What’s Required Based on Size of Project
(short duration; 2-4 members of project team)
(duration of several weeks to several months; medium-sized project team)
(duration of year or more; large project team)
Many risk management experts emphasize that an organization’s project risk management plans might not change much from project to project. That’s because the plan sets out particulars that will be followed for all projects.
“Remember, it's just an approach document that answers the question: How?” says Kris Reynolds, Founder and CEO of Arrowhead Consulting in Tulsa, Oklahoma. “The company or the department as a whole should have a single risk management plan that gets built as you're building your project management methodology. And it’s your Bible. It’s your guidebook.
“But it isn't going to change across projects,” Reynolds continues. “What changes are the artifacts, including the risk register. But your approach of how you're going to address risk or analyze risk or plan for risk is in the project risk management plan document. As a company or organization, you create that document, and it exists for a year or two years without changing.”
To create a project risk management plan, your team should gather important documents and decide on an approach for assessing and responding to risks. This process involves gathering support documents, listing potential risk management tools, and more.
Consider some of these basic steps and factors as you begin creating the project risk management plan:
After your project team has gathered documents and done other preparation work, you will want to follow nine basic steps in creating a project risk management plan. Those start with identifying and assessing risks.
Here are details on the nine steps of project risk management to keep in mind while drafting your project risk management plan:
Examples of project risk management plans can help your team understand what information to include in a plan. The risk management plan can also detail various components that will be part of your team’s risk management.
Download the Sample Project Risk Management Plan Template for Microsoft Word
Download this sample project risk management plan, which includes primary components that might be described in a project risk management plan, such as details on risk identification, risk mitigation, and risk tracking and reporting.
Download the Blank Project Risk Management Plan for Microsoft Word
Use this blank template to create your own project risk management plan. The template includes sections to ensure that your team covers all areas of risk management, such as risk identification, risk assessment, and risk mitigation. Customize the template based on your needs.
Download the Sample Project Risk Register for Excel
This sample project risk register gives your team a better understanding of the information that a risk register should include to help the team understand and deal with risks. This sample includes potential risks that a project manager might track for a construction project.
Download the Blank Project Risk Register Template for Excel
Use this project risk register template to help your team identify, track, and plan for project risks. The template includes columns for categorizing risks, providing risk descriptions, determining a risk severity score, and more.
Download the Sample Quantitative Project Risk Impact Matrix for Excel
This sample quantitative project risk impact matrix template can help your team assess a project risk based on quantitative measures, such as potential monetary cost to the project. The template includes columns where your team can assess and track the probability and potential cost of each project risk. The template calculates a total monetary risk impact based on your estimates of probability and cost.
Download the Risk Breakdown Structure Template for Excel
Your team can use this template to create a risk breakdown structure diagram that shows different types of risks that could affect a project. The template helps your team organize risks into broad categories.
Below are step-by-step instructions on how to fill out a project risk management plan template. Follow these steps to help you and your team understand the information needed in an effective risk management plan.
This template is based on a project risk management plan template created by Arrowhead Consulting of Tulsa, Oklahoma, and was shared with us by Kris Reynolds.
Experts say that complex projects shouldn’t require more complex project risk management plans. A project might have more complex tools, such as a more detailed risk register, but the risk management plan should cover the same basics for all projects.
“The problem is, most people get these management plans confused. They then start lumping in the artifacts [such as risk registers] — which can be more complex and have more detail — to the risk management plan itself,” says Reynolds. “You want it to be easily understood and easily followed.
“I don't think the complexity of the project changes the risk management plan,” Reynolds says. “You may have to circulate the plan to more people. You may have to meet more frequently. You may have to use quantitative risk analysis. That would be more complex with more complex projects. But the management plan itself — no.”
A risk management plan can help minimise the impact of risks that could weaken your cash flow or damage your brand. It will also help create a culture of sensible risk awareness and management in your business.
Our Crisis planning template and checklist includes a risk management plan:
Follow these steps to create a risk management plan that's tailored for your business.
What are the risks to your business?
For example:
Some risks will cause major disruption while others will be a minor irritation.
Assess the risks that you've identified.
Try to estimate the:
Prioritise your risk planning based on the results of your assessment.
Some risks are preventable, so eliminate or minimise these where possible. For some risks, it might be as simple as installing an alarm system or buying extra personal protective equipment (PPE).
Insurance is one way to reduce the impact of an event or disaster.
For example, business interruption insurance can make sure that you receive your average earnings for the insured period until you're able to start operating again.
Make sure your insurance is enough to cover you in the event of a significant disruption to your business.
Identify what needs to happen if a crisis or disaster occurs and who is responsible for each action. Having clear directions is one of the simplest and most powerful tools for a fast recovery.
Come up with contingency plans for how you'll continue or resume your operations if a crisis occurs. Your contingency plan is basically your 'plan B' for risks that you can't avoid completely.
Your contingency plans will depend on the:
People in or connected to your business must be aware of the strategies you've put in place to mitigate or recover from a disaster situation.
To do this:
Next, train your staff in your procedures and have them practise. This way if a disaster occurs, the process can take over and guide the staff.
Risks can pop up during day-to-day operations, so it's important to know how to identify potential risks before they escalate.
Continuously monitoring for risks will help you develop realistic and effective strategies for dealing with issues if they occur.
Risk is simply uncertainty of outcome, whether positive or negative (PRINCE2, 2002, p. 239). Business risk is uncertainty around strategy, profits, compliance, environment, health and safety, and so on. Source: stakeholdermap.com
Business risk description | Actions that could be taken to manage the risk |
---|---|
1. Assets - to buildings, assets e.g. fire, flooding | |
2. Bad debt | |
3. Bankruptcy of suppliers or clients | |
4. Brand fatigue | |
5. - poor or becoming less effective | |
6. Cashflow | |
7. Client attrition | |
8. Competition: aggressive | |
9. Competition: better intelligence | |
10. Competition: legal action | of legal action |
11. Compliance with regulations, laws etc | team |
12. Copyright theft - theft of your copyright or action against your business | |
13. Cost of components - increase or decrease | |
14. Customer satisfaction low | |
15. Data security | |
16. Difficult-to-sell product | materials, sales plays, provide additional sales training |
17. Environment - natural or business environment | to employees of extreme weather - ensure safe temperatures at work, access to water, home working in bad weather, support with travel, accommodation etc to facilities, buildings, materials - insurance e.g. buildings and contents, invest in storm protection, fire prevention etc |
18. Espionage (commercial) | |
19. Exchange rates e.g. forex | and buy or sell currency in the spot market |
20. Failure of utilities e.g. water, electricity | |
21. Health and safety | and complete a |
22. Lack of office space | |
23. Lack of skills/expertise | |
24. Loss of key skills | |
25. Loss of political support | |
26. Machinery failure | |
27. Market acceptance | |
28. Market changes e.g. movements in stock prices, interest rates, commodity prices | |
29. Natural disaster | |
30. New markets - distract or provide opportunity | |
31. Operational risk e.g. risk to day-to-day | |
32. Patent theft/infringement - of your patents or competitor against your business | |
33. Poor management | |
34. Political instability e.g. coup, or political unrest | |
35. Profit - loss of profit or missing profit projections | |
36. Recession | |
37. Regulatory compliance - difficulty in compliance or failure to comply | |
38. Reputation - negatively impacted | |
39. Revenue forecast missed | |
40. Seasonal risk | |
41. Staff sickness/absence | |
42. Supply chain failure/delays | procedures |
43. Technology - advances provide opportunity or threaten existing products | |
44. Technology breakdown e.g. server outage | |
45. Theft - of product, information from shop floor | |
46. Time-to-market | |
47. Transportation delay or damage | |
48. Under-resourcing | needed over peak periods e.g. Amazon warehouse model from repetitive time-consuming work |
49. Unexpected demand - supply issues | |
50. War - military conflicts | |
When you’re driving a car, avoiding accidents is as important as (arguably more important than) knowing where you’re going. The same holds true for project planning: risk management is a key factor in how successful your project will be.
This is where risk matrix templates come into play. A risk matrix is a visual tool that helps you prioritize risks based on their likelihood and potential impact.
In this blog post, we’ll explore the ins and outs of using a risk matrix template, including:
A risk matrix is a tool that helps you visualize and prioritize risks based on their likelihood and potential impact. By plotting risks on a simple grid, you can quickly see which threats require immediate attention and which ones can be monitored over time.
These matrices show up a lot in project management, safety management, and other fields that demand risk assessment and mitigation planning. For instance, you can use it for:
Those are just a portion of the ways these matrices can be used. They can be customized to fit a wide variety of use cases, so if you don’t see your particular industry above, that doesn’t mean the info below can’t still apply to you.
There are multiple reasons the risk assessment matrix is so popular across multiple industries:
When you create a risk assessment matrix, you’re basically comparing two things: the likelihood something will happen and the impact that risk might have. By cross referencing them, you can determine how much energy you should put into mitigating that risk.
You can create a risk matrix of different sizes, but one of the most common is a 5×5 risk matrix, so let’s start there.
First you lay out the likelihood something will happen, with a list like the one below. Each likelihood has a point value, which we’ll explain in a little bit:
Next, let’s tackle the impact. This is how serious a problem you’d have if this risk actually happened.
To determine the overall risk, you multiply the likelihood of a risk by its impact. For example, a Severe risk that’s considered Possible would be 5×3 for a risk score of 15. An Insignificant risk that’s Likely would be 1×4 for an overall risk score of 4. You can determine what you consider a high or low risk based on your organization’s preferences, but we’ve broken down our 5×5 matrix as follows:
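The scoring rule above (likelihood × impact on a 5×5 grid) is easy to get inconsistent when a risk register is kept by hand, so here is an added example that implements it in Python. This is not Visor's code or template. Only the labels the text gives (Insignificant = 1 and Severe = 5 for impact; Possible = 3 and Likely = 4 for likelihood) come from the page; the remaining labels, the band thresholds and the sample register entries are assumptions constructed for the example.

```python
"""Score and rank a risk register on a 5x5 likelihood-by-impact matrix.

Added example; not code from the original page. Labels other than
Insignificant/Severe/Possible/Likely and the band thresholds are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Impact scale. Insignificant = 1 and Severe = 5 are from the text;
# Minor, Moderate and Major are assumed intermediate labels.
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Severe": 5}

# Likelihood scale. Possible = 3 and Likely = 4 are from the text;
# Rare, Unlikely and Almost Certain are assumed labels.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}

# Band floors (score >= floor maps to the label). The text says these
# cut-offs are an organisational choice, so the values here are assumed.
BANDS = [(15, "Critical"), (10, "High"), (5, "Medium"), (1, "Low")]


def risk_score(likelihood: int, impact: int) -> int:
    """Overall risk = likelihood x impact, both on the 1-5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def band(score: int) -> str:
    """Map a score (1-25) onto the assumed Low/Medium/High/Critical bands."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score {score} is below the lowest band")


def matrix() -> list[list[int]]:
    """The full 5x5 grid: rows are likelihood 5..1 (top to bottom), columns impact 1..5."""
    return [[risk_score(lk, im) for im in range(1, 6)] for lk in range(5, 0, -1)]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # key of LIKELIHOOD
    impact: str      # key of IMPACT

    @property
    def score(self) -> int:
        return risk_score(LIKELIHOOD[self.likelihood], IMPACT[self.impact])


def rank(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Return (name, score, band) sorted highest score first, then by name."""
    scored = [(r.name, r.score, band(r.score)) for r in register]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


# Constructed sample register; the risk names echo entries from the
# business-risk list earlier on the page, the ratings are made up.
SAMPLE_REGISTER = [
    Risk("Supply chain delay", "Likely", "Severe"),
    Risk("Server outage", "Possible", "Severe"),
    Risk("Data security incident", "Unlikely", "Severe"),
    Risk("Staff sickness", "Likely", "Insignificant"),
]


if __name__ == "__main__":
    print("Likelihood \\ Impact  " + "  ".join(f"{i:>2}" for i in range(1, 6)))
    for lk, row in zip(range(5, 0, -1), matrix()):
        print(f"{lk:>19}  " + "  ".join(f"{v:>2}" for v in row))
    print()
    for name, score, label in rank(SAMPLE_REGISTER):
        print(f"{score:>2}  {label:<8} {name}")
```

Running the module prints the grid and the ranked register; the two worked figures from the text (Severe × Possible = 15, Insignificant × Likely = 4) fall out of `risk_score` directly. Swapping `BANDS` for your own thresholds is the only change needed to match an organisation's appetite.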
We’ve put together a series of risk matrix templates, along with a couple of general risk assessment templates for listing and analyzing individual risks. They’re designed to be adapted to your particular organizational needs, so feel free to adjust them as needed.
The 5×5 risk management template gives you room to dig into the degree of risk a situation presents, allowing you to score risk on a scale of 1-25. It’s a larger array than the 3×3 matrix, so you can add some nuance to your risk scores.
The template can be adjusted based on your organization’s needs. For instance, you could scale back the risks labeled as High Risk or label some of the Low Risks as Medium, and so on. Use it together with the Risk Management Assessment Template below to analyze individual risks.
If you need a simplified risk management template, this 3×3 model may be the right choice for you. It works the same as the 5×5 model, though risk scores only run from 1-9. However, with a smaller grid, it may be easier to assess risk (if you don’t need granular detail). This can also be used with the Risk Management Assessment Template to review potential risks.
If you’re assessing risk for an IT project, the template below is designed for you. In addition to an attached risk matrix, you can also list out your risks, discuss how you’re handling them in control settings, review mitigation strategies, and review the effect those mitigation strategies have on the outcome.
This could be a good chart to include in project status reports or other reports that need to be shared with stakeholders.
If you want a simple way to review potential risks, check out the risk assessment list below. It gives you a straightforward way to detail the risks for your project, the areas that will be affected, and your recommendation. The risk matrix is attached, so you can review and adjust it as needed.
Use this chart when reviewing risks with stakeholders to offer a solid overview of potential pitfalls for your project and how you plan to address them.
Effectively managing risk is essential for the success and resilience of any project or organization. Risk matrix templates offer a straightforward yet powerful way to identify, assess, and prioritize risks, enabling you to take proactive measures to mitigate potential threats.
Business plan risk analysis: problems, challenging factors and mitigation strategies.
What is a major example of critical risk in a business plan? Every business is prone to facing certain business risks, which might appear very critical in the real world.
As a business person, you must be able to spend sufficient time in drafting your business plan so that it is capable of addressing the critical risks and assumptions that your business might face.
You should be able to envision and determine, in your business plan, critical risks in a restaurant business plan that might pose a threat to the overall success of your business. When you do not pay enough attention to these risks, it could cause your readers – most important of which are potential investors and bankers – to negatively evaluate your business plan.
Need to write a plan for your venture? Download a FREE Business Plan PDF Sample to develop a template for your own startup.
Below are some critical business risks and contingencies in a business plan that you must ensure to properly handle before they pose a threat to the success of your business.
• Risk of Overestimated Figures
The number one critical business risk that can land your business in trouble, by attracting too much negative attention, is overestimated figures. We are talking about sales and profit figures that seem too optimistic, salaries that appear too high for a business of its age, and overstated profitability. If you overestimate any of these three, you create a serious business risk.
For salaries, it is wise to go for the minimum as a startup business, together with any additional income that comes in the form of profits.
For sales and profits, it is wise to always give figures that appear most likely, not figures that match your optimism. Your business’ profitability largely depends on your ability to meet sales projections and to operate within the confines of your costs.
• Risk of Indecisive Conversion Rates
Conversion rate (also hit rate) has to do with the percentage of people, out of the total number of people you approached, that purchased or patronized your product or services. Conversion rate could be best tested through test marketing or pre-selling.
When you test market, you offer your product for sale within a limited area for a limited period of time. Usually you offer incentives to buyers to encourage them to help you identify the actual target customers for your business.
When you pre-sell, you introduce your products or services to prospective customers and may even accept orders for delivery.
Your goal is to know the conversion rate accurately, so that a reader can take your projected market size, apply the conversion rate, and deduce what the total sales estimate might be.
• Risk of Ignored Competition
Here is another critical business risk that many entrepreneurs fail to address. As an entrepreneur, you are the master and captain of your game; you are expected to take charge and seize your market. How do you do that? By knowing every competitor in your industry. It is an obligation you can never overlook.
Many entrepreneurs feel they know their competitors very well when, in reality, they have no real clue who their major competitors are. You must ensure you have adequate knowledge of your immediate competitors, as well as substitutes and potential or latent competitors.
If you want to demonstrate a long-term vision for your business, you must always keep abreast of the latest developments regarding your competitors. You should even anticipate businesses that might become competitors in later years.
• Financial Risk
Most businesses today fold as a result of financial difficulties. Lack of adequate financial resources is a very critical business risk that can force a business to close.
In most cases the business simply runs out of money: customers take too long to pay, unforeseen and miscellaneous expenses pile up, and accidents and costly financial mistakes occur. Each of these poses a critical business risk and can lead to the business folding if it does not have enough money saved for a rainy day.
In your business plan, you should demonstrate that you have adequate financial strength to operate your business until break-even and even after that. Provide the amount of needed investments and loans you will obtain to start and even run the business successfully – even if you are sure your sales volume will generate as much needed money to run the business.
• Risk of Inadequate Payback
When drafting your business plan, it is pertinent to always think about what the readers of your business plan will be expecting. For most people, it is how you intend to pay back the loan or investment you obtained, or the line of credit you hope to obtain from external sources such as banks.
For bankers, they would analyze the business plan critically to understand how exactly you have made plans to settle up the loans or line of credit you want to obtain from the bank. Your cash flows and your collateral issues are highly significant.
In the case of investors, the growth rates and profit margins of the business are highly critical because these are the factors that will actually determine how much they would earn.
For key employees, analyzing the business plan helps them grasp how the business operates; this in turn helps them envision their future with the business.
• Strategic Risk
Another critical business risk factor for your business plan is strategic risk. Sometimes even the best-laid business plan can very quickly become obsolete.
Strategic risk is the risk that your business strategy becomes too rigid and is no longer effective at taking your business to its desired level, so that the business starts struggling to achieve its goals.
This business risk could be as a result of a very powerful new competitor in the industry; technological advancement; a shift in the demand of customers; or even a rise in the cost of raw materials or other market changes.
You should take the time to write your business plan such that, whenever you face a strategic risk, you can easily tweak your business strategy, adapt, and come up with a viable solution.
When starting a business, it is understood that there are risks and problems associated with development. The business plan should contain some assumptions about these factors. If your investors discover unstated negative factors associated with your company or its product, this can raise serious questions about the credibility of your company and put the monetary investment in doubt. If you are up front about identifying and discussing the risks the company is undertaking, this demonstrates the experience and skill of the management team and increases the credibility you have with your investors. It is never a good idea to try to hide information about risks and problems.
Identifying the problems and risks that must be dealt with during the development and growth of the company is expected in the business plan. These risks may include risks related to the industry, to the company, and to its employees. The company should also take into consideration its market appeal, the timing of the product or development, and how the initial operations will be financed. Some things you may want to discuss in your plan include how cost cutting can affect you, unfavorable industry trends, sales projections that do not meet the target, costs exceeding estimates, and other potential risks and problems. The list should be tailored to your company and product. It is a good idea to include how you will react to these problems, so your investors see that you have a plan.
Understand the basics of risk management planning and discover how essential it is for your business to have one.
A risk management plan is a systematic and structured plan to identify, analyze, assess, measure, and monitor risks and threats to an organization. It serves as an important tool for managing the risks that affect the running of an organization.
Simply put, a risk management plan is a comprehensive strategy that identifies and analyzes potential risks to a business or organization and devises solutions to minimize or avoid them, maximizing the probability of success or reaching organizational goals.
Creating a risk management plan can seem daunting, but it’s important to have one in place to help protect your business from risks. Here are the basic steps you need to take to create a risk management plan:
An essential component of any successful risk management plan is the establishment of strong risk culture. Risk culture is commonly known as the shared values, beliefs, and attitudes toward the handling of risks throughout the organization.
It is the responsibility of senior management and the board of directors to create the company culture, set the tone from the top down, and communicate it throughout the organization.
Stakeholders come from various functions inside and outside your organization. They could be employees, customers, vendors, and so on. To plan risk management properly, it is important to engage with them every step of the way, because stakeholders give you a detailed picture of all facets of your business along with the corresponding risks.
A clear policy with delineated roles, responsibilities, and templates is essential for an effective risk management strategy. This will help you identify all risks that could potentially affect your business, evaluate the impact of those risks, and develop plans to mitigate them.
Communication is one of the most important aspects of risk management planning. It is critical for an effective risk management plan to have a good understanding of how communication works and how it can help you to manage risk.
By implementing transparent risk monitoring processes, you can be sure that all risk mitigation efforts are effective. Risk management planning is an ongoing and essential process. With these best practices, you should be able to create a strategy for your organization.
To make an effective risk management plan, it is essential to know the process of risk management as it is a systematic process used by a company in managing risks.
Now that you understand the basics of a risk management plan, it’s time to talk about how to create one. This is important, as it will ensure that your plan is effective and can be used to identify and mitigate any risks that may occur.
There are a few key steps to writing a risk management plan:
By following these steps, you can create a risk management plan that will help protect your business from any potential dangers.
Why use SafetyCulture?
SafetyCulture can help you create a risk management plan specific to your organization. It features an audit tool that can be used to identify potential risks, as well as thousands of customized templates and forms to help you document and track your risk management activities.
SafetyCulture provides a mobile application to access and store your risk management plan, automatically generate reports after an inspection, and share those reports with the appropriate people. Having SafetyCulture as part of your digital risk management process creates data sets that better inform your decisions and encourage compliance within your organization.
This free risk management plan template lets you identify risks, record each risk’s impact on a project, and assess its likelihood, seriousness and grade. It also lets you specify planned mitigation strategies, assign the corrective actions needed to responsible individuals, break down costs, and set the timeline of mitigation actions.
SafetyCulture Content Team
Learn more about reputational risk, why it’s important that businesses properly manage it, and how to effectively implement risk mitigation strategies.
This guide will discuss what reputation management is, why it’s important, and ways in which business leaders can maintain their organization’s healthy image
Explore the intricacies of environmental aspects and impacts of the organization’s practices to enhance the company’s sustainability, compliance, and competitive advantage.
Galen is a digital project manager with over 10 years of experience shaping and delivering human-centered digital transformation initiatives in government, healthcare, transit, and retail. He is a digital project management nerd, a cultivator of highly collaborative teams, and an impulsive sharer of knowledge. He's also the co-founder of The Digital Project Manager and host of The DPM Podcast.
Effective risk management is crucial for project managers. Explore practical steps, templates, and real-world examples that will help you navigate risk and lead your projects with confidence.
When starting a new project, the responsibility of risk management falls squarely on the project manager's shoulders. While it may sound counterintuitive, the most successful project managers are those who meticulously plan for the worst-case scenarios. Potential risks will arise, and it’s your job to devise a mitigation strategy in your project plan to ensure your team is well-prepared and set up for success.
In this article, we will explore practical steps, templates, real-world examples, and the project management software that can help you navigate risk management and lead your projects with confidence.
Project risk management is the systematic process of proactively identifying, analyzing, evaluating, and responding to potential risk events that could impact your project's objectives. Some common project risks include unrealistic deadlines, cost overruns, scope creep, and changes in stakeholder priorities.
Risk management is not about reacting to problems as they arise but identifying the risk probability and planning for them in advance.
Not all risks are created equally. Here’s why it’s important to identify and address risks before they become issues.
Proactive risk management isn't just about anticipating problems; it's about considering all possibilities to ensure a successful project. Here's a breakdown of common project risks and what to prioritize:
Identifying risks involves brainstorming all potential threats and opportunities that could impact your project. Gather your team and stakeholders for a workshop, and get the ideas flowing by considering:
Example : Let's say you're leading a website redesign project. Here's a sample risk identification list:
Once you've identified your risks, analyze their likelihood of occurring and the potential impact they could have on your project. A common technique is to use a risk matrix or risk management plan.
This is essentially a grid with a severity rating (high, medium, low) on one axis and a probability rating (very likely, likely, unlikely) on the other. Each risk is plotted on the matrix based on its likelihood and severity.
Example : Your website redesign risk matrix might show that developer illness is a "medium likelihood" but a "high severity" risk. Focus on mitigation strategies here to prevent significant impacts on the project timeline. Compatibility issues, on the other hand, might be "low likelihood" but "medium severity." While less likely to occur, a plan to address them would still be wise.
Remember, not all risks are equal. Use the risk matrix from Step 2 to identify the risks that fall into the "high likelihood" and "high severity" categories. These are your top priorities and should be addressed first.
For each identified risk, designate the team member responsible for monitoring and developing mitigation strategies. This promotes accountability and ensures someone is actively watching out for each potential issue.
Choose team members with the skills and experience most relevant to their assigned risk. For instance, the most technically experienced team member might be best suited to monitor compatibility issues.
There are several ways to mitigate risks, such as:
Example : To mitigate the risk of a key team member falling ill, a mitigation strategy could be to delegate some tasks or have a backup team member trained and ready to step in.
By creating mitigation plans, you're prepared to address potential challenges and minimize their impact on the project.
Risks don't stay static. Regularly review your risk register and update it as needed.
Schedule a series of project meetings to manage risks proactively. Ensure you’re aligned on the communication format and cadence for these meetings. Whatever you choose, always remember to be transparent so your team has full visibility.
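Putting the six steps above together, here is an added example (not code from The Digital Project Manager article) that loads a constructed risk register for the website redesign scenario, places each entry on the likelihood-by-severity matrix, orders the register for prioritization, and, at review time, flags critical risks that still have no owner or no mitigation plan. The numeric weights, the band thresholds, the register rows and the people's names are assumptions of this example.

```python
import csv
from dataclasses import dataclass
from io import StringIO
from typing import List, Optional

# Three-level scales for the two axes of the risk matrix (Step 2). The labels
# are the article's; the numeric weights are an assumption of this example.
LIKELIHOOD = {"unlikely": 1, "likely": 2, "very likely": 3}
SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed register for the website redesign scenario. One critical row
# deliberately lacks an owner and a mitigation so the review step has
# something to flag.
SAMPLE_REGISTER = """\
name,likelihood,severity,owner,mitigation
Key developer falls ill,likely,high,,
Scope creep from stakeholder requests,very likely,medium,Priya,Change-control board reviews every new request
Browser compatibility issues,unlikely,medium,,
Hosting vendor outage during launch,unlikely,high,Sam,Launch window agreed with vendor and rollback plan rehearsed
"""


def is_valid_rating(likelihood: str, severity: str) -> bool:
    """True when both ratings are labels the matrix knows about."""
    return likelihood in LIKELIHOOD and severity in SEVERITY


@dataclass
class Risk:
    name: str
    likelihood: str
    severity: str
    owner: Optional[str] = None       # Step 4: who watches this risk
    mitigation: Optional[str] = None  # Step 5: what is done about it

    @property
    def score(self) -> int:
        """Position in the matrix as one number: likelihood x severity (1..9)."""
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]

    @property
    def band(self) -> str:
        """Step 3: collapse the score into a triage band (thresholds are an assumption)."""
        if self.score >= 6:
            return "critical"
        if self.score >= 3:
            return "moderate"
        return "low"


def load_register(csv_text: str) -> List[Risk]:
    """Step 1 output: parse the register, rejecting ratings outside the matrix."""
    risks = []
    for row in csv.DictReader(StringIO(csv_text)):
        likelihood = row["likelihood"].strip().lower()
        severity = row["severity"].strip().lower()
        if not is_valid_rating(likelihood, severity):
            raise ValueError(f"{row['name']}: unknown rating {likelihood!r}/{severity!r}")
        risks.append(Risk(
            name=row["name"].strip(),
            likelihood=likelihood,
            severity=severity,
            owner=row.get("owner", "").strip() or None,
            mitigation=row.get("mitigation", "").strip() or None,
        ))
    return risks


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Step 3: highest matrix score first; ties broken by name for a stable list."""
    return sorted(risks, key=lambda r: (-r.score, r.name))


def assign_owner(risks: List[Risk], name: str, owner: str,
                 mitigation: Optional[str] = None) -> bool:
    """Steps 4 and 5 for one entry; returns False if no such risk exists."""
    for r in risks:
        if r.name == name:
            r.owner = owner
            if mitigation:
                r.mitigation = mitigation
            return True
    return False


def review(risks: List[Risk]) -> List[str]:
    """Step 6: findings for critical-band risks that still lack an owner or a mitigation."""
    findings = []
    for r in prioritize(risks):
        if r.band != "critical":
            continue
        gaps = []
        if not r.owner:
            gaps.append("no owner assigned")
        if not r.mitigation:
            gaps.append("no mitigation plan")
        if gaps:
            findings.append(f"{r.name}: " + "; ".join(gaps))
    return findings


if __name__ == "__main__":
    register = load_register(SAMPLE_REGISTER)
    for r in prioritize(register):
        print(f"{r.band:8} {r.score}  {r.name}")
    print("Review findings:", review(register))
```

Running `review()` at each project meeting gives the "regularly revisit your register" step a concrete check: the register is only considered healthy when every critical-band risk has both a named owner and a written mitigation, and a row with a rating outside the agreed scale is rejected at load time rather than silently scored.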
In its most minimal form, a risk management plan could be a handful of pages describing:
This can also be done using a RAID log, which can help you track risks, assumptions, issues, and dependencies so that the project manager and team can stay aligned.
Imagine managing a complex project with dozens of potential risks. Tracking them all on paper or in spreadsheets is a nightmare.
Luckily, there are many simple to advanced tools to help you streamline tasks, improve communication, and provide a source of truth for risk management.
Getting in front of potential risks like technical bugs, scope creep, and unexpected delays will help you drive more successful projects.
Here’s a list of the best project management software for achieving this:
Here are some additional best practices and strategies to elevate your risk management game.
Create a risk-aware culture where open communication is encouraged. Schedule regular brainstorming sessions specifically dedicated to risk identification and mitigation. Frame these sessions as collaborative problem-solving exercises, not opportunities for finger-pointing. This fosters an environment where team members feel comfortable raising concerns and suggesting solutions.
Risks can emerge at any stage. Regularly revisit your risk register and update it during project meetings. This ensures consistent monitoring and adaptation of mitigation strategies. Consider using a project management software with built-in risk management features to streamline this process.
Hold a pre-mortem analysis workshop early on. Ask "what if" questions to envision worst-case scenarios and identify potential failure points. Use these findings to inform your risk mitigation strategies.
4. Leverage scenario planning
Identify 2-3 potential future states (positive and negative) for your project. Brainstorm how you'd adapt your approach to succeed under each scenario. This helps you develop flexible strategies that can adapt to changing circumstances.
Publicly recognize team members who identified or mitigated critical risks. This reinforces the importance of risk management and motivates continued vigilance. Consider using a RAID Log to track identified risks, actions to address them, issues (changes), and decisions made.
Are you an owner of a food business? The HACCP system should be implemented in your company because it is an essential part of your quality assurance program. It is the cornerstone of your company’s product safety system and is compatible with the overall quality assurance program. However, to put this system into action, you’ll need to gain system knowledge and understanding, as well as commitment, planning, and resources. As a result, we’ve included some valuable tips in this article to help you out. We also have some templates available for free download.
HACCP is significant because it prioritizes and monitors potential risks in the production of foodstuffs. The industry can assure consumers that its products are as safe as good research and technology can make them, by controlling significant food hazards such as microbiological, chemical, and physical contaminants.
Similar to structure and design for projects commonly utilized in different firms, implementing HACCP principles in conjunction with a project plan requires a list of steps supplemented by resources and provisions created by research and testing for technical process development, critical inspection points, and other critical limitations. If you plan to be aware of things you need to work on, you can run a successful business. We recommend that you follow the following steps in this section:
Do you need to reduce customer complaints from the previous year? Do you wish to conduct pre-employment food safety induction training for new employees? Consider the goals and objectives established by your food business in producing and delivering safe and nutritious food to your customers.
A HACCP team coordinator should possess strong communication skills, relate to staff at all levels, and establish trust. While the team should include staff familiar with all aspects of the manufacturing process, it should also have specialists in specific fields such as microbiology or engineering.
Create a list of the target food products, label each one, and include raw materials and ingredients. It helps to create a flow diagram to depict the process. Create a unique flow diagram for each product that details the critical control points and the types of hazards each one controls.
Examine the potential hazards that could arise during the manufacturing process. Keep track of the hazard analysis and risk categories for the target products, their ingredients, and the dangers throughout the product food chain. After that, write down the necessary limit monitoring procedures, the monitoring frequency, and the names of the people in charge of specific monitoring activities. Include deviation procedures for each, determining what action should be taken if monitoring indicates something is out of control.
A preventive control system for the safety of food products is the most important part of HACCP. End-product inspection alone cannot prevent hazards; the best way is to monitor the manufacturing process with HACCP.
The seven HACCP principles are hazard analysis, identification of critical control points (CCPs), setting critical limits, monitoring procedures, corrective actions, verification procedures, and record-keeping.
A HACCP flow chart depicts the food operation’s process flow from raw materials to finished product. Typically, a HACCP flow chart is created by a group referred to as the HACCP Team or Food Safety Team.
Throughout your food business, the proper application of the HACCP system is essential to control any food area or point that could contribute to a harmful event, such as contaminants, pathogens, objects, chemicals, raw materials, a process, and more. The development of a systematic HACCP Plan is helpful to improve your food products’ safety and good quality. To begin, download now in this article our plan template!
How to Run a Cybersecurity Risk Assessment in 5 Steps
Though cybersecurity is on every executive’s checklist today, most struggle with growing compliance burdens, keeping the costs moderate and bringing team alignment.
A cybersecurity assessment is the key to combating the rising threat environment, and it’s prudent to secure systems before a breach cripples your business.
Read this guide, written by Avya Chaudhary for TechRepublic Premium, to learn how to perform a cybersecurity assessment within a five-point framework.
Featured text from the download:
STEP 4: DEVELOP A RISK ANALYSIS REGISTER
The risk analysis report is an important bridge between executives, developers and security teams. It translates complex technical jargon into actionable insights for informed security decisions. But the living document doesn’t just bring alignment between the middle and top tier of an organization — it can also be a financial lifesaver.
A well-defined risk analysis report could have prevented the Equifax data breach of 2017. The company reportedly failed to patch a critical vulnerability for months, exposing the data of 147 million customers. Creating and updating a risk analysis report regularly would have likely identified this vulnerability as “High Risk” and saved Equifax from the immense reputational damage and spending $425 million in the aftermath.
Digitalisation is a structural trend affecting European banks. They are adapting to changing customer preferences, new technologies, a different competitive landscape – with new entrants in the financial markets – and changes in the value chain. Digitalisation is impacting banks’ front office and back office operations – as they are offering new digital products and services while automating internal processes. It is also affecting their risk profiles, including strategic and operational risks but also financial risks depending on the digital activities. ECB Banking Supervision is closely following developments such as digitalisation that are likely to affect euro area institutions and updating its methodological toolbox to assess related risks.
This is why ECB Banking Supervision included digitalisation in its priorities for 2022-24 and again for 2023-25 in order to address digitalisation challenges, related risks and management body’s steering and risk management capabilities. While supervised institutions should keep a strong focus on addressing structural challenges and risks stemming from the digitalisation of their banking services with a view to ensuring the resilience and sustainability of their business models, ECB Banking Supervision is assessing the related risks, how they are identified, monitored and mitigated.
Building on the market intelligence discussions with banks and key market players, and the survey on digitalisation involving all significant institutions under European banking supervision conducted in 2022, a broad set of supervisory activities was completed in 2023. These included targeted reviews on the steering of digitalisation covering 21 banks, 10 on-site inspections on digitalisation (5 in 2022 and 5 in 2023), and the assessment of digitalisation data collected through the short-term exercise (STE) and for the Supervisory Review and Evaluation Process (SREP).
These activities have further allowed ECB Banking Supervision to assess banks’ digitalisation activities and related risks. The starting point for such an assessment is the general framework outlined in the Capital Requirements Directive (CRD), as implemented in national law, together with the relevant European Banking Authority (EBA) guidelines – in particular, on the SREP, outsourcing and internal governance. Along with these, the ECB considered the publications of international and European standard-setting bodies on digitalisation and technology-related risks. Some consistently applied “sound practices” of SSM banks – approaches the ECB has observed to generally meet the assessment criteria – have also emerged. These are being published today at an early stage, in order to inform the supervisory dialogue on those aspects with the banks making a strategic decision to develop their digital footprint. As part of this supervisory dialogue, the ECB will discuss with institutions the ECB’s assessment criteria in terms of any possible divergences in institutions’ practices.
The assessment criteria and sound practices set out below are grouped together according to three themes: business model impact, governance and risk management. These criteria and practices may be further fine-tuned based on upcoming supervisory activities, including future targeted reviews, on-site inspections and deep dives.
Sound steering of digitalisation: key assessment criteria for institutions’ business models, governance and risk management
Institutions assessed as adequately steering digitalisation had taken the following steps:
Articles 73 and 74(1) of the CRD, as further specified by the EBA Guidelines on internal governance, require institutions to implement internal governance arrangements, processes and mechanisms to ensure effective and prudent management of the institution. In this respect, it is important for institutions to identify, assess and monitor the current and forward-looking impact of digital trends on their business environment and to ensure that any digital strategy they pursue is properly coordinated, steered and monitored.
Assessment criterion 1 : Does the institution understand the impact of digital trends on the business environment in which it operates, in the short, medium and long term, enabling it to make informed commercial and strategic decisions?
Assessment criterion 1.1
Does the institution identify, assess and document, in a comprehensive and systematic manner, the digital-related external factors impacting its business environment? These factors include the competitive landscape, policy and regulation, innovative technologies and customer preferences, also based on socio-demographic factors.
Moreover, does the institution perform a digital readiness assessment to understand its digital positioning? The digital readiness assessment entails gaining an understanding of internal factors, such as the availability of financial resources, human capital and skills, the complexity of legacy systems and the use of innovative technologies.
Assessment criterion 1.2
Does the institution understand how digitalisation affects its business environment in the short, medium and long term and does this awareness inform its business strategy process? The way that institutions strategically respond to changes in their business environment stemming from digitalisation may impact their business model over time.
Institutions therefore need to explicitly consider digital trends even if they may decide against pursuing a digital strategy. This would be reflected in institutions’ business strategy processes and demonstrated by documented management body meetings and discussions.
The ECB identified a comprehensive strengths, opportunities, weaknesses and threats (SWOT) analysis as a sound practice. For instance, some institutions organised the SWOT analysis across the following pillars to inform their digital strategies:
The ECB observed that a few institutions have a group strategy, technology and innovation department in charge of developing a trend book covering technologies, products, business models, client behaviours and competitors’ strategies. The trend book is reported to the Board of Directors and serves multiple purposes:
An additional sound practice observed by the ECB is an external market analysis accompanied by customer satisfaction measures, with dedicated input from the customer complaints team.
By analysing past patterns of complaints, this approach helped predict which changes could result in spikes in complaints. The input was considered before the development of new digital initiatives. For critical initiatives, a dedicated quality management expert from the complaints function assisted the development team. The quality management function was also often involved afterwards, reacting to unusual complaint clusters related to digital migration. For example, when introducing new automated banking terminals in branches a task force was created to address and avoid the potential increase in complaints, and improve customer experience.
This resulted in: a new design for the banking terminals, a plan for reviewing the implementation after one month, internal communication and the introduction of more terminals in high-stress branches.
Assessment criterion 2: Does the institution – based on an informed perspective – take decisions on the need to formulate a clear and well-articulated digital strategy, defining strategic objectives that are to be achieved by means of digitalisation and innovation?
The ECB has a neutral stance on the format of the digital strategy: it can be embedded in the business strategy or the IT strategy, or it can be a standalone document.
Assessment criterion 2.1
Does the institution make a clear decision on whether to formulate a digital strategy? If so, does the digital strategy set out clear strategic objectives to be achieved through the application of digital technology solutions? Clarity on digital strategic initiatives implies understanding how the use of technology can support business initiatives, ultimately boosting the performance of the institution.
A well-articulated digital strategy identifies: the key digital initiatives and their alignment with the long-term business strategy; the key technologies underlying key digital initiatives; quantitative profitability targets for key digital initiatives or, if this is not possible, an understanding of the value they generate by enabling other strategic initiatives; and a granular definition of the strategy at all the relevant levels of the institution (such as geographical areas, business lines and sectors).
The ECB observed some institutions that had a clear digital strategy embedded in their business plan. Digitalisation plays a key role in the business plan as enabler of strategic priorities.
For instance, one good practice was defining clear strategic priorities on “reinventing the customer experience” (personal banking in the digital age, with a focus on client groups that value expertise and relationships) and “building a future-proof bank” (rationalisation, digitalisation and automation further enhancing customer service, compliance and efficiency). This was underpinned by:
The ECB observed another good practice in this area: a well-articulated digital strategy based on a balance between the global vision of the executive leadership and the operational realities of the business units, tailoring the high-level priorities according to the bank’s specific activities, markets, clients and geographical coverage.
Another aspect of a well-articulated digital strategy is detail on the technologies underlying the main digital initiatives. In particular, digital initiatives are linked to the following technological areas of interest: next generation technologies and optimisation of legacy systems; the development of cloud platforms; and the use of AI for extreme automation. The engineering team is a key stakeholder in the definition of the strategic plan and is also in charge of defining the institution’s development of new architectures and innovative applications.
Assessment criterion 3: Does the institution have in place adequate financial and non-financial execution capabilities for the proper implementation of the digital strategy as defined?
Assessment criterion 3.1
Does the institution have in place a clear and robust budgeting process to support the implementation of the digital strategy and its initiatives? Clarity here implies a multi-year budgeting process, aligned with the digital strategy, assigning a level of resources commensurate with the ambition involved in the digital initiatives. Robustness requires a budgeting process specifying both the rationale for budget allocation (for instance expected pay-offs identified through cost-benefit analysis) and the mechanism for budget recalibration or adjustments, if needed.
Assessment criterion 3.2
Does the institution have in place a proper project management framework for steering the implementation of digital strategies? A proper project management framework would typically include an operational plan for executing digital initiatives, detailing timelines, milestones, roles, responsibilities and resources, and aligned with strategic objectives. The structure of such an operational plan makes it possible to gauge interdependencies across projects and to disentangle single digital initiatives, so as to facilitate their monitoring, reporting and follow-up at group level. The evaluation of digitalisation strategies should also take into account the investments made.
The ECB observed that cross-team collaboration and periodic reviews of the digital strategy help institutions to i) prioritise projects and ii) reconcile the strategic top-down view with the bottom-up and project level view. Sound project management practices include elements such as the following:
To provide an additional example, another sound practice observed was the steering of the execution of digital priorities at group level by means of a development agenda. This agenda was aimed at prioritising the allocation of human and economic resources. Resources were assigned to projects according to their impact and strategic alignment. Periodic reviews covered progress in general and on milestones, commitments and deliverables, as well as resources and budget required. There was a quarterly review of the strategic projects portfolio to decide on their prioritisation, monitor their planning and execution, and to challenge initiatives – with potential action points and reallocation of resources and required investments.
Another sound practice observed was the implementation of a new organisational model to drive the execution of digital initiatives: “digital labs”. This involves a network of miniature digital start-ups, each focused on a specific business domain (e.g. personal lending, investments, mortgages, cards or payments). Meanwhile the network retains centralised core competences (e.g. IT, digital business, design and user experience).
To gain speed and agility, each digital lab adopts agile practices and owns a portfolio of initiatives in its specific business domain. Lab initiatives are set out in lab-level operational plans that track deliverables, timelines and milestones (including user acceptance testing and product launching). Dependencies on the initiatives of other labs are also monitored. Each operational plan is accompanied by a summary of the strategic context that anchors the plan in the business strategy-related macro-initiatives and objectives.
Operational plans are dynamic as they can be continuously updated to reflect changes, such as the inclusion of new initiatives, shifts in prioritisation or delays. Adjustments are discussed in monthly lab steering meetings.
To optimise the execution of the digital lab initiatives, a few principles are followed:
As the digital strategy is embedded in the business strategy, digital initiatives are integrated in the general annual budgeting process. However, the most strategic digital initiatives carried out in the labs are funded by budget pools, achieving agility by allowing for adjustment of allocation and prioritisation.
Finally, another sound practice observed was setting up “ideation labs” for innovation purposes. Such labs are put in place to come up with a long list of potential use cases for new technologies (e.g. AI), selecting the most viable ideas for development.
The development phase employed “user experience” (UX) labs with groups of customers to test each “minimum viable product” (MVP) and incorporate feedback on features and functionality, iterating from MVP1 to MVP2 and so on until go-live. Such UX labs were also used to test even modest changes to mobile application functionalities.
Assessment criterion 4: Is the institution developing a comprehensive framework of financial and non-financial KPIs against which to monitor the implementation and execution of the digital strategy and reassess it if targets are missed?
Assessment criterion 4.1
Is the KPI framework sufficiently comprehensive to allow for the proper implementation of the digital strategy? Does the KPI framework ultimately reflect how the digital strategy is translated into measurable digitally-driven impacts (both financial and non-financial)?
An ideal set of KPIs is i) granular and multi-layered across all levels of the organisation involved in defining the digital strategy and implementing digital projects. The granularity helps reconcile the top-down strategic view with the bottom-up and project level dimensions. Moreover, an ideal framework includes ii) measurable and actionable KPIs, which are used for different levels of reporting, and iii) KPIs with clear ownership and responsibility, which are regularly monitored and reviewed.
Assessment criterion 4.2
Does the institution understand the reasons for missed KPI targets, and incorporate the lessons learnt from failed initiatives into the strategy update? In other words, if critical KPIs linked to the implementation of critical projects are missed, is the institution able to re-scope a project and feed lessons learnt into the reassessment of the strategy? A critical element is the existence of a feedback loop for incorporating those lessons learnt into new strategy development.
In terms of adequacy of the KPI process, the ECB observed that some institutions make use of a solid firm-wide KPI framework that can be easily extended to steer the implementation of the digital strategy and projects. The following are examples demonstrating the adequacy of the KPI process framework.
Regarding the comprehensiveness of the financial and non-financial KPIs framework, the ECB has observed different approaches.
The ECB also observed a few institutions starting to develop financial KPIs to monitor the profitability impact of their digital strategies and initiatives.
Articles 73 and 74(1) of the CRD, as further specified by the EBA Guidelines on internal governance, require institutions to implement internal governance arrangements, processes and mechanisms to ensure effective and prudent management of the institution.
In accordance with Article 88(1)(a) of the CRD and as specified by the EBA Guidelines on internal governance, the management body must have ultimate and overall responsibility for the institution and defines, oversees and is accountable for the implementation of the governance arrangements within the institution that ensure effective and prudent management of the institution. Furthermore, the management body should fully know and understand the legal, organisational and operational structure of the institution (“know your structure”) and ensure that it is in line with its approved business and risk strategy and risk appetite and covered by its RMF. This therefore also includes the digitalisation strategy and digital initiatives.
According to Article 91(1) of the CRD, members of the management body shall at all times be of sufficiently good repute and possess sufficient knowledge, skills and experience to perform their duties. The overall composition of the management body shall reflect an adequately broad range of experiences. The management body shall therefore possess adequate collective knowledge, skills and experience to be able to understand the institution's activities, including the main risks. This also includes the digital knowledge and skills necessary to understand the risks related to digital activities.
The role of non-executive members of the management body within an institution must be carried out in accordance with Article 88(1) of the CRD in conjunction with Article 91(8) of the CRD and in line with recital 57 of the CRD and the EBA Guidelines on internal governance. Accordingly their role should include constructively challenging the strategy of the institution and thereby contributing to its development, scrutinising the performance of management on achieving agreed objectives, satisfying themselves that financial information is accurate and that financial controls and systems of risk management are robust and defensible, scrutinising the design and implementation of the institution’s remuneration policy and providing objective views on resources, appointments and standards of conduct. This therefore requires them to challenge management on the digitalisation strategy and ensure relevant risks are covered.
With regard to third-party dependencies, the EBA Guidelines on outsourcing could provide a main reference point. Finally, the requirements under the EU’s Digital Operational Resilience Act (DORA), specifically as regards the oversight of critical information and communications technology (ICT) third-party service providers, may apply. Articles 28 to 30 indicate the need for proper oversight and an overview of contracts with critical ICT third-party service providers, information on how the institution addresses potential weaknesses and disruptions, and concentration risk assessment. These articles also state that institutions remain ultimately responsible for compliance with the regulatory requirements stemming from financial legislation.
Assessment criterion 5: Does the institution have a clear allocation of responsibilities related to digital topics in the management body, whether individual allocation to those within its management function/executives, and/or senior managers reporting to the executive management, or a dedicated centralised steering/coordination body, so as to adequately coordinate digital initiatives at group level?
The central coordination and steering could be assigned to the management body in its management function/executives or delegated to senior managers who directly report to the management body/executives.
Assessment criterion 5.1
Does the institution have central coordination and steering of digital initiatives in the form of a central coordination body, proportionate to the institution’s complexity and scope? This can also entail fully embedding digitalisation in the steering of the organisation. A central coordination body assists the whole management body in its management function with the implementation of the digital strategy, by ensuring that the Board of Directors has the right information to develop and monitor the overall digital strategy.
Assessment criterion 5.2
Does the central steering include, as a minimum, a clear and focused approach to the following aspects:
The ECB observed institutions with a dedicated team or department responsible for coordinating and steering as well as executing the digitalisation strategy and digital projects. The team or department was either within the management body or directly reporting to the management body, with clear responsibilities set also at the executive level. The coordinating unit was responsible for the roll-out of the strategy at group level and ensuring consistency between the group entities and business lines. This was facilitated by clear ownership of the digitalisation activities at all levels of the organisation in order to foster the coordination of digital activities at group level both bottom-up and top-down. This was further supported by adequate governance at the level of the regional groups and for the various business lines, in order to further roll out the strategy.
More specifically, the ECB observed those units as having responsibility for the following:
The ECB also observed some institutions where digitalisation was completely embedded in the overall strategy and organisation, with attention to digitalisation coordination, steering and reporting in all relevant areas and aspects.
Assessment criterion 6: Does the institution set up adequate monitoring processes (top-down), and define the business areas ultimately responsible for reporting on digitalisation initiatives, as well as establishing a proper reporting process (bottom-up), covering all subsidiaries and business lines?
The central coordination body is responsible for the monitoring and needs to define relevant business lines to report on the progress made.
Assessment criterion 6.1
Does the institution have in place adequate monitoring processes related to its digital strategy and, accordingly, an adequate process for reporting to the management body in its management function/at executive level with regard to digital topics? This involves defining the business area(s) ultimately responsible for the reporting. Such reporting encompasses the main findings, issues for discussion and the central body’s advice to the management body in its management function/at executive level.
If the institution has in place a suitable structured process, it will be able to adequately monitor the roll-out and execution of the digitalisation strategy and take actions and escalation measures in case KPIs are not met.
Assessment criterion 6.2
Does the institution effectively monitor the digitalisation strategy? The institution:
The ECB observed institutions with digital transformation initiatives translated into operational plans including timelines, milestones, and associated information such as objectives, roles and responsibilities. These plans were further consolidated into the overall operational plan for digitalisation in order to enhance monitoring of digital progress. Subsequent waves of innovation trigger updates on the structure for decision-making and challenging, KPIs and reporting lines.
Some institutions hold regular monitoring meetings to discuss operational plans for digital initiatives, KPIs, adjustments or delays. In particular, challenges and risks related to digitalisation are reported to the management body on a regular basis, e.g. monthly. Sometimes, a second line view on the projects and their assessment was presented as part of the risk map. The coordination/steering body can take decisions on the steering, alignment and prioritisation of the digital initiatives based on the monitoring information.
More specifically, the ECB observed institutions that ensure the following:
Assessment criterion 7: Does the institution have a management body with a supervisory function/at non-executive level that constructively challenges the management body in its management function/at executive level and that provides effective oversight for the digitalisation strategy and related risks?
The management body in its supervisory function/at non-executive level (management board supervisory function; MBSF) also oversees and challenges the digitalisation initiatives.
Assessment criterion 7.1
Does the institution have an MBSF which constructively challenges the management body in its management function/executives (management board management function; MBMF) and provides effective oversight of the MBMF, also in the context of digital topics and their related risks? The MBSF should proactively discuss and bring to the agenda digitalisation-related topics.
The ECB observed institutions where the MBSF selected the topics to be discussed with the MBMF/executives in order to assess the digitalisation strategy, request updates on the progress of the main digital projects as well as review new product approval procedures. This could also involve reviewing the evolution of the training of MBMF/executives on digital transformation.
In addition to the agenda put forward by the MBSF, some banks also organise a dedicated Q&A session between the MBSF and MBMF on digitalisation, for example on a bi-monthly basis.
The ECB also observed that most banks have a specific digital committee at MBSF level.
Assessment criterion 8: Does the institution provide internal control functions with a strong role in the digitalisation strategy process, the NPAP and ongoing business operations, while ensuring their independence?
It is a sound practice for Internal Control Functions (ICFs) to be involved in approving the digitalisation strategy, new products or significant changes to existing products, processes and systems as well as ongoing risk assessments, in order to also include the impact of digitalisation-related risks.
Assessment criterion 8.1
Does the institution ensure that ICFs have a strong role in the strategy process and new product approval/review processes, as well as ongoing business operations, in order to take into account risk dimensions in digitalisation-related decision-making, while fully respecting the independence of the ICFs?
In particular, it is sound practice for the compliance function and risk management function to be involved in approving the digitalisation strategy, new products or significant changes to existing products, processes and systems, according to their respective mandates.
Assessment criterion 8.2
Does the institution carry out a full and objective assessment of the risks arising from new activities under a variety of scenarios, and of the ability of the institution to manage and control any new risks effectively?
ICFs need direct access and/or to report directly to the management body (both its management and its supervisory function). The management body needs to be kept properly informed by the ICFs, and receive reports on any major deficiencies and risks identified in relation to digitalisation, with recommendations and corrective measures to be taken.
The ECB observed institutions where the risk dimension is an integral part of the digitalisation strategy-setting and of any decision to change the strategy, the new product approval procedures for digital products or services and the monitoring of digital activities. This includes the ICFs already having a strong role in the digital strategy-setting phase, sometimes with a veto or decision-making power. For some institutions, more specifically, the chief risk officer (CRO) is part of the strategy-setting phase and ICFs are involved in all phases of the design and roll-out of the digitalisation strategy.
At a few banks, a dedicated risk workstream complemented business line and operational workstreams in the strategy-setting process and conducted a holistic risk assessment of the digital strategy towards the end of the process. The compliance function supported this by identifying specific regulatory issues which could – and eventually did – cause delays.
The ECB has also observed banks which specifically mention digitalisation topics in their reporting to the MBSF from the ICFs, or in special digitalisation risk reports that are submitted to the decision-making bodies at a pre-defined frequency. Here the information is shared both bottom-up and also top-down, as the management body subsequently reports back to the ICFs on the decisions taken.
Assessment criterion 9: Does the institution embed digitalisation in its risk culture (e.g. tone from the top, incentives, risk accountability, culture of challenge) both top-down and bottom-up, including the communication on strategy and risks, creating awareness and fostering knowledge?
Assessment criterion 9.1
Does the institution’s management body foster a risk culture which also includes technological advancements within the organisation? The following are indicators of fostering an appropriate risk culture.
To achieve this, institutions ensure full alignment of behaviours within the different units of the organisation – clear and open communication on decision-making processes as well as a “culture of challenge” are of utmost importance.
Assessment criterion 9.2
Does the institution make sure that the financial and non-financial incentives of people working on digitalisation also take into account the implications of digitalisation developments on the internal controls of the bank?
The ECB observed institutions with specific teams or innovation labs to test and roll out digital projects or ideas. This can also foster the use of innovative technologies by employees, for example by testing and using a chatbot for internal use or a specific AI application for administrative purposes. This helps employees engage with innovative technologies and better understand their capabilities and potential risks from first-hand experience.
Some institutions have dedicated programmes designed to nurture internal innovation. Through these programmes, every employee has the opportunity to showcase their innovative ideas and solutions. Examples are challenges and contests where employees can present their initiatives, creating a culture of innovation and engagement, and which also raise awareness of risks. Another example is hackathons that offer employees a dedicated period to dive deeper into problem-solving on a specific opportunity, e.g. a new customer experience or back-end optimisation. Typically, the winning ideas get a chance to be implemented in innovation labs or development hubs. The experience with innovative technologies is also intended to enhance awareness of risks related to data input and output, bias, etc.
Cross-cutting governance committees chaired by the chief executive officer (CEO) and with members from various levels and business units also foster innovation throughout the organisation. This was seen specifically in some cases where the institution involved staff from all layers of the organisation in further spreading the innovation agenda and rolling out innovations in their business areas. This also prevents a silo approach and ensures accountability.
Assessment criterion 10: Does the institution ensure insight into and monitoring of critical dependencies, interdependencies and third-party relationships, and not only of outsourcing, on an ongoing basis?
Assessment criterion 10.1
Does the institution ensure the monitoring of critical dependencies, interdependencies and third-party relationships on an ongoing basis? This would encompass the following activities:
The ECB observed institutions with a high-level sourcing strategy for all the material technology applications and projects. In addition, some institutions have a detailed overview with a mapping of all third-party service providers. For a few banks these providers have also already been assessed and ranked based on their criticality and importance, for example based on relevance for front and back office operations or customer relations.
Some banks have in place adequate controls and appropriate oversight measures to ensure that the processes outsourced or otherwise handled by third-party providers are aligned with the risk profile of the bank and its self-assessment of the risk level. The ECB also observed other sound practices for fostering adequate control in this area, such as:
Finally, the ECB observed some banks assessing the impact on the risk profile and keeping track of the impact on compliance aspects.
Article 74(1) of the CRD requires institutions to have robust governance arrangements in place. These include: a clear organisational structure with well defined, transparent and consistent lines of responsibility; effective processes to identify, manage, monitor and report the risks they are or might be exposed to; adequate internal control mechanisms, including sound administration and accounting procedures; and remuneration policies and practices that are consistent with and promote sound and effective risk management. This requirement therefore also includes digitalisation-related risks, and an assessment of how digitalisation is impacting the risk profile.
Article 76(1) of the CRD provides that the management body is to approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the institution is or might be exposed to, among other things. Such policies and processes in respect of digitalisation activities and related risks, also including all relevant financial and non-financial risks, are to cover the identification, management, monitoring and mitigation of those risks.
Assessment criterion 11: Does the institution run a detailed impact review of traditional and non-traditional risk dimensions during the digital strategy-setting process and the NPAP as well as during the execution of its digital strategy?
Assessment criterion 11.1
Does the institution run a detailed impact review of all financial and non-financial risk dimensions during the digitalisation strategy-setting and execution process (including credit, liquidity, market and operational risks, anti-money laundering (AML)/fraud governance, reputational impact and capital impact) covering risks arising from digitalisation? This is a comprehensive process not restricted to IT/cyber risk and operational risks.
A similar assessment should be performed as part of the NPAP and when there are amendments to the digitalisation strategy.
The ECB has observed banks running an assessment of all financial and non-financial risks such as credit, market, operational and reputational risks as well as capital and liquidity impact, with a detailed overview of how these could be affected by digitalisation.
The ECB observed banks with specific processes – in line with the general procedures above – to identify and assess new risks (i.e. risks that the bank does not already consider) arising from digitalisation and the implementation of innovative technologies: AI, cloud computing, distributed ledger technologies (DLT) and application programming interfaces (APIs). The ECB has observed some detailed risk maps and overviews indicating, for each risk area, how it could be affected by the digital strategy. The same is done for the launch of new digital products and services.
One bank’s multi-year financial planning considered an idiosyncratic adverse scenario in which the risks of its digital transformation strategy “going wrong” were identified: (i) employees (high levels of uncertainty may lead to human resource risks and attrition); (ii) postponement of IT architecture modernisation and implementation of new digital features (leading to higher costs); (iii) consequent operational instability, combined with pricing measures and dissatisfaction with the new support model, which might lead to loss of reputation, earnings and customers. The total impact of this adverse scenario was presented for each stage of the plan, also drilling down to identify which business lines would be most affected.
Some banks also closely involve the second and third lines of defence in order to cover all risks related to digitalisation. The ECB has observed a sound practice whereby the NPAP covering new digital services requires a specific opinion and authorisation from the AML function.
Assessment criterion 12: Does the institution have in place a data governance process to support data-driven digitalisation initiatives?
This includes a review of the availability of data relevant for digitalisation and for supporting such activities.
Assessment criterion 12.1
Are the sound data governance practices set out in Chapter 3.2 of the ECB Guide on effective risk data aggregation and risk reporting applied to data-driven digital activities, as well as to data generated by digital means? Are they applied based on criteria identified by the bank, taking into consideration its digitalisation strategy and the nature, scale, complexity and risk profile of its operations? More specifically, do institutions have in place a data governance framework to support data-driven digitalisation activities, with clearly defined roles and responsibilities? This data governance framework defines, among other things, the responsibilities of data owners and the policies and processes for data lineage and independent validation, to ensure the availability and quality of the data within the data governance framework as defined by the bank. In this regard, the bank reviews the availability of data to measure digitalisation and related risks, and to be able to produce timely and accurate reporting to the Board of Directors, also independently of the relevant business area, which is the first line of defence.
Assessment criterion 12.2
Are the digitalisation plans aligned with the bank’s ability to maintain, capture and exploit data both resulting from digital activities and benefiting them? Do its digitalisation strategies consider the impact on risk data aggregation capabilities, also in light of already existing risk data aggregation and risk reporting (RDARR) weaknesses?
The ECB observed banks increasingly updating their data governance frameworks to foster data-driven decisions also with respect to digitalisation initiatives. In particular some banks have:
Furthermore, the ECB observed one example where the data office was part of the digital office in order to ensure synergies.
Assessment criterion 13: Does the institution assess and update the risk map and relevant risk metrics in all risk dimensions, and review and adapt the suitability of existing risk models in view of digitalisation?
Assessment criterion 13.1
Does the institution assess and update the risk map and relevant risk metrics to reflect changes in all potentially relevant risk dimensions (for example business model, liquidity, credit risk, operational risk, market risk, IRRBB, governance, AML/fraud)? Does the institution review and, where necessary, adapt the suitability of existing risk models – including interest rate risk in the banking book (IRRBB) models, early warning systems (EWS), stress tests and scoring models – in response to changed customer behaviour or shifts in business processes resulting from digitalisation and the use of innovative technologies?
The ECB observed sound practices such as a new risk map of risk metrics related to digitalisation. These maps evolve in order to incorporate new challenges and initiatives but also new risk assessment conclusions. Specific metrics could be defined for example for AI or third-party reliance. These maps include a definition of qualitative risk tolerance and the identification of suitable metrics, in order to mitigate risks related to technology innovation and use of new technologies.
One example is the development of new credit risk models across the credit risk lifecycle that take digital channels into account, using customer and digital sales information specific to those channels and to the relevant business units or subsidiaries. These models can be fed with data sources specific to digital channels. Digital parameters (e.g. digital rather than physical branch origination) are also being explored as a risk driver for capital calculations.
Further metrics observed are related to IT and digital transformation risk, digital assets and to monitor specific risks e.g. in relation to AI.
Some banks have also been developing new credit risk models for origination in the open market (acquisition scorecards, behavioural scores for pre-approved limits and income estimation models) and have assigned a specific capital add-on as a result of the change in the risk mapping. The ECB also observed institutions where new products or instruments cannot be introduced without the model validation function confirming ex ante that any impact on existing models has been validated.
At one institution, an indicator framework allowing early detection of social media threats, media tonality, etc. has been introduced. Such early warning indicators are closely monitored and linked to the crisis governance framework. For some institutions, developing various threat scenarios helps identify specific risks.
Assessment criterion 14.1
Do institutions review the RAF, RMF and KRIs defined ex ante to ensure they adequately cover digitalisation-related risks? Do they adapt them if needed, for example by defining suitable KRIs to capture new or altered risks related to digitalisation (where the risk is measurable)? Both quantitative and qualitative indicators can be used in the RAF to sufficiently cover risks which are not easily measurable, such as non-financial risks including digitalisation/IT-related risks. The institution reviews and, if necessary, updates existing KRIs to capture a change in sensitivity related to digitalisation. This also includes the definition of “red flags” or “early warnings”, i.e. thresholds that trigger decisions on mitigating measures.
The ECB observed institutions considering the need to update their RAF and RMF in view of the impact of digitalisation, and in order to add new digital-related metrics and review risk tolerance. The ECB also observed banks including digital metrics in the RAF and reviewing them on a regular (e.g. annual) basis. The review included changes in the risk tolerance (e.g. related to economic capital and exposures to consumer-related credit risk), mostly in relation to changes in the digital environment and cyber threats with implications for the digitalisation of processes, services and products. The ECB observed banks setting thresholds for specific risks, e.g. percentage of critical applications run on external services as a threshold for third-party risk.
With regard to KRIs, the ECB has observed sound practices at some banks on the implementation of KRIs. These practices involve measuring risks affected by digitalisation in parallel with the risk identification process (business continuity, vulnerabilities, critical service providers, cyber controls, AML and fraud). Another sound practice links these KRIs, for example, to digital customers, application activities, or the percentage of systems operating in the cloud. Best practice is to also align the KRI development process with any necessary update of the RAF/RMF.
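As an added illustration of the third-party mapping described under assessment criterion 10.1 and the KRI thresholds described under assessment criterion 14.1 (this is example code, not from the ECB guide or from any institution; the application inventory, provider names and threshold values are constructed and hypothetical), the following Python computes the two indicators the text names, the share of critical applications run on external services and the share of systems operating in the cloud, adds a provider concentration indicator, ranks providers by how many critical applications they run, and classifies each indicator against early-warning and red-flag thresholds of the kind a RAF would define:

```python
"""Evaluate digitalisation KRIs against risk appetite thresholds.

Added example. The inventory, provider names and thresholds below are
constructed and hypothetical; they are not taken from the ECB guide or
from any institution.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Application:
    name: str
    critical: bool   # ranked critical (front/back office or customer-facing)
    hosting: str     # "internal", "external" (run by a third party) or "cloud"
    provider: str    # "" when run in-house


# Constructed sample inventory (hypothetical application and provider names).
INVENTORY: List[Application] = [
    Application("core_banking", True, "internal", ""),
    Application("mobile_app_backend", True, "cloud", "CloudCo"),
    Application("payments_gateway", True, "external", "PayVendor"),
    Application("kyc_screening", True, "external", "ScreenCo"),
    Application("data_lake", True, "cloud", "CloudCo"),
    Application("hr_portal", False, "cloud", "CloudCo"),
    Application("intranet_wiki", False, "internal", ""),
    Application("ci_pipeline", False, "cloud", "CloudCo"),
    Application("treasury_system", True, "internal", ""),
    Application("internal_chatbot", False, "external", "BotCo"),
]

# Hypothetical RAF thresholds as fractions: (early warning, red flag).
THRESHOLDS: Dict[str, Tuple[float, float]] = {
    "critical_apps_on_external_services": (0.30, 0.50),
    "systems_in_cloud": (0.40, 0.60),
    "critical_apps_at_single_provider": (0.25, 0.40),
}


def provider_criticality(inventory: List[Application]) -> List[Tuple[str, int]]:
    """Map each third-party provider to the number of critical applications
    it runs, ranked from highest to lowest critical exposure."""
    counts: Dict[str, int] = {}
    for app in inventory:
        if app.provider and app.critical:
            counts[app.provider] = counts.get(app.provider, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def compute_kris(inventory: List[Application]) -> Dict[str, float]:
    """Compute the three indicators as fractions in [0, 1].

    An empty inventory (or one with no critical applications) yields 0.0
    rather than a division error, so the evaluation still produces output."""
    total = len(inventory)
    critical = [a for a in inventory if a.critical]
    crit_n = len(critical)
    external_critical = [a for a in critical if a.hosting in ("external", "cloud")]
    cloud = [a for a in inventory if a.hosting == "cloud"]
    ranked = provider_criticality(inventory)
    top_provider = ranked[0][1] if ranked else 0
    return {
        "critical_apps_on_external_services": len(external_critical) / crit_n if crit_n else 0.0,
        "systems_in_cloud": len(cloud) / total if total else 0.0,
        "critical_apps_at_single_provider": top_provider / crit_n if crit_n else 0.0,
    }


def evaluate(kris: Dict[str, float], thresholds: Dict[str, Tuple[float, float]]) -> Dict[str, str]:
    """Classify each KRI as green, early_warning or red_flag against its thresholds."""
    status: Dict[str, str] = {}
    for name, value in kris.items():
        warn, red = thresholds[name]
        if value >= red:
            status[name] = "red_flag"
        elif value >= warn:
            status[name] = "early_warning"
        else:
            status[name] = "green"
    return status


if __name__ == "__main__":
    kris = compute_kris(INVENTORY)
    for name, state in evaluate(kris, THRESHOLDS).items():
        print(f"{name:40s} {kris[name]:6.1%}  {state}")
    print("provider exposure (critical apps per provider):", provider_criticality(INVENTORY))
```

On the constructed inventory, four of the six critical applications run outside the bank, so the third-party indicator breaches the red-flag threshold, while the cloud share and the CloudCo concentration sit at their early-warning levels; the ranked provider list is the mapping that criterion 10.1 expects to exist before such thresholds can be applied.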
In the context of the digital risk framework, the ECB observed institutions where:
© European Central Bank, 2024
Postal address 60640 Frankfurt am Main, Germany Telephone +49 69 1344 0 Website www.ecb.europa.eu
All rights reserved. Reproduction for educational and non-commercial purposes is permitted provided that the source is acknowledged.
For specific terminology please refer to the ECB glossary (available in English only).
PDF ISBN 978-92-899-6789-1, doi:10.2866/681424 QB-05-24-468-EN-N HTML ISBN 978-92-899-6788-4, doi:10.2866/136159 QB-05-24-468-EN-Q
Fostering sustainable and responsible corporate behaviour for a just transition towards a sustainable economy.
On 23 February 2022, the European Commission adopted a proposal for a Directive on corporate sustainability due diligence. On 24 May 2024 the Council of the European Union approved the political agreement, thereby completing the adoption process. The aim of this Directive is to foster sustainable and responsible corporate behaviour in companies’ operations and across their global value chains. The new rules will ensure that companies in scope identify and address adverse human rights and environmental impacts of their actions inside and outside Europe.
This Directive establishes a corporate due diligence duty . The core elements of this duty are identifying and addressing potential and actual adverse human rights and environmental impacts in the company’s own operations, their subsidiaries and, where related to their value chain(s), those of their business partners. In addition, the Directive sets out an obligation for large companies to adopt and put into effect, through best efforts, a transition plan for climate change mitigation aligned with the 2050 climate neutrality objective of the Paris Agreement as well as intermediate targets under the European Climate Law.
Large EU limited liability companies and partnerships: approximately 6,000 companies with more than 1,000 employees and more than EUR 450 million net turnover worldwide.
Large non-EU companies: approximately 900 companies with more than EUR 450 million net turnover generated in the EU.
The Directive contains provisions to facilitate compliance and limit the burden on companies, both in scope and in the value chain.
Micro companies and SMEs are not covered by the proposed rules. However, the Directive provides supporting and protective measures for SMEs, which could be indirectly affected as business partners in value chains.
Businesses will have to bear:
The rules on corporate sustainability due diligence will be enforced through:
The Directive will contribute to the just transition to a sustainable economy, in which businesses play a key role.
A broad range of stakeholder groups, including civil society representatives, EU citizens, businesses as well as business associations, have been calling for mandatory due diligence rules. 70% of the businesses who responded to the public consultation sent a clear message: EU action on corporate sustainability due diligence is needed.
A third of companies recognised the need to act and are taking measures to address adverse effects of their actions on human rights or the environment, but progress is slow and uneven. The increasing complexity and global nature of value chains makes it challenging for companies to get reliable information on business partners’ operations. The fragmentation of national rules on corporate, sustainability-related due diligence obligations further slows down the take-up of good practices. Stand-alone measures by some Member States are not enough to help companies exploit their full potential and act sustainably.
EU rules will provide a uniform legal framework and ensure a level playing field for companies across the EU Single Market. Such rules will also foster international competitiveness, increase innovation and ensure legal certainty for companies addressing sustainability impacts. The Directive will steer businesses towards responsible behaviour and could become a new global standard with regard to mandatory environmental and human rights due diligence.
The Directive will enter into force 20 days after its publication in the Official Journal of the European Union. Member States will have two years to transpose the Directive into national law and communicate the relevant texts to the Commission. One year later, the rules will start to apply to companies, with a gradual phase-in between 3 and 5 years after entry into force.
A set of guidelines to be issued by the Commission will help companies to conduct due diligence.
Sustainable corporate governance consultation
The first step in building a risk management plan is to conduct an initial risk assessment. What sets a strategic risk assessment apart from other risk assessment methods is that it is driven by the business's core strategies. Get up to speed on strategic risk assessment with a checklist, template, and examples below.
Risk assessment stands as a cornerstone in strategic business decision-making.
What are Risk Assessment Examples? Risk assessment examples, varying widely across industries and contexts, illustrate the diverse applications of risk assessment in identifying, analyzing, and addressing potential risks to individuals, organizations, and the broader community. Understanding how to implement risk assessments through practical examples is crucial for businesses to protect their ...
What is Risk Analysis? Risk analysis is a multi-step process aimed at mitigating the impact of risks on business operations. Leaders from different industries use risk analysis to ensure that all aspects of the business are protected from potential threats. Performing regular risk analysis also minimizes the vulnerability of the business to unexpected events.
A business risk assessment matrix, sometimes called a probability and impact matrix, is a tool you can use to assess and prioritize different types of risks based on their likelihood (probability) and potential damage (impact). Here's a step-by-step process to create one: Step 1: Begin by listing out your risks.
The assessment is not 100% accurate when it comes to judging your level of risk. A small business risk analysis gives you a picture of the possible outcomes your business decisions could have. Use the following steps to do a financial risk assessment. Step 1: Identify risks. The first step to managing business risks is to identify what ...
Risk assessment is one of the major components of a risk analysis. Risk analysis is a process with multiple steps that intends to identify and analyze all of the potential risks and issues that are detrimental to the business or enterprise.
Find out what a business risk assessment is, why you need one, what types of risks to consider and how to mitigate your risk.
How to write a risk assessment, the type of risk assessments you will need and the importance of taking business risk seriously.
The Business Continuity Risk Assessment aims to identify, analyze and evaluate the risks of disruption to a business. This means analyzing threats and existing safeguards to determine the residual level of risk to your business.
Need to create a risk management plan? Use this step-by-step process to find, analyze, and monitor risks throughout a project.
Some examples of risk management strategies include leveraging existing frameworks and best practices, minimum viable product (MVP) development, contingency planning, root cause analysis and lessons learned, built-in buffers, risk-reward analysis, and third-party risk assessments.
Find out what risk analysis in business is and how it works. Learn how to create your own action plan to target and plan for risks.
Cyber risk is a form of business risk. More specifically, it's the potential for business losses of all kinds in the digital domain—financial, reputational, operational, productivity related, and regulatory related. While cyber risk originates from threats in the digital realm, it can also cause losses in the physical world, such as damage ...
Learn how to identify and manage 11 common types of business risks, with definitions and examples, to help your organization achieve its goals.
Learn how to create a project risk management plan, and find tips from experts, step-by-step instructions, and an example plan.
Use our template to assess and mitigate risks to your business and create a risk management plan that's tailored for you.
How to manage the TOP 50 BUSINESS RISKS. All businesses face risks around strategy, profits, compliance, environment, health and safety and so on. Download this free Business Risk Register.
Risk assessment matrices help you plan and strategize before you deploy your projects, especially in compliance-related fields.
A risk assessment is the process of identifying health and safety risks within a business, evaluating who this risk might affect, how significant the risk is and taking the necessary steps to control the risk. The government recommends that every business, regardless of its sector, complete a risk assessment at least once a year.
Business Plan Risks Analysis, Problem, Challenging Factors and Mitigation Strategies. What is a major example of critical risk in a business plan? Every business is prone to facing certain business risks, which might appear very critical in the real world.
Identifying the problems and risks that must be dealt with during the development and growth of the company is expected in the business plan. These risks may include any risk related to the industry, risk related to the company, and risk related to its employees. The company should also take into consideration the market appeal of the company ...
Simply put, a risk management plan is a comprehensive strategy that identifies and analyzes potential risks to a business or organization and devises solutions to minimize or avoid them, maximizing the probability of success or reaching organizational goals.
Discover practical steps, templates, and examples for effective risk management that can help project managers lead with confidence.
13+ SAMPLE Risk Assessment Plan in PDF | MS Word. Risk assessment is the method of identifying potential risks inside an organization and developing strategies to minimize or eliminate them. A well-designed system contributes to the safety of employees while also safeguarding business assets. When considering why risk assessment is necessary ...
4. Perform a risk assessment and identify critical control points. Examine the potential hazards that could arise during the manufacturing process. Please keep track of the hazard analysis and risk categories for the target products, their ingredients, and the dangers throughout the product food chain.
How to Run a Cybersecurity Risk Assessment in 5 Steps. Though cybersecurity is on every executive's checklist today, most struggle with growing compliance burdens ...
At a few banks, a dedicated risk workstream complemented business line and operational workstreams in the strategy-setting process and conducted a holistic risk assessment of the digital strategy towards the end of the process.