Scope, Context & Criteria
Step 1 involves understanding the Subject Entity’s objectives, defining factors that could be a source of uncertainty, and setting the scope and risk criteria for the remaining risk management processes.
Step 2 determines what, where, when, why and how risks could arise, and the effect this would have on the Subject Entity’s ability to achieve its objectives.
Step 3 determines the risk level against the risk criteria by understanding how quickly a risk can occur, the sources and causes of a risk, as well as the consequences and likelihood of those consequences.
Step 4 compares the level of risk against the risk criteria to determine the overall risk rating and, based on that rating, considers the need for treatment.
Step 5 involves Subject Entities systematically identifying and assessing a range of response alternatives or strategies to accept, transfer, share, avoid, or mitigate major risks, based on their risk appetite.
Respond to Risks
Step 6 requires the Subject Entity’s leadership to evaluate the alternatives and decide how to allocate scarce resources (e.g. budget, analytical capabilities, time) to address major risks facing the entity.
Monitor and Review
Step 7 recognizes that as uncertainty changes, so does the risk.
Communication, Consultation, Learning
Step 8 takes place throughout Steps 1 - 6 above with all identified stakeholders confirming that those accountable for implementing the risk management process
Records Maintenance & Reporting
Step 9 is a continuous effort, integral to the organization’s governance, as it improves the dialogue among stakeholders and the learning drawn from the Subject Entity’s collective experience of risk management activities.