By Ewa Jodlowska

Beginner’s Guide to Effective Risk Management

Assessing your vendors' security posture is one part of risk management. To a first-time founder, risk management can be a daunting topic, so let's break it down!

Every company has risks. A risk can be a global pandemic, a developer committing private keys to a GitHub repository, or a vendor suffering a data breach.

Organizations large and small need to consider the risks that can affect their objectives. Done effectively and efficiently, risk management benefits a company financially, strategically, and operationally. The goal is to make potential risks better understood and more predictable, and therefore easier to prevent or mitigate. This process becomes the organization's risk management practice.

“Prescriptively, organizations should seek to identify all material risks to their objectives and sub-objectives, design controls and mitigations which produce a residual risk consistent with a target risk appetite, and monitor this entire process, making feedback adjustments as necessary.”1

Even though this one sentence manages to describe the entire process, creating a risk management plan can be an overwhelming task.

Keep it simple

To make matters worse, there is no universal risk management approach. Instead, there are many frameworks and strategies to choose from, and they vary by company size, industry, and who is giving the advice. Keep it simple! Here is the gist of what you need to get started:

  • Find the boundaries for your risk management program.
    • Scope the space you will be analyzing for risks and ensure it aligns with your company’s mission. Ultimately, you are looking for what uncertainties matter to your business’s objectives.
  • Identify the risks within the boundaries.
    • Inventory risks that can impact your business. If it makes it easier, you can sort the risks into strategic, operational, financial, people, and legislative categories. The Project Management Institute has a great resource on their website for identifying project risks.
  • Understand the risks and how they impact the scope; prioritize them based on that information.
    • Processes designed by people who do not understand the problem will fail, so bring company experts (or external ones) into the discussion. When prioritizing, remember that priorities will change over time.
  • Find appropriate responses to identified risks to minimize/avoid threats and take full advantage of opportunities.
    • Decide whether each risk should be avoided (stop the activity that creates it), mitigated (put a control in place that reduces its likelihood or impact), transferred (for example, through insurance or contract terms), or accepted (document it and keep monitoring it), and how that should happen.
  • Implement the actions and monitor their effectiveness.
    • If it’s not working, find out why and change it.
  • Review the plan continuously.
    • Every company evolves over time, and those changes affect what the risk management plan says and does. Therefore, the risk management program needs to be reviewed, adjusted based on feedback, and regularly discussed with staff.

Your company’s reputation and bottom line are at stake. So keep things short and to the point, especially when you are just starting. There are many ways a risk management plan can be ineffective, but the surest way is to make it unnecessarily long and hard to follow.

Elements to focus on

People are key

Planning for uncertainty is hard. It comes with a sense of ambiguity, incidents can unfold in many different ways, and people react to them differently. Different personalities add complexity. How do you find the right balance? An organization needs to embrace a culture of risk analysis, and it needs to understand how its staff perceive risk. People often make decisions based on emotions; take that into account when documenting risk responses and actions. Have open discussions with your staff to better understand their points of view.

Seek opportunities

An organization should be wary of treating risk management as a box to tick. Risk management is not just about proving resiliency to a customer and closing a deal. That is _one_ benefit of having a risk management plan, but an organization should reap all of its benefits. Modern risk management focuses not only on threats but also on opportunities. Reframe your approach so that it surfaces opportunities for improvement and brings additional value to your organization: making the right investment calls, planning budgets accordingly, understanding legal liabilities, setting up secure information systems, preparing for inventory and supply chain issues, and much more.

Normalize regular review

A familiar story: an organization goes through all the trouble of creating a risk management plan and then never looks at it again. Stale documentation of any kind is nothing new, and organizations of all sizes deal with it. Changing the internal culture to normalize regular review, whether through tooling or group sessions, will go a long way. Otherwise, within a few months your risk management plan will be obsolete because the company has evolved significantly since it was written. And when practice drifts from what is documented, staff are left in the dark and incidents are more likely to be mismanaged.

This isn’t an exhaustive list of what’s essential in risk management, but focusing on these elements will go a long way in setting up your company for growth and resilience.

1 Michael Power, “The risk management of nothing,” Accounting, Organizations and Society, vol. 34, issues 6–7 (2009), pp. 849–855, ISSN 0361-3682.