Q 1. Describe the five phases of the risk management process.
Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural as well as deliberate attacks from an adversary. Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Science and Technology, and actuarial societies, as well as ISO standards. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.
The strategies to manage risk include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.
Certain aspects of many of the risk management standards have come under criticism for having no measurable improvement on risk even though the confidence in estimates and decisions increases.
Principles of risk management
The International Organization for Standardization (ISO) identifies the following principles of risk management:[4]
Risk management should:
- create value
- be an integral part of organizational processes
- be part of decision making
- explicitly address uncertainty
- be systematic and structured
- be based on the best available information
- be tailored
- take into account human factors
- be transparent and inclusive
- be dynamic, iterative and responsive to change
- be capable of continual improvement and enhancement
After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.
- Source analysis: Risk sources may be internal or external to the system that is the target of risk management. Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.
- Problem analysis: Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of privacy information or the threat of accidents and casualties. The threats may exist with various entities, most importantly with shareholders, customers and legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project may endanger funding of the project; privacy information may be stolen by employees even within a closed network; lightning striking an aircraft during takeoff may make all people on board immediate casualties.
The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:
- Objectives-based risk identification: Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as risk.
- Scenario-based risk identification: In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk – see Futures Studies for methodology used by Futurists.
- Taxonomy-based risk identification: The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks.[5]
- Common-risk checking: In several industries, lists with known risks are available. Each risk in the list can be checked for application to a particular situation.[6]
- Risk charting:[7] This method combines the above approaches by listing resources at risk, threats to those resources, modifying factors which may increase or decrease the risk, and the consequences one wishes to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.
Five steps to risk assessment
Five steps to risk assessment aims to help you assess health and safety risks.
A risk assessment is an important step in protecting your workers and your business, as well as complying with the law. It helps you focus on the risks that really matter in your workplace — the ones with the potential to cause harm. In many instances, straightforward measures can readily control risks, for example, ensuring spillages are cleaned up promptly so people do not slip or cupboard drawers kept closed to ensure people do not trip. For most, that means simple, cheap and effective measures to ensure your most valuable asset — your workforce — is protected.
The law does not expect you to eliminate all risk, but you are required to protect people as far as is ‘reasonably practicable’. This guide tells you how to achieve that with minimum fuss.
This is not the only way to do a risk assessment; there are other methods that work well, particularly for more complex risks and circumstances. However, we believe this method is the most straightforward for most organisations.
What is risk assessment?
A risk assessment is simply a careful examination of what, in your work, could cause harm to people, so that you can weigh up whether you have taken enough precautions or should do more to prevent harm. Workers and others have a right to be protected from harm caused by a failure to take reasonable control measures.
Accidents and ill health can ruin lives and affect your business if output is lost, machinery is damaged, insurance costs increase or you have to go to court. You are legally required to assess the risks in your workplace so you must put plans in place to control risks.
How to assess the risks in your workplace
Follow the five steps in our leaflet: Five steps to risk assessment.
- Identify the hazards
- Decide who might be harmed and how
- Evaluate the risks and decide on precautions
- Record your findings and implement them
- Review your assessment and update if necessary
Don’t overcomplicate the process. In many organisations, the risks are well known and the necessary control measures are easy to apply. You probably already know whether, for example, you have employees who move heavy loads and so could harm their backs, or where people are most likely to slip or trip. If so, check that you have taken reasonable precautions to avoid injury.
If you run a small organisation and you are confident you understand what’s involved, you can do the assessment yourself. You don’t have to be a health and safety expert.
Download the Risk Assessment and Policy Template. This template brings together your risk assessment, health and safety policy, and record of health and safety arrangements into one document to help you get started and save time. If you already have a health and safety policy, you may choose to simply complete the risk assessment part of the template. We also have a number of example risk assessments to show you what a risk assessment might look like. Choose the example closest to your own business and use it as a guide for completing the template, adapting it to meet the needs of your own business.
If you work in a larger organisation, you could ask a health and safety adviser to help you. If you are not confident, get help from someone who is competent. In all cases, you should make sure that you involve your staff or their representatives in the process. They will have useful information about how the work is done that will make your assessment of the risk more thorough and effective. But remember, you are responsible for seeing that the assessment is carried out properly.
When thinking about your risk assessment, remember:
- a hazard is anything that may cause harm, such as chemicals, electricity, working from ladders, an open drawer, etc; and
- the risk is the chance, high or low, that somebody could be harmed by these and other hazards, together with an indication of how serious the harm could be.
Some frequently asked questions
What if the work I do tends to vary a lot, or I (or my employees) move from one site to another?
Identify the hazards you can reasonably expect and assess the risks from them. This general assessment should stand you in good stead for the majority of your work. Where you do take on work or a new site that is different, cover any new or different hazards with a specific assessment. You do not have to start from scratch each time.
What if I share a workplace?
Tell the other employers and self-employed people there about any risks your work could cause them, and what precautions you are taking. Also, think about the risks to your own workforce from those who share your workplace.
Do my employees have responsibilities?
Yes. Employees have legal responsibilities to co-operate with their employer’s efforts to improve health and safety (eg they must wear protective equipment when it is provided), and to look out for each other.
What if one of my employees’ circumstances change?
You’ll need to look again at the risk assessment. You are required to carry out a specific risk assessment for new or expectant mothers, as some tasks (heavy lifting or work with chemicals for example) may not be appropriate. If an employee develops a disability then you are required to make reasonable adjustments. People returning to work following major surgery may also have particular requirements. If you put your mind to it, you can almost always find a way forward that works for you and your employees.
What if I have already assessed some of the risks?
If, for example, you use hazardous chemicals and you have already assessed the risks to health and the precautions you need to take under the Control of Substances Hazardous to Health Regulations (COSHH), you can consider them ‘checked’ and move on.
