Risk Management 101

Lesson 1: Introduction & Terminology

In a general sense, risk management means contemplating threats and enacting countermeasures to prevent those threats from materializing.
In the professional lexicon of risk management, we call those threats “risks” and those countermeasures “controls.”
When a given risk has multiple controls, the controls are organized into “lines of defense.”

Lesson 2: Risk Management In Everyday Life

Here’s an example of how you might already be practicing risk management at home:

Risk - Burglary & Theft
Criminals may attempt to break into your home in order to steal from you.
1st Line Control - Alarm
You install an alarm system in your home which makes it more difficult for criminals to break in.
2nd Line Control - Safe
You store your valuables in a safe, so even if criminals do manage to enter your home, your most precious possessions will be harder to access.

Lesson 3: Risk In The Business World

Figures from the original infographic (only values that survived extraction are shown):

Businesses Cyberattacked
Source: Hiscox  |  Year: 2019

FCPA Enforcement Penalties - $2.89 billion
Source: FCPA Blog  |  Year: 2018

Businesses Suffering Supply Chain Disruption
Source: BCI  |  Year: 2018

EEOC Sexual Harassment Recoveries - $70 million
Source: EEOC  |  Year: 2018

Lesson 4: Risk Management In Business

Here’s an example of how a business risk might be managed:

Risk - Workplace Sexual Harassment
A business's employee may become a victim of sexual harassment by a co-worker.
1st Line Control - Policy & Training
The business adopts an Anti-Sexual Harassment Policy and conducts employee training on it.
2nd Line Control - Employee Hotline
The business creates a phone hotline through which employees may report workplace sexual harassment incidents.

Lesson 5: Implementing Business Risk Management

Step 1: Identifying Risk

Risk is anything and everything that can harm the value of a business.

From floods to firewall breaches, it is crucial to cast as wide a net as possible when creating an inventory of all of the ways in which a business can be harmed.

To bring order to this daunting and unwieldy task, risk management professionals use databases and tools designed to help capture the broadest set of potential risks.

This data set is then qualified with respect to the underlying business on the basis of likelihood, damage potential, and a variety of other characteristics.

The qualification process is perhaps the most crucial step in the workflow, and the value of its outcome depends on the qualifier’s understanding of the underlying business, experience in managing risk, and overall business judgment.

Step 2: Developing Controls

Once an inventory of relevant risks has been established, the next step in risk management is to develop controls for the identified risks.

Controls, simply put, are resources, processes and protocols which businesses can use to mitigate risk.

Risk controls can vary in several ways, including, but not limited to, cost, complexity and resource requirements.

Developing effective risk controls is an intricate and highly customized process. What may be an effective risk control for one business may prove unfeasible, and therefore ineffective, for another.

A risk management practitioner must have intimate knowledge of the underlying business, particularly with respect to its capabilities and constraints. Likewise, the practitioner must have significant experience and sound judgment in order to develop controls which are actionable by the underlying business.

Step 3: Building A Program

Once risks have been identified and controls have been developed, it is incumbent upon a business to systematize the separate risk-and-control fragments into an overarching infrastructure, also known as a risk management program.

A successful program will involve the deployment of both human capital and IT resources to ensure that the business successfully manages risk on an ongoing basis.

A successful program can be flexible around the needs and constraints of the underlying business. Success does not always require the acquisition of new human capital and/or IT resources for the sole purpose of managing risk. While these, together with the establishment of a standalone risk management unit, are often the solution for larger enterprises, smaller businesses may successfully build effective risk management programs by leveraging their existing resources and business units.

A successful program, however, must have management buy-in and sponsorship, regardless of the size or type of the underlying business. Success for a risk management program hinges upon whether the principles and processes of the risk management program are espoused by functional units throughout the business. Without the visible and enduring support of top-level leadership, commonly referred to as “tone from the top,” it is impossible for risk management to become a part of any company’s culture. The only successful risk management programs are those which are embraced by staff at all levels of the underlying business.

A competent risk management practitioner must not only be able to design and deliver human capital and IT resource plans, but also be able to secure support among senior leaders for the development and deployment of a risk management program within their business.
