Only those who risk going too far can possibly find out how far they can go.

T.S. Eliot

Risk management

The activities involved in risk management are the same as those in strategic risk management; only the scope of the potential threats differs.  Here we provide a reminder of what these activities are, as we often find that organisations choose to adopt different and inconsistent definitions.  The definitions here are aligned with international standards for risk management.

The first activity is to define the scope of the risk problem and the particular objectives that could be threatened.  ‘Strategic risk management’ requires the scope to be defined as all potential threats to an organisation’s objectives.  More commonly the scope is limited to the objectives of a specific undertaking of the organisation, i.e. a project, process, or activity.

The second activity is to identify what can go wrong.  Specifically, all potential threats to the objectives being considered should be identified.

The third activity is to estimate how bad these threats could be.  In particular we consider how big the impact could be and how likely it is that this impact will be realised.  If good historical data is available, it may be possible to quantify these risks, but often there is little data, and in such cases semi-quantitative or qualitative schemes may be used.

The fourth activity is to evaluate whether or not something needs to be done about the risks that have been identified. This involves comparing the results of the risk estimates against some pre-defined criteria that define what organisational response is required.  These criteria may be defined by regulation or reflect the organisation’s ‘risk appetite’.

The fifth and final activity is to capture the organisational response to the risks in a plan for action. The actions captured in this plan should be assigned to named individuals and should have specific dates for implementation.  As the diagram illustrates:

  • Risk Analysis involves activities 1 to 3, and tells us "What risks and how big?"
  • Risk Assessment involves activities 1 to 4, and tells us "Do we need to do something about the risks?"
  • Risk Management involves activities 1 to 5, and tells us "What are we doing to manage the risks?"


