Starting points

Conversations about risk management start in many ways. A simple question might have a simple answer or lead to a deeper discussion. Some of the requests and questions we receive are set out here with a note explaining how we recommend they be addressed.

Routine risk assessment

How should I go about:

  • A first risk assessment?
  • Updating an existing risk assessment?
  • Reviewing or updating a risk register?
  • Running a risk workshop?


It will be useful to think about what existing risk management materials and practices you have in place, and whether this is a one-off exercise or something you hope will be part of your management processes in the long term.

If you are approaching tasks such as these in isolation, you will almost certainly run into difficulties. It is important to think about what success means in your context, for your organisation or project, and you need an effective mechanism for analysing consequences, likelihoods and overall risk ratings.

Sometimes quantitative analysis will be required, or will be carried out at the same time as the assessment. It is described briefly further down the page.

If you would like to discuss this, contact us so we can help you decide how to proceed. If you would like to explore the subject further yourself, the following links may be useful.

Quantifying risk

Quantitative risk assessment can be used to:

  • Evaluate the effect of risk on a budget
  • Decide how much a risk is worth to you or someone else
  • Work out how much to spend to treat a risk
  • Set a contingency allowance for a project
  • Agree on a realistic completion date for a project
  • Compare options with different amounts of risk


Key questions in these situations centre on how well you know the uncertainties affecting you, how stable your estimates and forecasts are, and what is at stake. Building a risk model is usually straightforward. The challenges come in the estimating, planning and decision making activities that surround it.

Here is some information that you might find useful. Whether it is or not, contact us so we can advise you on the best way to approach your requirement. Quantitative risk analysis need not be complicated.

Risk management frameworks, plans and strategy

Organisations and projects often say that they need to:

  • Set up a risk management framework
  • Create a risk management plan
  • Design a risk management system
  • Develop a risk management strategy


Integrating risk management into the way you work will deliver better results than treating it as a stand-alone exercise. To be really successful, it needs authority and resources to make sure it is applied consistently and sustained over time.

The risk management framework is the means the organisation (or project) adopts to ensure that risk is being actively managed as an integral part of how the organisation or project is run. It comprises the way an organisation communicates its intentions to manage risk and also how it provides capacity to match those intentions. All organisations already possess a framework of some form, but in many cases it is not complete or effective.

Depending on your needs, enhancing the existing framework might involve building a new one from scratch or building on existing systems. These references will give you an idea of what is involved, although it is an area where there is really no substitute for talking to an expert.

Risky language

We have spent a lot of time figuring out useful ways to think and talk about risk. There are some terms we don’t use because they make it difficult to think clearly and make sound decisions. We understand, though, that real needs might not always be expressed in the terms found in ISO 31000. We have listed some of these expressions below, with pointers to how they can be expressed clearly and what can be done about them.

De-risk a project

This usually means someone wants to improve the control of risk on their project. It is unrealistic to expect to remove all risk, and usually undesirable, but sometimes it is clear that risk management is not yet as good as it could be.

Simple things to think about in this case are carrying out a project risk assessment or a quantitative risk analysis. If you want to improve risk management across all your projects then a risk management framework is the place to start.

Mitigate risk

This is an old-fashioned term based on the idea that all uncertainty, which means all risk, is bad. Opening up our minds to the possibility that some uncertainty might include outcomes that are better than was planned is very beneficial. Not only might we identify ways to improve on the planned outcome, but we can also move away from seeing risk management primarily as a protective activity and towards using it as a means of optimising a plan.

Mitigate also tends to focus our attention on dealing with the consequences after an event, rather than on taking action to change the likelihood before the event.

The much more useful term, recommended in the standard, is risk treatment, which is neutral. It describes taking action to create or improve controls.

How much is this risk worth?

This can be about how much contingency should be held to cover against being affected by a risk, how much you could give in negotiations to transfer responsibility for a risk to someone else, or how much to spend to improve control over a risk. Quantitative analysis or risk treatment planning will usually be a sound starting point.

How risky is my project?

Risk only makes sense when set in the context of your objectives – in the case of a project, the project’s objectives. There is no sensible answer to this question when it is taken literally, but you can find out what risks the project does face, which ones it is worth treating, and what cost and schedule contingency you need to give yourself a certain level of confidence that you will be successful.

I need to set up a risk management framework

This can be a sound statement of a requirement. It depends on what is meant by “framework”. Some people use framework narrowly to mean a set of risk rating scales or even just a risk register.

Sound, sustainable risk management requires an enabling framework within the organisation that it serves. Following the standard, we reserve the term risk management framework for this strategic level. The day-to-day activities by which an organisation or project understands its risk and decides what to do about it sit within this framework. Also present are those aspects of its system of management that build competence, allocate accountability and exercise oversight.

Risk management plan

Like the word framework (above), plan can mean many things. It might mean a short-term plan to run a risk assessment, or a plan to sustain risk management through a project or a year of an organisation’s operation. The most comprehensive form of risk management plan is a plan to implement or enhance a complete risk management framework through all levels of an organisation.