Risks are everywhere. It is easy to perceive and accept their presence. In another post, I wrote about the multiple applications of risk management, giving examples of where risks may occur, regardless of your company’s business activity or which department you work in. However, in this post, I want to introduce you to a practical guide that consists of 12 steps for you to create a risk plan.

This way, in addition to perceiving the risks, you can also address them, so that small risks do not turn into major concerns for you.

But first, a quick review.

Risk is the effect (positive or negative) of an event or series of events that take place in one or several locations. It is calculated based on the probability of the event becoming an issue and the impact it would have. Various factors should be identified in order to analyze risk, including:

Event: What could happen?

Probability: How likely is it to happen?

Impact: How bad will it be if it happens?

Mitigation: How can you reduce the Probability (and by how much)?

Contingency: How can you reduce the Impact (and by how much)?

Creating a complete risk plan

With these concepts in mind, let’s look at the 12 steps that will help you to create a risk management plan to address any risk in your organization.

1 – Define your scope

As we have seen, risks are present in many areas of an organization. Therefore, you need to define the scope of your risk plan. Am I going to evaluate the risks of a project? Of a process? From a list of assets? Or from my strategic planning?

2 – Get input from others

Brainstorm risks. Get several people together that are familiar with the project and ask for input on what could happen, how to help prevent these events, and what to do if an event does happen. Take a lot of notes! You will use the output of this very important session several times during the following steps.

3 – Identify risks and consequences

List the risks and associate each risk with its consequences. Be as specific as possible with each one. “Depletion of resources” is not as desirable as “Missing half of the raw material for completion of the activity.” If there is a monetary value, list it.

4 – Identify controls for each risk

Controls are activities, procedures or mechanisms that, if implemented, can affect a risk, changing its probability or its impact. Identify the controls now and consider them during our risk assessment.

5 – Assign probability

For each risk element on your list, determine if the likelihood of the risk actually materializing is High, Medium or Low. (This is just an example, you can create your own range according your needs.)

6 – Assign impact

In general, assign Impact as High, Medium or Low based on pre-established guidelines. If you absolutely have to use numbers, then calculate Impact on a scale as well.

plano de riscos

7 – Determine the risk level

A table is oftentimes used for this, but using software is much better! If you have used the Low, Medium and High values for Probability and Impact, a simple table is most useful. If you have used numeric values, you will need to consider a bit more of a complex rating system (much easier done with software). It is important to note that there is no universal formula for combining Probability and Impact; it will vary between companies and projects

8 – Rank the risks

List all the elements you have identified from the highest risk to the lowest risk.

9 – Develop mitigation and contingency strategies

Mitigation is designed to reduce the probability that a risk will materialize. Contingency is designed to reduce the impact if a risk does materialize. You will usually only develop mitigation and contingencies for High and Medium elements. You might want to mitigate low risk items, but certainly address the other ones first.

10 – Analyze the effectiveness of the strategies

How much have you reduced the Probability and Impact? Evaluate your Contingency and Mitigation strategies and reassign the ratings to your risks.

11 – Compute your residual risk

After the contingency and mitigation plans were applied, has the evaluation improved? This means that you have attained a reduction in your risk and that it is now within an acceptable level.

12 – Monitor your risks

Now that you know what your risks are, you need to determine how you’ll know if they materialize so you’ll know when and if you should put your contingencies in place. Indicators with triggers and alerts can help with this. Do this for each one of your High and Medium risk elements. Then, as your project progresses, you will be able to determine if a risk element has become an issue.

There! That wasn’t so hard, was it? With these 12 steps, you have an excellent basis for your risk plan. However, as I said, I have only given an introduction to the topic. You can get more details about each step in the eBook: How to develop a risk management plan in 12 practical steps.

Download the eBook now!

Tobias Schroeder


Tobias Schroeder

MBA in Strategic Management from UFPR. Business and market analyst at SoftExpert, a software provider for enterprise-wide business processes automation, improvement, compliance management and corporate governance.

You might also like:

Get free content in your inbox!

Subscribe to our Newsletter and get content about corporate management's best practices produced by specialists.

By clicking the button below, you confirm that you have read and accept our Privacy Policy.