At most organizations today, risk management is the subject of a great deal of talk but little action. For companies that are ready to move beyond the discussion phase, there is a proven seven-step process they can follow to truly reduce their risks and safeguard their future.
In the corporate world today, risk management holds a special place. Due to the unusually challenging nature of the current business environment, few topics are talked about more. Unfortunately, this conversation is rarely matched with effective action. The risk management effort at most organizations is superficial at best.
Few companies conduct systematic risk assessments. Few managers can tell you what the top three or five risks facing their organizations are. And the most common response leaders give when asked what risk mitigation controls they have in place is, “I have no clue.”
We do find quite a few companies that compile and circulate spreadsheets listing the top 15 or 20 risks they face. This is better than nothing but a long way from being an effective risk management program.
A much smaller but very inspiring group of organizations has learned to do risk management the right way. These organizations have active risk management steering committees and conduct systematic assessments of the risks they face. They routinely identify the top five or seven risks confronting the company and evaluate the controls the organization has in place to mitigate them.
Once they have a handle on their top risks, they identify the organization’s residual risk and get senior management to indicate its level of risk tolerance. Finally, these organizations employ some combination of the four main risk management strategies to keep the residual risk within acceptable levels.
This approach reflects the method MHA Consulting uses to manage risk for our clients. It is an option available to any organization willing to make a sustained though fairly modest effort to protect its future.
MHA Consulting’s experience in risk reduction consulting and risk management program implementation is both broad and deep. Here is the process we use in helping our clients manage their risks.
Form a small, knowledgeable group responsible for managing risk. You could call it the Enterprise Risk Management (ERM) group or committee or even just the risk team. Include a mix of senior leaders and operational personnel who understand how the organization actually functions. This group will be responsible for identifying, assessing, and managing risk on an ongoing basis.
Step back and look at the organization from an enterprise perspective. Understand what you do, how you operate, where you operate, and what you depend on, including third parties. This assessment doesn’t need to be overly detailed. The goal is to establish a clear, high-level picture of your operational footprint and the scope of the risks you face.
Once you’ve defined the context in which you’re operating, identify the most significant risks facing the organization. Focus on a manageable number of risks, say, 10 to 15. Consider a broad range of threats, including natural events, technology failures, cyber incidents, human factors, supply chain disruptions, and geopolitical or economic risks.
For each identified risk, evaluate the following: impact (how severe the consequences would be), likelihood (how probable the event is), and current mitigation controls (what protections are already in place). Rank impact and likelihood using a simple scoring approach (e.g., 1–5). Then assess how effective your existing controls are at taming these risks. From this, determine your residual risk (the level of risk that remains after controls are applied).
Work with senior management to define its risk tolerance, that is, how much risk the organization is willing to accept. Knowing your leadership’s risk tolerance enables you to make informed decisions about where to invest your time and resources. Referencing your organization’s residual risk and declared risk tolerance, narrow your focus to the five or seven most critical risks.
For each priority risk, define a clear strategy using the four standard risk mitigation responses. These are: risk acceptance (deciding to live with the risk), risk avoidance (stepping away from the activity that creates the risk), risk limitation (taking steps to reduce the likelihood or impact of the risk), and risk transference (shifting the risk to a third party, such as through insurance or outsourcing). Then translate those strategies into specific, actionable mitigation plans.
This is where most organizations fail. Each mitigation action must have: a clearly assigned owner, a responsible department, and defined timelines and milestones. Break execution down across functional areas (e.g., IT, facilities, HR, compliance), with accountability flowing back to the central risk team. Track progress, reassess risks periodically, and adjust controls as needed.
These steps outline a process any organization can follow to move from simply talking about risk to actively managing and reducing it.
For those interested, here’s a closer look at how MHA implements this process when working with clients to reduce risk.
We begin by conducting an independent threat analysis based on the organization’s industry, locations, and operating environment. This produces an initial list of potential risks, which we review and refine through workshops with the client’s risk team and subject matter experts. Together, we assess the impact and likelihood of each risk and evaluate the effectiveness of existing controls.
We also work with senior management to define the organization’s risk tolerance and align it with business priorities. Using this information, we quantify residual risk and identify where exposures exceed acceptable levels.
From there, we develop a practical roadmap: a prioritized set of mitigation actions with clear timelines, ownership, and accountability. Where appropriate, we continue working with clients to support implementation, track progress, and update the program as conditions evolve.
Two additional elements strengthen our approach. We leverage our proprietary BCMMETRICS resilience platform to assess program capability, identify critical business dependencies and determine residual risk. And we bring experience in navigating the thorny political challenges that often accompany risk management, helping ensure that identified issues are addressed, not deferred.
Most organizations recognize the importance of managing risk, but few move beyond surface-level efforts. Without a structured approach, risk management remains fragmented, reactive, and largely ineffective.
Effective risk management starts with establishing a risk team, defining the organization’s scope, and identifying key risks along with their impact and likelihood. It then requires evaluating existing controls, determining risk tolerance, assessing residual risk, and developing and implementing practical mitigation plans.
MHA consultants have extensive experience helping organizations design and implement effective risk management programs. Contact MHA to learn how we can help you identify your most critical risks, reduce your exposure, and build a more resilient organization.
Most programs fall short because they remain at the discussion stage and are not translated into action. Organizations often fail to conduct structured risk assessments, clearly identify their top risks, or implement and follow through on mitigation plans with accountability.
An effective program includes a cross-functional risk team, regular identification and assessment of key risks, evaluation of existing controls, clear definition of risk tolerance, and the implementation of practical mitigation plans with assigned ownership and timelines.
Risk mitigation controls are the measures an organization puts in place to reduce the likelihood or impact of a risk. These can include physical safeguards (e.g., security systems), technical protections (e.g., backup systems, cybersecurity tools), and procedural controls (e.g., policies, training, and contingency plans).
Residual risk is the level of risk that remains after mitigation controls have been applied.
The four main risk mitigation strategies are risk acceptance (deciding to live with the risk), risk avoidance (stepping away from the activity that creates the risk), risk limitation (reducing the likelihood or impact of the risk), and risk transference (shifting the risk to a third party, such as through insurance or outsourcing).
Most organizations use a combination of these strategies to keep their overall risk within acceptable levels.
The process typically includes forming a risk team, defining the organization’s scope, identifying key risks and assessing their impact and likelihood, evaluating existing controls, determining risk tolerance and residual risk, and developing and implementing practical mitigation plans with assigned ownership and timelines.
MHA begins by conducting an independent threat analysis based on the organization’s industry, locations, and operations. The firm then facilitates workshops with client stakeholders to identify and assess risks, evaluate existing controls, and define risk tolerance. Using this information, MHA consultants quantify residual risk and prioritize areas requiring attention. MHA then develops a practical, actionable roadmap with defined timelines and ownership. It can also support clients through implementation, monitoring, and continuous improvement to ensure risks are effectively reduced.