will help you identify emerging risks and adapt your risk management strategies accordingly.

The idea for this step is to create a table where you will have identified potential risks in each important area of your business.

Business Risks Identification

2. Risk Profiling

Conduct a detailed analysis of each identified risk, including its potential impact on your business objectives and the likelihood of occurrence. This will help you develop a comprehensive understanding of the risks you face.

Qualitative Risk Analysis

The qualitative risk analysis process involves assessing and prioritizing risks based on ranking or scoring systems to classify risks into low, medium, or high categories. For this analysis, you can use customer surveys or interviews.

Qualitative risk analysis is quick, straightforward, and doesn’t require specialized statistical knowledge to conduct a business risk assessment. The main negative side is its subjectivity, as it relies heavily on opinion or expert judgment.

This method is best suited for initial risk assessments or when there is insufficient data for quantitative analysis.

For example, if we consider the previously identified risk of a sudden shift in consumer preferences, a qualitative analysis might rate its likelihood as 7 out of 10 and its impact as 8 out of 10, placing it in the high-priority quadrant of our risk matrix. But qualitative analysis can also use surveys and interviews with open questions, applying the qualitative research process to produce this scaling. This is much better because you want to lower the level of subjectivity when doing a business risk assessment.

Quantitative Risk Analysis

On the other side, the quantitative risk analysis method involves numerical and statistical techniques to estimate the probability and potential impact of risks. It provides more objective and detailed information about risks.

Quantitative risk analysis can provide specific, data-driven insights, making it easier to make informed decisions and allocate resources effectively. The negative side of this method is that it can be time-consuming, complex, and requires sufficient data.

You can use this approach for more complex projects or when you need precise data to inform decisions, especially after a qualitative analysis has identified high-priority risks.

For example, for the risk of currency exchange rate fluctuations, a quantitative analysis might involve analyzing historical exchange rate data to calculate the probability of a significant fluctuation and then using your financial data to estimate the potential monetary impact.

Both methods play crucial roles in effectively managing risks. Qualitative risk analysis helps to identify and prioritize risks quickly, while quantitative analysis provides detailed insights for informed decision-making.

3. Business Risk Assessment Matrix

Once you have identified potential risks and analyzed their likelihood and potential impact, you can create a business risk assessment matrix to evaluate each risk’s likelihood and impact. This matrix will help you prioritize risks and allocate resources accordingly.

A business risk assessment matrix, sometimes called a probability and impact matrix, is a tool you can use to assess and prioritize different types of risks based on their likelihood (probability) and potential damage (impact). Here’s a step-by-step process to create one:

  • Step 1: Begin by listing out your risks . For our example, let’s consider four of the risks we identified earlier: a sudden shift in consumer preferences (Market Risk), currency exchange rate fluctuations (Financial Risk), an increase in the minimum wage (Legal), and cybersecurity threats (Technological Risk).
  • Step 2: Determine the likelihood of each risk occurring. In the process of risk profiling, we’ve determined that a sudden shift in consumer preferences is highly likely, currency exchange rate fluctuations are moderately likely, and an increase in the minimum wage and cybersecurity threats are less likely but still possible.
  • Step 3: Assess the potential impact of each risk on your business if it were to occur. In our example, we might find that a sudden shift in consumer preferences could have a high impact, currency exchange rate fluctuations a moderate impact, an increase in the minimum wage a minor impact, and cybersecurity threats a high impact.
  • Step 4: Plot these risks on your risk matrix . The vertical axis represents the likelihood (high to low), and the horizontal axis represents the consequences (high to low).

Risk Assessment Matrix

By visualizing these risks in a risk assessment matrix format, you can more easily identify which risks require immediate attention and which ones might need long-term strategies.
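The matrix procedure above, and the "7 out of 10 likelihood, 8 out of 10 impact" rating from the qualitative analysis section, can be carried out in a few lines of code. The example below is added here and is not part of the original article: it scores a small risk register (the four risks the article uses, with the article's High/Moderate/Low ratings) into a likelihood-by-impact matrix, ranks the entries, and maps an out-of-ten rating onto the same scale. The 1..3 ordinal scale, the multiplication score, the priority bands and the out-of-ten cut-offs are constructed assumptions, not the article's.

```python
"""Added example (not from the original article): a risk register scored into a
likelihood-by-impact matrix and ranked. Scales and cut-offs are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Ordinal scale assumed for this example: the article's "less likely / moderately
# likely / highly likely" ratings become 1, 2 and 3; impact uses the same scale.
LEVELS = {"Low": 1, "Moderate": 2, "High": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    likelihood: str   # "Low", "Moderate" or "High"
    impact: str       # same scale

    def __post_init__(self) -> None:
        for level in (self.likelihood, self.impact):
            if level not in LEVELS:
                raise ValueError(f"unknown rating {level!r}; use one of {list(LEVELS)}")

    def score(self) -> int:
        # Likelihood times impact on the 1..3 scales gives a 1..9 matrix score.
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def band_out_of_ten(value: int) -> str:
    """Map an 'x out of 10' rating onto the Low/Moderate/High scale (assumed cut-offs)."""
    if not 1 <= value <= 10:
        raise ValueError("ratings are 1..10")
    if value >= 7:
        return "High"
    if value >= 4:
        return "Moderate"
    return "Low"


def priority(score: int) -> str:
    """Action band for a 1..9 matrix score (assumed thresholds)."""
    if score >= 6:
        return "immediate attention"
    if score >= 3:
        return "planned mitigation"
    return "monitor"


def prioritize(risks: Sequence[Risk]) -> List[Tuple[str, int, str]]:
    """Rank risks by score, breaking ties in favour of the higher impact."""
    ranked = sorted(risks, key=lambda r: (r.score(), LEVELS[r.impact]), reverse=True)
    return [(r.name, r.score(), priority(r.score())) for r in ranked]


def build_matrix(risks: Sequence[Risk]) -> Dict[Tuple[str, str], List[str]]:
    """Group risk names by (likelihood, impact) cell; every cell is present, even if empty."""
    cells: Dict[Tuple[str, str], List[str]] = {(lk, im): [] for lk in LEVELS for im in LEVELS}
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.name)
    return cells


def render_matrix(risks: Sequence[Risk]) -> str:
    """Plain-text matrix: likelihood down the side, impact across, both high to low
    (the article's axis orientation)."""
    cells = build_matrix(risks)
    order = ["High", "Moderate", "Low"]
    width = 40
    rows = ["likelihood \\ impact".ljust(width) + "".join(c.ljust(width) for c in order)]
    for lk in order:
        row = lk.ljust(width)
        for im in order:
            row += (", ".join(cells[(lk, im)]) or "-").ljust(width)
        rows.append(row.rstrip())
    return "\n".join(rows)


# The article's four example risks with the ratings it assigns to them.
REGISTER = [
    Risk("Sudden shift in consumer preferences", "Market", "High", "High"),
    Risk("Currency exchange rate fluctuations", "Financial", "Moderate", "Moderate"),
    Risk("Increase in the minimum wage", "Legal", "Low", "Low"),
    Risk("Cybersecurity threats", "Technological", "Low", "High"),
]

if __name__ == "__main__":
    print(render_matrix(REGISTER))
    print()
    for name, score, action in prioritize(REGISTER):
        print(f"{score:>2}  {action:<20} {name}")
    # The qualitative example's 7/10 likelihood and 8/10 impact land in the High/High cell.
    print(band_out_of_ten(7), band_out_of_ten(8))
```

Multiplying two ordinal ratings is the common shortcut, not a law: a Low-likelihood/High-impact risk (the cybersecurity entry here) scores the same 3 as a High-likelihood/Low-impact one, which is why the ranking breaks ties on impact and why a review of the matrix cells, not only the scores, is worth keeping.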

4. Develop Risk Indicators for Each Risk You Have Identified

The question is, how will you measure the business risks for your company?

Risk indicators are metrics used to measure and predict potential threats to your business. Simply, a risk indicator is a measure that should tell you whether the risk appears or not in a particular area you have defined previously. They act like a business’s early warning system. When these indicators change, it’s a signal that the risk level may be increasing.

For example, for distribution channels, an indicator can be a delay in delivery for a minimum of three days. This indicator will tell you something is wrong with that channel, and you must respond appropriately.

Now, let’s consider some risk indicators for the risks we have already identified and analyzed:

Risk Indicators

If you conduct all the steps until now, you can have a similar table with risk indicators in your business plan. You should monitor these indicators regularly, and if you notice a significant change, such as a drop in sales or an increase in attempted breaches, it’s time to investigate and take some action steps. This might involve updating your product line, hedging against currency risk, budgeting for higher wages, or improving your cybersecurity measures.

Remember, risk indicators can’t predict the future with certainty. But they can give you valuable insights that can help you prepare for potential threats.
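The indicators described in this step (a delivery delayed three or more days, a drop in sales, a rise in attempted breaches) are threshold rules over a measured series, and they can be evaluated mechanically. The example below is added here and is not part of the original article: it defines a few indicator rules, runs them over a constructed set of observations, and also reports indicators for which no data is being collected, since an indicator nobody measures cannot warn you. The metric names, the 15% and 50% thresholds, the four-week baseline window and all observation values are constructed assumptions for this example.

```python
"""Added example (not from the original article): key risk indicators evaluated
over a constructed set of observations. Thresholds and data are made up."""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# A check receives the metric's history, oldest value first, and says whether it tripped.
Check = Callable[[Sequence[float]], bool]


@dataclass(frozen=True)
class Indicator:
    risk: str          # risk area or register entry the indicator watches
    metric: str        # name of the measured series
    description: str   # the threshold in words, for the report
    tripped: Check


def latest_at_least(threshold: float) -> Check:
    """Absolute threshold on the newest value (the article's 3-day delivery delay)."""
    return lambda history: history[-1] >= threshold


def _relative_change(history: Sequence[float], window: int) -> Optional[float]:
    """Newest value relative to the mean of the `window` values before it."""
    if len(history) <= window:
        return None                       # too little history to form a baseline
    baseline = mean(history[-window - 1:-1])
    if baseline == 0:
        return None                       # avoid dividing by an empty baseline
    return (history[-1] - baseline) / baseline


def dropped_by(fraction: float, window: int = 4) -> Check:
    """Trips when the newest value fell more than `fraction` below the baseline."""
    def check(history: Sequence[float]) -> bool:
        change = _relative_change(history, window)
        return change is not None and change < -fraction
    return check


def rose_by(fraction: float, window: int = 4) -> Check:
    """Trips when the newest value rose more than `fraction` above the baseline."""
    def check(history: Sequence[float]) -> bool:
        change = _relative_change(history, window)
        return change is not None and change > fraction
    return check


def moved_by(fraction: float, window: int = 4) -> Check:
    """Trips on a move in either direction (for exchange rates)."""
    def check(history: Sequence[float]) -> bool:
        change = _relative_change(history, window)
        return change is not None and abs(change) > fraction
    return check


# Indicators for the article's risks; the thresholds are assumptions for this example.
INDICATORS = [
    Indicator("Distribution channels", "delivery_delay_days",
              "delivery delayed 3 or more days", latest_at_least(3)),
    Indicator("Sudden shift in consumer preferences", "weekly_sales",
              "sales down more than 15% vs 4-week mean", dropped_by(0.15)),
    Indicator("Cybersecurity threats", "attempted_breaches",
              "attempted breaches up more than 50% vs 4-week mean", rose_by(0.50)),
    Indicator("Currency exchange rate fluctuations", "eur_usd_rate",
              "rate moved more than 5% vs 4-week mean", moved_by(0.05)),
    Indicator("Increase in the minimum wage", "pending_wage_legislation",
              "a wage bill is pending", latest_at_least(1)),
]

# Constructed weekly observations, oldest first. No series exists for the wage indicator.
OBSERVATIONS: Dict[str, List[float]] = {
    "delivery_delay_days": [0, 1, 0, 2, 4],
    "weekly_sales": [10000, 10400, 9900, 10100, 7900],
    "attempted_breaches": [12, 15, 11, 14, 40],
    "eur_usd_rate": [1.08, 1.09, 1.07, 1.08, 1.10],
}


def evaluate(indicators: Sequence[Indicator],
             observations: Dict[str, List[float]]) -> Tuple[List[Tuple[str, str, float]], List[str]]:
    """Return (alerts, missing): tripped indicators as (risk, description, latest value),
    and the metric names for which no observations exist."""
    alerts, missing = [], []
    for ind in indicators:
        history = observations.get(ind.metric)
        if not history:
            missing.append(ind.metric)
            continue
        if ind.tripped(history):
            alerts.append((ind.risk, ind.description, history[-1]))
    return alerts, missing


if __name__ == "__main__":
    alerts, missing = evaluate(INDICATORS, OBSERVATIONS)
    for risk, description, latest in alerts:
        print(f"ALERT  {risk}: {description} (latest value {latest})")
    for metric in missing:
        print(f"NO DATA  indicator '{metric}' has no observations; it cannot warn you")
```

With the constructed data three indicators trip (delivery delay, sales drop, attempted breaches), the exchange rate moves under 2% and stays quiet, and the wage indicator is reported as unmeasured. The baseline-relative checks deliberately refuse to judge until enough history exists, which is the edge case that silently breaks most home-grown dashboards.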

5. Define Possible Action Steps

The question is, what can you do regarding the risk if the risk indicator tells you that there is a potential risk?

Once the risk has appeared and been located, it is time to take concrete action steps. The goals of this step are not only to reduce or eliminate the impact of the risk on your company but also to prevent it in the future and reduce or eliminate its influence on business operations or the execution of your business plan.

For example, for distribution channels with delivery delayed more than three days, possible activities can be the following:

  • Apologizing to the customers for the delay,
  • Determining the reasons for the delay,
  • Analysis of the reasons,
  • Removing the reasons,
  • Consideration of alternative distribution channels, etc.

In this part of the business plan, for each risk area and indicator, try to standardize all possible actions. You cannot expect that they will be final. But you can cover some basic guidelines that must be implemented if the risk appears. Here is an example of how this part will look in your business plan for the risks we have already identified through the risk assessment process.

Action Steps When Risk Appears

6. Monitoring

Because this risk management process is dynamic, you must apply a monitoring process. In this way, you can ensure the elimination of a specific kind of risk in the future, and you can allocate your resources to new possible risks.

After implementing the actions, you need to ask yourself the following questions:

  • Are the actions taken regarding the risk the proper measures?
  • Can you improve something regarding the risk management process? Is there a need for new risk indicators?

Techniques and Tools for Business Plan Risk Assessment

Various risk analysis methods, techniques, and tools are available to conduct an effective risk analysis for your business plan. Here are some commonly used ones:

1. SWOT analysis

A SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis can help you identify internal strengths and weaknesses and external opportunities and threats. This analysis provides valuable insights into possible business risks and opportunities.

2. PESTEL analysis

A PESTEL (Political, Economic, Sociocultural, Technological, Environmental, Legal) analysis assesses the external factors that could impact your business. This analysis will help you identify risks and opportunities arising from these factors.

3. Scenario analysis

Consider different scenarios that could impact your business, such as best-case, worst-case, and most likely scenarios, as a part of your risk assessment process. You can anticipate potential risks and develop appropriate response strategies by analyzing these scenarios.

4. Monte Carlo simulation

Monte Carlo simulation uses random sampling and probability distributions to model various scenarios and assess their potential impact on your business. This technique provides you with a more accurate understanding of risk exposure.
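Here is what "random sampling and probability distributions" amounts to in practice. The example below is added here and is not part of the original article: each trial draws, for every risk, whether it materialises this year and how large the loss is, sums the losses, and repeats many thousands of times so that the expected loss, the 95th-percentile loss and the chance of any loss can be read off the results. The three scenarios, their probabilities and their uniform loss ranges are constructed assumptions; the code also computes the expected loss analytically so the simulation can be checked against a known answer.

```python
"""Added example (not from the original article): Monte Carlo estimate of annual
loss exposure from several independent risks. Scenario numbers are constructed."""
import random
from statistics import mean
from typing import Dict, List, Tuple

# (probability the risk materialises in the year, lowest loss, highest loss if it does).
# Losses are drawn uniformly from the range; a real assessment would fit these to data.
Scenario = Tuple[float, float, float]
SCENARIOS: Dict[str, Scenario] = {
    "Cybersecurity incident": (0.30, 10_000, 50_000),
    "Currency swing": (0.50, 2_000, 8_000),
    "Consumer preference shift": (0.20, 20_000, 60_000),
}


def draw_loss(rng: random.Random, probability: float, low: float, high: float) -> float:
    """One trial for one risk: does it happen, and if so how much does it cost?"""
    return rng.uniform(low, high) if rng.random() < probability else 0.0


def simulate(scenarios: Dict[str, Scenario], trials: int = 20_000, seed: int = 42) -> List[float]:
    """Total loss per trial across all risks, assumed independent of each other."""
    rng = random.Random(seed)   # seeded so a run is reproducible
    totals = []
    for _ in range(trials):
        totals.append(sum(draw_loss(rng, *params) for params in scenarios.values()))
    return totals


def percentile(values: List[float], q: float) -> float:
    """Nearest-rank percentile, q in [0, 1]."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))
    return ordered[idx]


def summarize(totals: List[float]) -> Dict[str, float]:
    return {
        "expected_loss": mean(totals),
        "p95_loss": percentile(totals, 0.95),
        "worst_case": max(totals),
        "prob_any_loss": sum(1 for t in totals if t > 0) / len(totals),
    }


def analytical_expected_loss(scenarios: Dict[str, Scenario]) -> float:
    """Closed form for comparison: probability times mean of the uniform range, summed."""
    return sum(p * (low + high) / 2 for p, low, high in scenarios.values())


if __name__ == "__main__":
    totals = simulate(SCENARIOS)
    summary = summarize(totals)
    for key, value in summary.items():
        print(f"{key:<14} {value:>12,.2f}")
    print(f"{'analytical':<14} {analytical_expected_loss(SCENARIOS):>12,.2f}")
```

The expected loss alone understates the exposure: the 95th-percentile figure is what a contingency reserve has to cover, and the "probability of any loss" tells you how often a year passes with no loss at all. Because the scenarios are sampled independently, correlated risks (a currency swing that coincides with a demand shift) are not modelled; that is a modelling assumption to state, not a property of the method.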

5. Risk register

A risk register is a risk analysis tool that helps you record and track identified risks and their relevant details, such as impact, likelihood, mitigation strategies, and responsible parties. This tool ensures that risks are appropriately managed and monitored.

6. Business Impact Analysis (BIA)

Business impact analysis helps you understand the potential effects of various disruptions on your business operations and objectives. It’s about identifying what could go wrong and understanding how it could impact your bottom line. So, you can conduct business impact analysis as a part of your risk assessment inside your business plan.

7. Failure Mode and Effects Analysis (FMEA)

Using FMEA in your risk assessment process, you can proactively address potential problems, ensuring your business operations run as smoothly as you planned. It’s all about preparing for the worst while striving for the best.

8. Risk-Benefit Analysis (RBA)

The risk-benefit analysis allows you to make informed decisions, balancing the potential for gain against the potential for loss. It helps you choose the best path, even when the way forward isn’t entirely clear. This tool is a systematic approach to understanding the specific business risk and benefits associated with a decision, process, or project.

9. Cost-Benefit Analysis

By conducting a cost-benefit analysis as a part of your risk assessments, you can make data-driven decisions that consider both the possible risks (costs) and rewards (benefits). This approach provides a clear picture of the potential return on investment, enabling more effective and confident decision-making.

These techniques and tools allow you to conduct a comprehensive risk analysis for your business plan.

Mitigating and Managing Risks in a Business Plan

Identifying risks in your business plan is only the first step. To ensure the success of your venture, it is crucial to develop effective risk mitigation and management strategies. Here are some critical steps to consider:

  • Risk avoidance : Some risks may be too high to justify taking. In such cases, consider avoiding these risks altogether by adjusting your business plan or exploring alternative strategies.
  • Risk transfer : Transferring risks to third parties, such as insurance companies or outsourcing partners, can help mitigate their impact on your business. Evaluate opportunities for risk transfer and consider appropriate insurance coverage.
  • Risk reduction: Implement measures to reduce the likelihood and impact of identified risks. This may involve improving internal processes, implementing safety protocols, or diversifying your supplier base.
  • Risk acceptance : Some risks may be unavoidable or negatively impact your business. In such cases, accepting the risks and developing contingency plans can help minimize their impact.

In conclusion, a comprehensive risk analysis is essential for identifying, assessing, and managing different types of risk that could impact your success.

Conducting a thorough risk analysis can safeguard your business’s interests, capitalize on opportunities, and increase your chances of long-term success.

How to Conduct a Risk Analysis for Your Small Business

Small business owners take risks every day. But if you put too much at stake, your business bottom line could suffer. To make sure your decisions are sound, conduct a risk analysis for your small business.

What is a risk analysis in business?

A risk is a situation that can either have huge benefits or cause serious damage to a small business’s financial health. Sometimes a risk can result in the closure of a business. Before taking risks at your business, you should conduct a risk analysis.

A risk assessment for small business is a strategy that measures the potential outcomes of a risk. The assessment helps you make smart business decisions and avoid financial issues.

Jason Olsen, serial entrepreneur and founder of Studios 360, Prestman Auto, and Automobia, explained in his article:

“The key is to not only use optimism for reasons to take action, but also to utilize risk factors you uncover to guide your decisions. Yes, you must have courage to bet on your ideas, but you must also have the ability to take a thoughtful, calculated approach. It’s nearly impossible to remove all risk in any scenario, but what’s important is to make sure these troublesome areas are always considered and understood.”

Internal vs. external risks

Usually, a risk is either internal or external. Internal risks occur inside of your operations, while external risks occur outside of your business.

Internal risks are often more specific to your business and easier to control than external risks. Examples of internal risks include:

  • Financial risks
  • Marketing risks
  • Operational risks
  • Workforce risks

Though you can project external risks, they are usually out of your control. You might need to take a reactive approach to managing external risks. These risks include:

  • Changing economy
  • New competitors
  • Natural disasters
  • Government regulations
  • Consumer demand changes

How to do a risk assessment

There is no one way to assess business risk. The assessment is not 100% accurate when it comes to judging your level of risk. A small business risk analysis gives you a picture of the possible outcomes your business decisions could have. Use the following steps to do a financial risk assessment.

Step 1: Identify risks

The first step to managing business risks is to identify what situations pose a risk to your finances. Consider the damage a risk could have on your business. Then, think about your goals and the rewards that could come out of taking the risk. Depending on your business, location, and industry, risks will vary.

Step 2: Document risks

Once you have a list of potential business risks, define them in a document. Develop a process to weigh the effect of each risk. Look at how much damage the risk could potentially cause and how hard it would be to recover. Set up a scoring system for risks, from mild to severe.

Step 3: Appoint monitors

Identify individuals at your business who will keep an eye on and manage risks. The risk monitor might be you, a partner, or an employee. Decide how risks should be reported and handled. When you have procedures for risk management, issues can be taken care of smoothly.

Step 4: Determine controls

After understanding potential risks, figure out controls you can use to reduce them. Look at patterns over time to predict your income cycle. And, assess the impact risks have on your business. Look at the significance of a risk as well as its likelihood of occurring at your business.

Step 5: Review periodically

Your business risk assessment is not a one-time commitment. Review risk management processes annually to see how you handle risks. Also, look out for new risks that might not have been relevant in the previous assessment.

Use a risk ratio to gauge risk

A risk ratio shows the relationship between your business’s debts and equity. Business debt creates risk. By comparing debt, or leverage, to equity, you get a better understanding of your business’s level of risk. This can help you set more targeted business debt management goals.

Debt-to-equity ratio

There are different kinds of financial leverage ratios. One common leverage ratio formula is the debt-to-equity ratio. For this ratio, divide your total debt by your total equity. Business equity is equal to your assets minus liabilities and shows your ownership in the business.

Debt-to-Equity Ratio = Total Debt / Total Equity

For example, you have $30,000 in debt and $15,000 in equity.

$30,000 / $15,000 = 2 times or 200%

This means for every dollar you have, you owe two dollars to creditors.

By finding the debt-to-equity ratio, you can see how much capital comes from debt. The more debt you have compared to equity, the bigger your risk level.

Purpose of risk assessments

Risk assessments are an important part of running your business. You can use your business risk assessment for making decisions and financing your business.

A simple risk analysis will help you avoid hazards that could damage your finances. The assessment informs you about the steps you need to take to protect your business. You can see what situations you need to address and avoid.

Beyond internal use, a financial risk assessment can help you prepare to talk with lenders. These individuals want to know your business’s level of risk before giving you money. They look at the likelihood of your business growing and how likely you are to pay back the loan.


This article is updated from its original publication date of May 9, 2017.


Business risk assessment: what it is & why you need it

Updated 20 June 2024 • 6 min read

What is a business risk assessment? 

A business risk assessment helps you identify, analyse and prioritise risks. Businesses use risk assessments to:

  • minimise or eliminate risks
  • protect against potential threats
  • improve decision-making.

Risk assessment for business plan

When you’re putting together a business plan, it’s important to include a business risk assessment. Completing this section helps business owners to:

  • understand what risks they face
  • develop strategies for minimising or eliminating those risks
  • allocate resources effectively to manage risks
  • monitor and review risks on an ongoing basis.

This means that the business owner has a documented strategy in place to handle when things can — and do — go wrong. This gives them better control over the business and its trajectory, while also giving potential investors assurance that the business is well managed and their investment is sound.  

The different types of risks businesses face

While it may be difficult to catalogue every risk a business may face, you can do a risk assessment based on types of risk. These categories may include:  

Hazard-based

These are risks from dangerous workplace situations that could cause harm to people, property or the environment. Examples include fires, floods and chemical spills.

Opportunity-based

This risk comes from choosing one opportunity over another. When you dedicate your resources to one opportunity, there’s always the chance that a better one will come along or the current one won’t go as planned. Examples include investing in a new product line or moving to a new location.

Uncertainty-based

This risk is present when the outcome of a situation is uncertain. Examples of business risks include legal action, damage from natural disasters, and the loss of important customers or suppliers.

Operational 

This type of risk comes from the day-to-day running of your business. Examples of operational risk may include equipment failure, employee error or theft.

Reputational

A risk to your business' reputation can include negative media coverage, product recalls and data breaches. 

Cyber security

Cyber security is a risk for all businesses, including small and medium-sized organisations. Any data loss, leak or compromise can cost a business severely — both financially and in reputational damage. 

How to do a business risk assessment (plus template and example)

1. Identify the different types of risks for your business.

To identify the risks to your business, consider what could go wrong and why that might happen. Consider holding brainstorming sessions with your employees or reviewing past incidents to get started.

2. Assess the likelihood and potential impact of each type of risk.

You’ll want to decide the likelihood and potential impact of each type of risk. For example, the risk may be unlikely to occur through to very likely to occur. Likewise, the impact of the risk may be negligible through to severe. Doing this assessment will help you decide what to prioritise and where to allocate resources.   

3. Prioritise the risks and develop strategies for mitigating them.

Once you’ve identified and assessed your risks, you’ll need to develop strategies to mitigate them and lessen their potential negative impact. This could involve taking out adequate business insurance or putting business continuity plans in place. 

Business risk assessment template

The Australian Taxation Office (ATO) has developed a business risk assessment template that you can use for your risk assessment.

The template includes questions to help you identify and assess risks.

Business risk assessment example

If you own a small business, you might not think you need to worry about conducting risk assessments. But all businesses can face risks that could significantly affect their operations. Consider the following example:

You own a small retail business with one store. Your primary source of income is from selling products online, but you also have a small number of customers who visit your store in person.

A customer tells you they saw a mouse in your store. This is a reputational risk, as it could damage your business’ reputation if word gets out. It’s also an operational risk if it leads to damaged inventory.

In this case, you'd need to assess the likelihood of that risk and the potential damage it could do to your business reputation or operations. Based on this assessment, you can decide how best to deal with the risk.

This is just one example of the innumerable risks businesses can face. Conducting a thorough business risk assessment prepares you for just about anything that comes your way.

Tips for mitigating risk in your business

Risk is part of life — it can’t always be avoided, but there are strategies you can put in place to mitigate its impacts. Consider the following: 

  • Have adequate insurance coverage to help mitigate the financial impact of risks such as fire, theft or liability.
  • Develop contingency plans so that you can continue operating if an incident, such as a natural disaster or power outage, occurs.
  • Implement risk management processes and procedures. This could involve anything from regular risk assessments to employee training on identifying and dealing with potential risks.
  • Regularly monitor and review risks and make sure you have effective mitigation strategies in place.
  • Maintain good relationships with suppliers and customers. This can help to minimise the impact of risks such as supply chain disruptions. Also, ask for feedback on their experience with your products or services, so you can identify potential risks before they become major problems.
  • Have strong internal financial controls and IT security measures.
  • Stay up to date on changes in laws and regulations. This will help you avoid compliance-related issues, including risks specific to your industry and general risks all businesses face.

Disclaimer: This is general advice not meant to replace professional guidance. When seeking out someone to help advise you on business decisions, find somebody with the accreditations to assist you.


How to Write a Risk Assessment: Templates & Examples

Dec 15, 2021

Does your business have to carry out risk assessments?

Yes, is the short answer. The Health and Safety Executive (HSE) state that as an employer, you’re required by law to protect your employees, and others, from harm.

The Management of Health and Safety at Work Regulations 1999 sets a minimum requirement that businesses must

  • identify what could cause injury or illness in your business (hazards)
  • decide how likely it is that someone could be harmed and how seriously (the risk)
  • take action to eliminate the hazard, or if this isn’t possible, control the risk

To meet your duty of care, you will need to carry out and document a risk assessment.

Find out if the rules apply to you if you are self-employed.

Whilst not necessarily required by law, it also makes sense to carry out risk assessments linked to the running of your business. Knowing the possible risks that could threaten your business’s survival puts you in the best possible position to deal with them should they arise.

How to write a risk assessment

If you’ve not written a risk assessment before, it can seem like a daunting task. But it doesn’t need to be. The HSE suggest taking a 5-step approach to writing a risk assessment.

  • Identify hazards

Hazards can be thought of as things in the workplace which may cause harm. Take a walk around your workplace and identify things which have the potential to cause harm – this could be things which could injure, or things which could pose a long-term threat to health – manual handling, loud noise, or workplace stress for example.

When it comes to hazards think about working practices, processes, substances, and activities which could cause harm. And when identifying the hazards, think about how they could cause harm to employees, contractors, visitors, or members of the public.

  • Assess the risks

Once you have identified your risks, then think about the likelihood of them happening and how serious it would be if they did.

The HSE recommends thinking about:

  • who might be harmed and how
  • what you’re already doing to control the risks
  • what further action you need to take to control the risks
  • who needs to carry out the action
  • when the action is needed by

  • Control the risks

Think about the steps you need to take to control the risks that you have identified.

The best possible outcome is that you can put controls in place which totally remove the identified risk. However, in many cases this just isn’t possible. So, you will need to think about the controls you can put in place to minimise the risks and the likelihood it will create harm.

Once you have identified the controls you need, put them into practice.

  • Record your findings

If you employ 5 or more people, then you must document the findings of your risk assessment.

You’ll need to include

  • the hazards (things that may cause harm)
  • what you are doing to control the risks

The HSE have created a risk assessment template to help you record your findings. And a quick Google search for ‘risk assessment template’ brings back multiple other template options which you may find useful and will mean you do not need to start from scratch.

  • Review the controls

A risk assessment should not be thought of as a one-time, box-ticking exercise. It is important that you review it on a regular basis. Make sure the controls you have identified remain appropriate and actually work in controlling the risks.

If anything changes in the way that you work (new staff, new processes, new premises etc) then make sure that you make a new assessment of the risks and work through the process listed above again.

COVID-19 is a good example of a new risk, requiring businesses to carry out COVID-19 specific risk assessments .

What type of risk assessment may your business need to carry out?

The obvious risk assessment that a business will need to carry out, and the one required by law referenced above, is linked to health and safety. Remember, you have a legal duty to protect your employees, and others, from harm.

But there are also other risks which your business may face on a day-to-day basis, closely linked to your business success and survival.

So, you may need to carry out other risk assessments in areas such as:

  • business continuity
  • cyber security
  • data security

You should be able to use the 5 principles above as a basis to writing any type of risk assessment.

Why your business should take risk seriously

Businesses face many risks in today’s environment. You just have to think of the shock which COVID-19 brought to the business world. And whilst it is one that we could not have foreseen, not giving enough time and effort to thinking about the risks your business faces and how you will respond if they should arise is a major risk to your business in itself.

At Anthony Jones we always say businesses should avoid falling into the trap of thinking ‘we would just….’ when it comes to risk management. The use of the word ‘just’ implies a level of simplicity in overcoming potential issues. But without prior thought, it is highly unlikely that you will have the answers to issues which may present themselves.

You also need to think about risk management when it comes to your insurance. Insurers are becoming increasingly selective, and we are seeing more requests for risk management information from insurers. They want to see how your business manages risk and how you are able to present this back can have a bearing on your ability to obtain the right insurance at the best possible price.

At Anthony Jones we focus on the areas of risk management with all of our clients. We work in partnership with Cardinus , a global risk and safety partner, to support our focus in this area. We can work with you to help you understand your business and attitude to risk and identify insurance covers which can offer protection. Get in touch with us on 020 8290 9080 or email us at [email protected] to discuss any of your business insurance requirements.


Risk Management 101: Process, Examples, Strategies

Emily Villanueva

August 16, 2023

Effective risk management takes a proactive and preventative stance to risk, aiming to identify and then determine the appropriate response to the business and facilitate better decision-making. Many approaches to risk management focus on risk reduction, but it’s important to remember that risk management practices can also be applied to opportunities, assisting the organization with determining if that possibility is right for it.

Risk management as a discipline has evolved to the point that there are now common subsets and branches of risk management programs, from enterprise risk management (ERM) , to cybersecurity risk management, to operational risk management (ORM) , to  supply chain risk management (SCRM) . With this evolution, standards organizations around the world, like the US’s National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO) have developed and released their own best practice frameworks and guidance for businesses to apply to their risk management plan.

Companies that adopt and continuously improve their risk management programs can reap the benefits of improved decision-making, a higher probability of reaching goals and business objectives, and an augmented security posture. But, with risks proliferating and the many types of risks that face businesses today, how can an organization establish and optimize its risk management processes? This article will walk you through the fundamentals of risk management and offer some thoughts on how you can apply it to your organization.


What Are Risks?

We’ve been talking about risk management and how it has evolved, but it’s important to clearly define the concept of risk. Simply put, risks are the things that could go wrong with a given initiative, function, process, project, and so on. There are potential risks everywhere — when you get out of bed, there’s a risk that you’ll stub your toe and fall over, potentially injuring yourself (and your pride). Traveling often involves taking on some risks, like the chance that your plane will be delayed or your car runs out of gas and leaves you stranded. Nevertheless, we choose to take on those risks, and may benefit from doing so.

Companies should think about risk in a similar way, not seeking simply to avoid risks, but to integrate risk considerations into day-to-day decision-making.

  • What are the opportunities available to us?
  • What could be gained from those opportunities?
  • What is the business’s risk tolerance or risk appetite – that is, how much risk is the company willing to take on?
  • How will this relate to or affect the organization’s goals and objectives?
  • Are these opportunities aligned with business goals and objectives?

With that in mind, conversations about risks can progress by asking, “What could go wrong?” or “What if?” Within the business environment, identifying risks starts with key stakeholders and management, who first define the organization’s objectives. Then, with a risk management program in place, those objectives can be scrutinized for the risks associated with achieving them. Although many organizations focus their risk analysis around financial risks and risks that can affect a business’s bottom line, there are many types of risks that can affect an organization’s operations, reputation, or other areas.

Remember that risks are hypotheticals — they haven’t occurred or been “realized” yet. When we talk about the impact of risks, we’re always discussing the potential impact. Once a risk has been realized, it usually turns into an incident, problem, or issue that the company must address through their contingency plans and policies. Therefore, many risk management activities focus on risk avoidance, risk mitigation, or risk prevention.

What Different Types of Risks Are There?

There’s a vast landscape of potential risks that face modern organizations. Targeted risk management practices like ORM and SCRM have risen to address emerging areas of risk, with those disciplines focused on mitigating risks associated with operations and the supply chain. Specific risk management strategies designed to address new risks and existing risks have emerged from these facets of risk management, providing organizations and risk professionals with action plans and contingency plans tailored to unique problems and issues.

Common types of risks include: strategic, compliance, financial, operational, reputational, security, and quality risks.

Strategic Risk

Strategic risks are those risks that could have a potential impact on a company’s strategic objectives, business plan, and/or strategy. Adjustments to business objectives and strategy have a trickle-down effect to almost every function in the organization. Some events that could cause strategic risks to be realized are: major technological changes in the company, like switching to a new tech stack; large layoffs or reductions-in-force (RIFs); changes in leadership; competitive pressure; and legal changes.

Compliance Risk

Compliance risks materialize from regulatory and compliance requirements that businesses are subject to, like Sarbanes-Oxley for publicly-traded US companies, or GDPR for companies that handle personal information from the EU. The consequence or impact of noncompliance is generally a fine from the governing body of that regulation. These types of risks are realized when the organization does not maintain compliance with regulatory requirements, whether those requirements are environmental, financial, security-specific, or related to labor and civil laws.

Financial Risk

Financial risks are fairly self-explanatory — they have the possibility of affecting an organization’s profits. These types of risks often receive significant attention due to the potential impact on a company’s bottom line. Financial risks can be realized in many circumstances, like performing a financial transaction, compiling financial statements, developing new partnerships, or making new deals.

Operational Risk

Risks to operations, or operational risks, have the potential to disrupt daily operations involved with running a business. Needless to say, this can be a problematic scenario for organizations with employees unable to do their jobs, and with product delivery possibly delayed. Operational risks can materialize from internal or external sources — employee conduct, retention, technology failures, natural disasters, supply chain breakdowns — and many more.

Reputational Risk

Reputational risks are an interesting category. These risks look at a company’s standing in the public and in the media and identify what could impact its reputation. The advent of social media changed the reputation game quite a bit, giving consumers direct access to brands and businesses. Consumers and investors too are becoming more conscious about the companies they do business with and their impact on the environment, society, and civil rights. Reputational risks are realized when a company receives bad press or experiences a successful cyber attack or security breach; or any situation that causes the public to lose trust in an organization.

Security Risk

Security risks have to do with possible threats to your organization’s physical premises, as well as information systems security. Security breaches, data leaks, and other successful types of cyber attacks threaten the majority of businesses operating today. Security risks have become an area of risk that companies can’t ignore, and must safeguard against.

Quality Risk

Quality risks are specifically associated with the products or services that a company provides. Producing low-quality goods or services can cause an organization to lose customers, ultimately affecting revenue. These risks are realized when product quality drops for any reason — whether that’s technology changes, outages, employee errors, or supply chain disruptions.

Steps in the Risk Management Process

The six risk management process steps that we’ve outlined below will give you and your organization a starting point to implement or improve your risk management practices. In order, the risk management steps are: 

  • Risk identification
  • Risk analysis or assessment
  • Controls implementation
  • Resource and budget allocation
  • Risk mitigation
  • Risk monitoring, reviewing, and reporting

If this is your organization’s first time setting up a risk management program, consider having a formal risk assessment completed by an experienced third party, with the goal of producing a risk register and prioritized recommendations on what activities to focus on first. Annual (or more frequent) risk assessments are usually required when pursuing compliance and security certifications, making them a valuable investment.

Step 1: Risk Identification

The first step in the risk management process is risk identification. This step takes into account the organization’s overarching goals and objectives, ideally through conversations with management and leadership. Identifying risks to company goals involves asking, “What could go wrong?” with the plans and activities aimed at meeting those goals. As an organization moves from macro-level risks to more specific function and process-related risks, risk teams should collaborate with critical stakeholders and process owners, gaining their insight into the risks that they foresee.

As risks are identified, they should be captured in formal documentation — most organizations do this through a risk register, which is a database of risks, risk owners, mitigation plans, and risk scores.


Step 2: Risk Analysis or Assessment

Analyzing risks, or assessing risks, involves looking at the likelihood that a risk will be realized, and the potential impact that risk would have on the organization if that risk were realized. By quantifying these on a three- or five-point scale, risk prioritization becomes simpler. Multiplying the risk’s likelihood score with the risk’s impact score generates the risk’s overall risk score. This value can then be compared to other risks for prioritization purposes.

The likelihood that a risk will be realized asks the risk assessor to consider how probable it would be for a risk to actually occur. Lower scores indicate less chances that the risk will materialize. Higher scores indicate more chances that the risk will occur.

Likelihood, on a 5×5 risk matrix, is broken out into:

  • Highly Unlikely
  • Highly Likely

The potential impact of a risk, should it be realized, asks the risk assessor to consider how the business would be affected if that risk occurred. Lower scores signal less impact to the organization, while higher scores indicate more significant impacts to the company.

Impact, on a 5×5 risk matrix, is broken out into:

  • Negligible Impact
  • Moderate Impact
  • High Impact
  • Catastrophic Impact

Risk assessment matrices help visualize the relationship between likelihood and impact, serving as a valuable tool in risk professionals’ arsenals.

Organizations can choose whether to employ a 5×5 risk matrix, as shown above, or a 3×3 risk matrix, which breaks likelihood, impact, and aggregate risk scores into low, moderate, and high categories.

Step 3: Controls Assessment and Implementation

Once risks have been identified and analyzed, controls that address or partially address those risks should be mapped. Any risks that don’t have associated controls, or that have controls that are inadequate to mitigate the risk, should have controls designed and implemented to do so.

Step 4: Resource and Budget Allocation

This step, the resource and budget allocation step, doesn’t get included in a lot of content about risk management. However, many businesses find themselves in a position where they have limited resources and funds to dedicate to risk management and remediation. Developing and implementing new controls and control processes is time-consuming and costly; there’s usually a learning curve for employees to get used to changes in their workflow.

Using the risk register and corresponding risk scores, management can more easily allocate resources and budget to priority areas, with cost-effectiveness in mind. Each year, leadership should re-evaluate their resource allocation as part of annual risk lifecycle practices.

Step 5: Risk Mitigation

The risk mitigation step of risk management involves both coming up with the action plan for handling open risks, and then executing on that action plan. Mitigating risks successfully takes buy-in from various stakeholders. Due to the various types of risks that exist, each action plan may look vastly different between risks. 

For example, vulnerabilities present in information systems pose a risk to data security and could result in a data breach. The action plan for mitigating this risk might involve automatically installing security patches for IT systems as soon as they are released and approved by the IT infrastructure manager. Another identified risk could be the possibility of cyber attacks resulting in data exfiltration or a security breach. The organization might decide that establishing security controls is not enough to mitigate that threat, and thus contract with an insurance company to cover off on cyber incidents. Two related security risks; two very different mitigation strategies. 

One more note on risk mitigation — there are four generally accepted “treatment” strategies for risks. These four treatments are:

  • Risk Acceptance: Risk thresholds are within acceptable tolerance, and the organization chooses to accept this risk.
  • Risk Transfer: The organization chooses to transfer the risk or part of the risk to a third-party provider or insurance company.
  • Risk Avoidance: The organization chooses not to move forward with that risk and avoids incurring it.
  • Risk Mitigation: The organization establishes an action plan for reducing or limiting risk to acceptable levels.

If an organization is not opting to mitigate a risk, and instead chooses to accept, transfer, or avoid the risk, these details should still be captured in the risk register, as they may need to be revisited in future risk management cycles.

Step 6: Risk Monitoring, Reviewing, and Reporting

The last step in the risk management lifecycle is monitoring risks, reviewing the organization’s risk posture, and reporting on risk management activities. Risks should be monitored on a regular basis to detect any changes to risk scoring, mitigation plans, or owners. Regular risk assessments can help organizations continue to monitor their risk posture. Having a risk committee or similar committee meet on a regular basis, such as quarterly, integrates risk management activities into scheduled operations, and ensures that risks undergo continuous monitoring. These committee meetings also provide a mechanism for reporting risk management matters to senior management and the board, as well as affected stakeholders.

As an organization reviews and monitors its risks and mitigation efforts, it should apply any lessons learned and use past experiences to improve future risk management plans.
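As an added example, not code from the article or from AuditBoard, the following Python sketches the register bookkeeping behind Steps 4 to 6: scores rank the risks, a fixed budget is spent on the action plans that remove the most risk per unit cost, accepted, transferred and avoided risks stay in the register with their treatment recorded, and a later cycle is compared against the earlier one for changes to scores or owners. The 1 to 5 scales, the tolerance, the costs and every register row are constructed assumptions.

```python
# Added example, not the article's code: a minimal risk register for Steps 4 to 6.
# The 1..5 scales, costs, tolerance and register rows are constructed assumptions.
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional

class Treatment(Enum):             # the four generally accepted treatment strategies
    ACCEPT = "accept"
    TRANSFER = "transfer"          # e.g. cyber insurance
    AVOID = "avoid"
    MITIGATE = "mitigate"          # an action plan reduces the risk

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    owner: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (negligible) .. 5 (severe)
    treatment: Treatment
    mitigation_cost: float = 0.0   # cost of the action plan (MITIGATE only)
    residual_likelihood: Optional[int] = None  # likelihood once the plan is done

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def risk_reduction(self) -> int:
        """Score points the action plan removes; zero unless the risk is mitigated."""
        if self.treatment is not Treatment.MITIGATE or self.residual_likelihood is None:
            return 0
        return (self.likelihood - self.residual_likelihood) * self.impact

def prioritize(register: List[Risk]) -> List[Risk]:
    """Rank by inherent score, highest first, ties broken by impact."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)

def allocate_budget(register: List[Risk], budget: float):
    """Step 4: fund action plans by risk reduction per unit cost until the budget runs out.
    Returns (funded ids, deferred ids, unspent budget)."""
    plans = [r for r in register if r.treatment is Treatment.MITIGATE and r.mitigation_cost > 0]
    plans.sort(key=lambda r: r.risk_reduction / r.mitigation_cost, reverse=True)
    funded, deferred, remaining = [], [], budget
    for r in plans:
        if r.mitigation_cost <= remaining:
            funded.append(r.risk_id)
            remaining -= r.mitigation_cost
        else:
            deferred.append(r.risk_id)
    return funded, deferred, remaining

def validate_register(register: List[Risk], tolerance: int) -> List[str]:
    """Step 5 bookkeeping: each risk has an owner, accepted risks sit within tolerance,
    and a risk marked 'mitigate' carries a costed plan with a residual likelihood."""
    problems = []
    for r in register:
        if not r.owner:
            problems.append(f"{r.risk_id}: no owner")
        if r.treatment is Treatment.ACCEPT and r.score > tolerance:
            problems.append(f"{r.risk_id}: accepted with score {r.score} above tolerance {tolerance}")
        if r.treatment is Treatment.MITIGATE and (r.mitigation_cost <= 0 or r.residual_likelihood is None):
            problems.append(f"{r.risk_id}: mitigate chosen but no costed action plan")
    return problems

def review_changes(previous: List[Risk], current: List[Risk]) -> List[tuple]:
    """Step 6: list new, closed and changed risks (score or owner) between two cycles."""
    prev = {r.risk_id: r for r in previous}
    cur = {r.risk_id: r for r in current}
    changes = []
    for rid in sorted(set(prev) | set(cur)):
        if rid not in prev:
            changes.append((rid, "new", None, cur[rid].score))
        elif rid not in cur:
            changes.append((rid, "closed", prev[rid].score, None))
        else:
            a, b = prev[rid], cur[rid]
            if a.score != b.score:
                changes.append((rid, "score", a.score, b.score))
            if a.owner != b.owner:
                changes.append((rid, "owner", a.owner, b.owner))
    return changes

# Constructed sample register; R1 and R2 mirror the article's two cyber examples.
SAMPLE_REGISTER = [
    Risk("R1", "Unpatched vulnerabilities", "IT infrastructure manager", 4, 4, Treatment.MITIGATE, 20_000, 1),
    Risk("R2", "Cyber attack causing data exfiltration", "CISO", 3, 5, Treatment.TRANSFER),  # insured
    Risk("R3", "Flooding at the single warehouse", "Facilities lead", 2, 4, Treatment.MITIGATE, 50_000, 1),
    Risk("R4", "Office supplies price increase", "Procurement", 4, 1, Treatment.ACCEPT),
    Risk("R5", "Expansion into an unlicensed market", "COO", 3, 3, Treatment.AVOID),
    Risk("R6", "Shared administrator passwords", "IT infrastructure manager", 5, 3, Treatment.MITIGATE, 5_000, 1),
]

# Constructed next-cycle register: R1 and R6 were mitigated, R3 was closed, R7 is new.
NEXT_CYCLE_REGISTER = [
    replace(SAMPLE_REGISTER[0], likelihood=1), SAMPLE_REGISTER[1], SAMPLE_REGISTER[3], SAMPLE_REGISTER[4],
    replace(SAMPLE_REGISTER[5], likelihood=1, owner="Security team"),
    Risk("R7", "Key supplier insolvency", "Procurement", 2, 3, Treatment.ACCEPT),
]
```

With a budget of 30,000 the cheap password fix (R6) and the patching plan (R1) are funded and the flood defence (R3) is deferred, while the transferred, avoided and accepted rows remain in the register for the next cycle's review.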

Examples of Risk Management Strategies

Depending on your company’s industry, the types of risks it faces, and its objectives, you may need to employ many different risk management strategies to adequately handle the possibilities that your organization encounters. 

Some examples of risk management strategies include leveraging existing frameworks and best practices, minimum viable product (MVP) development, contingency planning, root cause analysis and lessons learned, built-in buffers, risk-reward analysis, and third-party risk assessments.

Leverage Existing Frameworks and Best Practices

Risk management professionals need not go it alone. There are several standards organizations and committees that have developed risk management frameworks, guidance, and approaches that business teams can leverage and adapt for their own company. 

Some of the more popular risk management frameworks out there include:

  • ISO 31000 Family: The International Standards Organization’s guidance on risk management.
  • NIST Risk Management Framework (RMF): The National Institute of Standards and Technology has released risk management guidance compatible with their Cybersecurity Framework (CSF).
  • COSO Enterprise Risk Management (ERM): The Committee of Sponsoring Organizations’ enterprise risk management guidance.

Minimum Viable Product (MVP) Development

This approach to product development involves developing core features and delivering those to the customer, then assessing response and adjusting development accordingly. Taking an MVP path reduces the likelihood of financial and project risks, like excessive spend or project delays, by simplifying the product and decreasing development time.

Contingency Planning

Developing contingency plans for significant incidents and disaster events is a great way for businesses to prepare for worst-case scenarios. These plans should account for response and recovery. Contingency plans specific to physical sites or systems help mitigate the risk of employee injury and outages.

Root Cause Analysis and Lessons Learned

Sometimes, experience is the best teacher. When an incident occurs or a risk is realized, risk management processes should include some kind of root cause analysis that provides insights into what can be done better next time. These lessons learned, integrated with risk management practices, can streamline and optimize response to similar risks or incidents.

Built-In Buffers

Applicable to discrete projects, building in buffers in the form of time, resources, and funds can be another viable strategy to mitigate risks. As you may know, projects can get derailed very easily, going out of scope, over budget, or past the timeline. Whether a project team can successfully navigate project risks spells the success or failure of the project. By building in some buffers, project teams can set expectations appropriately and account for the possibility that project risks may come to fruition.

Risk-Reward Analysis

In a risk-reward analysis, companies and project teams weigh the possibility of something going wrong with the potential benefits of an opportunity or initiative. This analysis can be done by looking at historical data, doing research about the opportunity, and drawing on lessons learned. Sometimes the risk of an initiative outweighs the reward; sometimes the potential reward outweighs the risk. At other times, it’s unclear whether the risk is worth the potential reward or not. Still, a simple risk-reward analysis can keep organizations from bad investments and bad deals.

Third-Party Risk Assessments

Another strategy teams can employ as part of their risk management plan is to conduct periodic third-party risk assessments. In this method, a company would contract with a third party experienced in conducting risk assessments, and have them perform one (or more) for the organization. Third-party risk assessments can be immensely helpful for a new risk management team or for a mature risk management team that wants a new perspective on its program.

Generally, third-party risk assessments result in a report of risks, findings, and recommendations. In some cases, a third-party provider may also be able to help draft or provide input into your risk register. As external resources, third-party risk assessors can bring their experience and opinions to your organization, leading to insights and discoveries that may not have been found without an independent set of eyes.

Components of an Effective Risk Management Plan

An effective risk management plan has buy-in from leadership and key stakeholders; applies the risk management steps; has good documentation; and is actionable. Buy-in from management often determines whether a risk management function is successful or not, since risk management requires resources to conduct risk assessments, risk identification, risk mitigation, and so on. Without leadership buy-in, risk management teams may end up just going through the motions without the ability to make an impact. Risk management plans should be integrated into organizational strategy, and without stakeholder buy-in, that typically does not happen. 

Applying the risk management methodology is another key component of an effective plan. That means the six steps outlined above should be incorporated into a company’s risk management lifecycle. Identifying and analyzing risks, establishing controls, allocating resources, conducting mitigation, and monitoring and reporting on findings form the foundations of good risk management.

Good documentation is another cornerstone of effective risk management. Without a risk register recording all of a company’s identified risks and accompanying scores and mitigation strategies, there would be little for a risk team to act on. Maintaining and updating the risk register should be a priority for the risk team — risk management software can help here, providing users with a dashboard and collaboration mechanism.

Last but not least, an effective risk management plan needs to be actionable. Any activities that need to be completed for mitigating risks or establishing controls should be feasible for the organization and its allocated resources. An organization can come up with the best possible, best-practice risk management plan, but find it completely unactionable because it doesn’t have the capabilities, technology, funds, and/or personnel to carry it out. It’s all well and good to recommend that cybersecurity risks be mitigated by setting up a 24/7 continuous monitoring Security Operations Center (SOC), but if your company only has one IT person on staff, that may not be a feasible action plan.

Executing on an effective risk management plan necessitates having the right people, processes, and technology in place. Sometimes the challenges involved with running a good risk management program are mundane — such as disconnects in communication, poor version control, and multiple risk registers floating around. Risk management software can provide your organization with a unified view of the company’s risks, a repository for storing and updating key documentation like a risk register, and a space to collaborate virtually with colleagues to check on risk mitigation efforts or coordinate on risk assessments. Get started building your ideal risk management plan today!

Emily Villanueva, MBA, is a Senior Manager of Product Solutions at AuditBoard. Emily joined AuditBoard from Grant Thornton, where she provided consulting services specializing in SOX compliance, internal audit, and risk management. She also spent 5 years in the insurance industry specializing in SOX/ICFR, internal audits, and operational compliance. Connect with Emily on LinkedIn.

A guide to business risk assessment

GoCardless

No business venture is entirely without risk. However, conducting a company risk assessment offers one way to identify potential hazards and mitigate them. Keep reading to learn more about what’s involved in business risk assessment.

What is risk analysis in business?

Apart from this type of business decision, there are also wider risks such as natural disasters which must also be accounted for. By identifying these problems, both large and small, a company can conduct a business analysis risk assessment and prepare for all eventualities. The goal of risk analysis in business is to assess potential outcomes, and ultimately make smarter business decisions.

Benefits of performing a company risk assessment

There are plentiful benefits to business risk analysis, including the following:

  • Avoid overly risky decisions that could damage your bottom line
  • Identify steps needed to protect your business from external damages
  • Pull together information needed to speak with lenders about financing
  • Create an action plan to respond quickly to adverse situations
  • Reduce recovery time after a natural disaster, legal damages, or security threat

Types of risk in business

There are both internal and external risks to consider when performing a business risk assessment. Internal risks occur as part of your business’s operations, while external risks involve outside incidents that impact your finances.

Generally, internal risks are easier to mitigate. These include factors like marketing, workforce, or operational risks.

By contrast, external risks might be out of your company’s immediate control. As a result, you’ll need to prepare for their effects on your business. Examples of external risks include things like natural disasters, changes to government regulations, new competitors, or changing economic conditions.

How to perform a business risk assessment

To create your own business analysis risk assessment and accompanying strategy, follow these steps:

1.  Identify likely hazards.

The first step in any company risk assessment is to outline which hazards your company is most likely to face. This will vary according to your business’s size, typical operations, geographical location, and industry. Think about which situations would pose the greatest threat to your finances.

2.  Identify at-risk assets.

The next step is to think about the assets that would be most at-risk from the hazards you’ve written down. For example, if there was a change to government regulations impacting your mechanical processes, this would mainly cause risk to your business’s operations. Risks could also impact your finances, properties, employees, customers, or brand reputation.

3.  Document risks.

No business risk analysis is complete without fully documenting the identified risks, at-risk assets, and potential harms. Define these categories in a document, developing an internal process to give each type of risk a weight. It’s helpful to create your own scoring system ranging from mild to severe for each identified risk.

4.  Analyze the impacts.

After documenting and scoring your risks, weigh these impacts with a thorough analysis of harm. For example, if you’re analyzing the impact of a cyber-attack, you should think about the specific damages that would occur. This could include compromised customer details, harm to your company’s reputation, leaking of sensitive company information, and draining of bank accounts.

5.  Create a mitigation strategy.

Once you’ve analyzed the potential impacts of a risk, the next step is to create a mitigation strategy. In the example of the cyber-attack, this could include strengthening your online security platforms. Designate individuals at the business to implement these mitigation actions and manage risks. Create new flows for reporting and handling each risk.

6.  Perform regular risk reviews.

Finally, remember that business risk assessment is an ongoing process. You will need to determine controls used to reduce risks, analyzing patterns over time to predict and document future financial outcomes. Review these processes annually to verify that they’re still working – and identify new risks.

What is business risk?

You know about death and taxes. What about risk? Yes, risk is just as much a part of life as the other two inevitabilities. This became all the more apparent during COVID-19, as each of us had to assess and reassess our personal risk calculations as each new wave of the pandemic—and pandemic-related disruptions—washed over us. It’s the same in business: executives and organizations have different comfort levels with risk and ways to prepare against it.

Where does business risk come from? To start with, external factors can wreak havoc on an organization’s best-laid plans. These can include things like inflation, supply chain disruptions, geopolitical upheavals, unpredictable force majeure events like a global pandemic or climate disaster, competitors, reputational issues, or even cyberattacks.

But sometimes, the call is coming from inside the house. Companies can be imperiled by their own executives’ decisions or by leaks of privileged information, but most damaging of all, perhaps, is the risk of missed opportunities. We’ve seen it often: when companies choose not to adopt disruptive innovation, they risk losing out to more nimble competitors.

The modern era is rife with increasingly frequent sociopolitical, economic, and climate-related shocks. In 2019 alone, for example, 40 weather disasters caused damages exceeding $1 billion each. To stay competitive, organizations should develop dynamic approaches to risk and resilience. That means predicting new threats, perceiving changes in existing threats, and developing comprehensive response plans. There’s no magic formula that can guarantee safe passage through a crisis. But in situations of threat, sometimes only a robust risk-management plan can protect an organization from interruptions to critical business processes. For more on how to assess and prepare for the inevitability of risk, read on.

Learn more about McKinsey’s Risk and Resilience Practice.

What is risk control?

Risk controls are measures taken to identify, manage, and eliminate threats. Companies can create these controls through a range of risk management strategies and exercises. Once a risk is identified and analyzed, risk controls can be designed to reduce the potential consequences. Eliminating a risk—always the preferable solution—is one method of risk control. Loss prevention and reduction are other risk controls that accept the risk but seek to minimize the potential loss (insurance is one method of loss prevention). A final method of risk control is duplication (also called redundancy). Backup servers or generators are a common example of duplication, ensuring that if a power outage occurs no data or productivity is lost.

But in order to develop appropriate risk controls, an organization should first understand the potential threats.

What are the three components to a robust risk management strategy?

A dynamic risk management plan can be broken down into three components: detecting potential new risks and weaknesses in existing risk controls, determining the organization’s appetite for risk taking, and deciding on the appropriate risk management approach. Here’s more information about each step and how to undertake them.

1. Detecting risks and controlling weaknesses

A static approach to risk is not an option, since an organization can be caught unprepared when an unlikely event, like a pandemic, strikes. So it pays to always be proactive. To keep pace with changing environments, companies should answer the following three questions for each of the risks that are relevant to their business.

  • How will a risk play out over time? Risks can be slow moving or fast moving. They can be cyclical or permanent. Companies should analyze how known risks are likely to play out and reevaluate them on a regular basis.
  • Are we prepared to respond to systemic risks? Increasingly, risks have longer-term reputational or regulatory consequences, with broad implications for an industry, the economy, or society at large. A risk management strategy should incorporate all risks, including systemic ones.
  • What new risks lurk in the future? Organizations should develop new methods of identifying future risks. Traditional approaches that rely on reviews and assessments of historical realities are no longer sufficient.

2. Assessing risk appetite

How can companies develop a systematic way of deciding which risks to accept and which to avoid? Companies should set appetites for risk that align with their own values, strategies, capabilities, and competitive environments—as well as those of society as a whole. To that end, here are three questions companies should consider.

  • How much risk should we take on? Companies should reevaluate their risk profiles frequently according to shifting customer behaviors, digital capabilities, competitive landscapes, and global trends.
  • Are there any risks we should avoid entirely? Some risks are clear: companies should not tolerate criminal activity or sexual harassment. Others are murkier. How companies respond to risks like economic turmoil and climate change depends on their particular business, industry, and levels of risk tolerance.
  • Does our risk appetite adequately reflect the effectiveness of our controls? Companies are typically more comfortable taking risks for which they have strong controls in place. But the increased threat of severe risks challenges traditional assumptions about risk control effectiveness. For instance, many businesses have relied on automation to increase speed and reduce manual error. But increased data breaches and privacy concerns can increase the risk of large-scale failures. Organizations, therefore, should evolve their risk profiles accordingly.

3. Deciding on a risk management approach

Finally, organizations should decide how they will respond when a new risk is identified. This decision-making process should be flexible and fast, actively engaging leaders from across the organization and honestly assessing what has and hasn’t worked in past scenarios. Here are three questions organizations should be able to answer.

  • How should we mitigate the risks we are taking? Ultimately, people need to make these decisions and assess how their controls are working. But automated control systems should buttress human efforts. Controls guided, for example, by advanced analytics can help guard against quantifiable risks and minimize false positives.
  • How would we respond if a risk event or control breakdown happens? If (or more likely, when) a threat occurs, companies should be able to switch to crisis management mode quickly, guided by an established playbook. Companies with well-rehearsed crisis management capabilities weather shocks better, as we saw with the COVID-19 pandemic.
  • How can we build true resilience? Resilient companies not only better withstand threats—they emerge stronger. The most resilient firms can turn fallout from crises into a competitive advantage. True resilience stems from a diversity of skills and experience, innovation, creative problem solving, and the basic psychological safety that enables peak performance.

Change is constant. Just because a risk control plan made sense last year doesn’t mean it will next year. In addition to the above points, a good risk management strategy involves not only developing plans based on potential risk scenarios but also evaluating those plans on a regular basis.

Learn more about McKinsey’s Risk and Resilience Practice.

What are five actions organizations can take to build dynamic risk management?

In the past, some organizations have viewed risk management as a dull, dreary topic, uninteresting for the executive looking to create competitive advantage. But when the risk is particularly severe or sudden, a good risk strategy is about more than competitiveness—it can mean survival. Here are five actions leaders can take to establish risk management capabilities.

  • Reset the aspiration for risk management. This requires clear objectives and clarity on risk levels and appetite. Risk managers should establish dialogues with business leaders to understand how people across the business think about risk, and share possible strategies to nurture informed risk-versus-return decision making—as well as the capabilities available for implementation.
  • Establish agile risk management practices. As the risk environment becomes more unpredictable, the need for agile risk management grows. In practice, that means putting in place cross-functional teams empowered to make quick decisions about innovating and managing risk.
  • Harness the power of data and analytics. The tools of the digital revolution can help companies improve risk management. Data streams from traditional and nontraditional sources can broaden and deepen companies’ understandings of risk, and algorithms can boost error detection and drive more accurate predictions.
  • Develop risk talent for the future. Risk managers who are equipped to meet the challenges of the future will need new capabilities and expanded domain knowledge in model risk management, data, analytics, and technology. This will help support a true understanding of the changing risk landscape, which risk leaders can use to effectively counsel their organizations.
  • Fortify risk culture. Risk culture includes the mindsets and behavioral norms that determine an organization’s relationship with risk. A good risk culture allows an organization to respond quickly when threats emerge.

How do scenarios help business leaders understand uncertainty?

Done properly, scenario planning prompts business leaders to convert abstract hypotheses about uncertainties into narratives about realistic visions of the future. Good scenario planning can help decision makers experience new realities in ways that are intellectual and sensory, as well as rational and emotional. Scenarios have four main features that can help organizations navigate uncertain times.

  • Scenarios expand your thinking. By developing a range of possible outcomes, each backed with a sequence of events that could lead to them, it’s possible to broaden our thinking. This helps us become ready for the range of possibilities the future might hold—and accept the possibility that change might come more quickly than we expect.
  • Scenarios uncover inevitable or likely futures. A broad scenario-building effort can also point to powerful drivers of change, which can help to predict potential outcomes. In other words, by illuminating critical events from the past, scenario building can point to outcomes that are very likely to happen in the future.
  • Scenarios protect against groupthink. In some large corporations, employees can feel unsafe offering contrarian points of view for fear that they’ll be penalized by management. Scenarios can help companies break out of this trap by providing a “safe haven” for opinions that differ from those of senior leadership and that may run counter to established strategy.
  • Scenarios allow people to challenge conventional wisdom. In large corporations in particular, there’s frequently a strong bias toward the status quo. Scenarios are a nonthreatening way to lay out alternative futures in which assumptions underpinning today’s strategy can be challenged.

Learn more about McKinsey’s Strategy & Corporate Finance Practice.

What’s the latest thinking on risk for financial institutions?

In late 2021, McKinsey conducted survey-based research with more than 30 chief risk officers (CROs), asking about the current banking environment, risk management practices, and priorities for the future.

According to CROs, banks in the current environment are especially exposed to accelerating market dynamics, climate change, and cybercrime. Sixty-seven percent of CROs surveyed cited the pandemic as having significant impact on employees and in the area of nonfinancial risk. Most believed that these effects would diminish in three years’ time.

Climate change, on the other hand, is expected to become a larger issue over time. Nearly all respondents cited climate regulation as one of the five most important forces in the financial industry in the coming three years. And 75 percent were concerned about climate-related transition risk: financial and other risks arising from the transformation away from carbon-based energy systems.

And finally, cybercrime was assessed as one of the top risks by most executives, both now and in the future.

Learn more about the risk priorities of banking CROs here.

What is cyber risk?

Cyber risk is a form of business risk. More specifically, it’s the potential for business losses of all kinds in the digital domain—financial, reputational, operational, productivity related, and regulatory related. While cyber risk originates from threats in the digital realm, it can also cause losses in the physical world, such as damage to operational equipment.

Cyber risk is not the same as a cyberthreat. Cyberthreats are the particular dangers that create the potential for cyber risk. These include privilege escalation (the exploitation of a flaw in a system for the purpose of gaining unauthorized access to resources), vulnerability exploitation (an attack that uses detected vulnerabilities to exploit the host system), or phishing. The risk impact of cyberthreats includes loss of confidentiality, integrity, and availability of digital assets, as well as fraud, financial crime, data loss, or loss of system availability.

In the past, organizations have relied on maturity-based cybersecurity approaches to manage cyber risk. These approaches focus on achieving a particular level of cybersecurity maturity by building capabilities, like establishing a security operations center or implementing multifactor authentication across the organization. A maturity-based approach can still be helpful in some situations, such as for brand-new organizations. But for most institutions, a maturity-based approach can turn into an unmanageably large project, demanding that all aspects of an organization be monitored and analyzed. The reality is that, since some applications are more vulnerable than others, organizations would do better to measure and manage only their most critical vulnerabilities.

What is a risk-based cybersecurity approach?

A risk-based approach is a distinct evolution from a maturity-based approach. For one thing, a risk-based approach identifies risk reduction as the primary goal. This means an organization prioritizes investment based on a cybersecurity program’s effectiveness in reducing risk. Also, a risk-based approach breaks down risk-reduction targets into precise implementation programs with clear alignment all the way up and down an organization. Rather than building controls everywhere, a company can focus on building controls for the worst vulnerabilities.

Here are eight actions that comprise a best practice for developing a risk-based cybersecurity approach:

  • fully embed cybersecurity in the enterprise-risk-management framework
  • define the sources of enterprise value across teams, processes, and technologies
  • understand the organization’s enterprise-wide vulnerabilities—among people, processes, and technology—internally and for third parties
  • understand the relevant “threat actors,” their capabilities, and their intent
  • link the controls in “run” activities and “change” programs to the vulnerabilities that they address and determine what new efforts are needed
  • map the enterprise risks from the enterprise-risk-management framework, accounting for the threat actors and their capabilities, the enterprise vulnerabilities they seek to exploit, and the security controls of the organization’s cybersecurity run activities and change program
  • plot risks against the enterprise-risk appetite; report on how cyber efforts have reduced enterprise risk
  • monitor risks and cyber efforts against risk appetite, key cyber risk indicators, and key performance indicators

How can leaders make the right investments in risk management?

Ignoring high-consequence, low-likelihood risks can be catastrophic to an organization—but preparing for everything is too costly. In the case of the COVID-19 crisis, the danger of a global pandemic on this scale was foreseeable, if unexpected. Nevertheless, the vast majority of companies were unprepared: among billion-dollar companies in the United States, more than 50 filed for bankruptcy in 2020.

McKinsey has described the decisions to act on these high-consequence, low-likelihood risks as “big bets.” The number of these risks is far too large for decision makers to make big bets on all of them. To narrow the list down, the first thing a company can do is to determine which risks could hurt the business versus the risks that could destroy the company. Decision makers should prioritize the potential threats that would cause an existential crisis for their organization.

To identify these risks, McKinsey recommends using a two-by-two risk grid, situating the potential impact of an event on the whole company against the level of certainty about the impact. This way, risks can be measured against each other, rather than on an absolute scale.

Organizations sometimes survive existential crises. But it can’t be ignored that crises—and missed opportunities—can cause organizations to fail. By measuring the impact of high-impact, low-likelihood risks on core business, leaders can identify and mitigate risks that could imperil the company. What’s more, investing in protecting their value propositions can improve an organization’s overall resilience.

Articles referenced:

  • “Seizing the momentum to build resilience for a future of sustainable inclusive growth,” February 23, 2023, Børge Brende and Bob Sternfels
  • “Data and analytics innovations to address emerging challenges in credit portfolio management,” December 23, 2022, Abhishek Anand, Arvind Govindarajan, Luis Nario and Kirtiman Pathak
  • “Risk and resilience priorities, as told by chief risk officers,” December 8, 2022, Marc Chiapolino, Filippo Mazzetto, Thomas Poppensieker, Cécile Prinsen, and Dan Williams
  • “What matters most? Six priorities for CEOs in turbulent times,” November 17, 2022, Homayoun Hatami and Liz Hilton Segel
  • “Model risk management 2.0 evolves to address continued uncertainty of risk-related events,” March 9, 2022, Pankaj Kumar, Marie-Paule Laurent, Christophe Rougeaux, and Maribel Tejada
  • “The disaster you could have stopped: Preparing for extraordinary risks,” December 15, 2020, Fritz Nauck, Ophelia Usher, and Leigh Weiss
  • “Meeting the future: Dynamic risk management for uncertain times,” November 17, 2020, Ritesh Jain, Fritz Nauck, Thomas Poppensieker, and Olivia White
  • “Risk, resilience, and rebalancing in global value chains,” August 6, 2020, Susan Lund, James Manyika, Jonathan Woetzel, Edward Barriball, Mekala Krishnan, Knut Alicke, Michael Birshan, Katy George, Sven Smit, Daniel Swan, and Kyle Hutzler
  • “The risk-based approach to cybersecurity,” October 8, 2019, Jim Boehm, Nick Curcio, Peter Merrath, Lucy Shenton, and Tobias Stähle
  • “Value and resilience through better risk management,” October 1, 2018, Daniela Gius, Jean-Christophe Mieszala, Ernestos Panayiotou, and Thomas Poppensieker


How to Create a Project Risk Management Plan

By Kate Eby | February 27, 2023


Teams can use a project risk management plan to identify and assess the potential risks to a project. We’ve gathered expert tips on creating an effective risk management plan, as well as step-by-step instructions for creating an example plan.

On this page, you’ll find information on what to include in a project risk management plan and how to create a plan , as well as step-by-step instructions for completing an example project risk management plan .

What Is a Project Risk Management Plan?

Project teams create a project risk management plan , a document that helps identify and assess potential risks to a project. The plan outlines how your team will analyze and mitigate the potential risks to ensure project success.

The project risk management plan is one of the most important documents in project risk management. You can learn more about project risks in general — as well as specific types of project risks — in our comprehensive guides.

What Does a Risk Management Plan Cover?

A risk management plan should cover a number of areas detailing potential project risks and how your team will deal with them. It will include a description of the project, along with how your team will identify and assess risk.

At a minimum, your project risk management plan should include the following details:

  • Project description, including its purpose
  • The team plan for identifying, logging, and assessing potential risks
  • How the team will identify broad categories of risk
  • How the team will evaluate the severity of each potential risk
  • How your team will continue to monitor risks throughout the project
  • How team members will be assigned as owners of various risks
  • Your organization’s tolerance for certain risks, along with criteria for a risk being too large to accept

“A risk management plan defines how the risks for a project will be handled to ensure that the project can be completed within the set timeframe,” says Veniamin Simonov, Director of Product Management at NAKIVO, a backup and ransomware recovery software vendor. “The plan should cover methodology, risk categorization and prioritization, a response plan, staff roles, and responsibility areas and budgets.”

“The risk management plan will address ‘What are we going to do? How are we going to do it? What are the processes we're going to follow?’” says Alan Zucker, Founding Principal of Project Management Essentials. “It may include things such as what are the major categories you're going to use to define your risks. It might also include some guidelines for assessing risks.”

Components in a Project Risk Management Plan 

A project risk management plan will include certain components and describe how your project team will use certain tools to understand and manage potential risks. Some components include a risk register, a risk breakdown structure, and a risk response plan.

Here are components or tools that a project risk management plan often includes or describes:

  • Risk Register: A risk register is the document your project team will use to identify, log, and monitor potential project risks.
  • Risk Breakdown Structure: A risk breakdown structure is a chart that allows your team to identify broad risk categories and specific risks that fit within each category. Your team can decide on the broad categories, depending on your project.
  • Risk Assessment Matrix: A risk assessment matrix is a chart matrix that allows teams to score the severity of potential risks based on both the likelihood of each risk happening and the impact to the project if a risk happens.
  • Risk Response Plan: A risk response plan is a document that details how your team plans to respond to each potential risk to try to either prevent it from happening or lessen the impact if it does happen. You can learn more about project risk mitigation.
  • Roles and Responsibilities: The risk management plan can provide details on the project risk management team, including the lead member for risk management. It also likely details the roles and responsibilities each team member will have in addressing and dealing with specific risks.
  • Risk Reporting Formats: The risk management plan describes how the project team will document and report its work on monitoring and dealing with risks. It describes the risk register format that the team will use. It might also describe how risks will be added to or deleted from the register and how the project team will provide periodic summarized risk reports to top project and organization leaders.
  • Project Funding and Timing: The plan will likely have a section describing the overall funding and timing for the project. That section also likely details funding for all project risk management work.

To determine what you need to include in your risk management plan, see the following requirements based on project size:

Risk Management Plan and Other Components:
What’s Required Based on Size of Project

| Component | Small project (short duration; 2-4 members of project team) | Medium project (duration of several weeks to several months; medium-sized project team) | Large project (duration of year or more; large project team) |
|---|---|---|---|
| Risk management plan | | X | X |
| A basic risk register, to include columns for description of risk, its potential impact and priority, and who is responsible for monitoring | X | | |
| A detailed risk register, to include everything in basic risk register along with details on risk triggers and likely timing of risks, risk mitigation details, and status of mitigation response | | X | X |
| Risk breakdown structure | | | X |
| Risk assessment matrix | X | X | X |
| Risk response plan for priority risks | | X | X |
| Periodic risk management reports to organizational leaders | | | X |

An Organization’s Risk Management Plan Often Doesn’t Change with Projects  

Many risk management experts emphasize that an organization’s project risk management plans might not change much from project to project. That’s because the plan sets out particulars that will be followed for all projects.

“Remember, it's just an approach document that answers the question: How?” says Kris Reynolds, Founder and CEO of Arrowhead Consulting in Tulsa, Oklahoma. “The company or the department as a whole should have a single risk management plan that gets built as you're building your project management methodology. And it’s your Bible. It’s your guidebook. 

“But it isn't going to change across projects,” Reynolds continues. “What changes are the artifacts, including the risk register. But your approach of how you're going to address risk or analyze risk or plan for risk is in the project risk management plan document. As a company or organization, you create that document, and it exists for a year or two years without changing.”

To create a project risk management plan, your team should gather important documents and decide on an approach for assessing and responding to risks. This process involves gathering support documents, listing potential risk management tools, and more. 

Consider some of these basic steps and factors as you begin creating the project risk management plan:

  • Gather Supporting Documents: Gather and read through supporting documents related to the overall project, including the project and project management plan. It’s important for your project risk team to have a full view of project goals and objectives.
  • Frame the Context: Make sure your team understands both the business value of the project and the impact on the organization if the project fails.
  • Decide on Risk Assessment Criteria: Decide how your team will identify and assess important risks. That will require your team to have an understanding of which types of risks your organization can tolerate and which risks could be ruinous to the project.
  • Inventory Possible Risk Management Tools: Make a list of risk management tools and documents that your team might use to help identify and manage project risk.
  • Known Risks: At the start of a project, team members will be able to identify a number of known risks, such as budget issues, shortages of material, and human and other resource constraints, which are measurable and based on specific events.
  • Unknown Risks: At the start of a project, team members will not be able to identify a range of unknown risks that could impact your project. Those risks are not as easily or objectively measurable as known risks and can crop up at any point during a project. A main goal of project risk management is to help your team discover and address unknown risks before they happen.
  • Unknowable Risks: Your team will not be able to anticipate unknowable risks that could affect the project, such as catastrophic weather events, accidents, and major system failures.
  • Understand Human Bias: Studies have shown that people overestimate their ability to predict and influence the future. We often think we have more control than we do. Those biases can affect how we assess and manage risks in a project. We tend to give too much credence to what happened with past processes, fall into agreement with others in our group, and be more optimistic than we should be about how long a project will take or how much it will cost. It’s important to account for all of those biases as your team identifies and assesses project risk.

Steps in Developing a Project Risk Management Plan

After your project team has gathered documents and done other preparation work, you will want to follow nine basic steps in creating a project risk management plan. Those start with identifying and assessing risks.

Here are details on the nine steps of project risk management to keep in mind while drafting your project risk management plan:

  • Identify Risks: Your team should gather information and request input from team and organization members to determine potential risks to the project. Some specific risks can threaten many projects. Other risks will vary, based on the type of project and the industry. “If you're talking about a software project, you could have risks associated with the technology, resources, and interdependencies with other systems,” says Zucker. “If you have vendors you're working with, there may be risks associated with the vendors. There may be risks that are software- or hardware-specific. If you're working on a construction project, those risks obviously would be very different.” You can learn more about project risk analysis and how to identify potential risks to a project.
  • Assess Potential Impact of Each Risk: After your team identifies potential risks, it can assess the likelihood of each risk, along with the expected impact on the project if the risk happens. Your team can use a risk matrix to identify both the likelihood and impact of each risk. You can learn more about how to create a risk matrix and assess risks.
  • Determine Your Organization's Risk Threshold and Tolerance: Your team will want to understand your organization’s risk threshold, or tolerance for risk. Organization leaders might decide that some risks should be avoided at all costs, while others are acceptable. Take the time to understand those views as you prioritize project risks.
  • Prioritize Risks Based on Impact and Risk Tolerance: Once your team assesses the potential impact of a risk and your organization's risk tolerance for risks, it will prioritize risks accordingly. “Prioritize risks based on their disruptive potential for an organization,” says Simonov.
  • Create a Risk Response Plan: Your team should then create a response plan for each risk that the team considers a priority. That response plan will include measures that could prevent the risk from happening or lessen the risk’s impact if it does happen.
  • Select Project Risk Management Tools: Your team will need to decide on the best risk management tools to use for your project. That will likely include a risk register and a risk assessment matrix. It might include other tools, such as Monte Carlo simulations. Learn more about various tools and documents to use in risk management.
  • Select an Owner for Each Risk: Each identified risk should have an assigned owner. In some cases, a department might be an owner of a risk, but most often, the team will assign individuals to monitor risks. In some cases, the owner will be responsible for dealing with the risk if it happens. Teams can list the owners of each risk on their project risk register. 
  • Determine Possible Triggers for Each Risk: As your team conducts a closer assessment of all risks, it should identify risk triggers where possible. Triggers are events that can cause a risk to happen. Your team won’t be able to identify triggers for all risks, but it will for some. For example, if you have a plant without sufficient backup power, a trigger could be warnings of a violent storm that could cause a power outage.
  • Determine How Your Team Will Monitor Risks: An important part of your plan includes recording concrete details about how your team will ensure that it can continually monitor risks throughout the life of a project.

Risk Management Plan Examples, Templates, and Components

Examples of project risk management plans can help your team understand what information to include in a plan. The risk management plan can also detail various components that will be part of your team’s risk management.

Project Risk Management Plan Template


Download the Sample Project Risk Management Plan Template for Microsoft Word  

Download this sample project risk management plan, which includes primary components that might be described in a project risk management plan, such as details on risk identification, risk mitigation, and risk tracking and reporting.

Download the Blank Project Risk Management Plan for Microsoft Word

Use this blank template to create your own project risk management plan. The template includes sections to ensure that your team covers all areas of risk management, such as risk identification, risk assessment, and risk mitigation. Customize the template based on your needs.

Project Risk Register Template

Project Risk Register Template Example

Download the Sample Project Risk Register for Excel

This sample project risk register gives your team a better understanding of the information that a risk register should include to help the team understand and deal with risks. This sample includes potential risks that a project manager might track for a construction project.

Download the Blank Project Risk Register Template for Excel  

Use this project risk register template to help your team identify, track, and plan for project risks. The template includes columns for categorizing risks, providing risk descriptions, determining a risk severity score, and more.  

Quantitative Risk Register Template

Quantitative Risk Matrix Template Example

Download the Sample Quantitative Project Risk Impact Matrix for Excel

This sample quantitative project risk impact matrix template can help your team assess a project risk based on quantitative measures, such as potential monetary cost to the project. The template includes columns where your team can assess and track the probability and potential cost of each project risk. The template calculates a total monetary risk impact based on your estimates of probability and cost.

Risk Breakdown Structure Template

Risk Breakdown Structure Diagram Template

Download the Risk Breakdown Structure Template for Excel

Your team can use this template to create a risk breakdown structure diagram that shows different types of risks that could affect a project. The template helps your team organize risks into broad categories.

Step-By-Step Guide to Creating a Project Risk Management Plan

Below are step-by-step instructions on how to fill out a project risk management plan template. Follow these steps to help you and your team understand the information needed in an effective risk management plan.

This template is based on a project risk management plan template created by Arrowhead Consulting of Tulsa, Oklahoma, and was shared with us by Kris Reynolds.

  • Cover Section: Provide information for the cover section, also known as the summary section. This will include the name of the project, the project overview, the project goals, the expected length of the project, and the project manager.
  • Risk Management Approach: Write a short summary of your organization's overall approach to project risk management for all projects, not only the project at hand. The summary might describe overall goals, along with your organization’s view of the benefits of good project risk management.
  • Plan Purpose: Write a short summary explaining how the plan will help your team perform proper risk management for the project.
  • Risk Identification: Provide details on how your team plans to identify and define risks to the project. Those details should include who is assigned to specific responsibilities for risk identification and tracking, as well as what information and categories will be included in your team’s project risk register.
  • Risk Assessment: Provide details on how your team will assess the probability and potential impact of each risk it has identified. Your team should also include details on any risk matrices it plans to use and how the team will prioritize risks based on those matrices.
  • Risk Response: Provide details on the ways your team can choose to respond to various risks. In the case of high-priority risks, that will include prevention or mitigation plans for each risk. In the case of low-priority risks, or risks that might be prohibitively expensive to mitigate, it might include accepting the risk with limited mitigation measures.
  • Risk Mitigation: Provide more details on how your team plans to lessen the likelihood or impact of each risk. Your team should also provide details on how it will monitor the effectiveness of prevention and mitigation strategies, and change them if needed.
  • Risk Tracking and Reporting: Provide details on how your team plans to track and report on risks and risk mitigation activities. These details will likely include information on the project risk register your team plans to use and information on how your team plans to periodically report risk and risk responses to organizational leadership.

Do Complex Projects Require More Complex Project Risk Management Plans? 

Experts say that complex projects shouldn’t require more complex project risk management plans. A project might have more complex tools, such as a more detailed risk register, but the risk management plan should cover the same basics for all projects.

“The problem is, most people get these management plans confused. They then start lumping in the artifacts [such as risk registers] — which can be more complex and have more detail — to the risk management plan itself,” says Reynolds. “You want it to be easily understood and easily followed.

“I don't think the complexity of the project changes the risk management plan,” Reynolds says. “You may have to circulate the plan to more people. You may have to meet more frequently. You may have to use quantitative risk analysis. That would be more complex with more complex projects. But the management plan itself — no.”

Effectively Manage Project Risks with Real-Time Work Management in Smartsheet

From simple task management and project planning to complex resource and portfolio management, Smartsheet helps you improve collaboration and increase work velocity -- empowering you to get more done. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.


A risk management plan can help minimise the impact of risks that could weaken your cash flow or damage your brand. It will also help create a culture of sensible risk awareness and management in your business.

Our Crisis planning template and checklist includes a risk management plan:

Follow these steps to create a risk management plan that's tailored for your business.

1. Identify risks

What are the risks to your business?

For example:

  • data breach
  • contamination
  • power outage

Some risks will cause major disruption while others will be a minor irritation.

2. Assess the risks

Assess the risks that you've identified.

Try to estimate the:

  • potential severity of each risk
  • likelihood that it might happen

Prioritise your risk planning based on the results of your assessment.

3. Minimise or eliminate risks

Some risks are preventable, so eliminate or minimise these where possible. For some risks, it might be as simple as installing an alarm system or buying extra personal protective equipment (PPE).

Check your insurance

Insurance is one way to reduce the impact of an event or disaster.

For example, business interruption insurance can make sure that you receive your average earnings for the insured period until you're able to start operating again.

Make sure your insurance is enough to cover you in the event of a significant disruption to your business.

4. Assign responsibility for tasks

Identify what needs to happen if a crisis or disaster occurs and who is responsible for each action. Having clear directions is one of the simplest and most powerful tools for a fast recovery.

5. Develop contingency plans

Come up with contingency plans for how you'll continue or resume your operations if a crisis occurs. Your contingency plan is basically your 'plan B' for risks that you can't avoid completely.

Your contingency plans will depend on the:

  • type, style and size of your business
  • extent of the damage

6. Communicate the plan and train your staff

People in or connected to your business must be aware of the strategies you've put in place to mitigate or recover from a disaster situation.

To do this:

  • Decide if you'll communicate by phone, email, text or other means.
  • Create procedural statements.
  • Inform the relevant people (such as staff, suppliers, contractors and service providers).

Next, train your staff in your procedures and have them practise. This way, if a disaster occurs, the process can take over and guide the staff.

7. Monitor for new risks

Risks can pop up during day-to-day operations, so it's important to know how to identify potential risks before they escalate.

Continuously monitoring for risks will help you develop realistic and effective strategies for dealing with issues if they occur.


The Top 50 Business Risks And How To Manage them!

Risk is simply uncertainty of outcome whether positive or negative (PRINCE2, 2002, p. 239). Business risk is uncertainty around strategy, profits, compliance, environment, health and safety and so on. stakeholdermap.com


The Top 50 Business Risks

| Risk description | Actions that could be taken to manage the risk |
|---|---|
| 1. Assets - to buildings, assets e.g. fire, flooding | |
| 2. Bad debt | |
| 3. Bankruptcy of suppliers or clients | |
| 4. Brand fatigue | |
| 5. - poor or becoming less effective | |
| 6. Cashflow | |
| 7. Client attrition | |
| 8. Competition: aggressive | |
| 9. Competition: better intelligence | |
| 10. Competition: legal action | of legal action |
| 11. Compliance with regulations, laws etc | team |
| 12. Copyright theft - theft of your copyright or action against your business | |
| 13. Cost of components - increase or decrease | |
| 14. Customer satisfaction low | |
| 15. Data security | |
| 16. Difficult-to-sell product | materials, sales plays, provide additional sales training |
| 17. Environment - natural or business environment | to employees of extreme weather - ensure safe temperatures at work, access to water, home working in bad weather, support with travel, accommodation etc; to facilities, buildings, materials - insurance e.g. buildings and contents, invest in storm protection, fire prevention etc |
| 18. Espionage (commercial) | |
| 19. Exchange rates e.g. forex | and buy or sell currency in the spot market |
| 20. Failure of utilities e.g. water, electricity | |
| 21. Health and safety | and complete a |
| 22. Lack of office space | |
| 23. Lack of skills/expertise | |
| 24. Loss of key skills | |
| 25. Loss of political support | |
| 26. Machinery failure | |
| 27. Market acceptance | |
| 28. Market changes e.g. movements in stock prices, interest rates, commodity prices | |
| 29. Natural disaster | |
| 30. New markets - distract or provide opportunity | |
| 31. Operational risk e.g. risk to day-to-day | |
| 32. Patent theft/infringement - of your patents or competitor against your business | |
| 33. Poor management | |
| 34. Political instability e.g. coup, or political unrest | |
| 35. Profit - loss of profit or missing profit projections | |
| 36. Recession | |
| 37. Regulatory compliance - difficulty in compliance or failure to comply | |
| 38. Reputation - negatively impacted | |
| 39. Revenue forecast missed | |
| 40. Seasonal risk | |
| 41. Staff sickness/absence | |
| 42. Supply chain failure/delays | procedures |
| 43. Technology - advances provide opportunity or threaten existing products | |
| 44. Technology breakdown e.g. server outage | |
| 45. Theft - of product, information from shop floor | |
| 46. Time-to-market | |
| 47. Transportation delay or damage | |
| 48. Under-resourcing needed over peak periods | e.g. Amazon warehouse model from repetitive time-consuming work |
| 49. Unexpected demand - supply issues | |
| 50. War - military conflicts | |


4 Risk Assessment Matrix Templates with Examples


When you’re driving a car, avoiding accidents is as important as (arguably more important than) knowing where you’re going. The same holds true for project planning – risk management is a key factor in how successful your project will be.

This is where risk matrix templates come into play. A risk matrix is a visual tool that helps you prioritize risks based on their likelihood and potential impact. 

In this blog post, we’ll explore the ins and outs of using a risk matrix template, including:

  • What a risk assessment matrix is
  • Why you should use them
  • How to write a risk assessment matrix
  • Risk assessment matrix templates you can download
  • Managing risk with Visor


What is a risk assessment matrix?

A risk matrix is a tool that helps you visualize and prioritize risks based on their likelihood and potential impact. By plotting risks on a simple grid, you can quickly see which threats require immediate attention and which ones can be monitored over time.

These matrices show up a lot in project management, safety management, and other fields that demand risk assessment and mitigation planning. For instance, you can use it for:

  • Project management: A risk matrix lets you analyze the risks associated with timelines, budget, resources, and scope to ensure project success. It’s also a good way to prioritize high-risk areas on a project that may need extra attention.
  • Health and safety management: You can use it here to identify and mitigate potential hazards to workers as well as make sure your organization stays in compliance with regulations by identifying risks.
  • Information technology: In terms of cybersecurity, a risk matrix can help assess risks related to data breaches, hacking, and system failures. It can also be used to identify potential risks in deploying new software or hardware systems.
  • Financial management: When you’re investing, you can use the matrix to assess financial risks or look out for operational risks, like fraud, compliance breaches, or operational failures.

Those are just a portion of the ways these matrices can be used. They can be customized to fit a wide variety of use cases, so if you don’t see your particular industry above, that doesn’t mean the info below can’t still apply to you. 

Benefits of Using a Risk Assessment Matrix

There are multiple reasons the risk assessment matrix is so popular across multiple industries:

  • You can create a clear visualization of risk: A risk assessment matrix takes complex risk data and puts it into an easy-to-understand visual format.
  • It makes it easier to prioritize: The matrix helps focus attention and resources on the most significant risks.
  • It allows you to communicate risk clearly: You can foster discussions among stakeholders about the most critical risks, using the matrix as a jumping-off point.
  • You have an additional tool for decision making: In other words, it provides a structure for making risk management decisions.

How to Write a Risk Assessment Matrix

When you create a risk assessment matrix, you’re basically comparing two things: the likelihood something will happen and the impact that risk might have. By cross referencing them, you can determine how much energy you should put into mitigating that risk.

You can create a risk matrix of different sizes, but one of the most common is a 5×5 risk matrix, so let’s start there.

First you lay out the likelihood something will happen, with a list like the one below. Each likelihood has a point value, which we’ll explain in a little bit:

  • 5 – Very Likely: This risk is almost certain to happen.
  • 4 – Likely: There is a good likelihood this will occur.
  • 3 – Possible: There is a moderate possibility this risk could occur.
  • 2 – Unlikely: This probably won’t happen.
  • 1 – Very Unlikely: This is extremely unlikely to happen.

Next, let’s tackle the impact. This is how serious a problem you’d have if this risk actually happened.

  • 5 – Severe: This risk could have a catastrophic impact and be extremely difficult to recover from.
  • 4 – Significant: This risk could create major problems and take a long time to recover from.
  • 3 – Moderate: It may take some time to recover.
  • 2 – Minor: There will be little impact here and recovery will be quick.
  • 1 – Insignificant: This risk will have minimal impact (if any) and shouldn’t affect normal operations.

To determine the overall risk, you multiply the likelihood of a risk by its impact. For example, a Severe risk that’s considered Possible would be 5×3 for a risk score of 15. An Insignificant risk that’s Likely would be 1×4 for an overall risk score of 4. You can determine what you consider a high or low risk based on your organization’s preferences, but we’ve broken down our 5×5 matrix as follows:

  • 12–25 – High Risk: These risks are likely and can have a massive, even disastrous, impact on projects. Therefore, these are the elements that must be prioritized in project planning.
  • 5–11 – Medium Risk: If you can mitigate these risks during project planning, you can limit the effect they have. However, they’re not top priority if you’re putting out fires from the High Risk category.
  • 1–4 – Low Risk: You can address these risks if you have additional time and want to streamline processes. However, these risks are unlikely to impact project planning and can be safely deprioritized.
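The scoring and banding rules above are simple enough to implement directly, which is useful when a risk register lives in a tracker rather than a spreadsheet. The following is an added example written for this article, not Visor's own code: it builds the full 5×5 grid from the likelihood and impact scales, applies the 12–25 / 5–11 / 1–4 bands exactly as given, and prioritizes a small register of constructed IT risks (the register entries are invented for illustration).

```python
"""Risk matrix scoring: likelihood x impact on a 5x5 grid, banded as the
post describes (1-4 Low, 5-11 Medium, 12-25 High).

Added example for illustration; the risk register below is constructed,
not taken from any real project.
"""

from dataclasses import dataclass

# The two 1-5 scales from the post.
LIKELIHOOD = {5: "Very Likely", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Very Unlikely"}
IMPACT = {5: "Severe", 4: "Significant", 3: "Moderate", 2: "Minor", 1: "Insignificant"}

# (inclusive lower bound, inclusive upper bound, label); bands come from the post.
BANDS = ((12, 25, "High"), (5, 11, "Medium"), (1, 4, "Low"))


def risk_score(likelihood: int, impact: int) -> int:
    """Multiply likelihood by impact; both must be on the 1-5 scale."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a 1-25 score onto the post's High/Medium/Low bands."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside 1-25")


def build_matrix() -> dict:
    """Return {(likelihood, impact): band} for all 25 cells of the grid."""
    return {(l, i): risk_band(risk_score(l, i)) for l in LIKELIHOOD for i in IMPACT}


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def band(self) -> str:
        return risk_band(self.score)


def prioritize(register: list) -> list:
    """Highest score first; ties broken by impact so the worse outcome leads."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def render_matrix() -> str:
    """Text grid: likelihood as rows (5 at the top), impact as columns."""
    matrix = build_matrix()
    lines = ["L\\I  " + " ".join(f"{i:>6}" for i in range(1, 6))]
    for l in range(5, 0, -1):
        cells = [f"{risk_score(l, i):>2}:{matrix[(l, i)][0]:<3}" for i in range(1, 6)]
        lines.append(f"{l:>4} " + " ".join(cells))
    return "\n".join(lines)


# Constructed IT risk register, in the spirit of the post's "Information technology" bullet.
SAMPLE_REGISTER = [
    Risk("Data breach via unpatched internet-facing server", likelihood=3, impact=5),
    Risk("Outage of a single-region database", likelihood=4, impact=3),
    Risk("Phishing leads to one compromised user mailbox", likelihood=4, impact=2),
    Risk("Vendor raises licence price at renewal", likelihood=2, impact=1),
]

if __name__ == "__main__":
    print(render_matrix())
    print()
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score:>2} {r.band:<6} {r.name}")
```

Because the bands are data rather than hard-coded comparisons, an organization that wants to be stricter (say, treating 10 and 11 as High) only edits `BANDS`; the grid, the register scoring and the prioritization all follow from it.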

4 Downloadable Risk Assessment Matrix Templates (and When to Use Them)

We’ve put together a series of risk matrix templates, along with a couple of general risk assessment templates for listing and analyzing individual risks. They’re designed to be adapted to your particular organizational needs, so feel free to adjust them as needed. 

5×5 Risk Matrix Template

The 5×5 risk management template gives you room to dig into the degree of risk a situation presents, allowing you to score risk on a scale of 1-25. It’s a larger array than the 3×3 matrix, so you can add some nuance to your risk scores.

The template can be adjusted based on your organization’s needs. For instance, you could scale back the scores labeled as High Risk, or label some of the Low Risks as Medium, and so on. Use it together with the Risk Management Assessment Template below to analyze individual risks.

5x5 Risk Matrix Assessment Template

3×3 Risk Matrix Template

If you need a simplified risk management template, this 3×3 model may be the right choice for you. It works the same as the 5×5 model, though risk scores only run from 1-9. However, with a smaller grid, it may be easier to assess risk (if you don’t need granular detail). This can also be used with the Risk Management Assessment Template to review potential risks.

3x3 Risk Matrix Assessment Template

IT Risk Assessment Template

If you’re assessing risk for an IT project, the template below is designed for you. In addition to an attached risk matrix, you can also list out your risks, discuss how you’re handling them in control settings, review mitigation strategies, and review the effect those mitigation strategies have on the outcome.

This could be a good chart to include in project status reports or other reports that need to be shared with stakeholders.

IT Risk Assessment Template

Risk Management Assessment Template

If you want a simple way to review potential risks, check out the risk assessment list below. It gives you a straightforward way to detail the risks for your project, the areas that will be affected, and your recommendation. The risk matrix is attached, so you can review and adjust it as needed.

Use this chart when reviewing risks with stakeholders to offer a solid overview of potential pitfalls for your project and how you plan to address them.

Risk Assessment List Template

Managing Risk with Visor

One of the easiest ways to judge whether a project is at risk is by checking out a visual project plan, like a Gantt chart. Visor lets you make your project plan crystal clear for all stakeholders, no matter what software they’re using. 

A Gantt chart in Visor


Visualizations let you quickly see whether or not tasks are on target – for example, you can check to see if you’re meeting project Milestones on time. Then you can enter the risks as issues in either Visor or Jira and have the issue tracked in your Visor data. Unlike an Excel spreadsheet, Visor is always up to date, letting you adjust and adapt to changes in your project plans. 

Create Gantt charts, boards, or spreadsheets that are all connected to your Jira project management data, then share it with stakeholders on and off your team – no difficult-to-maintain systems required.  

Empower your Risk Management

Effectively managing risk is essential for the success and resilience of any project or organization. Risk matrix templates offer a straightforward yet powerful way to identify, assess, and prioritize risks, enabling you to take proactive measures to mitigate potential threats.

But if you want to avoid the fuss of a spreadsheet template, give Visor a try. You can track risks in real time and effortlessly connect stakeholders to all your Jira data. You can even create custom Views designed for different groups of stakeholders so that everyone has exactly the info they need to analyze and mitigate risks.

If this article was helpful, consider reading these related articles:

  • Conducting a More Effective Project Health Assessment
  • How to Use Agile Gantt Charts in Project Management
  • Stakeholder Alignment: How Project Managers Save Time with Visor


6 Critical Risks in a Business Plan

Business plan risks analysis, problem, challenging factors and mitigation strategies.

What is a major example of critical risk in a business plan? Every business is prone to facing certain business risks, which might appear very critical in the real world.

As a business person, you must be able to spend sufficient time in drafting your business plan so that it is capable of addressing the critical risks and assumptions that your business might face.

You should be able to envision and identify, in your business plan, the critical risks (in a restaurant business plan, for instance) that might pose a threat to the overall success of your business. When you do not pay enough attention to these risks, your readers – most importantly potential investors and bankers – may evaluate your business plan negatively.


Below are some critical business risks and contingencies in a business plan that you must ensure to properly handle before they pose a threat to the success of your business.

Conducting Business Plan Risk Assessment – Business Plan Risk Factors

• Risk of Overestimated Figures

The number one critical business risk that might land your business in trouble by drawing too much negative attention has to do with overestimated figures. We are talking about sales figures that seem too optimistic; salaries that appear too high or outrageous for a business of its age; and profitability. If you overestimate any of these three, they will inadvertently become a serious business risk.

For salaries, it will be wise for you to go for the minimum as a startup business, together with any additional incomes that come in the form of profits.

For sales and profits, it will be wise of you to always give figures that appear realistic, not figures that match your optimism. Your business’ profitability largely depends on your ability to meet sales projections and to operate within the confines of your costs.

• Risk of Indecisive Conversion Rates

Conversion rate (also hit rate) has to do with the percentage of people, out of the total number of people you approached, that purchased or patronized your product or services. Conversion rate could be best tested through test marketing or pre-selling.

When you test market, you offer your product for sale within a particular limited area, for a particular period of time. Usually, you would offer incentives to buyers to encourage them to help you outline the actual target customers for your business.

When you pre-sell, you introduce your products or services to prospective customers and may even accept orders for delivery.

Your goal is to know the conversion rate accurately, so that a reader can take your projected market size, apply the conversion rate, and deduce what the total sales estimate might be.

• Risk of Ignored Competition

Here is another critical business risk that many entrepreneurs fail to curtail. As an entrepreneur, you are the master and captain of your game. You are to take charge and seize your market. How do you do that? You are to know every competitor in the industry of your business. Yes, it is an obligation you can never overlook.

Many entrepreneurs feel they know their competitors very well when, in reality, they have no real clue as to who their major competitors are. You must ensure you have adequate knowledge of your immediate competitors, as well as substitutes and potential or latent competitors.

If you want to prove your long-term vision for your business, you must always keep abreast with the latest development regarding your competitors. You should even envision businesses that, in later years, might stand as competitors.

• Financial Risk

Most businesses today fold as a result of financial difficulties. Lack of adequate financial resources is a very critical business risk that can force a business to close.

In most cases the business simply runs out of money: customers take too long to pay up, unforeseen and miscellaneous expenses pile up, and accidents and costly financial mistakes occur. Each of these poses a very critical business risk and can lead to the eventual folding of the business if it does not have enough money saved for rainy days to handle such problems.

In your business plan, you should demonstrate that you have adequate financial strength to operate your business until break-even and even after that. Provide the amount of needed investments and loans you will obtain to start and even run the business successfully – even if you are sure your sales volume will generate as much needed money to run the business.

• Risk of Inadequate Payback

When drafting your business plan, it is pertinent to always think about what the readers of your business plan will be expecting. For most people, it is how you intend to pay back the loan or investment you obtained, or the line of credit you hope to obtain from external sources such as banks.

For bankers, they would analyze the business plan critically to understand how exactly you have made plans to settle up the loans or line of credit you want to obtain from the bank. Your cash flows and your collateral issues are highly significant.

In the case of investors, the growth rates and profit margins of the business are highly critical because these are the factors that will actually determine how much they would earn.

For key employees, analyzing the business plan helps them grasp the business’ operation; this in turn helps them envision their future with the business.

• Strategic Risk

Another critical business risk factor for your business plan is strategic risk. Sometimes even your best-laid business plan can very quickly come to look obsolete.

Strategic risk is the risk that your business strategy becomes too rigid and is no longer effective at propelling your business to its desired level, so that your business starts struggling to achieve its goals.

This business risk could be as a result of a very powerful new competitor in the industry; technological advancement; a shift in the demand of customers; or even a rise in the cost of raw materials or other market changes.

You should take out time to write your business plan such that whenever you face a strategic risk, you should be able to easily tweak your business strategy and adapt, and be able to come up with a viable solution.


Business Plan 101: Critical Risks and Problems


When starting a business, it is understood that there are risks and problems associated with development. The business plan should contain some assumptions about these factors. If your investors discover unstated negative factors associated with your company or its product, this can raise serious questions about the credibility of your company and put the monetary investment in question. If you are up front about identifying and discussing the risks that the company is undertaking, this demonstrates the experience and skill of the management team and increases the credibility you have with your investors. It is never a good idea to try to hide any information you have about risks and problems.

Identifying the problems and risks that must be dealt with during the development and growth of the company is expected in the business plan. These risks may include any risk related to the industry, risk related to the company, and risk related to its employees. The company should also take into consideration the market appeal of the company, the timing of the product or development, and how the financing of the initial operations is going to occur. Some things you may want to discuss in your plan include: how cutting costs can affect you, any unfavorable industry trends, sales projections that do not meet the target, costs exceeding estimates, and other potential risks and problems. The list should be tailored to your company and product. It is a good idea to include an idea of how you will react to these problems so your investors see that you have a plan.

Why Your Business Needs a Risk Management Plan

Understand the basics of risk management planning and discover how essential it is for your business to have one.


What is a Risk Management Plan?

A risk management plan is a systematic and structured plan to identify, analyze, assess, measure, and monitor risks and threats to an organization. It serves as an important tool for managing the risks that affect the running of an organization.

Simply put, a risk management plan is a comprehensive strategy that identifies and analyzes potential risks to a business or organization and devises solutions to minimize or avoid them, maximizing the probability of success or reaching organizational goals.

How Do You Plan for a Risk Management Plan?

Creating a risk management plan can seem daunting, but it’s important to have one in place to help protect your business from risks. Here are the basic steps you need to take to create a risk management plan:

Step 1: Develop a solid risk culture

An essential component of any successful risk management plan is the establishment of a strong risk culture. Risk culture is commonly understood as the shared values, beliefs, and attitudes toward the handling of risks throughout the organization.

It is the responsibility of senior management and the board of directors to create the company culture, set the tone from the top down, and communicate it throughout the organization.

Step 2: Engage key stakeholders

Stakeholders come from various functions inside and outside of your organization. They could be employees, customers, vendors, etc. In order to plan risk management properly, it is important to engage with them every step of the way, because stakeholders give you a detailed representation of all facets of your business along with the corresponding risks.

Step 3: Create appropriate risk management policies

A clear policy with delineated roles, responsibilities, and templates is essential for an effective risk management strategy. This will help you identify all risks that could potentially affect your business, evaluate the impact of those risks, and develop plans to mitigate them.

Step 4: Communicate

Communication is one of the most important aspects of risk management planning. It is critical for an effective risk management plan to have a good understanding of how communication works and how it can help you to manage risk.

Step 5: Implement transparent monitoring

By implementing transparent risk monitoring processes, you can be sure that all risk mitigation efforts are actually effective. A risk management plan is an ongoing, ever-changing process rather than a finished document. With these best practices, you should be able to create a strategy for your organization.

5 Steps in a Risk Management Process

To make an effective risk management plan, it is essential to know the process of risk management as it is a systematic process used by a company in managing risks.

  • Risk Identification – Risk Identification is the process of determining which risks could potentially affect the organization. It involves brainstorming, reviewing past events, and analyzing current trends.
  • Risk Analysis – Risk Analysis is the process of determining the probability that a particular risk will occur and the potential impact it could have on the organization. This step also involves prioritizing risks in order of importance.
  • Risk Control – Risk Control is the process of implementing measures to reduce or eliminate the risks identified in the previous two steps. This may involve changing processes or procedures, investing in new technology, or increasing insurance coverage.
  • Risk Financing – Risk Financing is the process of setting aside funds to cover the costs associated with a potential risk. This may involve purchasing insurance, establishing a reserve fund, or self-insuring.
  • Claims Management – Claims Management is the process of dealing with actual or potential claims arising from a risk event. This includes investigating claims, negotiating settlements, and paying out benefits.


How to Create a Risk Management Plan

Now that you understand the basics of a risk management plan, it’s time to talk about how to create one. This is important, as it will ensure that your plan is effective and can be used to identify and mitigate any risks that may occur.

There are a few key steps to writing a risk management plan:

  • Assess your risks – The first step is to list and assess all of the risks that your business may face. This includes anything from natural disasters to cyberattacks.
  • Mitigate your risks – Once you have identified the risks, you need to come up with ways to mitigate them. This could include developing contingency plans , increasing security measures, or purchasing insurance policies.
  • Review and update – It’s important to review and update your risk management plan regularly, as new risks may emerge and old risks may change.

By following these steps, you can create a risk management plan that will help protect your business from any potential dangers.

Create Your Risk Management Plan with SafetyCulture (formerly iAuditor)

Why Use SafetyCulture?

SafetyCulture can help you create a risk management plan specific to your organization. It features an audit tool that can be used to identify potential risks, as well as thousands of customized templates and forms to help you document and track your risk management activities.

SafetyCulture provides a mobile application to access and store your risk management plan, automatically generate reports after an inspection, and share those reports with the appropriate people. Having SafetyCulture as part of your digital risk management process creates data sets that better inform your decisions and encourage compliance within your organization.

Risk Management Plan Template

This free risk management plan template lets you identify the risks, record each risk’s impact on a project, and assess its likelihood, seriousness, and grade. It also lets you specify planned mitigation strategies and assign the corrective actions needed to responsible individuals, break down costs, and set the timeline of mitigation actions.

SafetyCulture Content Team

Project Risk Management: How To Do It Well & 5 Expert Tips

Jean Kang

Expert Evidence

Galen is a digital project manager with over 10 years of experience shaping and delivering human-centered digital transformation initiatives in government, healthcare, transit, and retail. He is a digital project management nerd, a cultivator of highly collaborative teams, and an impulsive sharer of knowledge. He's also the co-founder of The Digital Project Manager and host of The DPM Podcast.

Effective risk management is crucial for project managers. Explore practical steps, templates, and real-world examples that will help you navigate risk and lead your projects with confidence.


When starting a new project, the responsibility of risk management falls squarely on the project manager's shoulders. While it may sound counterintuitive, the most successful project managers are those who meticulously plan for the worst-case scenarios. Potential risks will arise, and it’s your job to devise a mitigation strategy in your project plan to ensure your team is well-prepared and set up for success.

In this article, we will explore practical steps, templates, real-world examples, and the project management software that can help you navigate risk management and lead your projects with confidence.

What Is Project Risk Management?

Project risk management is the systematic process of proactively identifying, analyzing, evaluating, and responding to potential risk events that could impact your project's objectives. Some common project risks include unrealistic deadlines, cost overruns, scope creep, and changes in stakeholder priorities.

Risk management is not about reacting to problems as they arise but identifying the risk probability and planning for them in advance.

Why Is Risk Management Important?

Not all risks are created equally. Here’s why it’s important to identify and address risks before they become issues. 

  • Foresight for informed decisions: Identifying roadblocks early can give you a clearer project view. This empowers informed decisions and mitigation strategies, boosting your success rate.
  • Prioritization for easier risk triage: Risk management goes beyond acknowledging problems. It equips you to prioritize threats based on likelihood and impact, ensuring you focus on what matters most.
  • Reduced costs and delays: Identifying issues early can minimize costly delays and budget overruns that often occur when scrambling to fix problems after they arise.
  • Enhanced stakeholder satisfaction: Delivering projects without hiccups builds trust with stakeholders. Risk management showcases your ability to anticipate and address challenges, leading to a strong reputation for getting things done. 

Types Of Risk On Projects

Proactive risk management isn't just about anticipating problems; it's about considering all possibilities to ensure a successful project. Here's a breakdown of common project risks and what to prioritize:

types of risk on project infographic

How To Manage Risk On Projects


1. Identify Risks

Identifying risks involves brainstorming all potential threats and opportunities that could impact your project. Gather your team and stakeholders for a workshop, and get the ideas flowing by considering:

  • What could go wrong? List anything that might delay, derail, or negatively affect your project.
  • What could go right? Consider unexpected positive developments that could benefit your project.
  • Review past projects. Think about challenges faced in similar endeavors and how they can inform your risk assessment.

Example : Let's say you're leading a website redesign project. Here's a sample risk identification list:

  • Risk: A key developer gets sick and falls behind schedule.
  • Risk: Unforeseen compatibility issues arise between new design elements and existing plugins.
  • Opportunity: Discover a new design tool that significantly improves workflow efficiency.

2. Analyze Risks

Once you've identified your risks, analyze their likelihood of occurring and the potential impact they could have on your project. A common technique is to use a risk matrix or risk management plan.

This is essentially a grid with a severity rating (high, medium, low) on one axis and a probability rating (very likely, likely, unlikely) on the other. Each risk is plotted on the matrix based on its likelihood and severity.

Example : Your website redesign risk matrix might show that developer illness is a "medium likelihood" but a "high severity" risk. Focus on mitigation strategies here to prevent significant impacts on the project timeline. Compatibility issues, on the other hand, might be "low likelihood" but "medium severity." While less likely to occur, a plan to address them would still be wise.

risk assessment matrix infographic

3. Prioritize Risks

Remember, not all risks are equal. Use the risk matrix from Step 2 to identify the risks that fall into the "high likelihood" and "high severity" categories. These are your top priorities and should be addressed first.

4. Assign An Owner To Each Risk

For each identified risk, designate the team member responsible for monitoring and developing mitigation strategies. This promotes accountability and ensures someone is actively watching out for each potential issue.

Choose team members with the skills and experience most relevant to their assigned risk. For instance, the most technically experienced team member might be best suited to monitor compatibility issues.

5. Mitigate Risks

There are several ways to mitigate risks, such as:

  • Avoidance: Can you completely eliminate the risk by changing your approach?
  • Reduction: Can you lessen the likelihood or impact of the risk?
  • Transfer: Can you shift the ownership or responsibility for the risk to someone else (e.g., insurance)?
  • Contingency planning: Develop a backup plan in case the risk occurs.

Example : To mitigate the risk of a key team member falling ill, a mitigation strategy could be to delegate some tasks or have a backup team member trained and ready to step in.

By creating mitigation plans, you're prepared to address potential challenges and minimize their impact on the project.

6. Monitor Risks

Risks don't stay static. Regularly review your risk register and update it as needed.

Schedule a series of project meetings to manage risks proactively. Ensure you’re aligned on the communication format and cadence for these meetings. Whatever you choose, always remember to be transparent so your team has full visibility.

Risk Management Plan Template

basic risk management plan infographic

In its most minimal form, a risk management plan could be a handful of pages describing:

  • How and when to assess risk
  • The roles and responsibilities for risk owners
  • At what point the project risk should trigger an escalation

This can also be done using a RAID log, which can help you track risks, assumptions, issues, and dependencies so that the project manager and team can stay aligned.

Get access to our action-ready RAID log template through DPM membership . You’ll also get a filled-in sample to see how it should look when complete.

RAID log infographic

Tools For Managing Risk

Imagine managing a complex project with dozens of potential risks. Tracking them all on paper or in spreadsheets is a nightmare.

Luckily, there are many simple to advanced tools to help you streamline tasks, improve communication, and provide a source of truth for risk management.

Getting in front of potential risks like technical bugs, scope creep, and unexpected delays will help you drive more successful projects.

Here’s a list of the best project management software for achieving this:

  • 1. Wrike — Best for large projects and scaling organizations
  • 2. monday.com — Best for workflow automation
  • 3. Celoxis — Best for Project Management with BI analytics and dashboards
  • 4. ClickUp — Best for task customization
  • 5. Jira — Best for cross-team project tracking
  • 6. Zoho Projects — Best for integration with Zoho Suite
  • 7. Visor — Best for spreadsheet-based management
  • 8. Quickbase — Best for process automation
  • 9. Hub Planner — Best for resource scheduling
  • 10. Bonsai Agency Software — Best for agencies & consulting firms


Find specific risk management software here.

Best Practices For Managing Risk

Here are some additional best practices and strategies to elevate your risk management game.

1. Foster a Culture of Open Communication

Create a risk-aware culture where open communication is encouraged. Schedule regular brainstorming sessions specifically dedicated to risk identification and mitigation. Frame these sessions as collaborative problem-solving exercises, not opportunities for finger-pointing. This fosters an environment where team members feel comfortable raising concerns and suggesting solutions.

2. Integrate Risk Management Throughout the Project Life Cycle

Risks can emerge at any stage. Regularly revisit your risk register and update it during project meetings. This ensures consistent monitoring and adaptation of mitigation strategies. Consider using a project management software with built-in risk management features to streamline this process.

3. Conduct a Pre-Mortem Analysis

Hold a pre-mortem analysis workshop early on. Ask "what if" questions to envision worst-case scenarios and identify potential failure points. Use these findings to inform your risk mitigation strategies.

4. Leverage Scenario Planning

Identify 2-3 potential future states (positive and negative) for your project. Brainstorm how you'd adapt your approach to succeed under each scenario. This helps you develop flexible strategies that can adapt to changing circumstances.

5. Celebrate Risk Management Successes

Publicly recognize team members who identified or mitigated critical risks. This reinforces the importance of risk management and motivates continued vigilance. Consider using a RAID Log to track identified risks, actions to address them, issues (changes), and decisions made.

Join For More Insights On Project Risk

We did a workshop on managing risk; it's only available to DPM members. If you're not a member, consider joining our active community of fellow project managers.

HACCP Principles & Plans


Are you an owner of a food business? The HACCP system should be implemented in your company because it is an essential part of your quality assurance program. It is the cornerstone of your company’s product safety system and is compatible with the overall quality assurance program. However, to put this system into action, you’ll need to gain system knowledge and understanding, as well as commitment, planning, and resources. As a result, we’ve included some valuable tips in this article to help you out. We also have some templates available for free download.

What Is The Importance Of a HACCP?

HACCP is significant because it prioritizes and monitors potential risks in the production of foodstuffs. With it, the industry can assure consumers that its products are as safe as good research and technology allow, by controlling the significant food hazards: microbiological, chemical, and physical contaminants.

How To Create a HACCP Plan?

Like the project structures and designs commonly used in other firms, implementing HACCP principles alongside a project plan requires a sequence of steps, backed by resources and provisions derived from research and testing: technical process development, critical control points, and other critical limits. Knowing in advance what you need to work on lets you run the business successfully. We recommend the following steps:

1. Make a policy and set goals.

Do you need to reduce customer complaints from the previous year? Do you wish to conduct pre-employment food safety induction training for new employees? Consider the goals and objectives established by your food business in producing and delivering safe and nutritious food to your customers.

2. Form a team and appoint a team coordinator.

A HACCP team coordinator should possess strong communication skills, relate to staff at all levels, and establish trust. While the team should include staff familiar with all aspects of the manufacturing process, it should also have specialists in specific fields such as microbiology or engineering.

3. Create a flow diagram with your team.

Create a list of the target food products, label each one, and include raw materials and ingredients. It would help if you created a flow diagram to depict the process. Create unique flow diagrams for each product that detail the critical control points and their associated types for specific hazards.

4. Perform a risk assessment and identify critical control points.

Examine the potential hazards that could arise during the manufacturing process. Please keep track of the hazard analysis and risk categories for the target products, their ingredients, and the dangers throughout the product food chain. After that, write down the necessary limit monitoring procedures and the monitoring frequency and the names of the people in charge of specific monitoring activities. Include deviation procedures for each, determining what action should be taken if monitoring indicates something is out of control.

What is the most crucial aspect of implementing HACCP?

A preventive control system for the safety of food products is the most important part of HACCP. End-product inspection alone cannot prevent hazards; the best way is to monitor the manufacturing process itself with HACCP.

What are the seven HACCP principles?

The seven HACCP principles are: hazard analysis, identification of critical control points (CCPs), establishing critical limits, monitoring procedures, corrective actions, verification procedures, and record-keeping and documentation.

What is the flow chart for HACCP?

A HACCP flow chart depicts the food operation’s process flow from raw materials to finished product. Typically, a HACCP flow chart is created by a group referred to as the HACCP Team or Food Safety Team.

Throughout your food business, proper application of the HACCP system is essential to control any area or point that could contribute to a harmful event, whether contaminants, pathogens, foreign objects, chemicals, raw materials, or a process step. Developing a systematic HACCP Plan helps improve the safety and quality of your food products. To begin, download the plan template in this article.


TechRepublic

How to Run a Cybersecurity Risk Assessment in 5 Steps


Though cybersecurity is on every executive’s checklist today, most struggle with growing compliance burdens, keeping the costs moderate and bringing team alignment.

A cybersecurity assessment is the key to combating the rising threat environment, and it’s prudent to secure systems before a breach cripples your business.

Read this guide, written by Avya Chaudhary for TechRepublic Premium, to learn how to perform a cybersecurity assessment within a five-point framework.

Featured text from the download:

STEP 4: DEVELOP A RISK ANALYSIS REGISTER

The risk analysis report is an important bridge between executives, developers and security teams. It translates complex technical jargon into actionable insights for informed security decisions. But the living document doesn’t just bring alignment between the middle and top tier of an organization — it can also be a financial lifesaver.

A well-defined risk analysis report could have prevented the Equifax data breach of 2017. The company reportedly failed to patch a critical vulnerability for months, exposing the data of 147 million customers. Creating and updating a risk analysis report regularly would have likely identified this vulnerability as “High Risk” and saved Equifax from the immense reputational damage and spending $425 million in the aftermath.


1 Introduction

Digitalisation is a structural trend affecting European banks. They are adapting to changing customer preferences, new technologies, a different competitive landscape – with new entrants in the financial markets – and changes in the value chain. Digitalisation is impacting banks’ front office and back office operations – as they are offering new digital products and services while automating internal processes. It is also affecting their risk profiles, including strategic and operational risks but also financial risks depending on the digital activities. ECB Banking Supervision is closely following developments such as digitalisation that are likely to affect euro area institutions and updating its methodological toolbox to assess related risks.

This is why ECB Banking Supervision included digitalisation in its priorities for 2022-24 and again for 2023-25 in order to address digitalisation challenges, related risks and management body’s steering and risk management capabilities. While supervised institutions should keep a strong focus on addressing structural challenges and risks stemming from the digitalisation of their banking services with a view to ensuring the resilience and sustainability of their business models, ECB Banking Supervision is assessing the related risks, how they are identified, monitored and mitigated.

Building on the market intelligence discussions with banks and key market players, and the survey on digitalisation involving all significant institutions under European banking supervision conducted in 2022, a broad set of supervisory activities was completed in 2023. These included targeted reviews on the steering of digitalisation covering 21 banks, 10 on-site inspections on digitalisation (5 in 2022 and 5 in 2023), and the assessment of digitalisation data collected through the short-term exercise (STE) and for the Supervisory Review and Evaluation Process (SREP).

These activities have further allowed ECB Banking Supervision to assess banks’ digitalisation activities and related risks. The starting point for such an assessment is the general framework outlined in the Capital Requirements Directive (CRD), as implemented in national law, together with the relevant European Banking Authority (EBA) guidelines – in particular, on the SREP, outsourcing and internal governance. Along with these, the ECB considered the publications of international and European standard-setting bodies on digitalisation and technology-related risks. Some consistently applied “sound practices” of SSM banks – approaches the ECB has observed to generally meet the assessment criteria – have also emerged. These are being published today at an early stage, in order to inform the supervisory dialogue on those aspects with the banks making a strategic decision to develop their digital footprint. As part of this supervisory dialogue, the ECB will discuss with institutions the ECB’s assessment criteria in terms of any possible divergences in institutions’ practices.

The assessment criteria and sound practices set out below are grouped together according to three themes: business model impact, governance and risk management. These criteria and practices may be further fine-tuned based on upcoming supervisory activities, including future targeted reviews, on-site inspections and deep dives.

Sound steering of digitalisation: key assessment criteria for institutions’ business models, governance and risk management

Institutions assessed as adequately steering digitalisation had taken the following steps:

  • understanding the impact of digital trends on the business environment in which institutions operate in the short, medium and long term, in order to be able to make informed commercial and strategic decisions;
  • based on an informed perspective, deciding on the need to formulate a clear and well-articulated digital strategy, and defining strategic objectives that are to be achieved by means of digitalisation and innovation;
  • having in place adequate financial and non-financial execution capabilities for a proper implementation of the digital strategy as defined;
  • developing a comprehensive framework of financial and non-financial key performance indicators (KPIs) for monitoring the implementation and execution of the digital strategy and for reassessing it in the event that targets are missed;
  • having a clear allocation of responsibilities related to digital topics in the management body, whether individual allocation to those with a management function/executives, and/or senior managers reporting to the executive management, or a dedicated centralised steering/coordination body, enabling adequate coordination of digital initiatives at group level;
  • setting up adequate processes covering all subsidiaries and business lines: defining the business areas ultimately responsible for reporting on digitalisation initiatives and setting up top-down steering and monitoring processes and proper bottom-up reporting processes;
  • having a management body with a supervisory function/non-executive role that constructively challenges the management body in its management function/executive level role and provides effective oversight of the digitalisation strategy and related risks;
  • assigning internal control functions a strong role in the digitalisation process, new product approval process (NPAP) and ongoing business operations, while ensuring their independence;
  • embedding digitalisation in the risk culture (e.g. tone from the top, incentives, risk accountability and a culture of challenge), both top-down and bottom-up, including the communication on strategy and risks, thereby creating awareness and fostering knowledge;
  • ensuring insight and monitoring of critical dependencies, interdependencies and third-party relationships, and not only of outsourcing, on an ongoing basis;
  • having in place a data governance process to support data-driven digitalisation activities;
  • carrying out a detailed impact review on traditional and non-traditional dimensions of risk during the process of digital strategy-setting and the NPAP as well as during the execution of the digital strategy;
  • assessing and updating all dimensions of the risk map, reviewing the suitability of existing risk models in view of digitalisation and adapting them as necessary;
  • reviewing the risk appetite framework (RAF), the risk management framework (RMF) and the key risk indicators (KRIs) defined ex ante and adapting them if needed in view of digitalisation initiatives.

2 Assessment criteria relating to business models and strategy

Articles 73 and 74(1) of the CRD, as further specified by the EBA Guidelines on internal governance, require institutions to implement internal governance arrangements, processes and mechanisms to ensure effective and prudent management of the institution. In this respect, it is important for institutions to identify, assess and monitor the current and forward-looking impact of digital trends on their business environment and to ensure that any digital strategy they pursue is properly coordinated, steered and monitored.

2.1 Business environment

Assessment criterion 1 : Does the institution understand the impact of digital trends on the business environment in which it operates, in the short, medium and long term, enabling it to make informed commercial and strategic decisions?

Assessment criterion 1.1

Does the institution identify, assess and document, in a comprehensive and systematic manner, the digital-related external factors impacting its business environment? These factors include the competitive landscape, policy and regulation, innovative technologies and customer preferences, also based on socio-demographic factors.

Moreover, does the institution perform a digital readiness assessment to understand its digital positioning? The digital readiness assessment entails gaining an understanding of internal factors, such as the availability of financial resources, human capital and skills, the complexity of legacy systems and the use of innovative technologies.

Assessment criterion 1.2

Does the institution understand how digitalisation affects its business environment in the short, medium and long term and does this awareness inform its business strategy process? The way that institutions strategically respond to changes in their business environment stemming from digitalisation may impact their business model over time.

Institutions therefore need to explicitly consider digital trends even if they may decide against pursuing a digital strategy. This would be reflected in institutions’ business strategy processes and demonstrated by documented management body meetings and discussions.

Box 1 Examples of observed sound practices: comprehensive business environmental analysis

The ECB identified a comprehensive strengths, opportunities, weaknesses and threats (SWOT) analysis as a sound practice. For instance, some institutions organised the SWOT analysis across the following pillars to inform their digital strategies:

  • clients’ behaviours, expectations (monitored for instance through specialised regular market benchmarks or continuous client feedback) and the demographic implications of the institution’s client base, which help tailor its offer to specific audiences;
  • competition insights (trends or market approaches in terms of offer and distribution) to allow a competitive analysis also covering non-banks (fintech, bigtech, e-commerce, retailers and utilities) and the evaluation of potential collaborations and partnerships;
  • regulatory requirements and their implications, to ensure due compliance, to force reprioritisation dynamics into the original roadmap and scan for opportunities for innovation;
  • operating model and support capabilities, to ensure that the current organisational set-up and those internal processes impacting the execution of digital strategy are effectively supporting digital development;
  • cybersecurity and data protection considerations, to ensure that the digital strategy safeguards customer data and a secure online environment, while adapting to evolving threat patterns and technological advancements;
  • technological developments and potential risks (the IT team, together with digital and business teams, monitors new technologies and performs sandbox testing of technologies considered relevant in terms of their potential applications in the short and medium term);
  • technological infrastructure and innovation capabilities, to ensure alignment with the business strategy objectives and digital implications in terms of innovation, resilience and long-term agility;
  • data and artificial intelligence (AI) capabilities, to spot opportunities for automating internal processes and improving customer services;
  • the maturity of the current digital capabilities, to spot gaps in digitalisation coverage and opportunities for major improvements in customer journeys;
  • digital talent acquisition and development, to enhance the institution’s ability to implement its digital strategy effectively and maintain a sustainable pace of transformation.

The ECB observed that a few institutions have a group strategy, technology and innovation department in charge of developing a trend book covering technologies, products, business models, client behaviours and competitors’ strategies. The trend book is reported to the Board of Directors and serves multiple purposes:

  • ensuring that the institution makes appropriate and timely investments in specific trends;
  • guiding subsidiaries in different geographical areas in setting priorities and defining strategies;
  • providing continuous evidence of the validity of the strategic assumptions and serving as an input for their regular update – there is also a methodology for clearly indicating those trends where greater effort is needed to safeguard profitability and the competitive position.

An additional sound practice observed by the ECB is an external market analysis accompanied by customer satisfaction measures, with dedicated input from the customer complaints team.

By analysing past patterns of complaints, this approach helped predict which changes could result in spikes in complaints. The input was considered before the development of new digital initiatives. For critical initiatives, a dedicated quality management expert from the complaints function assisted the development team. The quality management function was also often involved afterwards, reacting to unusual complaint clusters related to digital migration. For example, when new automated banking terminals were introduced in branches, a task force was created to address and avoid the potential increase in complaints and to improve customer experience.

This resulted in: a new design for the banking terminals, a plan for reviewing the implementation after one month, internal communication and the introduction of more terminals in high-stress branches.

2.2 Digital strategy formulation and definition

Assessment criterion 2: Does the institution – based on an informed perspective – take decisions on the need to formulate a clear and well-articulated digital strategy, defining strategic objectives that are to be achieved by means of digitalisation and innovation?

The ECB has a neutral stance on the format of the digital strategy: it can be embedded in the business strategy or the IT strategy, or it can be a standalone document.

Assessment criterion 2.1

Does the institution make a clear decision on whether to formulate a digital strategy? If so, does the digital strategy set out clear strategic objectives to be achieved through the application of digital technology solutions? Clarity on digital strategic initiatives implies understanding how the use of technology can support business initiatives, ultimately boosting the performance of the institution.

A well-articulated digital strategy identifies: the key digital initiatives and their alignment with the long-term business strategy; the key technologies underlying key digital initiatives; quantitative profitability targets for key digital initiatives or, if this is not possible, an understanding of the value they generate by enabling other strategic initiatives; and a granular definition of the strategy at all the relevant levels of the institution (such as geographical areas, business lines and sectors).

Box 2 Examples of observed sound practices: a clear and well-articulated digital strategy

The ECB observed some institutions that had a clear digital strategy embedded in their business plan. Digitalisation plays a key role in the business plan as enabler of strategic priorities.

For instance, one good practice was defining clear strategic priorities on “reinventing the customer experience” (personal banking in the digital age, with a focus on client groups that value expertise and relationships) and “building a future-proof bank” (rationalisation, digitalisation and automation further enhancing customer service, compliance and efficiency). This was underpinned by:

  • a new target operating model outlining how the approach would work internally, covering aspects of client experience such as: i) clients being serviced through a new three-layer model – first digital, then remote, then personal support; ii) reducing the number of products by a given percentage; iii) standardising a digitalisation cluster for customers, products and internal processes;
  • clearer structures and processes: i) organisational restructuring around customer segments; ii) adjustment of skill profiles for the digital age;
  • a resilient and efficient IT backbone: i) a simplified IT landscape; ii) cloud adoption for a certain percentage of the platform scope; iii) better data capabilities.

The ECB observed another good practice in this area: a well-articulated digital strategy based on a balance between the global vision of the executive leadership and the operational realities of the business units, tailoring the high-level priorities according to the bank’s specific activities, markets, clients and geographical coverage.

  • In support of each business line’s strategic plan, there is a central effort to drive different entities towards the definition, monitoring and alignment of the information system strategy, the group strategy and the technological priorities. This allows the monitoring of initiatives delivered in the IT, enterprise architecture, security, data, digital and financial fields.
  • Centrally, the institution is building up a digital net banking income metric to ensure alignment with the business strategy and associated financials. This helps evaluate the contribution of digital initiatives to the group’s value generation.

Another aspect of a well-articulated digital strategy is detail on the technologies underlying the main digital initiatives. In particular, digital initiatives are linked to the following technological areas of interest: next-generation technologies and the optimisation of legacy systems; the development of cloud platforms; and the use of AI for extreme automation. The engineering team is a key stakeholder in the definition of the strategic plan and is also in charge of defining the institution’s development of new architectures and innovative applications.

2.3 Execution capabilities

Assessment criterion 3: Does the institution have in place adequate financial and non-financial execution capabilities for the proper implementation of the digital strategy as defined?

Assessment criterion 3.1

Does the institution have in place a clear and robust budgeting process to support the implementation of the digital strategy and its initiatives? Clarity here implies a multi-year budgeting process, aligned with the digital strategy, assigning a level of resources commensurate with the ambition involved in the digital initiatives. Robustness requires a budgeting process specifying both the rationale for budget allocation (for instance expected pay-offs identified through cost-benefit analysis) and the mechanism for budget recalibration or adjustments, if needed.

Assessment criterion 3.2

Does the institution have in place a proper project management framework for steering the implementation of digital strategies? A proper project management framework would typically include an operational plan for executing digital initiatives, detailing timelines, milestones, roles, responsibilities and resources, and aligned with strategic objectives. The structure of such an operational plan makes it possible to gauge interdependencies across projects and to disentangle single digital initiatives, so as to facilitate their monitoring, reporting and follow-up at group level. The evaluation of digitalisation strategies should take into account the investments made.

Box 3 Examples of observed sound practices: execution capabilities

The ECB observed that cross-team collaboration and periodic reviews of the digital strategy help institutions to i) prioritise projects and ii) reconcile the strategic top-down view with the bottom-up and project level view. Sound project management practices include elements such as the following:

  • the top-level strategy is translated into business lines and teams collaborate to i) define a plan with the required budget, resources and expected deliverables, and ii) deliver on the plan, flagging adjustments or reprioritisations when needed;
  • potential impediments and concerns are raised with the next level in the hierarchy and the escalation continues until the issues are resolved;
  • frequent review processes track the progress on delivery and the achievement of the objectives up to the level of the Board of Directors;
  • the Board of Directors, in the context of the business plan, flags critical aspects of execution that should be prioritised; progress on the specific roadmaps concerned is reported directly to the Board of Directors, and addressing any related backlog is given the highest priority.

To provide an additional example, another sound practice observed was the steering of the execution of digital priorities at group level by means of a development agenda. This agenda was aimed at prioritising the allocation of human and economic resources. Resources were assigned to projects according to their impact and strategic alignment. Periodic reviews covered progress in general and on milestones, commitments and deliverables, as well as resources and budget required. There was a quarterly review of the strategic projects portfolio to decide on their prioritisation, monitor their planning and execution, and to challenge initiatives – with potential action points and reallocation of resources and required investments.

Another sound practice observed was the implementation of a new organisational model to drive the execution of digital initiatives: “digital labs”. This involves a network of miniature digital start-ups, each focused on a specific business domain (e.g. personal lending, investments, mortgages, cards or payments). Meanwhile the network retains centralised core competences (e.g. IT, digital business, design and user experience).

To gain speed and agility, each digital lab adopts agile practices and owns a portfolio of initiatives in its specific business domain. Lab initiatives are set out in lab-level operational plans that track deliverables, timelines and milestones (including user acceptance testing and product launching). Dependencies on the initiatives of other labs are also monitored. Each operational plan is accompanied by a summary of the strategic context that anchors the plan in the business strategy-related macro-initiatives and objectives.

Operational plans are dynamic as they can be continuously updated to reflect changes, such as the inclusion of new initiatives, shifts in prioritisation or delays. Adjustments are discussed in monthly lab steering meetings.

To optimise the execution of the digital lab initiatives, a few principles are followed:

  • initiatives are categorised according to timeline elasticity;
  • effort-cost of execution may exceed the original plan by a set maximum percentage – above this level there is a reassessment of the scope, timeline and capacity allocation for the project;
  • when a critical dependency occurs and there is no short-term solution, a decision may be taken to stop the project.

As the digital strategy is embedded in the business strategy, digital initiatives are integrated in the general annual budgeting process. However, the most strategic digital initiatives carried out in the labs are funded by budget pools, achieving agility by allowing for adjustment of allocation and prioritisation.

Finally, another sound practice observed was setting up “ideation labs” for innovation purposes. Such labs are put in place to come up with a long list of potential use cases for new technologies (e.g. AI), selecting the most viable ideas for development.

The development phase employed “user experience” (UX) labs with groups of customers to test each “minimum viable product” (MVP) and to incorporate feedback on features and functionality, iterating from MVP1 to MVP2 and so on until go-live. Such UX labs were also used to test even modest changes to mobile application functionalities.

2.4 Key performance indicator framework

Assessment criterion 4: Is the institution developing a comprehensive framework of financial and non-financial KPIs against which to monitor the implementation and execution of the digital strategy and reassess it if targets are missed?

Assessment criterion 4.1

Is the KPI framework sufficiently comprehensive to allow for the proper implementation of the digital strategy? Does the KPI framework ultimately reflect how the digital strategy is translated into measurable digitally-driven impacts (both financial and non-financial)?

An ideal set of KPIs is i) granular and multi-layered across all levels of the organisation involved in defining the digital strategy and implementing digital projects. The granularity helps reconcile the top-down strategic view with the bottom-up and project level dimensions. Moreover, an ideal framework includes ii) measurable and actionable KPIs, which are used for different levels of reporting, and iii) KPIs with clear ownership and responsibility, which are regularly monitored and reviewed.

Assessment criterion 4.2

Does the institution understand the reasons for missed KPI targets, and incorporate the lessons learnt from failed initiatives into the strategy update? In other words, if critical KPIs linked to the implementation of critical projects are missed, is the institution able to re-scope a project and feed lessons learnt into the reassessment of the strategy? A critical element is the existence of a feedback loop for incorporating those lessons learnt into new strategy development.

Box 4 Examples of observed sound practices: a comprehensive and well-structured KPI framework

In terms of adequacy of the KPI process, the ECB observed that some institutions make use of a solid firm-wide KPI framework that can be easily extended to steer the implementation of the digital strategy and projects. The following are examples demonstrating the adequacy of the KPI process framework.

  • Measurement: digital KPIs have a specific measurement methodology documented in a glossary.
  • Monitoring: digital KPIs are tracked through an automated system and dashboards. Whenever possible, there is an attempt to include real-time KPIs to be immediately analysed by a dedicated digital team.
  • Reporting: digital KPIs are reviewed by all the relevant reporting lines. Reports are structured to provide insights into each KPI, highlighting trends, achievements and areas where deviations from the plan occurred.
  • Performance assessment and follow-up: as KPIs track progress on strategic objectives, significant deviations from targets trigger a detailed analysis of underlying factors behind delays/missed targets.
  • Decision-making: if critical KPIs are not being reached (e.g. there is a decline in the pace of growth in digital clients), more resources are allocated to the associated project and the operational plans are revised accordingly.
  • Granularity: top-layer digital KPIs are defined at business strategy level and are presented to executive management on a quarterly basis; middle-layer KPIs are reported monthly to dedicated committees and cover business dimensions (such as adoption, engagement, sales and change management); operational KPIs for the relevant business lines are available on the dynamic dashboard and include real-time and next-day metrics to support project execution.
  • Communication: KPIs are used not only to report progress to executive committees and the Board of Directors, but also for investors and public disclosure.

Regarding the comprehensiveness of the financial and non-financial KPIs framework, the ECB has observed different approaches.

  • Many institutions have in place non-financial KPIs related to customer satisfaction and engagement, the use of digital channels and volumes of digital transactions.
  • Some banks have developed a more advanced set of KPIs to monitor the digital strategy. For instance, one institution is implementing a comprehensive end-to-end digitalisation strategy across the most important customer journeys by mobilising the relevant teams, tracking progress, and creating incentives to advance these initiatives throughout the organisation. To this aim the institution has developed, among other things, a group-level “digital index” (target-setting and progress tracking tool), as a summary of digital indices from different geographical areas. The digital index measures the success of digital journeys per segment (e.g. daily banking, lending, or savings) and it is therefore composed of several underlying metrics. Full-time equivalents (FTEs) are allocated and tracked at geographical level, and linked to the digital index.

The ECB also observed a few institutions starting to develop financial KPIs to monitor the profitability impact of their digital strategies and initiatives.

  • For instance, one financial KPI is the concept of a digital dividend (both backward- and forward-looking). This was structured as follows: first, all digital sales (realised or as targeted in the financial plan) per product line are aggregated, giving the sum of all revenues generated by products sold digitally. Then, on the cost side, the maintenance and investment costs (based on invoices or estimates) for each digital project are taken into account.
  • In another example, the development of financial KPIs was a tool to ensure alignment between digital initiatives and the financial objectives outlined in the business strategy. To this aim, the institution built: i) a digital net banking income tracker (see also Box 2) to isolate the digital component (e.g. digital sales and income from digital channels) of the overall banking income; and ii) a data/AI value, which measures the expected economic contribution from the use cases for data/AI.

3 Assessment criteria relating to governance

Articles 73 and 74(1) of the CRD, as further specified by the EBA Guidelines on internal governance, require institutions to implement internal governance arrangements, processes and mechanisms to ensure effective and prudent management of the institution.

In accordance with Article 88(1)(a) of the CRD and as specified by the EBA Guidelines on internal governance, the management body must have ultimate and overall responsibility for the institution and defines, oversees and is accountable for the implementation of the governance arrangements within the institution that ensure effective and prudent management of the institution. Furthermore, the management body should fully know and understand the legal, organisational and operational structure of the institution (“know your structure”) and ensure that it is in line with its approved business and risk strategy and risk appetite and covered by its RMF. This therefore also includes the digitalisation strategy and digital initiatives.

According to Article 91(1) of the CRD, members of the management body shall at all times be of sufficiently good repute and possess sufficient knowledge, skills and experience to perform their duties. The overall composition of the management body shall reflect an adequately broad range of experiences. The management body shall therefore possess adequate collective knowledge, skills and experience to be able to understand the institution’s activities, including the main risks. This therefore also includes the necessary digital knowledge and skills to understand the risks related to digital activities.

The role of non-executive members of the management body within an institution must be carried out in accordance with Article 88(1) of the CRD in conjunction with Article 91(8) of the CRD and in line with recital 57 of the CRD and the EBA Guidelines on internal governance. Accordingly, their role should include constructively challenging the strategy of the institution and thereby contributing to its development; scrutinising the performance of management in achieving agreed objectives; satisfying themselves that financial information is accurate and that financial controls and systems of risk management are robust and defensible; scrutinising the design and implementation of the institution’s remuneration policy; and providing objective views on resources, appointments and standards of conduct. This therefore requires them to challenge management on the digitalisation strategy and to ensure that the relevant risks are covered.

With regard to third-party dependencies, the EBA Guidelines on outsourcing could provide a main reference point. Finally, the requirements under the EU’s Digital Operational Resilience Act (DORA), specifically as regards the oversight of critical information and communications technology (ICT) third-party service providers, may apply. Articles 28 to 30 indicate the need for proper oversight and an overview of contracts with critical ICT third-party service providers, information on how the institution addresses potential weaknesses and disruptions, and concentration risk assessment. These articles also state that institutions remain ultimately responsible for compliance with the regulatory requirements stemming from financial legislation.

3.1 Coordination and steering of digital initiatives

Assessment criterion 5: Does the institution have a clear allocation of responsibilities related to digital topics in the management body, whether individual allocation to those within its management function/executives, and/or senior managers reporting to the executive management, or a dedicated centralised steering/coordination body, so as to adequately coordinate digital initiatives at group level?

The central coordination and steering could be assigned to the management body in its management function/executives or delegated to senior managers who directly report to the management body/executives.

Assessment criterion 5.1

Does the institution have central coordination and steering of digital initiatives in the form of a central coordination body, proportionate to the institution’s complexity and scope? This can also entail fully embedding digitalisation in the steering of the organisation. A central coordination body assists the whole management body in its management function with the implementation of the digital strategy, by ensuring that the Board of Directors has the right information to develop and monitor the overall digital strategy.

Assessment criterion 5.2

Does the central steering include, as a minimum, a clear and focused approach to the following aspects:

  • alignment of digitalisation projects across the organisation, including the subsidiaries;
  • strategic alignment, with a focus on aligning business and IT strategies;
  • staff and resource management, to ensure sufficient expertise for the roll-out and execution of the strategy;
  • sound reporting to the management body in its management function/at executive level on the digitalisation strategy and related projects and progress made?

Box 5 Examples of observed sound practices: dedicated units responsible for the digitalisation strategy

The ECB observed institutions with a dedicated team or department responsible for coordinating and steering as well as executing the digitalisation strategy and digital projects. The team or department was either within the management body or directly reporting to the management body, with clear responsibilities set also at the executive level. The coordinating unit was responsible for the roll-out of the strategy at group level and ensuring consistency between the group entities and business lines. This was facilitated by clear ownership of the digitalisation activities at all levels of the organisation in order to foster the coordination of digital activities at group level both bottom-up and top-down. This was further supported by adequate governance at the level of the regional groups and for the various business lines, in order to further roll out the strategy.

More specifically, the ECB observed those units as having responsibility for the following:

  • Strategic alignment, with a focus on aligning business and IT strategies and/or the digital strategy specifically, in order to make sure that digitalisation aspects are consistently addressed.
  • Alignment of the digitalisation projects across the organisation, including the subsidiaries, by discussing projects undertaken, their main objectives and benefits, and how synergies between various projects could be achieved. This also helps prioritise projects and equip central expertise centres with mandates to define and roll out digital projects throughout the organisation in a consistent manner.
  • Identification and management of interdependencies by means of detailed roadmaps, e.g. when some projects are enablers of others and certain milestones need to be achieved in order to allow a dependent project to move on to the next task/milestone.
  • Staff and resource management, to ensure sufficient expertise for the roll-out of the strategy in line with the prioritisation. In this context central expertise centres can also help address any shortage of staff, although it needs to be ensured that the specific needs of local/regional subsidiaries are also sufficiently addressed, and that there is relevant expertise at regional/business line level.
  • Workforce planning, recognising different needs at different phases of the roll-out to feed the information into hiring (including external developers), training and reskilling plans.
  • Sound reporting to the management body in its management function/at executive level on the projects undertaken, their progress and any potential risks that may need to be addressed (e.g. in terms of execution).

The ECB also observed some institutions where digitalisation was completely embedded in the overall strategy and organisation, with attention to digitalisation coordination, steering and reporting in all relevant areas and aspects.

3.2 Monitoring and reporting

Assessment criterion 6: Does the institution set up adequate monitoring processes (top-down), and define the business areas ultimately responsible for reporting on digitalisation initiatives, as well as establishing a proper reporting process (bottom-up), covering all subsidiaries and business lines?

The central coordination body is responsible for the monitoring and needs to define relevant business lines to report on the progress made.

Assessment criterion 6.1

Does the institution have in place adequate monitoring processes related to its digital strategy and, accordingly, an adequate process for reporting to the management body in its management function/at executive level with regard to digital topics? This involves defining the business area(s) ultimately responsible for the reporting. Such reporting encompasses the main findings, issues for discussion and the central body’s advice to the management body in its management function/at executive level.

If the institution has in place a suitable structured process, it will be able to adequately monitor the roll-out and execution of the digitalisation strategy and take actions and escalation measures in case KPIs are not met.

Assessment criterion 6.2

Does the institution effectively monitor the digitalisation strategy? The institution:

  • devotes sufficient time to digital topics during meetings of the management body (for both the management and the supervisory function), allowing discussion on the strategy, progress of various projects and related risks;
  • has in place adequate top-down and bottom-up monitoring processes related to its digital strategy, also sufficiently covering its subsidiaries and various business lines;
  • has set up an adequate reporting process indicating progress and relevant challenges and risks that need to be discussed, with a clear escalation process.

Box 6 Examples of observed sound practices: digital transformation initiatives translated into operational plans

The ECB observed institutions with digital transformation initiatives translated into operational plans including timelines, milestones, and associated information such as objectives, roles and responsibilities. These plans were further consolidated into the overall operational plan for digitalisation in order to enhance monitoring of digital progress. Subsequent waves of innovation trigger updates on the structure for decision-making and challenging, KPIs and reporting lines.

Some institutions impose regular monitoring meetings to discuss operational plans for digital initiatives, KPIs, adjustments or delays. In particular, challenges and risks related to digitalisation are reported to the management body on a regular basis, e.g. monthly. Sometimes, a second line view on the projects and their assessment was presented as part of the risk map. The coordination/steering body can take decisions based on the monitoring information on the steering, alignment and prioritisation of the digital initiatives.

More specifically, the ECB observed institutions that ensure the following:

  • Sufficient time is devoted to digital topics during meetings of its management body in its management/executive function to allow discussion on the strategy and related risks, by having a specific time slot reserved, e.g. once a month, at which various project owners are present.
  • The allocation of adequate human, financial and technical resources is discussed in relation to the strategic objectives, based on the progress monitoring reports.
  • The institution has in place adequate processes for the implementation of top-down steering as well as bottom-up monitoring related to its digital strategy, taking project risks into consideration. Some banks, for example, hold monthly meetings, with the frequency increased according to the status of individual projects (red, amber or green).

3.3 The management body in its supervisory function/non-executives’ capacity to challenge

Assessment criterion 7: Does the institution have a management body with a supervisory function/at non-executive level that constructively challenges the management body in its management function/at executive level and that provides effective oversight for the digitalisation strategy and related risks?

The management body in its supervisory function/at non-executive level (management board supervisory function; MBSF) also oversees and challenges the digitalisation initiatives.

Assessment criterion 7.1

Does the institution have an MBSF which constructively challenges the management body in its management function/executives (management board management function; MBMF) and provides effective oversight of the MBMF, also in the context of digital topics and their related risks? The MBSF should proactively discuss and bring to the agenda digitalisation-related topics.

Box 7 Examples of observed sound practices: the MBSF has a clear role in challenging the MBMF

The ECB observed institutions where the MBSF selected the topics to be discussed with the MBMF/executives in order to assess the digitalisation strategy, request updates on the progress of the main digital projects as well as review new product approval procedures. This could also involve reviewing the evolution of the training of MBMF/executives on digital transformation.

In addition to the agenda put forward by the MBSF, some banks also organise a dedicated Q&A session between the MBSF and MBMF on digitalisation, for example on a bi-monthly basis.

The ECB also observed that most banks have a specific digital committee at MBSF level.

3.4 Internal control functions’ involvement in decision-making on digitalisation

Assessment criterion 8: Does the institution provide internal control functions with a strong role in the digitalisation strategy process, the NPAP and ongoing business operations, while ensuring their independence?

It is a sound practice for Internal Control Functions (ICFs) to be involved in approving the digitalisation strategy, new products or significant changes to existing products, processes and systems as well as ongoing risk assessments, in order to also include the impact of digitalisation-related risks.

Assessment criterion 8.1

Does the institution ensure that ICFs have a strong role in the strategy process and new product approval/review processes, as well as ongoing business operations, in order to take into account risk dimensions in digitalisation-related decision-making, while fully respecting the independence of the ICFs?

In particular, it is sound practice for the compliance function and risk management function to be involved in approving the digitalisation strategy, new products or significant changes to existing products, processes and systems, according to their respective mandates.

Assessment criterion 8.2

Does the institution carry out a full and objective assessment of the risks arising from new activities under a variety of scenarios, and of the ability of the institution to manage and control any new risks effectively?

ICFs need direct access to the management body (both its management and its supervisory function) and/or a direct reporting line to it. The management body needs to be kept properly informed by the ICFs and to receive reports on any major deficiencies and risks identified in relation to digitalisation, together with recommendations and the corrective measures to be taken.

Box 8 Examples of observed sound practices: involvement of the ICFs in the digitalisation strategy

The ECB observed institutions where the risk dimension is an integral part of the digitalisation strategy-setting and of any decision to change the strategy, the new product approval procedures for digital products or services and the monitoring of digital activities. This includes the ICFs already having a strong role in the digital strategy-setting phase, sometimes with a veto or decision-making power. For some institutions, more specifically, the chief risk officer (CRO) is part of the strategy-setting phase and ICFs are involved in all phases of the design and roll-out of the digitalisation strategy.

At a few banks, a dedicated risk workstream complemented business line and operational workstreams in the strategy-setting process and conducted a holistic risk assessment of the digital strategy towards the end of the process. The compliance function supported this by identifying specific regulatory issues which could – and eventually did – cause delays.

The ECB has also observed banks which specifically mention digitalisation topics in their reporting to the MBSF from the ICFs, or in special digitalisation risk reports that are submitted to the decision-making bodies at a pre-defined frequency. Here the information is shared both bottom-up and also top-down, as the management body subsequently reports back to the ICFs on the decisions taken.

3.5 Digitalisation risk culture

Assessment criterion 9: Does the institution embed digitalisation in its risk culture (e.g. tone from the top, incentives, risk accountability, culture of challenge) both top-down and bottom-up, including the communication on strategy and risks, creating awareness and fostering knowledge?

Assessment criterion 9.1

Does the institution’s management body foster a risk culture which also includes technological advancements within the organisation? The following are indicators of fostering an appropriate risk culture.

  • The institution ensures regular communication and proper coordination between all staff involved in delivering the digital transformation strategy, including project managers, ICFs, business analysts, support functions and the business areas affected, in order to discuss and obtain feedback on issues important to its successful execution.
  • It ensures that a culture of effective communication and challenge exists at all levels, especially within the management body, its committees, ICFs and business lines, and with respect to all types of risks. It ensures accountability for risks including digital ones in relation to monitoring, managing and mitigating those risks. This encourages collaboration, communication and the opportunity for staff to challenge the digital transformation initiatives. This in turn ensures consistency and the existence of safeguards, as well as prudent risk-taking, without impacting the independence of the ICFs.

To achieve this, institutions ensure full alignment of behaviours within the different units of the organisation – clear and open communication on decision-making processes as well as a “culture of challenge” are of utmost importance.

Assessment criterion 9.2

Does the institution make sure that the financial and non-financial incentives of people working on digitalisation also take into account the implications of digitalisation developments on the internal controls of the bank?

Box 9 Examples of observed sound practices: dedicated programmes to promote digital risk culture

The ECB observed institutions with specific teams or innovation labs to test and roll out digital projects or ideas. This could also foster the use of innovative technologies by employees. Examples are the testing and use of, for example, a chatbot for internal use or a specific AI application for administrative purposes. This helps employees engage with innovative technologies and better understand the capabilities and potential risks also from first-hand experience.

Some institutions have dedicated programmes designed to nurture internal innovation. Through these programmes, every employee has the opportunity to showcase their innovative ideas and solutions. Examples are challenges and contests where employees can present their initiatives, which create a culture of innovation and engagement and also raise awareness of risks. Another example is hackathons, which offer employees a dedicated period to dive deeper into problem-solving on a specific opportunity, e.g. a new customer experience or back-end optimisation. Typically, the winning ideas get a chance to be implemented in innovation labs or development hubs. The experience with innovative technologies is also intended to enhance awareness of risks related to data input and output, bias, etc.

Cross-cutting governance committees chaired by the chief executive officer (CEO) and with members from various levels and business units also foster innovation throughout the organisation. This was seen specifically in some cases where the institution involved staff from all layers of the organisation in further spreading the innovation agenda and rolling out innovations in their business areas. This also prevents a silo approach and ensures accountability.

3.6 Assessment of critical dependencies

Assessment criterion 10: Does the institution ensure insight into and monitoring of critical dependencies, interdependencies and third-party relationships, and not only of outsourcing, on an ongoing basis?

Assessment criterion 10.1

Does the institution ensure the monitoring of critical dependencies, interdependencies and third-party relationships on an ongoing basis? This would encompass the following activities:

  • The institution has a policy in place for identifying critical dependencies on procedures, software and third-party risk management (and not only for outsourcing).
  • It ensures that the internal audit function has access to third-party agreements, and that access and cooperation arrangements between the internal audit function and the third party are part of the sourcing strategy.
  • The institution is aware of the ownership of the key innovative technology developed within the third-party relationship.
  • It assesses the interconnections between different providers and the impact on the value chain.
  • It defines a risk tolerance scope for risks related to third parties.
  • In its first analysis of the relationship, the institution considers the grey area where third-party relationships do not necessarily constitute outsourcing based on the EBA Guidelines, but are nonetheless critical dependencies, including critical ICT service providers as defined by DORA. Even if not classified as outsourcing, these relationships are adequately assessed in terms of dependencies and interdependencies. They are also managed and monitored to enable dependency quantification and to identify concentration at institution level as well as across the supply chain, taking into account the DORA requirements.
  • The institution assesses the need for a realistic and feasible exit plan.

Box 10 Examples of observed sound practices: high-level sourcing strategy and adequate controls

The ECB observed institutions with a high-level sourcing strategy for all the material technology applications and projects. In addition, some institutions have a detailed overview with a mapping of all third-party service providers. For a few banks these providers have also already been assessed and ranked based on their criticality and importance, for example based on relevance for front and back office operations or customer relations.

Some banks have in place adequate controls and appropriate oversight measures to ensure that the processes outsourced or otherwise handled by third-party providers are aligned with the risk profile of the bank and its self-assessment of the risk level. The ECB also observed other sound practices for fostering adequate control in this area, such as:

  • performing the risk assessment before entering into any new relationship and reviewing it at pre-determined intervals;
  • formalising a strategy approved by the management body that describes in detail the scope of the use of external partners, also beyond the scope of outsourcing;
  • conducting a regular follow-up on dependencies on key providers also including interdependencies between suppliers.

Finally, the ECB observed some banks assessing the impact on the risk profile and keeping track of the impact on compliance aspects.

4 Assessment criteria relating to risk management

Article 74(1) of the CRD requires institutions to have robust governance arrangements in place. These include: a clear organisational structure with well-defined, transparent and consistent lines of responsibility; effective processes to identify, manage, monitor and report the risks they are or might be exposed to; adequate internal control mechanisms, including sound administration and accounting procedures; and remuneration policies and practices that are consistent with and promote sound and effective risk management. This requirement therefore also includes digitalisation-related risks, and an assessment of how digitalisation is impacting the risk profile.

Article 76(1) of the CRD provides that the management body is to approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the institution is or might be exposed to, among other things. Such policies and processes in respect of digitalisation activities and related risks, also including all relevant financial and non-financial risks, are to cover the identification, management, monitoring and mitigation of those risks.

4.1 Risk identification

Assessment criterion 11: Does the institution run a detailed impact review of traditional and non-traditional risk dimensions during the digital strategy-setting process and the NPAP as well as during the execution of its digital strategy?

Assessment criterion 11.1

Does the institution run a detailed impact review of all financial and non-financial risk dimensions during the digitalisation strategy-setting and execution process (including credit, liquidity, market and operational risks, anti-money laundering (AML)/fraud governance, reputational impact and capital impact) covering risks arising from digitalisation? This is a comprehensive process not restricted to IT/cyber risk and operational risks.

A similar assessment should be performed as part of the NPAP and when there are amendments to the digitalisation strategy.

Box 11 Examples of observed sound practices: identification processes of risks related to digitalisation

The ECB has observed banks running an assessment of all financial and non-financial risks such as credit, market, operational and reputational risks as well as capital and liquidity impact, with a detailed overview of how these could be affected by digitalisation.

The ECB observed banks with specific processes – in line with the general procedures above – to identify and assess new risks (i.e. risks that the bank does not already consider) arising from digitalisation and the implementation of innovative technologies: AI, cloud computing, distributed ledger technologies (DLT) and application programming interfaces (APIs). The ECB has observed some detailed risk maps and overviews indicating, for each risk area, how it could be affected by the digital strategy. The same is done for the launch of new digital products and services.

One bank’s multi-year financial planning considered an idiosyncratic adverse scenario in which the risks of its digital transformation strategy “going wrong” were identified: (i) employees (high levels of uncertainty may lead to human resource risks and attrition); (ii) postponement of IT architecture modernisation and implementation of new digital features (leading to higher costs); (iii) consequent operational instability, combined with pricing measures and dissatisfaction with the new support model, might lead to loss of reputation, earnings and customers. The total impact of this adverse scenario was presented for each stage of the plan, also drilling down to identify which business lines would be most affected.

Some banks also closely involve the second and third lines of defence in order to cover all risks related to digitalisation. The ECB has observed a sound practice whereby the NPAP covering new digital services requires a specific opinion and authorisation from the AML function.

4.2 Data governance framework

Assessment criterion 12: Does the institution have in place a data governance process to support data-driven digitalisation initiatives?

This includes a review of the availability of data relevant for digitalisation and for supporting such activities.

Assessment criterion 12.1

Are the sound data governance practices as set out in Chapter 3.2 of the ECB Guide on effective risk data aggregation and risk reporting applied for data-driven digital activities, as well as data generated by digital means? Are they applied based on criteria identified by the bank, taking into consideration its digitalisation strategy and the nature, scale, complexity and risk profile of its operations? More specifically, do institutions have in place a data governance framework to support data-driven digitalisation activities with clearly defined roles and responsibilities? This data governance framework defines, among other things, the responsibilities of data owners, and the policies and processes for data lineage and independent validation to ensure availability and quality of the data within the data governance framework as defined by the bank. In this regard the bank reviews the availability of data to measure digitalisation and related risks, and to be able to produce timely and accurate reporting to the Board of Directors, also independently of the relevant business area, which is the first line of defence.

Assessment criterion 12.2

Are the digitalisation plans aligned with the bank’s ability to maintain, capture, and exploit data both resulting from digital activities and benefiting them? Do its digitalisation strategies consider the impact on risk aggregation capabilities, also in light of already existing risk data and reporting (RDAR) weaknesses?

Box 12 Examples of observed sound practices: data governance framework in line with digitalisation initiatives

The ECB observed banks increasingly updating their data governance frameworks to foster data-driven decisions also with respect to digitalisation initiatives. In particular some banks have:

  • a data governance framework that includes all the entity’s relevant data, regardless of their origin, including digital-driven data or data relevant for digital initiatives;
  • a unified governance structure and single data lake containing all of the bank’s data with appropriate data quality controls, in turn facilitating all reporting, modelling and a full customer 360 degree view for analytics-driven sales;
  • an extensive data management framework also covering “new” risk dimensions/risk maps;
  • automated data quality checks for the detection, correction and removal of data inaccuracies/inconsistencies;
  • a dedicated data quality KRI dashboard reported to and actively discussed in the management body with appropriate follow-up;
  • root cause and impact analysis of data quality issues to drive improvements within defined timelines;
  • specific attention to the identification and reporting of risks coming from innovative technologies (e.g. AI or APIs);
  • special attention for change projects, including digital ones, and their impact on risk data aggregation capabilities;
  • checks against record requirements for any new application, any change in application, any application migrating to the cloud and any new central data sharing, with cataloguing of data class and data flows.

Furthermore, the ECB observed one example where the data office was part of the digital office in order to ensure synergies.

4.3 Risk modelling

Assessment criterion 13: Does the institution assess and update the risk map and relevant risk metrics in all risk dimensions, and review and adapt the suitability of existing risk models in view of digitalisation?

Assessment criterion 13.1

Does the institution assess and update the risk map and relevant risk metrics to reflect changes in all potentially relevant risk dimensions (for example business model, liquidity, credit risk, operational risk, market risk, IRRBB, governance, AML/fraud)? Does the institution review and potentially adapt the suitability of existing risk models – including interest rate risk in the banking book (IRRBB), early warning systems (EWS), stress tests and scoring models – related to changed customer behaviours or shifts in business processes in response to digitalisation and the use of innovative technologies?

Box 13 Examples of observed sound practices: risk mapping and modelling for new technologies

The ECB observed sound practices such as a new risk map of risk metrics related to digitalisation. These maps evolve in order to incorporate new challenges and initiatives but also new risk assessment conclusions. Specific metrics could be defined for example for AI or third-party reliance. These maps include a definition of qualitative risk tolerance and the identification of suitable metrics, in order to mitigate risks related to technology innovation and use of new technologies.

One example is the development of new credit risk models across the credit risk lifecycle. This takes into account digital channels using credit risk models with specific customer and digital sales information for digital channels and business/subsidiaries. These could be fed with specific data sources from digital channels. Also, digital parameters (e.g. digital as opposed to physical branches) as a risk driver for capital calculations are explored.

Further metrics observed are related to IT and digital transformation risk, digital assets and to monitor specific risks e.g. in relation to AI.

Some banks have also been identifying new credit risk models for origination in the open market (acquisition scorecards, behavioural scores for pre-approved limits and income estimation models) and have assigned a specific capital add-on as a result of the change in the risk mapping. The ECB also observed institutions where new products/instruments cannot be introduced without the model validation function confirming ex ante that any impact on existing models has been validated.

At one institution, an indicator framework allowing early detection of social media threats, media tonality, etc. has been introduced. Such early warning indicators are closely monitored and linked to the crisis governance framework. For some institutions, developing various threat scenarios helps identify specific risks.

4.4 Update of the RAF, the RMF and KRIs

Assessment criterion 14.1

Do institutions review the RAF, RMF and KRIs defined ex ante to ensure they adequately cover digitalisation-related risks? Do they adapt them if needed, for example by defining suitable KRIs to capture new or altered risks related to digitalisation (if the risk is measurable)? Both quantitative and qualitative indicators can be used in the RAF to sufficiently cover risks which are not easily measurable, such as non-financial risks including digitalisation/IT-related risks. The institution reviews and, if necessary, updates existing KRIs to capture a change in sensitivity related to digitalisation. This also includes the definition of “red flags” or “early warnings”, i.e. thresholds that trigger decisions on mitigating measures.

Box 14 Examples of observed sound practices: processes designed to update the RAF, RMF and KRIs

The ECB observed institutions considering the need to update their RAF and RMF in view of the impact of digitalisation, and in order to add new digital-related metrics and review risk tolerance. The ECB also observed banks including digital metrics in the RAF and reviewing them on a regular (e.g. annual) basis. The review included changes in the risk tolerance (e.g. related to economic capital and exposures to consumer-related credit risk), mostly in relation to changes in the digital environment and cyber threats with implications for the digitalisation of processes, services and products. The ECB observed banks setting thresholds for specific risks, e.g. percentage of critical applications run on external services as a threshold for third-party risk.

With regard to KRIs, the ECB has observed sound practices at some banks on the implementation of KRIs. These practices involve measuring risks affected by digitalisation in parallel with the risk identification process (business continuity, vulnerabilities, critical service providers, cyber controls, AML and fraud). Another sound practice links these KRIs, for example, to digital customers, application activities, or the percentage of systems operating in the cloud. Best practice is to also align the KRI development process with any necessary update of the RAF/RMF.

In the context of the digital risk framework, the ECB observed institutions where:

  • KRIs are developed in the context of digital initiatives, and their outcome fuels other supervisory exercises if needed (especially the RAF);
  • IT/third-party risks are included in the RAF based on newly added metrics and adjusted risk tolerance and consumer credit/distribution channels;
  • transformation dashboards are included and updated in the RAF/RMF.

© European Central Bank, 2024


All rights reserved. Reproduction for educational and non-commercial purposes is permitted provided that the source is acknowledged.

For specific terminology please refer to the ECB glossary (available in English only).

PDF: ISBN 978-92-899-6789-1, doi:10.2866/681424, QB-05-24-468-EN-N
HTML: ISBN 978-92-899-6788-4, doi:10.2866/136159, QB-05-24-468-EN-Q


Corporate sustainability due diligence

Fostering sustainable and responsible corporate behaviour for a just transition towards a sustainable economy.


On 23 February 2022, the European Commission adopted a proposal for a Directive on corporate sustainability due diligence. On 24 May 2024 the Council of the European Union approved the political agreement, thereby completing the adoption process. The aim of this Directive is to foster sustainable and responsible corporate behaviour in companies’ operations and across their global value chains. The new rules will ensure that companies in scope identify and address adverse human rights and environmental impacts of their actions inside and outside Europe.

What are the benefits of these new rules?


  • Better protection of human rights, including labour rights.
  • Healthier environment for present and future generations, including climate change mitigation.
  • Increased trust in businesses.
  • More transparency enabling informed choices.
  • Better access to justice for victims. 


  • Harmonised legal framework in the EU, creating legal certainty and level playing field.
  • Greater customer trust and employees’ commitment.
  • Better awareness of companies’ negative human rights and environmental impacts, fewer liability risks.
  • Better risk management, more resilience and increased competitiveness.
  • Increased attractiveness for talent, sustainability-oriented investors and public procurers.
  • Increased incentives for innovation.
  • Better access to finance.


  • Better protection of human rights and the environment.
  • Sustainable investment, capacity building and support for value chain companies.
  • Improved sustainability-related practices.
  • Increased take-up of international standards.
  • Improved living conditions for people.

What are the obligations for companies?


This Directive establishes a corporate due diligence duty. The core elements of this duty are identifying and addressing potential and actual adverse human rights and environmental impacts in the company’s own operations, their subsidiaries and, where related to their value chain(s), those of their business partners. In addition, the Directive sets out an obligation for large companies to adopt and put into effect, through best efforts, a transition plan for climate change mitigation aligned with the 2050 climate neutrality objective of the Paris Agreement as well as intermediate targets under the European Climate Law.

Which companies will the new EU rules apply to?


Large EU limited liability companies & partnerships:

+/- 6,000 companies: >1,000 employees and >EUR 450 million turnover (net) worldwide.

Large non-EU companies:

+/- 900 companies: >EUR 450 million turnover (net) in the EU.

The Directive contains provisions to facilitate compliance and limit the burden on companies, both in scope and in the value chain.

Micro companies and SMEs are not covered by the proposed rules. However, the Directive provides supporting and protective measures for SMEs, which could be indirectly affected as business partners in value chains.

What are the estimated costs of the new rules for companies?

Businesses will have to bear:

  • The costs of establishing and operating the due diligence process.
  • Transition costs, including expenditure and investments to adapt a company’s own operations and value chains to comply with the due diligence obligation, if needed. 

How will the new rules be enforced?

The rules on corporate sustainability due diligence will be enforced through:

  • Administrative supervision: Member States will designate an authority to supervise and enforce the rules, including through injunctive orders and effective, proportionate and dissuasive penalties (in particular fines). At European level, the Commission will set up a European Network of Supervisory Authorities that will bring together representatives of the national bodies to ensure a coordinated approach.
  • Civil liability: Member States will ensure that victims get compensation for damages resulting from an intentional or negligent failure to carry out due diligence.

Why does the EU need to foster sustainable corporate behaviour?


The Directive will contribute to the just transition to a sustainable economy, in which businesses play a key role.

A broad range of stakeholder groups, including civil society representatives, EU citizens, businesses as well as business associations, have been calling for mandatory due diligence rules. 70% of the businesses who responded to the public consultation sent a clear message: EU action on corporate sustainability due diligence is needed.

A third of companies recognised the need to act and are taking measures to address adverse effects of their actions on human rights or the environment, but progress is slow and uneven. The increasing complexity and global nature of value chains makes it challenging for companies to get reliable information on business partners’ operations. The fragmentation of national rules on corporate, sustainability-related due diligence obligations further slows down the take-up of good practices. Stand-alone measures by some Member States are not enough to help companies exploit their full potential and act sustainably.

EU rules will provide a uniform legal framework and ensure a level playing field for companies across the EU Single Market. Such rules will also foster international competitiveness, increase innovation and ensure legal certainty for companies addressing sustainability impacts. The Directive will steer businesses towards responsible behaviour and could become a new global standard with regard to mandatory environmental and human rights due diligence. 

What are the next steps?

The Directive will enter into force 20 days after its publication in the Official Journal of the European Union. Member States will have two years to transpose the Directive into national law and communicate the relevant texts to the Commission. One year later, the rules will start to apply to companies, with a gradual phase-in between 3 and 5 years after entry into force. 

A set of guidelines to be issued by the Commission will help companies to conduct due diligence.

Related links

Sustainable corporate governance consultation


COMMENTS

  1. Strategic Risk Assessment Template, Examples, & Checklist for 2022

    The first step in building a risk management plan is to conduct an initial risk assessment. What sets a strategic risk assessment apart from other risk assessment methods is that it is driven by the business's core strategies. Get up to speed on strategic risk assessment with a checklist, template, and examples below.

  2. Fundamentals Of Risk Assessment: Methods And Tools Used To ...

    Risk assessment stands as a cornerstone in strategic business decision-making.

  3. Risk Assessment Examples & Sample Templates

    What are Risk Assessment Examples? Risk assessment examples, varying widely across industries and contexts, illustrate the diverse applications of risk assessment in identifying, analyzing, and addressing potential risks to individuals, organizations, and the broader community. Understanding how to implement risk assessments through practical examples is crucial for businesses to protect their ...

  4. A Guide to Risk Analysis: Example & Methods

    What is Risk Analysis? Risk analysis is a multi-step process aimed at mitigating the impact of risks on business operations. Leaders from different industries use risk analysis to ensure that all aspects of the business are protected from potential threats. Performing regular risk analysis also minimizes the vulnerability of the business to unexpected events.

  5. Risk Management Process: A Guide to Business Plan Risk Analysis

    A business risk assessment matrix, sometimes called a probability and impact matrix, is a tool you can use to assess and prioritize different types of risks based on their likelihood (probability) and potential damage (impact). Here's a step-by-step process to create one: Step 1: Begin by listing out your risks.

  6. Conducting a Small Business Risk Analysis: Steps to Get Started

    The assessment is not 100% accurate when it comes to judging your level of risk. A small business risk analysis gives you a picture of the possible outcomes your business decisions could have. Use the following steps to do a financial risk assessment. Step 1: Identify risks. The first step to managing business risks is to identify what ...

  7. Risk Assessment: Process, Tools, & Techniques

    Risk assessment is one of the major components of a risk analysis. Risk analysis is a process with multiple steps that intends to identify and analyze all of the potential risks and issues that are detrimental to the business or enterprise.

  8. Business risk assessment: what it is & why you need it

    Find out what a business risk assessment is, why you need one, what types of risks to consider and how to mitigate your risk.

  9. How to Write a Risk Assessment: Templates & Examples

    How to write a risk assessment, the type of risk assessments you will need and the importance of taking business risk seriously.

  10. PDF Business Continuity Toolkit Risk Assessment Methodology & Guide

    The Business Continuity Risk Assessment aims to identify, analyze and evaluate the risks of disruption to a business. This means analyzing threats and existing safeguards to determine the residual level of risk to your business.

  11. How To Create A Risk Management Plan + Template & Examples

    Need to create a risk management plan? Use this step-by-step process to find, analyze, and monitor risks throughout a project.

  12. Risk Management 101: Process, Examples, Strategies

    Some examples of risk management strategies include leveraging existing frameworks and best practices, minimum viable product (MVP) development, contingency planning, root cause analysis and lessons learned, built-in buffers, risk-reward analysis, and third-party risk assessments.

  13. A guide to business risk assessment

    Find out what risk analysis in business is and how it works. Learn how to create your own action plan to target and plan for risks.

  14. What is business risk?

    Cyber risk is a form of business risk. More specifically, it's the potential for business losses of all kinds in the digital domain—financial, reputational, operational, productivity related, and regulatory related. While cyber risk originates from threats in the digital realm, it can also cause losses in the physical world, such as damage ...

  15. 11 Business Risk Examples You Can Expect (With Definitions)

    Learn how to identify and manage 11 common types of business risks, with definitions and examples, to help your organization achieve its goals.

  16. How to Create a Project Risk Management Plan

    Learn how to create a project risk management plan, and find tips from experts, step-by-step instructions, and an example plan.

  17. Prepare a risk management plan

    Use our template to assess and mitigate risks to your business and create a risk management plan that's tailored for you.

  18. The Top 50 Business Risks And How To Manage them!

    How to manage the TOP 50 BUSINESS RISKS. All businesses face risks around strategy, profits, compliance, environment, health and safety and so on. Download this free Business Risk Register.

  19. 4 Risk Assessment Matrix Templates with Examples

    Risk assessment matrices help you plan and strategize before you deploy your projects, especially in compliance-related fields.

  20. What is a business risk assessment and why is it important?

    A risk assessment is the process of identifying health and safety risks within a business, evaluating who this risk might affect, how significant the risk is and taking the necessary steps to control the risk. The government recommends that every business, regardless of its sector, complete a risk assessment at least once a year.

  21. 6 Critical Risks in a Business Plan

    Business Plan Risks Analysis, Problem, Challenging Factors and Mitigation Strategies. What is a major example of critical risk in a business plan? Every business is prone to facing certain business risks, which might appear very critical in the real world.

  22. Business Plan 101: Critical Risks and Problems

    Identifying the problems and risks that must be dealt with during the development and growth of the company is expected in the business plan. These risks may include any risk related to the industry, risk related to the company, and risk related to its employees. The company should also take into consideration the market appeal of the company ...

  23. Why Your Business Needs a Risk Management Plan

    Simply put, a risk management plan is a comprehensive strategy that identifies and analyzes potential risks to a business or organization and devises solutions to minimize or avoid them, maximizing the probability of success or reaching organizational goals.

  24. Project Risk Management: How To Do It Well & 5 Expert Tips

    Discover practical steps, templates, and examples for effective risk management that can help project managers lead with confidence.

  25. 13+ SAMPLE Risk Assessment Plan in PDF

    13+ SAMPLE Risk Assessment Plan in PDF | MS Word. Risk assessment is the method of identifying potential risks inside an organization and developing strategies to minimize or eliminate them. A well-designed system contributes to the safety of employees while also safeguarding business assets. When considering why risk assessment is necessary ...

  26. HACCP Principles & Plans

    4. Perform a risk assessment and identify critical control points. Examine the potential hazards that could arise during the manufacturing process. Please keep track of the hazard analysis and risk categories for the target products, their ingredients, and the dangers throughout the product food chain.

  27. How to Run a Cybersecurity Risk Assessment in 5 Steps

    Though cybersecurity is on every executive's checklist today, most struggle with growing compliance burdens ...

  28. Digitalisation: key assessment criteria and collection of sound practices

    At a few banks, a dedicated risk workstream complemented business line and operational workstreams in the strategy-setting process and conducted a holistic risk assessment of the digital strategy towards the end of the process.

  29. Corporate sustainability due diligence

    A broad range of stakeholder groups, including civil society representatives, EU citizens, businesses as well as business associations, have been calling for mandatory due diligence rules. 70% of the businesses who responded to the public consultation sent a clear message: EU action on corporate sustainability due diligence is needed.