At most organizations today, risk management is the subject of a great deal of talk but little action. For companies that are ready to move beyond the discussion phase, there is a proven seven-step process they can follow to truly reduce their risks and safeguard their future.
[Related: BCM Basics: The 5 Types of Risk and How to Mitigate Them]
How Most Risk Programs Fall Short
In the corporate world today, risk management holds a special place. Due to the unusually challenging nature of the current business environment, few topics are talked about more. Unfortunately, this conversation is rarely matched with effective action. The risk management effort at most organizations is superficial at best.
Few companies conduct systematic risk assessments. Few managers can tell you what the top three or five risks facing their organizations are. And the most common response leaders give when asked what risk mitigation controls they have in place is, “I have no clue.”
We do find quite a few companies that have put together and circulate spreadsheets listing the top 15 or 20 risks they face. This is better than nothing but a long way from being an effective risk management program.
What Effective Risk Management Looks Like
A much smaller but very inspiring group of organizations has learned to do risk management the right way. These organizations have active risk management steering committees and conduct systematic assessments of the risks they face. They routinely identify the top five or seven risks confronting the company and evaluate the controls the organization has in place to mitigate them.
Once they have a handle on their top risks, they identify the organization’s residual risk and get senior management to indicate its level of risk tolerance. Finally, these organizations employ some combination of the four main risk management strategies to keep the residual risk within acceptable levels.
This approach reflects the method MHA Consulting uses to manage risk for our clients. It is an option available to any organization willing to make a sustained though fairly modest effort to protect its future.
A Practical 7-Step Process for Managing Risk
MHA Consulting’s experience in risk reduction consulting and risk management program implementation is both broad and deep. Here is the process we use in helping our clients manage their risks.
Step 1: Establish a Cross-Functional Risk Team
Form a small, knowledgeable group responsible for managing risk. You could call it the Enterprise Risk Management (ERM) group or committee or even just the risk team. Include a mix of senior leaders and operational personnel who understand how the organization actually functions. This group will be responsible for identifying, assessing, and managing risk on an ongoing basis.
Step 2: Define the Scope of Your Organization
Step back and look at the organization from an enterprise perspective. Understand what you do, how you operate, where you operate, and what you depend on, including third parties. This assessment doesn’t need to be overly detailed. The goal is to establish a clear, high-level picture of your operational footprint and the scope of the risks you face.
Step 3: Identify Your Key Risks
Once you’ve defined the context in which you’re operating, identify the most significant risks facing the organization. Focus on a manageable number of risks, say, 10 to 15. Consider a broad range of threats, including natural events, technology failures, cyber incidents, human factors, supply chain disruptions, and geopolitical or economic risks.
Step 4: Assess Risk Impact, Likelihood, and Existing Controls
For each identified risk, evaluate three things: impact (how severe the consequences would be), likelihood (how probable the event is), and current mitigation controls (what protections are already in place). Score impact and likelihood using a simple scale (e.g., 1–5). Then rate how effective your existing controls are at reducing each risk. The result is your residual risk: the level of risk that remains after the existing controls are taken into account.
Step 5: Define Risk Tolerance and Prioritize
Work with senior management to define its risk tolerance, that is, how much risk the organization is willing to accept. Knowing your leadership’s risk tolerance enables you to make informed decisions about where to invest your time and resources. Referencing your organization’s residual risk and declared risk tolerance, narrow your focus to the five or seven most critical risks.
Step 6: Develop Practical Risk Mitigation Plans
For each priority risk, define a clear strategy using the four standard risk mitigation responses. These are: risk acceptance (deciding to live with the risk), risk avoidance (stepping away from the activity that creates the risk), risk limitation (taking steps to reduce the likelihood or impact of the risk), and risk transference (shifting the risk to a third party, such as through insurance or outsourcing). Then translate those strategies into specific, actionable mitigation plans.
Step 7: Implement, Assign Ownership, and Monitor Progress
This is where most organizations fail. Each mitigation action must have: a clearly assigned owner, a responsible department, and defined timelines and milestones. Break execution down across functional areas (e.g., IT, facilities, HR, compliance), with accountability flowing back to the central risk team. Track progress, reassess risks periodically, and adjust controls as needed.
These steps outline a process any organization can follow to move from simply talking about risk to actively managing and reducing it.
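The scoring in Steps 4 through 7 is easy to do in a spreadsheet, but a small risk register in code makes the arithmetic and the accountability check explicit. The following is an added example, not MHA's tooling or BCMMETRICS. It assumes a scoring convention the article does not prescribe: inherent risk is impact multiplied by likelihood on 1–5 scales, control effectiveness is a 0.0–1.0 fraction of inherent risk removed, residual risk is inherent risk scaled by what the controls leave behind, and risk tolerance is a residual-score threshold set by senior management. The register entries, owners, and dates are constructed sample data.

```python
"""Minimal risk register for Steps 3-7 of the process described above.

Added example. Assumed conventions (not stated in the article):
- inherent risk  = impact x likelihood, each scored 1-5 (range 1-25)
- control_effectiveness is a 0.0-1.0 fraction of inherent risk removed
- residual risk  = inherent x (1 - control_effectiveness)
- tolerance is a residual-score threshold set by senior management
"""
from dataclasses import dataclass
from typing import Optional

# The four standard responses from Step 6.
VALID_STRATEGIES = {"accept", "avoid", "limit", "transfer"}


@dataclass
class Risk:
    name: str
    impact: int                   # 1-5
    likelihood: int               # 1-5
    control_effectiveness: float  # 0.0-1.0, assumed scale
    strategy: Optional[str] = None
    owner: Optional[str] = None
    due: Optional[str] = None     # ISO date of the first milestone

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scales before they skew the ranking.
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError(f"{self.name}: impact and likelihood must be 1-5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be 0.0-1.0")
        if self.strategy is not None and self.strategy not in VALID_STRATEGIES:
            raise ValueError(f"{self.name}: strategy must be one of {sorted(VALID_STRATEGIES)}")

    @property
    def inherent(self) -> int:
        return self.impact * self.likelihood

    @property
    def residual(self) -> float:
        return round(self.inherent * (1.0 - self.control_effectiveness), 1)


def prioritize(risks: list[Risk], tolerance: float, top_n: int = 5) -> list[Risk]:
    """Step 5: keep only risks whose residual exceeds tolerance, ranked highest first."""
    over = [r for r in risks if r.residual > tolerance]
    return sorted(over, key=lambda r: (-r.residual, -r.impact, r.name))[:top_n]


def plan_gaps(risks: list[Risk], tolerance: float) -> dict[str, list[str]]:
    """Step 7 check: priority risks still missing a strategy, an owner, or a milestone."""
    gaps: dict[str, list[str]] = {}
    for r in risks:
        if r.residual <= tolerance:
            continue
        missing = [f for f in ("strategy", "owner", "due") if getattr(r, f) is None]
        if missing:
            gaps[r.name] = missing
    return gaps


# Constructed sample register (hypothetical scores, owners and dates).
REGISTER = [
    Risk("Ransomware on corporate IT", 5, 4, 0.5, "limit", "CISO", "2025-06-30"),
    Risk("Primary data center power loss", 5, 2, 0.7, "limit", "Facilities", "2025-09-30"),
    Risk("Sole-source supplier outage", 4, 3, 0.2),
    Risk("Regional flooding at HQ", 4, 1, 0.3, "transfer", "CFO", "2025-03-31"),
    Risk("Loss of key personnel", 3, 3, 0.4),
    Risk("Minor office fire", 2, 2, 0.9, "accept", "Facilities", "2025-01-31"),
]
TOLERANCE = 5.0  # assumed threshold declared by senior management


if __name__ == "__main__":
    print(f"{'Risk':<32}{'Inh':>5}{'Res':>6}  Strategy/Owner/Due")
    for r in sorted(REGISTER, key=lambda r: -r.residual):
        print(f"{r.name:<32}{r.inherent:>5}{r.residual:>6}  {r.strategy}/{r.owner}/{r.due}")
    print("\nPriority risks above tolerance:")
    for r in prioritize(REGISTER, TOLERANCE):
        print(f"  {r.name} (residual {r.residual})")
    print("\nPriority risks with no owner, strategy or milestone:")
    for name, missing in plan_gaps(REGISTER, TOLERANCE).items():
        print(f"  {name}: missing {', '.join(missing)}")
```

With the sample data, ransomware (residual 10.0), the sole-source supplier (9.6), and loss of key personnel (5.4) clear the threshold of 5.0, and `plan_gaps` flags the last two because nobody has been assigned to them. That is the failure mode Step 7 warns about: a risk can be correctly scored and prioritized and still go nowhere if the register does not force an owner and a date onto it.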
MHA Consulting’s Approach
For those interested, here’s a closer look at how MHA implements this process when working with clients to reduce risk.
We begin by conducting an independent threat analysis based on the organization’s industry, locations, and operating environment. This produces an initial list of potential risks, which we review and refine through workshops with the client’s risk team and subject matter experts. Together, we assess the impact and likelihood of each risk and evaluate the effectiveness of existing controls.
We also work with senior management to define the organization’s risk tolerance and align it with business priorities. Using this information, we quantify residual risk and identify where exposures exceed acceptable levels.
From there, we develop a practical roadmap: a prioritized set of mitigation actions with clear timelines, ownership, and accountability. Where appropriate, we continue working with clients to support implementation, track progress, and update the program as conditions evolve.
Two additional elements strengthen our approach. We leverage our proprietary BCMMETRICS resilience platform to assess program capability, identify critical business dependencies and determine residual risk. And we bring experience in navigating the thorny political challenges that often accompany risk management, helping ensure that identified issues are addressed, not deferred.
Making Risk Management Work
Most organizations recognize the importance of managing risk, but few move beyond surface-level efforts. Without a structured approach, risk management remains fragmented, reactive, and largely ineffective.
Effective risk management starts with establishing a risk team, defining the organization’s scope, and identifying key risks along with their impact and likelihood. It then requires evaluating existing controls, determining risk tolerance, assessing residual risk, and developing and implementing practical mitigation plans.
MHA consultants have extensive experience helping organizations design and implement effective risk management programs. Contact MHA to learn how we can help you identify your most critical risks, reduce your exposure, and build a more resilient organization.
Further Reading
- The Risk Management Process: Manage Uncertainty, Then Repeat
- The Essentials of Resilience: Mitigate Your Risks and Prepare for Outages
- The ABCs of ERM: The Rise of Enterprise Risk Management
- BCM Basics: The 5 Types of Risk and How to Mitigate Them
- Risk Mitigation in Practice: 4 Strategies Explained
- A New Vision for BC Practitioners: Focus on Risk Reduction
- Don’t Just Hope: Choosing Strategies to Mitigate Risk
Frequently Asked Questions
Why do most risk management programs fall short?
Most programs fall short because they remain at the discussion stage and are not translated into action. Organizations often fail to conduct structured risk assessments, clearly identify their top risks, or implement and follow through on mitigation plans with accountability.
What does an effective risk management program look like?
An effective program includes a cross-functional risk team, regular identification and assessment of key risks, evaluation of existing controls, clear definition of risk tolerance, and the implementation of practical mitigation plans with assigned ownership and timelines.
What are risk mitigation controls?
Risk mitigation controls are the measures an organization puts in place to reduce the likelihood or impact of a risk. These can include physical safeguards (e.g., security systems), technical protections (e.g., backup systems, cybersecurity tools), and procedural controls (e.g., policies, training, and contingency plans).
What is residual risk?
Residual risk is the level of risk that remains after mitigation controls have been applied.
What are the four main risk mitigation strategies?
The four main risk mitigation strategies are:
- Risk Acceptance: Acknowledging the risk and choosing to live with it because it falls within acceptable tolerance or the cost of mitigation outweighs the benefit.
- Risk Avoidance: Eliminating the risk entirely by discontinuing the activity or changing plans to prevent exposure.
- Risk Limitation: Taking steps to reduce the likelihood or impact of the risk through controls such as safeguards, redundancies, or process improvements.
- Risk Transference: Shifting the risk to a third party, typically through insurance, outsourcing, or contractual agreements.
Most organizations use a combination of these strategies to keep their overall risk within acceptable levels.
What are the main steps in the risk management process?
The process typically includes:
- Establishing a cross-functional risk team
- Defining the organization’s scope and operating environment
- Identifying key risks
- Assessing risk impact, likelihood, and existing controls
- Defining risk tolerance and prioritizing risks
- Developing mitigation strategies and plans
- Implementing actions, assigning ownership, and monitoring progress
How does MHA Consulting work with clients to reduce risk?
MHA begins by conducting an independent threat analysis based on the organization’s industry, locations, and operations. The firm then facilitates workshops with client stakeholders to identify and assess risks, evaluate existing controls, and define risk tolerance. Using this information, MHA consultants quantify residual risk and prioritize areas requiring attention. MHA then develops a practical, actionable roadmap with defined timelines and ownership. It can also support clients through implementation, monitoring, and continuous improvement to ensure risks are effectively reduced.
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud-based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought-after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.