What Is Risk Management & Why Is It Important?

  • 24 Oct 2023

Businesses can’t operate without risk. Economic, technological, environmental, and competitive factors introduce obstacles that companies must not only manage but overcome.

According to PwC’s Global Risk Survey, organizations that embrace strategic risk management are five times more likely to deliver stakeholder confidence and better business outcomes and two times more likely to expect faster revenue growth.

If you want to enhance your job performance and identify and mitigate risk more effectively, here’s a breakdown of what risk management is and why it’s important.

What Is Risk Management?

Risk management is the systematic process of identifying, assessing, and mitigating threats or uncertainties that can affect your organization. It involves analyzing risks’ likelihood and impact, developing strategies to minimize harm, and monitoring measures’ effectiveness.

“Competing successfully in any industry involves some level of risk,” says Harvard Business School Professor Robert Simons, who teaches the online course Strategy Execution. “But high-performing businesses with high-pressure cultures are especially vulnerable. As a manager, you need to know how and why these risks arise and how to avoid them.”

According to Strategy Execution, strategic risk has three main causes:

  • Pressures due to growth: This is often caused by an accelerated rate of expansion that makes staffing or industry knowledge gaps more harmful to your business.
  • Pressures due to culture: While entrepreneurial risk-taking can come with rewards, executive resistance and internal competition can cause problems.
  • Pressures due to information management: Since information is key to effective leadership, gaps in performance measures can result in decentralized decision-making.

These pressures can lead to several types of risk that you must manage or mitigate to avoid reputational, financial, or strategic failures. However, risks aren’t always obvious.

“I think one of the challenges firms face is the ability to properly identify their risks,” says HBS Professor Eugene Soltes in Strategy Execution.

Therefore, it’s crucial to pinpoint unexpected events or conditions that could significantly impede your organization’s business strategy.

Related: Business Strategy vs. Strategy Execution: Which Course Is Right for Me?

According to Strategy Execution, strategic risk comprises:

  • Operations risk: This occurs when internal operational errors interrupt your products or services’ flow. For example, shipping tainted products can negatively affect food distribution companies.
  • Asset impairment risk: When your company’s assets lose a significant portion of their current value because of a decreased likelihood of receiving future cash flows. For instance, losing property assets, like a manufacturing plant, due to a natural disaster.
  • Competitive risk: Changes in the competitive environment can interrupt your organization’s ability to create value and differentiate its offerings—eventually leading to a significant loss in revenue.
  • Franchise risk: When your organization’s value erodes because stakeholders lose confidence in its objectives. This primarily results from failing to control any of the strategic risk sources listed above.

Understanding these risks is essential to ensuring your organization’s long-term success. Here’s a deeper dive into why risk management is important.

4 Reasons Why Risk Management Is Important

1. Protects Your Organization’s Reputation

In many cases, effective risk management proactively protects your organization from incidents that can affect its reputation.

“Franchise risk is a concern for all businesses,” Simons says in Strategy Execution. “However, it's especially pressing for businesses whose reputations depend on the trust of key constituents.”

For example, airlines are particularly susceptible to franchise risk because of unforeseen events, such as flight delays and cancellations caused by weather or mechanical failure. While such incidents are considered operational risks, they can be incredibly damaging.

In 2016, Delta Airlines experienced a national computer outage, resulting in over 2,000 flight cancellations. Delta not only lost an estimated $150 million but took a hit to its reputation as a reliable airline that prided itself on “canceling cancellations.”

While Delta bounced back, the incident illustrates how mitigating operational errors can make or break your organization.

2. Minimizes Losses

Most businesses create risk management teams to avoid major financial losses. Yet, various risks can still impact their bottom lines.

A Vault Platform study found that dealing with workplace misconduct cost U.S. businesses over $20 billion in 2021. In addition, Soltes says in Strategy Execution that corporate fines for misconduct have risen 40-fold in the U.S. over the last 20 years.

One way to mitigate financial losses related to employee misconduct is by implementing internal controls. According to Strategy Execution, internal controls are the policies and procedures designed to ensure reliable accounting information and safeguard company assets.

“Managers use internal controls to limit the opportunities employees have to expose the business to risk,” Simons says in the course.

One company that could have benefited from implementing internal controls is Volkswagen (VW). In 2015, VW whistle-blowers revealed that the company’s engineers deliberately manipulated diesel vehicles’ emissions data to make them appear more environmentally friendly.

This led to severe consequences, including regulatory penalties, expensive vehicle recalls, and legal settlements—all of which resulted in significant financial losses. By 2018, U.S. authorities had extracted $25 billion in fines, penalties, civil damages, and restitution from the company.

Had VW maintained more rigorous internal controls to ensure transparency, compliance, and proper oversight of its engineering practices, perhaps it could have detected—or even averted—the situation.

Related: What Are Business Ethics & Why Are They Important?

3. Encourages Innovation and Growth

Risk management isn’t just about avoiding negative outcomes. It can also be the catalyst that drives your organization’s innovation and growth.

“Risks may not be pleasant to think about, but they’re inevitable if you want to push your business to innovate and remain competitive,” Simons says in Strategy Execution.

According to PwC, 83 percent of companies’ business strategies focus on growth, despite risks and mixed economic signals. In Strategy Execution, Simons notes that competitive risk is a challenge you must constantly monitor and address.

“Any firm operating in a competitive market must focus its attention on changes in the external environment that could impair its ability to create value for its customers,” Simons says.

This requires incorporating boundary systems—explicit statements that define and communicate risks to avoid—to ensure internal controls don’t extinguish innovation.

“Boundary systems are essential levers in businesses to give people freedom,” Simons says. “In such circumstances, you don’t want to stifle innovation or entrepreneurial behavior by telling people how to do their jobs. And if you want to remain competitive, you’ll need to innovate and adapt.”

Netflix is an example of how risk management can inspire innovation. In the early 2000s, the company was primarily known for its DVD-by-mail rental service. With growing competition from video rental stores, Netflix went against the grain and introduced its streaming service. This changed the market, resulting in a booming industry nearly a decade later.

Netflix’s innovation didn’t stop there. Once the streaming services market became highly competitive, the company shifted once again to gain a competitive edge. It ventured into producing original content, which ultimately helped differentiate its platform and attract additional subscribers.

By offering more freedom within internal controls, you can encourage innovation and constant growth.

4. Enhances Decision-Making

Risk management also provides a structured framework for decision-making. This can be beneficial if your business is inclined toward risks that are difficult to manage.

By pulling data from existing control systems to develop hypothetical scenarios, you can discuss and debate strategies’ efficacy before executing them.

“Interactive control systems are the formal information systems managers use to personally involve themselves in the decision activities of subordinates,” Simons says in Strategy Execution. “Decision activities that relate to and impact strategic uncertainties.”

JPMorgan Chase, one of the most prominent financial institutions in the world, is particularly susceptible to cyber risks because it compiles vast amounts of sensitive customer data. According to PwC, cybersecurity is the number one business risk on managers’ minds, with 78 percent worried about more frequent or broader cyber attacks.

Using data science techniques like machine learning algorithms enables JPMorgan Chase’s leadership not only to detect and prevent cyber attacks but address and mitigate risk.

Start Managing Your Organization's Risk

Risk management is essential to business. While some risk is inevitable, your ability to identify and mitigate it can benefit your organization.

But you can’t plan for everything. According to the Harvard Business Review, some risks are so remote that no one could have imagined them. Some result from a perfect storm of incidents, while others materialize rapidly and on enormous scales.

By taking an online strategy course, you can build the knowledge and skills to identify strategic risks and ensure they don’t undermine your business. For example, through an interactive learning experience, Strategy Execution enables you to draw insights from real-world business examples and better understand how to approach risk management.

Do you want to mitigate your organization’s risks? Explore Strategy Execution—one of our online strategy courses—and download our free strategy e-book to gain the insights to build a successful strategy.

Managing Risks: A New Framework

  • Robert S. Kaplan
  • Anette Mikes

Risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. But rules-based risk management will not diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did not prevent the failure of many financial institutions during the 2007–2008 credit crisis.

In this article, Robert S. Kaplan and Anette Mikes present a categorization of risk that allows executives to understand the qualitative distinctions between the types of risks that organizations face. Preventable risks, arising from within the organization, are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, unethical, or inappropriate actions and the risks from breakdowns in routine operational processes. Strategy risks are those a company voluntarily assumes in order to generate superior returns from its strategy. External risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. Risk events from any category can be fatal to a company’s strategy and even to its survival.

Companies should tailor their risk management processes to these different risk categories. A rules-based approach is effective for managing preventable risks, whereas strategy risks require a fundamentally different approach based on open and explicit risk discussions. To anticipate and mitigate the impact of major external risks, companies can call on tools such as war-gaming and scenario analysis.

Smart companies match their approach to the nature of the threats they face.

Editors’ note: Since this issue of HBR went to press, JP Morgan, whose risk management practices are highlighted in this article, revealed significant trading losses at one of its units. The authors provide their commentary on this turn of events in their contribution to HBR’s Insight Center on Managing Risky Behavior.

  • Robert S. Kaplan is a senior fellow and the Marvin Bower Professor of Leadership Development emeritus at Harvard Business School. He coauthored the McKinsey Award–winning HBR article “Accounting for Climate Change” (November–December 2021).
  • Anette Mikes is a fellow at Hertford College, Oxford University, and an associate professor at Oxford’s Saïd Business School.

StatPearls [Internet]. Treasure Island (FL): StatPearls Publishing; 2024 Jan-.

Risk management event evaluation and responsibilities.

Joel McGowan; Amanda Wojahn; Joseph R. Nicolini.

Last Update: August 23, 2023.

Continuing Education Activity

Risk management in healthcare is a complex set of clinical and administrative systems, processes, procedures, and reporting structures designed to detect, monitor, assess, mitigate, and prevent risks to patients. Currently, the numerous risk management practices and processes that occur in healthcare organizations are a response to The Institute of Medicine’s (“IOM”) report entitled “To Err is Human: Building a Safer Health System.” This activity reviews the evaluation of risks and highlights the interprofessional team's role in managing and minimizing risks in the healthcare setting.

  • Describe common procedures in risk management.
  • Summarize the key definitions of terms involved in risk management.
  • Outline why risk management is important to clinical practice.
  • Review how an interprofessional team can work together to mitigate risk and improve outcomes.

Introduction

Risk management in healthcare is a complex set of clinical and administrative systems, processes, procedures, and reporting structures designed to detect, monitor, assess, mitigate, and prevent risks to patients. Currently, the numerous risk management practices and processes that occur in healthcare organizations are a response to The Institute of Medicine’s (“IOM”) report entitled “To Err is Human: Building a Safer Health System.” [1]

In the report, the IOM noted that approximately 98,000 people die in any given year from medical errors while in the hospital. As a result of the report, Congress enacted the Patient Safety and Quality Improvement Act (“PSQIA”) of 2005 (hereafter referred to as “The Act”). [2]

Legal commentators reviewed the impact of The Act and articulated several of its key principles and responsibilities. [3] These duties include:

  • Provision for the certification and recertification of Patient Safety Organizations (“PSO’s”)
  • Collection and dissemination of information related to patient safety
  • Establishment of a patient safety database
  • Facilitation of the development of consensus among healthcare providers, patients, and other interested parties concerning patient safety and recommendations to improve patient safety
  • Provision of technical assistance to states that have (or are developing) medical-error reporting systems
  • Provision of assistance to the states in developing standardized methods for data collection and data collection from state reporting systems for inclusion in the patient safety database.

The fundamental goal of this act was to increase the nation’s overall patient safety by encouraging confidential and voluntary reporting of adverse events that affected patients. Policymakers theorized that the systematic collection of medical-error data could achieve improved patient safety. The awareness of such error-data by health care providers and administrators would lead to the prevention of errors and the global reduction of their recurrence. [4]

Relevant Definitions

Sentinel Event: Defined by the Joint Commission as “a patient safety event that results in death, permanent harm, or severe, temporary harm” (The Joint Commission 2017). These events are typically unrelated to the patient’s illness/underlying condition. It is important to note that the Joint Commission requires each accredited organization to establish its own definition for a sentinel event to prevent, review, and respond to these occurrences.   

Medical Error: The failure of a planned action to be completed as intended or using a wrong plan to achieve an aim. [1] In the context of this article, medical errors may fall under the definition of sentinel events if the error is severe enough.

Root Cause Analysis: The process for identifying the basic or causal factor(s) underlying variation in performance. Also established by the Joint Commission, this multi-step process is crucial to identify and fix systemic problems in patient safety and care.

Risk Management: Clinical and administrative activities undertaken to identify, evaluate, and reduce the risk of injury to patients, staff, and visitors and the risk of loss to the organization itself (The Joint Commission 2017).

Why Is This Important To Clinical Practice?

The healthcare system is made up of individual players, but its ultimate goals of patient care and safety are accomplished through teamwork. Likewise, when medical errors occur, though they may result from an individual’s actions, the appropriate next steps fall on the institution to identify, learn from, and improve on the prevention of such events. This process focuses on systemic policy changes, not individual performances, to progress.

For example, consider an emergency room triage system that primarily relies on color-coded wristbands to stratify patients who present with various complaints. When given a red wristband, this signifies to a healthcare provider that a patient needs immediate medical care. A white wristband may signify that there is no real urgency, etc. Many hospitals utilize such systems to manage a hectic emergency department efficiently. [5]

Imagine that a real estate conference is being held in a busy downtown. Attendees are required to wear a purple wristband for admission to the event. At one point in the evening, a 65-year-old conference attendee with a significant medical history for hypertension, diabetes, and hyperlipidemia begins to feel crushing, substernal chest pain. He drives himself to the local hospital and awaits care in triage. It is 7:00 PM on a Friday night, and a shift change has just occurred. Moments later, the patient stops breathing. The nurse who just began her shift rushes to the patient’s side and notices a purple wristband. Mistaking it for a Do Not Resuscitate (DNR) band, she doesn’t call the code. [6]

It is clear that this was one individual’s medical error in misidentifying a patient’s wristband, resulting in a sentinel event. However, what if, to check in to the ED, a front desk employee’s responsibility was to give patients the appropriate, color-coded wristband and to check for any bracelets/bands that a patient may already be wearing? Medical errors are likely to happen in this environment, but systems-based safety policies, though loaded with redundancies, can reduce the chances that such a medical error progresses any further.

How pervasive is this issue? In 1999, a monumental report was released by the U.S. Institute of Medicine that brought to light the significant issue of medical errors. By their estimates, between 44,000 and 98,000 patients die each year from preventable medical errors. [1] Throughout the years, many academic papers have attempted to quantify or rank medical error as a leading cause of death in the United States. Though the Joint Commission releases an annual report summarizing the sentinel events reviewed by the committee, they include a caveat that these submissions by accredited institutions are encouraged, but not required. Therefore, the true number of sentinel events is difficult to pinpoint, and statistical conclusions cannot be accurately drawn. Nonetheless, the importance of identifying, reviewing, and learning from sentinel events cannot be undersold. Not only would an increase in sentinel event reporting result in a more accurate epidemiological picture of medical error in the United States, but hospitals would benefit from a culture of transparency and proactivity that promotes patient safety at all costs.  

Issues of Concern

How Are Sentinel Events Prevented?

Sentinel event prevention is a team sport. Research has previously shown the value of creating a culture where anyone, regardless of perceived status or importance, is welcomed to contribute their concerns regarding patient safety. [7] This team includes physicians, physician assistants and nurse practitioners, nurses, nursing assistants/medical technicians, hospital support staff, patients, and patients' family members. Each of these individuals is involved in a specific component of medical care and sees a different aspect of a patient's interaction with the medical system. With this in mind, the only way to comprehensively ensure that a sentinel event is recognized is by creating a system in which everyone is empowered to speak up. This culture must be pervasive: from the highest hospital administrator to the newest volunteer, patient safety-focused training must begin on day one of new hire orientation and be reinforced frequently throughout an employee's career. [7] There are varied methods via which hospital systems seek to create this team approach to patient safety; however, the foundational concept is one of empowering employees, patients, and visitors to participate.

The priority of sentinel event prevention is ensuring an accurate understanding of what constitutes a sentinel event. This is a specific subcategory within the broader concept of medical error. As stated in the definitions above and according to The Joint Commission, a sentinel event is "a patient safety event that results in death, permanent harm, or severe temporary harm" (The Joint Commission, 2017).

Even an exhaustive list of day-to-day medical care areas that can precipitate a sentinel event would still be incomplete. Commonly cited high-risk processes include (AHRQ, 2017; [1]):

  • Verifying surgical site
  • Specimen mislabeling
  • Medication errors: Correct medication, correct dose, correct patient
  • Equipment failure/misuse: IV pump rates, IV tubing, securing in-dwelling devices
  • Indwelling device infections: urinary catheters, central venous catheters, percutaneously inserted central venous catheters, provider hand hygiene
  • Provider sleep deprivation
  • Provider-to-provider turnover
  • Inadequate staffing/high patient volumes per provider
  • Diagnostic error
  • Patient falls

The simple fact is that modern medical care is fraught with risk. The landmark publication, "To Err is Human: Building a Safer Health System," first released in 1999 by the US Institute of Medicine, was the first of its kind to acknowledge this fact. [1] This report focuses on the epidemic of medical error, seeking not to place blame on individuals but identify systems-level failures and suggest areas to improve. It acknowledges that human beings make mistakes - whether due to fatigue, stress, or working conditions, this fact is unavoidable. It states, "there are not bad people in healthcare, but good people working in bad systems that need to be made safer." This report seeks to spur systems-level protections to minimize the opportunity for human error. Ultimately, this set forth a nation-wide agenda to improve patient safety. 

While each of the high-risk areas listed above individually deserves article-length attention, this article's focus will be on three exemplary situations - patient handoff, medication errors, and wrong-site/wrong-patient procedures. 

Patient Handoff

Many hospital systems have adopted standardized communication systems, particularly for provider-to-provider turnover. This process has previously been shown to contribute heavily to medical error and poor patient safety. [1] [8] The most ubiquitous example is the TeamSTEPPS Curriculum ("Advances in Patient Safety," AHRQ, 2008), an evidence-based patient turnover framework developed by the Department of Defense (DOD) and the Agency for Healthcare Research and Quality (AHRQ). This curriculum yielded the "I-PASS" standardized approach to patient turnover, a mnemonic for the critical patient information to be passed between providers during turnover (Figure 1, "I-PASS" template).

  • I - Illness severity: "stable", "watcher", "unstable"
  • P - Patient summary
  • A - Action list: "to-do list" and timeline
  • S - Situation awareness and contingency planning: planning for "what might happen"
  • S - Synthesis by the receiver: summarizes back to off-going staff, repeats action list

For example, handoff of a patient following the "I-PASS" system would be structured as follows: "This patient is a watcher. Ms. X is a 65-year-old female, anticoagulated on apixaban, who presented to the ED after a mechanical fall. She was neurologically intact, but her head CT showed a subdural hematoma without midline shift, so she was admitted to the ICU. She needs neurological checks every 1 hour and a repeat head CT in 4 hours. Should she have an acute mental status change, please plan to reverse her anticoagulation, consider intubating her and giving hypertonic saline, obtain a STAT head CT, and contact neurosurgery immediately." After this, the receiving provider would summarize the patient and repeat the action points back to ensure proper understanding.

The I-PASS patient handoff system has been successfully implemented at the physician and nursing levels. It has shown positive results concerning patient safety and avoidance of medical errors in both adult and pediatric medicine. [9] [10] [11] [12] [13] [14]

Wrong-Site/Wrong-Patient Procedures

Wrong-site and wrong-patient procedures were identified in "To Err is Human" as a particularly devastating example of medical error and patient harm. This information ultimately led to a massive undertaking to improve safety in the surgical arena. In 2009, the World Health Organization (WHO) was the first to release a "surgical checklist" of critical patient information that must undergo verification before initiation of a surgical procedure (Figure 2, "WHO Surgical Checklist"). This is a "pre-op," "intra-op," and "post-op" process that makes patient safety the number one priority in the operating room. The checklist includes "check-boxes" such as:

  • Confirmation of patient identity
  • Marking of the correct surgical site
  • Verifying functional cardiopulmonary monitors and anesthesia machine
  • Allergy review
  • Airway assessment
  • Review of all surgical team members and assigned roles
  • Expected blood loss
  • Prophylactic antibiotic administration
  • Verification of the procedure performed
  • Anticipated recovery concerns

This checklist has been adjusted and modified countless times by hospital systems as well as national governing bodies such as the Association of Perioperative Registered Nurses (AORN), the American Academy of Orthopedic Surgeons (AAOS), the American Society of Anesthesiologists (ASA), the American College of Surgeons (ACS), and countless others. This approach is now standard of care in modern surgical medicine. Checklist implementation has been cited as one of the single most effective patient safety measures to date. [15] [16] [17] [18]

Medication Errors

Medication-related errors have long been cited as a cause of patient harm; this includes incorrect medication administration, incorrect dosing, and administration of medications to which patients have a documented allergy. [19] [20] While responsibility certainly falls on individuals to verify the correct medication, correct dose, and patient allergies before ordering and administering medication, this topic was also covered in "To Err is Human" and identified as an area for systems-level improvement. The advent and widespread implementation of Electronic Medical Records (EMRs) have been imperative to developing protections against medication errors. EMRs can verify the correct dosage based on a patient's weight, verify the dosing frequency, and provide an alert if a medication ordered conflicts with the patient's allergy list. [21] These are systems-level protections at the time the physician orders medication; EMRs also provide levels of protection for nursing colleagues. Many hospitals have implemented a barcode scanning system in which a patient identification wristband has a barcode that must be scanned to verify the identity of the patient and the accuracy of the medication prior to administration by the nurse. [22] [23] Finally, many hospitals have increased pharmacist availability and visibility as an additional step to prevent medication-related errors; this includes 24-hour pharmacist consultation by phone, pharmacist review and sign-off on all medication orders, and the physical presence of a clinical pharmacist in higher-risk areas of medicine, such as intensive care and emergency medicine. [24] [25] [26] These systems-level protections all seek to fulfill the goal outlined in "To Err is Human": to minimize the opportunity for human error by creating a multi-layered system of protection around providers and patients.

To prevent sentinel events, a hospital system must first accept that human error is inevitable and, to some degree, unavoidable. As introduced in "To Err is Human," the focus must shift from blaming individuals for human error to developing a multi-faceted system and culture of protection surrounding providers and patients. Successful examples of this approach include standardization of patient handoff, perioperative checklists, use of EMRs to verify accurate medications, and increased visibility and involvement of pharmacists. Overall, hospital systems that succeed in patient safety share one key feature: a positive, supportive, and collaborative culture that encourages every employee, the patient's family members, and the individual patient to participate. [27] [28] [29] [8]

The Proper Response To A Sentinel Event

When a sentinel event occurs, an organization must take two important actions. The first is a comprehensive systems-based investigation into the causative factors of the event, known as a root cause analysis, or RCA. The goal of an RCA is to develop a robust corrective action plan that not only addresses the current event but also implements changes that prevent future sentinel events. This method shifts the focus away from an individual's errors and onto the policies, or lack thereof, that may have contributed to the incident. Root cause analysis is usually applied to a single sentinel event, but it can also be used to analyze several lower-risk medical error occurrences together. For example, in a Danish study of 40 randomly selected community pharmacies, root cause analysis was employed to investigate over 400 separate medical errors. [30] The results identified four chief causes of medical error:

  • Illegible handwritten prescriptions
  • Misleading packaging labels, strengths, or dosages of medications
  • Lack of effective control of prescription label and medicine
  • Lack of concentration caused by interruptions

Since 1997, the Joint Commission has provided materials to accredited institutions to help establish individual sentinel event policies and work through a root cause analysis. Central to this process are three questions:

  • What happened?
  • Why did it happen?
  • What are the latent conditions?

Latent conditions can be defined as the elements of a healthcare system's inherent design that can either contribute to or prevent medical error and sentinel events. One author describes these conditions as pertaining to "the 6 P's." [31]

  • Providers: unfamiliarity with new procedures, hospital layout, or policies
  • Procedures: inherent risks involved
  • Products: the complexity of medical devices, variability in branding, names, etc
  • Peripherals: hospital infrastructure, environmental factors
  • Patients: capable of preventing accidental treatment
  • Policy: outdated regulations, unnecessary complexity

In answering the three questions above, an institution can identify specific causes that may be amenable to solutions. However, root cause analysis has not been immune to criticism. A 2017 retrospective study published in the BMJ Quality and Safety journal examined over three hundred root cause analyses in an eight-year period. The three most common event types involved a procedure complication, cardiopulmonary arrest, and neurological deficits. In 106 RCAs, action plans were proposed. The most common solution types were training (20%), process change (19.6%), and policy reinforcement (15.2%). The study concluded that "the most commonly proposed solutions were weaker actions, which were less likely to decrease event recurrence." [32]  The trouble seemed to be more with the effectiveness of the action plan than the methods by which solutions were reached. An opinion piece published in JAMA in 2008 proposed:

"...many recommendations stemming from RCAs should focus at the level of the healthcare system to prevent the inefficiencies of having individual institutions recycle the same discussions locally. This conversation would require greater collaboration among relevant national stakeholders to develop and share mechanisms for deploying scarce implementation resources." [33]

In 2015, the National Patient Safety Foundation convened to provide an updated definition for root cause analysis, based on substantive feedback on the lack of success in implementing its results. "Root cause analysis and actions" was determined to provide an appropriate emphasis on preventing patient harm through action. [34]  Their recommendations included forming a diverse, 4 to 6 member team within 72 hours of recognizing that an RCA is necessary. Though the individuals directly associated with the sentinel event are not included on the team, the RCA committee must interview those individuals. The National Patient Safety Foundation hoped that these new recommendations would place heavier importance on actual outcomes and results from root cause analyses.

Once a root cause analysis has been performed and the precipitating factors that led to the sentinel event have been identified, a corrective action plan must be established and put into effect. The Joint Commission defines an effective action plan as one that addresses:

  • Identification of corrective actions to eliminate or control system hazards or vulnerabilities directly related to causal and contributory factors
  • Responsibility for implementation
  • Timelines for completion
  • Strategies for evaluating the effectiveness of the actions
  • Strategies for sustaining the change

The accredited institution submits a root cause analysis and corrective action plan to the Joint Commission for review. If deemed acceptable, the Joint Commission will assign a follow-up activity to gauge the action plan's success and determine if the institution's accreditation is in jeopardy due to compliance issues. This objective measurement is known as a Sentinel Event Measure of Success (SE MOS) (The Joint Commission 2020). Through these efforts, hospitals may benefit from a culture of transparency and teamwork with systems-based patient safety protocols capable of investigating and preventing sentinel events.

Clinical Significance

Risk management requires each provider to be aware of the inherent risks and benefits of the patient's care, and a shared goal among all providers to "first do no harm." Working together as a team improves patient outcomes and mitigates risk.

Enhancing Healthcare Team Outcomes

Risk management requires the efforts of a complete, top-down interprofessional team: in implementing policies and practices, in executing them in day-to-day patient care, and in addressing medical errors that have occurred. A coordinated team approach, in which everyone is on the same team and empowered to express concerns irrespective of "rank," and in which members are knowledgeable about their duties, offers the best chance of successful risk mitigation. This interprofessional approach leads to enhanced patient care and a reduction in potentially catastrophic events.


Disclosure: Joel McGowan declares no relevant financial relationships with ineligible companies.

Disclosure: Amanda Wojahn declares no relevant financial relationships with ineligible companies.

Disclosure: Joseph Nicolini declares no relevant financial relationships with ineligible companies.

This book is distributed under the terms of the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) ( http://creativecommons.org/licenses/by-nc-nd/4.0/ ), which permits others to distribute the work, provided that the article is not altered or used commercially. You are not required to obtain permission to distribute this article, provided that you credit the author and journal.

Cite this page: McGowan J, Wojahn A, Nicolini JR. Risk Management Event Evaluation and Responsibilities. [Updated 2023 Aug 23]. In: StatPearls [Internet]. Treasure Island (FL): StatPearls Publishing; 2024 Jan-.


The Risk Management Process in Project Management

ProjectManager

When you start the planning process for a project, one of the first things you need to think about is: what can go wrong? It sounds negative, but pragmatic project managers know this type of thinking is preventative. Issues will inevitably come up, and you need a mitigation strategy in place so you know how to manage risks when planning a project.

But how do you work towards resolving the unknown? It sounds like a philosophical paradox, but don’t worry—there are practical steps you can take. In this article, we’ll discuss strategies that let you get a glimpse at potential risks, so you can identify and track risks on your project.

What Is Risk Management on Projects?

Project risk management is the process of identifying, analyzing and responding to any risk that arises over the life cycle of a project to help the project remain on track and meet its goal. Risk management isn’t reactive only; it should be part of the planning process to figure out the risk that might happen in the project and how to control that risk if it in fact occurs.

A risk is anything that could potentially impact your project's timeline, performance or budget. Risks are potentialities, and in a project management context, if they become realities, they are then classified as "issues" that must be addressed with a risk response plan. Risk management, then, is the process of identifying, categorizing, prioritizing and planning for risks before they become issues.

Risk management can mean different things on different types of projects. On large-scale projects, risk management strategies might include extensive detailed planning for each risk to ensure mitigation strategies are in place if project issues arise. For smaller projects, risk management might mean a simple, prioritized list of high, medium and low-priority risks.


How to Manage Project Risk

To begin managing risk, it's crucial to start with a clear and precise definition of what your project has been tasked to deliver. In other words, write a very detailed project charter, with your project vision, objectives, scope and deliverables. This way risks can be identified at every stage of the project. Then you'll want to engage your team early in identifying any and all risks.

Don't be afraid to get more than just your team involved in identifying and prioritizing risks, too. Many project managers simply email their project team and ask them to send in things they think might go wrong on the project. But to better plot project risk, you should get the entire project team, your client's representatives, and vendors into a room together and run a risk identification session.

With every risk you define, you’ll want to log it somewhere—using a risk tracking template helps you prioritize the level of risk. Then, create a risk management plan to capture the negative and positive impacts of the project and what actions you will take to deal with them. You’ll want to set up regular meetings to monitor risk while your project is ongoing. Transparency is critical.

Project management software can help you keep track of risk. ProjectManager is online software that helps you identify risks, track them and calculate their impact. With our Risk view, you can make a risk list with your team and stay on top of all the risks within your project. Write a description, add tags, identify a resolution, mark impact and likelihood, even see a risk matrix—all in one place. Get started today with a free trial.

Risk management tool in ProjectManager

What Is Positive Risk in Project Management?

Not all risk is created equal. Risk can be either positive or negative, though most people assume risks are inherently the latter. Where negative risk implies something unwanted that has the potential to irreparably damage a project, positive risks are opportunities that can affect the project in beneficial ways.

Negative risks are part of your risk management plan, just as positive risks should be, but the difference is in approach. You manage and account for known negative risks to neuter their impact, but positive risks can also be managed to take full advantage of them.

There are many examples of positive risks in projects: you could complete the project early; you could acquire more customers than you accounted for; you could imagine how a delay in shipping might open up a potential window for better marketing opportunities, etc. It’s important to note, though, that these definitions are not etched in stone. Positive risk can quickly turn to negative risk and vice versa, so you must be sure to plan for all eventualities with your team.

Managing Risk Throughout the Organization

Can your organization also improve by adopting risk management into its daily routine? Yes! Building a risk management protocol into your organization’s culture by creating a consistent set of risk management tools and templates, with training, can reduce overhead over time. That way, each time you start a new project, it won’t be like having to reinvent the wheel.

Your organization's records and history are an archive of knowledge that can help you learn from past experience when approaching risk in a new project. Also, by adopting attitudes and values that make your organization more aware of risk, you can develop a risk culture. With improved governance comes better planning, strategy, policy and decisions.

Free Risk Matrix Template

To manage project risks throughout your organization, it’s important to create a risk matrix. A risk matrix is going to help you organize your risks by severity and likelihood, so you can stay on top of potential issues that threaten the greatest impact. Try this free risk matrix template for Excel so you and your team can organize project risks.

Free risk matrix template for Excel to help with risk management

6 Steps in the Risk Management Process

So, how do you handle something as seemingly elusive as project risk management? You make a risk management plan. It’s all about the process. Turn disadvantages into an advantage by following these six steps.

Identify the Risk

You can't resolve a risk if you don't know what it is. There are many ways to identify risk. As you go through this step, you'll want to collect the data in a risk register.

One way is brainstorming with your team, colleagues or stakeholders. Find the individuals with relevant experience and set up interviews so you can gather the information you’ll need to both identify and resolve the risks. Think of the many things that can go wrong. Note them. Do the same with historical data on past projects. Now your list of potential risks has grown.

Make sure the risks are rooted in the cause of a problem. Basically, drill down to the root cause to see if the risk is one that will have the kind of impact on your project that needs identifying. When trying to minimize risk, it’s good to trust your intuition. This can point you to unlikely scenarios that you just assume couldn’t happen. Use a risk breakdown structure process to weed out risks from non-risks.

Analyze the Risk

Analyzing risk is hard. There is never as much information as you would like, and much of the data you do have is complex. But most industries have best practices that can help you with your risk analysis. You might be surprised to discover that your company already has a framework for this process.

When you assess project risk you can ultimately and proactively address many impacts, such as avoiding potential litigation, addressing regulatory issues, complying with new legislation, reducing your exposure and minimizing impact.

So, how do you analyze risk in your project? Through qualitative and quantitative risk analysis, you can determine how the risk is going to impact your schedule and budget.

Project management software helps you analyze risk by monitoring your project. ProjectManager takes that one step further with real-time dashboards that display live data. Unlike other software tools, you don't have to set up our dashboard. It's ready to give you a high-level view of your project from the get-go. We calculate the live data and then display it for you in easy-to-read graphs and charts. Catch issues faster as you monitor time, costs and more.

ProjectManager’s dashboard view, which shows six key metrics on a project

Prioritize Risks & Issues

Not all risks are created equal. You need to evaluate each risk to know what resources you're going to assemble to resolve it when and if it occurs.

Having a large list of risks can be daunting. But you can manage this by simply categorizing risks as high, medium or low. Now there’s a horizon line and you can see the risk in context. With this perspective, you can begin to plan for how and when you’ll address these risks. Then, if risks become issues, it’s advisable to keep an issue log so you can keep track of each of them and implement corrective actions.

Some risks are going to require immediate attention. These are the risks that can derail your project, and failure isn't an option. Other risks are important but perhaps do not threaten the success of your project; you can act accordingly. Then there are risks that have little to no impact on the overall project's schedule and budget. Some of these low-priority risks might matter, but not enough to spend much time on.

Assign an Owner to the Risk

All your hard work identifying and evaluating risk is for naught if you don’t assign someone to oversee the risk. In fact, this is something that you should do when listing the risks. Who is the person who is responsible for that risk, identifying it when and if it should occur and then leading the work toward resolving it?

That determination is up to you. There might be a team member who is more skilled or experienced in the risk. Then that person should lead the charge to resolve it. Or it might just be an arbitrary choice. Of course, it’s better to assign the task to the right person, but equally important in making sure that every risk has a person responsible for it.

Think about it. If you don’t give each risk a person tasked with watching out for it, and then dealing with resolving it when and if it should arise, you’re opening yourself up to more risk. It’s one thing to identify risk, but if you don’t manage it then you’re not protecting the project.


Respond to the Risk

Now the rubber hits the road. You've found a risk, and all the planning you've done is going to be put to use. First, you need to know whether this is a positive or negative risk. Is it something you could exploit for the betterment of the project? If not, you need to deploy a risk mitigation strategy.

A risk mitigation strategy is simply a contingency plan to minimize the impact of a project risk. You then act on the risk by how you prioritize it. You have communications with the risk owner and, together, decide on which of the plans you created to implement to resolve the risk.

Monitor the Risk

You can’t just set forces against risk without tracking the progress of that initiative. That’s where the monitoring comes in. Whoever owns the risk will be responsible for tracking its progress toward resolution. However, you’ll need to stay updated to have an accurate picture of the project’s overall progress to identify and monitor new risks.

You’ll want to set up a series of project meetings to manage the risks. Make sure you’ve already decided on the means of communication to do this. It’s best to have various channels dedicated to communication.

Whatever you choose to do, remember to always be transparent. It’s best if everyone in the project knows what is going on, so they know what to be on the lookout for and help manage the process.

In the video below, Jennifer Bridges, professional project manager (PMP) dives deeper into the steps in the risk management process.

Risk Management Templates

We’ve created dozens of free project management templates for Excel and Word to help you manage projects. Here are some of our risk management templates to help you as you go through the process of identifying, analyzing, prioritizing and responding to risks.

Risk Register Template

A risk register is a risk management document that allows project managers to identify and keep track of potential project risks. Using a risk register to list down project risks is one of the first steps in the risk management process and one of the most important because it sets the stage for future risk management activities.

Risk Matrix Template

A risk matrix is a project management tool that allows project managers to analyze the likelihood and potential impact of project risks. This helps them prioritize project risks and build a risk mitigation plan to respond to those risks if they were to occur.
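As an added example that is not part of the ProjectManager article or its software, the following Python risk register ties the six steps above together with the two templates just described: each entry is scored on a likelihood x impact matrix, entries are refused unless they have an owner, the register orders them by score into high/medium/low bands, and the moment a risk is realized it is recorded as an issue with the owner's planned response. The `Level` scale, the `Risk` and `RiskRegister` classes, and every risk, owner and score below are constructed sample data, not anything from the article.

```python
"""Constructed risk register: likelihood x impact scoring, an accountable
owner per entry, and the risk -> issue transition. Added example, not
ProjectManager's software; every risk listed is made-up sample data."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Three-point scale used on both axes of the matrix."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Risk:
    id: str
    description: str
    likelihood: Level
    impact: Level
    owner: str            # person who watches for the risk and leads the response
    response: str         # mitigation plan, or exploitation plan for a positive risk
    positive: bool = False
    status: str = "open"  # open -> issue (realized) -> closed
    log: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # Matrix cell value: product of the two axes, 1..9.
        return int(self.likelihood) * int(self.impact)

    @property
    def rating(self) -> str:
        # Band the 1..9 score into the high/medium/low buckets the text describes.
        if self.score >= 6:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"


class RiskRegister:
    def __init__(self) -> None:
        self._risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        # Every risk must have an owner before it enters the register.
        if not risk.owner.strip():
            raise ValueError(f"{risk.id}: risk has no owner")
        if risk.id in self._risks:
            raise ValueError(f"{risk.id}: duplicate id")
        self._risks[risk.id] = risk

    def get(self, risk_id: str) -> Risk:
        return self._risks[risk_id]

    def prioritized(self) -> list[Risk]:
        # Highest score first; stable tie-break on id so output is deterministic.
        return sorted(self._risks.values(), key=lambda r: (-r.score, r.id))

    def matrix(self) -> dict[tuple[Level, Level], list[str]]:
        # Cell (likelihood, impact) -> ids, i.e. the 3x3 grid of a risk matrix.
        grid = {(lk, im): [] for lk in Level for im in Level}
        for r in self.prioritized():
            grid[(r.likelihood, r.impact)].append(r.id)
        return grid

    def realize(self, risk_id: str, note: str) -> Risk:
        # A risk that occurs becomes an issue; the owner's response is now due.
        r = self._risks[risk_id]
        if r.status != "open":
            raise ValueError(f"{risk_id}: cannot realize a {r.status} risk")
        r.status = "issue"
        r.log.append(f"realized: {note}; owner {r.owner} executes: {r.response}")
        return r

    def issues(self) -> list[str]:
        return [r.id for r in self.prioritized() if r.status == "issue"]


def build_sample_register() -> RiskRegister:
    """Five constructed risks for a hypothetical software delivery project."""
    reg = RiskRegister()
    reg.add(Risk("R1", "Vendor delivers the payment API integration late",
                 Level.HIGH, Level.HIGH, "pm.lee", "Negotiate a stub API for parallel testing"))
    reg.add(Risk("R2", "One engineer holds the only production deploy credentials",
                 Level.MEDIUM, Level.HIGH, "ops.kim", "Move credentials to a shared vault with a second approver"))
    reg.add(Risk("R3", "Project finishes early, freeing budget for a beta programme",
                 Level.LOW, Level.MEDIUM, "pm.lee", "Pre-approve beta spend so the window is not lost", positive=True))
    reg.add(Risk("R4", "Office move disrupts the team for a week",
                 Level.MEDIUM, Level.LOW, "hr.ana", "Schedule no milestones in the move week"))
    reg.add(Risk("R5", "Requirements change after design sign-off",
                 Level.HIGH, Level.MEDIUM, "ba.raj", "Change-control board with impact estimate per request"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.prioritized():
        kind = "opportunity" if r.positive else "threat"
        print(f"{r.id} {r.rating:6} score={r.score} owner={r.owner} {kind}: {r.description}")
    reg.realize("R2", "engineer resigned with two weeks' notice")
    print("open issues:", reg.issues())
```

Running the block prints the register in priority order (R1 at score 9, then R2 and R5 at 6, then the two low-band entries) and then shows R2 as the one open issue after it is realized. Two design points carry over to any tool: the owner check lives in `add`, so an unowned risk never reaches the register rather than being caught later in review, and `realize` refuses to fire twice, so an issue cannot be silently re-opened as a fresh risk.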

Managing Risk With ProjectManager

Using a risk-tracking template is a start, but to gain even more control over your project risks you’ll want to use project management software. ProjectManager has a number of tools including risk management that let you address risks at every phase of a project.

Make an Online Risk Register

Identify and track all the risks for your project in one place. Unlike other project management software, you can manage risks alongside your project rather than in a separate tool. Set due dates, mark priority, identify resolutions and more.

Risk register for risk management in ProjectManager

Gantt Charts for Risk Management Plans

Use our award-winning Gantt charts to create detailed risk management plans to prevent risks from becoming issues. Schedule, assign and monitor project tasks with full visibility. Gantt charts allow team members to add comments and files to their assigned tasks, so all the communication happens at the project level, in real time.

ProjectManager's Gantt chart

Risk management is complicated. A risk register or template is a good start, but you’re going to want robust project management software to facilitate the process of risk management. ProjectManager is an online tool that fosters the collaborative environment you need to get risks resolved, as well as provides real-time information, so you’re always acting on accurate data. Try it yourself and see, take this free 30-day trial.


Risk Management 101: Process, Examples, Strategies

Emily Villanueva

August 16, 2023

Effective risk management takes a proactive and preventative stance to risk, aiming to identify and then determine the appropriate response to the business and facilitate better decision-making. Many approaches to risk management focus on risk reduction, but it’s important to remember that risk management practices can also be applied to opportunities, assisting the organization with determining if that possibility is right for it.

Risk management as a discipline has evolved to the point that there are now common subsets and branches of risk management programs, from enterprise risk management (ERM), to cybersecurity risk management, to operational risk management (ORM), to supply chain risk management (SCRM). With this evolution, standards organizations around the world, like the US National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), have developed and released their own best-practice frameworks and guidance for businesses to apply to their risk management plans.

Companies that adopt and continuously improve their risk management programs can reap the benefits of improved decision-making, a higher probability of reaching goals and business objectives, and an augmented security posture. But, with risks proliferating and the many types of risks that face businesses today, how can an organization establish and optimize its risk management processes? This article will walk you through the fundamentals of risk management and offer some thoughts on how you can apply it to your organization.


What Are Risks?

We've been talking about risk management and how it has evolved, but it's important to clearly define the concept of risk. Simply put, risks are the things that could go wrong with a given initiative, function, process, project, and so on. There are potential risks everywhere. When you get out of bed, there's a risk that you'll stub your toe and fall over, potentially injuring yourself (and your pride). Traveling often involves taking on some risks, like the chance that your plane will be delayed or your car runs out of gas and leaves you stranded. Nevertheless, we choose to take on those risks, and may benefit from doing so.

Companies should think about risk in a similar way, not seeking simply to avoid risks, but to integrate risk considerations into day-to-day decision-making.

  • What are the opportunities available to us?
  • What could be gained from those opportunities?
  • What is the business’s risk tolerance or risk appetite – that is, how much risk is the company willing to take on?
  • How will this relate to or affect the organization’s goals and objectives?
  • Are these opportunities aligned with business goals and objectives?

With that in mind, conversations about risks can progress by asking, “What could go wrong?” or “What if?” Within the business environment, identifying risks starts with key stakeholders and management, who first define the organization’s objectives. Then, with a risk management program in place, those objectives can be scrutinized for the risks associated with achieving them. Although many organizations focus their risk analysis around financial risks and risks that can affect a business’s bottom line, there are many types of risks that can affect an organization’s operations, reputation, or other areas.

Remember that risks are hypotheticals — they haven’t occurred or been “realized” yet. When we talk about the impact of risks, we’re always discussing the potential impact. Once a risk has been realized, it usually turns into an incident, problem, or issue that the company must address through their contingency plans and policies. Therefore, many risk management activities focus on risk avoidance, risk mitigation, or risk prevention.

What Different Types of Risks Are There?

There’s a vast landscape of potential risks that face modern organizations. Targeted risk management practices like ORM and SCRM have risen to address emerging areas of risk, with those disciplines focused on mitigating risks associated with operations and the supply chain. Specific risk management strategies designed to address new risks and existing risks have emerged from these facets of risk management, providing organizations and risk professionals with action plans and contingency plans tailored to unique problems and issues.

Common types of risks include: strategic, compliance, financial, operational, reputational, security, and quality risks.

Strategic Risk

Strategic risks are those risks that could have a potential impact on a company’s strategic objectives, business plan, and/or strategy. Adjustments to business objectives and strategy have a trickle-down effect to almost every function in the organization. Some events that could cause strategic risks to be realized are: major technological changes in the company, like switching to a new tech stack; large layoffs or reductions-in-force (RIFs); changes in leadership; competitive pressure; and legal changes.

Compliance Risk

Compliance risks materialize from regulatory and compliance requirements that businesses are subject to, like Sarbanes-Oxley for publicly-traded US companies, or GDPR for companies that handle personal information from the EU. The consequence or impact of noncompliance is generally a fine from the governing body of that regulation. These types of risks are realized when the organization does not maintain compliance with regulatory requirements, whether those requirements are environmental, financial, security-specific, or related to labor and civil laws.

Financial Risk

Financial risks are fairly self-explanatory — they have the possibility of affecting an organization’s profits. These types of risks often receive significant attention due to the potential impact on a company’s bottom line. Financial risks can be realized in many circumstances, like performing a financial transaction, compiling financial statements, developing new partnerships, or making new deals.

Operational Risk

Risks to operations, or operational risks, have the potential to disrupt daily operations involved with running a business. Needless to say, this can be a problematic scenario for organizations with employees unable to do their jobs, and with product delivery possibly delayed. Operational risks can materialize from internal or external sources — employee conduct, retention, technology failures, natural disasters, supply chain breakdowns — and many more.

Reputational Risk

Reputational risks are an interesting category. These risks look at a company’s standing in the public and in the media and identify what could impact its reputation. The advent of social media changed the reputation game quite a bit, giving consumers direct access to brands and businesses. Consumers and investors too are becoming more conscious about the companies they do business with and their impact on the environment, society, and civil rights. Reputational risks are realized when a company receives bad press or experiences a successful cyber attack or security breach; or any situation that causes the public to lose trust in an organization.

Security Risk

Security risks have to do with possible threats to your organization’s physical premises, as well as information systems security. Security breaches, data leaks, and other successful types of cyber attacks threaten the majority of businesses operating today. Security risks have become an area of risk that companies can’t ignore, and must safeguard against.

Quality Risk

Quality risks are specifically associated with the products or services that a company provides. Producing low-quality goods or services can cause an organization to lose customers, ultimately affecting revenue. These risks are realized when product quality drops for any reason — whether that’s technology changes, outages, employee errors, or supply chain disruptions.

Steps in the Risk Management Process

The six risk management process steps that we’ve outlined below will give you and your organization a starting point to implement or improve your risk management practices. In order, the risk management steps are: 

  • Risk identification
  • Risk analysis or assessment
  • Controls implementation
  • Resource and budget allocation
  • Risk mitigation
  • Risk monitoring, reviewing, and reporting

If this is your organization’s first time setting up a risk management program, consider having a formal risk assessment completed by an experienced third party, with the goal of producing a risk register and prioritized recommendations on what activities to focus on first. Annual (or more frequent) risk assessments are usually required when pursuing compliance and security certifications, making them a valuable investment.

Step 1: Risk Identification

The first step in the risk management process is risk identification. This step takes into account the organization’s overarching goals and objectives, ideally through conversations with management and leadership. Identifying risks to company goals involves asking, “What could go wrong?” with the plans and activities aimed at meeting those goals. As an organization moves from macro-level risks to more specific function and process-related risks, risk teams should collaborate with critical stakeholders and process owners, gaining their insight into the risks that they foresee.

As risks are identified, they should be captured in formal documentation — most organizations do this through a risk register, which is a database of risks, risk owners, mitigation plans, and risk scores.

individual assignment risk management

Step 2: Risk Analysis or Assessment

Analyzing risks, or assessing risks, involves looking at the likelihood that a risk will be realized, and the potential impact that risk would have on the organization if it were realized. By quantifying both on a three- or five-point scale, risk prioritization becomes simpler. Multiplying the risk’s likelihood score by its impact score generates the risk’s overall risk score. This value can then be compared with the scores of other risks for prioritization purposes.

The likelihood that a risk will be realized asks the risk assessor to consider how probable it is that the risk will actually occur. Lower scores indicate a smaller chance that the risk will materialize; higher scores indicate a greater chance that it will occur.

Likelihood, on a 5×5 risk matrix, is broken out into:

  • Highly Unlikely
  • Highly Likely

The potential impact of a risk, should it be realized, asks the risk assessor to consider how the business would be affected if that risk occurred. Lower scores signal less impact to the organization, while higher scores indicate more significant impacts to the company.

Impact, on a 5×5 risk matrix, is broken out into:

  • Negligible Impact
  • Moderate Impact
  • High Impact
  • Catastrophic Impact

Risk assessment matrices help visualize the relationship between likelihood and impact, serving as a valuable tool in risk professionals’ arsenals.

Organizations can choose whether to employ a 5×5 risk matrix, as shown above, or a 3×3 risk matrix, which breaks likelihood, impact, and aggregate risk scores into low, moderate, and high categories.

Step 3: Controls Assessment and Implementation

Once risks have been identified and analyzed, controls that address or partially address those risks should be mapped. Any risks that don’t have associated controls, or that have controls that are inadequate to mitigate the risk, should have controls designed and implemented to do so.

Step 4: Resource and Budget Allocation

This step, resource and budget allocation, doesn’t get included in a lot of content about risk management. However, many businesses find themselves with limited resources and funds to dedicate to risk management and remediation. Developing and implementing new controls and control processes is time-consuming and costly, and there’s usually a learning curve for employees to get used to changes in their workflow.

Using the risk register and corresponding risk scores, management can more easily allocate resources and budget to priority areas, with cost-effectiveness in mind. Each year, leadership should re-evaluate their resource allocation as part of annual risk lifecycle practices.

Step 5: Risk Mitigation

The risk mitigation step of risk management involves both coming up with the action plan for handling open risks, and then executing on that action plan. Mitigating risks successfully takes buy-in from various stakeholders. Due to the various types of risks that exist, each action plan may look vastly different between risks. 

For example, vulnerabilities present in information systems pose a risk to data security and could result in a data breach. The action plan for mitigating this risk might involve automatically installing security patches for IT systems as soon as they are released and approved by the IT infrastructure manager. Another identified risk could be the possibility of cyber attacks resulting in data exfiltration or a security breach. The organization might decide that establishing security controls is not enough to mitigate that threat, and thus contract with an insurance company to cover cyber incidents. Two related security risks; two very different mitigation strategies.

One more note on risk mitigation — there are four generally accepted “treatment” strategies for risks. These four treatments are:

  • Risk Acceptance: Risk thresholds are within acceptable tolerance, and the organization chooses to accept this risk.
  • Risk Transfer: The organization chooses to transfer the risk, or part of the risk, to a third-party provider or insurance company.
  • Risk Avoidance: The organization chooses not to move forward with that risk and avoids incurring it.
  • Risk Mitigation: The organization establishes an action plan for reducing or limiting risk to acceptable levels.

If an organization is not opting to mitigate a risk, and instead chooses to accept, transfer, or avoid the risk, these details should still be captured in the risk register, as they may need to be revisited in future risk management cycles.
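To make Step 2 and Step 5 concrete, here is an added worked example in Python. It is not code from this article or from AuditBoard; it implements the likelihood × impact scoring described above on either a 3×3 or a 5×5 matrix, sorts a risk register by score, and runs the sign-off checks a reviewer would want: every entry carries one of the four treatments (accept, transfer, avoid, or mitigate, so non-mitigation decisions are recorded too), “accept” is only used when the score is within tolerance, and every other treatment names a plan. The same severity × probability product is what the Navy ORM material later on this page calls a risk assessment code (RAC). The intermediate scale labels, the score-to-level bands, the tolerance value, and the sample register entries are all constructed for illustration and are assumptions, not values from the article.

```python
"""Risk register scoring and prioritization (added example, not the article's code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: the article names only the end points of each 5-point scale
# (Highly Unlikely / Highly Likely, Negligible / Catastrophic); the
# intermediate labels below are illustrative, not the article's.
LIKELIHOOD: Dict[int, Dict[int, str]] = {
    3: {1: "Low", 2: "Moderate", 3: "High"},
    5: {1: "Highly Unlikely", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Highly Likely"},
}
IMPACT: Dict[int, Dict[int, str]] = {
    3: {1: "Low", 2: "Moderate", 3: "High"},
    5: {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "High", 5: "Catastrophic"},
}
# Assumption: bands for the aggregate score, as (lower bound, label), checked in order.
BANDS: Dict[int, List[Tuple[int, str]]] = {
    3: [(6, "High"), (3, "Moderate"), (1, "Low")],
    5: [(15, "Critical"), (10, "High"), (5, "Moderate"), (1, "Low")],
}
TREATMENTS = {"accept", "transfer", "avoid", "mitigate"}


@dataclass
class Risk:
    risk_id: str
    title: str
    owner: str
    likelihood: int
    impact: int
    treatment: str   # one of TREATMENTS
    plan: str = ""   # action plan, insurer, or avoidance rationale


def risk_score(likelihood: int, impact: int, scale: int = 5) -> int:
    """Overall score = likelihood x impact, both integers on 1..scale."""
    if scale not in LIKELIHOOD:
        raise ValueError("scale must be 3 or 5")
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= scale:
            raise ValueError(f"{name} must be between 1 and {scale}, got {value}")
    return likelihood * impact


def risk_level(score: int, scale: int = 5) -> str:
    """Map a product score onto the matrix's qualitative band."""
    for lower_bound, label in BANDS[scale]:
        if score >= lower_bound:
            return label
    raise ValueError(f"score {score} is below the minimum for a {scale}x{scale} matrix")


def prioritize(register: List[Risk], scale: int = 5) -> List[Tuple[str, int, str]]:
    """(risk_id, score, level), highest score first; ties broken by impact so a
    rare-but-catastrophic risk outranks a likely-but-minor one with the same product."""
    scored = [(r, risk_score(r.likelihood, r.impact, scale)) for r in register]
    scored.sort(key=lambda rs: (rs[1], rs[0].impact), reverse=True)
    return [(r.risk_id, s, risk_level(s, scale)) for r, s in scored]


def register_findings(register: List[Risk], tolerance: int, scale: int = 5) -> List[str]:
    """Sign-off checks: valid treatment recorded, 'accept' only within tolerance,
    and a plan recorded for every treatment other than 'accept'."""
    findings: List[str] = []
    for r in register:
        score = risk_score(r.likelihood, r.impact, scale)
        if r.treatment not in TREATMENTS:
            findings.append(f"{r.risk_id}: unknown treatment {r.treatment!r}")
            continue
        if r.treatment == "accept" and score > tolerance:
            findings.append(f"{r.risk_id}: accepted with score {score} above tolerance {tolerance}")
        if r.treatment != "accept" and not r.plan.strip():
            findings.append(f"{r.risk_id}: treatment {r.treatment!r} has no plan recorded")
    return findings


# Constructed sample register (illustrative entries, not from the article).
SAMPLE_REGISTER = [
    Risk("R1", "Unpatched vulnerabilities in internet-facing systems", "IT Infra Mgr", 4, 5,
         "mitigate", "Auto-install approved security patches on release"),
    Risk("R2", "Cyber attack leading to data exfiltration", "CISO", 3, 5,
         "transfer", "Cyber insurance policy covering incident costs"),
    Risk("R3", "Key supplier outage delays deliveries", "COO", 3, 3,
         "accept", "Within tolerance; revisit at quarterly risk committee"),
    Risk("R4", "Product launch in a sanctioned market", "General Counsel", 2, 4,
         "avoid", "Do not proceed with the launch"),
    Risk("R5", "Legacy application past end-of-support", "App Owner", 4, 3,
         "accept", ""),
]

if __name__ == "__main__":
    for risk_id, score, level in prioritize(SAMPLE_REGISTER):
        print(f"{risk_id}: score {score:2d} ({level})")
    for finding in register_findings(SAMPLE_REGISTER, tolerance=9):
        print("FINDING", finding)
```

Running the script lists R1 (20, Critical) first and flags R5, which was marked “accept” at a score of 12 against a tolerance of 9; that is exactly the kind of entry a quarterly risk committee should send back for a proper treatment decision.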

Step 6: Risk Monitoring, Reviewing, and Reporting

The last step in the risk management lifecycle is monitoring risks, reviewing the organization’s risk posture, and reporting on risk management activities. Risks should be monitored on a regular basis to detect any changes to risk scoring, mitigation plans, or owners. Regular risk assessments can help organizations continue to monitor their risk posture. Having a risk committee or similar committee meet on a regular basis, such as quarterly, integrates risk management activities into scheduled operations, and ensures that risks undergo continuous monitoring. These committee meetings also provide a mechanism for reporting risk management matters to senior management and the board, as well as affected stakeholders.

As an organization reviews and monitors its risks and mitigation efforts, it should apply any lessons learned and use past experiences to improve future risk management plans.

Examples of Risk Management Strategies

Depending on your company’s industry, the types of risks it faces, and its objectives, you may need to employ many different risk management strategies to adequately handle the possibilities that your organization encounters. 

Some examples of risk management strategies include leveraging existing frameworks and best practices, minimum viable product (MVP) development, contingency planning, root cause analysis and lessons learned, built-in buffers, risk-reward analysis, and third-party risk assessments.

Leverage Existing Frameworks and Best Practices

Risk management professionals need not go it alone. There are several standards organizations and committees that have developed risk management frameworks, guidance, and approaches that business teams can leverage and adapt for their own company. 

Some of the more popular risk management frameworks out there include:

  • ISO 31000 Family: The International Organization for Standardization’s guidance on risk management.
  • NIST Risk Management Framework (RMF): The National Institute of Standards and Technology has released risk management guidance compatible with its Cybersecurity Framework (CSF).
  • COSO Enterprise Risk Management (ERM): The Committee of Sponsoring Organizations’ enterprise risk management guidance.

Minimum Viable Product (MVP) Development

This approach to product development involves developing core features and delivering those to the customer, then assessing the response and adjusting development accordingly. Taking an MVP path reduces the likelihood of financial and project risks, like excessive spend or project delays, by simplifying the product and decreasing development time.

Contingency Planning

Developing contingency plans for significant incidents and disaster events is a great way for businesses to prepare for worst-case scenarios. These plans should account for both response and recovery. Contingency plans specific to physical sites or systems help mitigate the risk of employee injury and outages.

Root Cause Analysis and Lessons Learned

Sometimes, experience is the best teacher. When an incident occurs or a risk is realized, risk management processes should include some kind of root cause analysis that provides insights into what can be done better next time. These lessons learned, integrated with risk management practices, can streamline and optimize response to similar risks or incidents.

Built-In Buffers

Applicable to discrete projects, building in buffers in the form of time, resources, and funds can be another viable strategy to mitigate risks. As you may know, projects can get derailed very easily, going out of scope, over budget, or past the timeline. Whether a project team can successfully navigate project risks spells the success or failure of the project. By building in some buffers, project teams can set expectations appropriately and account for the possibility that project risks may come to fruition.

Risk-Reward Analysis

In a risk-reward analysis, companies and project teams weigh the possibility of something going wrong with the potential benefits of an opportunity or initiative. This analysis can be done by looking at historical data, doing research about the opportunity, and drawing on lessons learned. Sometimes the risk of an initiative outweighs the reward; sometimes the potential reward outweighs the risk. At other times, it’s unclear whether the risk is worth the potential reward or not. Still, a simple risk-reward analysis can keep organizations from bad investments and bad deals.

Third-Party Risk Assessments

Another strategy teams can employ as part of their risk management plan is to conduct periodic third-party risk assessments. In this method, a company would contract with a third party experienced in conducting risk assessments, and have them perform one (or more) for the organization. Third-party risk assessments can be immensely helpful for the new risk management team or for a mature risk management team that wants a new perspective on their program. 

Generally, third-party risk assessments result in a report of risks, findings, and recommendations. In some cases, a third-party provider may also be able to help draft or provide input into your risk register. As external resources, third-party risk assessors can bring their experience and opinions to your organization, leading to insights and discoveries that may not have been found without an independent set of eyes.

Components of an Effective Risk Management Plan

An effective risk management plan has buy-in from leadership and key stakeholders; applies the risk management steps; has good documentation; and is actionable. Buy-in from management often determines whether a risk management function is successful or not, since risk management requires resources to conduct risk assessments, risk identification, risk mitigation, and so on. Without leadership buy-in, risk management teams may end up just going through the motions without the ability to make an impact. Risk management plans should be integrated into organizational strategy, and without stakeholder buy-in, that typically does not happen. 

Applying the risk management methodology is another key component of an effective plan: the six steps outlined above should be incorporated into a company’s risk management lifecycle. Identifying and analyzing risks, establishing controls, allocating resources, conducting mitigation, and monitoring and reporting on findings form the foundations of good risk management.

Good documentation is another cornerstone of effective risk management. Without a risk register recording all of a company’s identified risks and accompanying scores and mitigation strategies, there would be little for a risk team to act on. Maintaining and updating the risk register should be a priority for the risk team — risk management software can help here, providing users with a dashboard and collaboration mechanism.

Last but not least, an effective risk management plan needs to be actionable. Any activities that need to be completed to mitigate risks or establish controls should be feasible for the organization and have resources allocated. An organization can come up with the best possible, best-practice risk management plan, but find it completely unactionable because it doesn’t have the capabilities, technology, funds, and/or personnel to carry it out. It’s all well and good to recommend that cybersecurity risks be mitigated by setting up a 24/7 continuous-monitoring Security Operations Center (SOC), but if your company only has one IT person on staff, that may not be a feasible action plan.

Executing on an effective risk management plan necessitates having the right people, processes, and technology in place. Sometimes the challenges involved with running a good risk management program are mundane — such as disconnects in communication, poor version control, and multiple risk registers floating around. Risk management software can provide your organization with a unified view of the company’s risks, a repository for storing and updating key documentation like a risk register, and a space to collaborate virtually with colleagues to check on risk mitigation efforts or coordinate on risk assessments. Get started building your ideal risk management plan today!

Emily Villanueva, MBA, is a Senior Manager of Product Solutions at AuditBoard. Emily joined AuditBoard from Grant Thornton, where she provided consulting services specializing in SOX compliance, internal audit, and risk management. She also spent 5 years in the insurance industry specializing in SOX/ICFR, internal audits, and operational compliance. Connect with Emily on LinkedIn.


Risk management is the process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.

If an unforeseen event catches your organization unaware, the impact could be minor, such as a small impact on your overhead costs. In a worst-case scenario, though, it could be catastrophic and have serious ramifications, such as a significant financial burden or even the closure of your business.

To reduce risk, an organization needs to apply resources to minimize, monitor and control the impact of negative events while maximizing positive events. A consistent, systemic and integrated approach to risk management can help determine how best to identify, manage and mitigate significant risks.


At the broadest level, risk management is a system of people, processes and technology that enables an organization to establish objectives in line with values and risks.

A successful risk assessment program must meet legal, contractual, internal, social and ethical goals, as well as monitor new technology-related regulations. By focusing attention on risk and committing the necessary resources to control and mitigate risk, a business protects itself from uncertainty, reduces costs and increases the likelihood of business continuity and success.

Three important steps of the risk management process are risk identification, risk analysis and assessment, and risk mitigation and monitoring.

Risk identification is the process of identifying and assessing threats to an organization, its operations and its workforce. For example, risk identification can include assessing IT security threats such as malware and ransomware, accidents, natural disasters and other potentially harmful events that could disrupt business operations.

Risk analysis involves establishing the probability that a risk event might occur and the potential outcome of each event. Risk evaluation compares the magnitude of each risk and ranks them according to prominence and consequence.

Risk mitigation refers to the process of planning and developing methods and options to reduce threats to project objectives. A project team might implement risk mitigation strategies to identify, monitor and evaluate risks and consequences inherent to completing a specific project, such as new product creation. Risk mitigation also includes the actions put into place to deal with issues and effects of those issues regarding a project.

Risk management is a nonstop process that adapts and changes over time. Repeating and continually monitoring the processes can help assure maximum coverage of known and unknown risks.

There are five commonly accepted strategies for addressing risk. The process begins with an initial consideration of risk avoidance then proceeds to 3 additional avenues of addressing risk (transfer, spreading and reduction). Ideally, these three avenues are employed in concert with one another as part of a comprehensive strategy. Some residual risk may remain.

Avoidance is a method for mitigating risk by not participating in activities that may negatively affect the organization. Not making an investment or starting a product line are examples of such activities as they avoid the risk of loss.

Risk reduction, as a method of risk management, attempts to minimize the loss rather than completely eliminate it. While accepting the risk, it stays focused on keeping the loss contained and preventing it from spreading. An example of this in health insurance is preventive care.

When risks are shared, the possibility of loss is transferred from the individual to the group. A corporation is a good example of risk sharing—several investors pool their capital and each only bears a portion of the risk that the enterprise may fail.

Contractually transferring a risk to a third party, such as buying insurance to cover possible property damage or injury, shifts the risks associated with the property from the owner to the insurance company.

After all risk sharing, risk transfer and risk reduction measures have been implemented, some risk will remain since it is virtually impossible to eliminate all risk (except through risk avoidance). This is called residual risk.

Risk management standards set out a specific set of strategic processes that start with the objectives of an organization and intend to identify risks and promote the mitigation of risks through best practice.

Standards are often designed by agencies that work together to promote common goals, helping to ensure high-quality risk management processes. For example, ISO 31000 is an international standard on risk management that provides principles and guidelines for effective risk management.

While adopting a risk management standard has its advantages, it is not without challenges. The new standard might not easily fit into what you are doing already, so you could have to introduce new ways of working. And the standards might need customizing to your industry or business. 



Risk Management Framework (RMF): Definition and Components


What Is Risk Management Framework (RMF)?

All companies face risk; without risk, rewards are less likely. The flip side of this is that too much risk can lead to business failure. Risk management allows a balance to be struck between taking risks and reducing them.

Effective risk management can add value to any organization. In particular, companies operating in the investment industry rely heavily on risk management as the foundation that allows them to withstand market crashes.

An effective risk management framework seeks to protect an organization’s capital base and earnings without hindering growth. Furthermore, investors are more willing to invest in companies with good risk management practices. This generally results in lower borrowing costs, easier access to capital for the firm, and improved long-term performance.

Key Takeaways

  • Risk is a reality for business owners and managers regardless of the industry sector or size of the company.
  • Well-run companies will have a comprehensive risk management framework in place to identify existing and potential risks and assess how to deal with them if they arise.
  • Risk identification, measurement, mitigation, reporting and monitoring, and governance are the five key pieces of an effective framework.

Understanding Risk Management Framework (RMF)

Effective risk management plays a crucial role in any company’s pursuit of financial stability and superior performance. The adoption of a risk management framework that embeds best practices into the firm’s risk culture can be the cornerstone of an organization’s financial future.

The 5 Components of Risk Management Framework

There are at least five crucial components that must be considered when creating a risk management framework. They are risk identification; risk measurement and assessment; risk mitigation; risk reporting and monitoring; and risk governance.

Risk Identification

The first step in identifying the risks a company faces is to define the risk universe. The risk universe is simply a list of all possible risks. Examples include information technology (IT) risk, operational risk, regulatory risk, legal risk, political risk, strategic risk, and credit risk.

After listing all possible risks, the company can then select the risks to which it is exposed and categorize them into core and non-core risks. Core risks are those that the company must take in order to drive performance and long-term growth. Non-core risks are often not essential and can be minimized or eliminated completely.

Risk Measurement

Risk measurement provides information on the quantum of either a specific risk exposure or an aggregate risk exposure and the probability of a loss occurring due to those exposures. When measuring specific risk exposure, it’s important to consider the effect of that risk on the overall risk profile of the organization.

Some risks may provide diversification benefits, while others may not. Another important consideration is the ability to measure exposure. Some risks may be easier to measure than others. For example, market risk can be measured using observed market prices, but measuring operational risk is considered both an art and a science.

Specific risk measures often give the profit and loss (P/L) impact that can be expected if there is a small change in that risk. They may also provide information on how volatile the P/L can be. For example, the equity risk of a stock investment can be measured as the P/L impact of the stock as a result of a 1-unit change in, say, the S&P 500 Index, or as the standard deviation of the particular stock.

Common aggregate risk measures include value at risk (VaR), earnings at risk (EaR), and economic capital. Techniques such as scenario analysis and stress testing can be used to supplement these measures.

ISO 31000 is a set of international standards associated with risk management and mitigation.

Risk Mitigation

Having categorized and measured its risks, a company can then decide on which risks to eliminate or minimize, and how many of its core risks to retain. Risk mitigation can be achieved through an outright sale of assets or liabilities, buying insurance, hedging with derivatives, or diversification.

Risk Reporting and Monitoring

It is important to report regularly on specific and aggregate risk measures in order to ensure that risk levels remain at an optimal level. Financial institutions that trade daily will produce daily risk reports. Other institutions may require less frequent reporting. Risk reports must be sent to risk personnel who have the authority to adjust (or instruct others to adjust) risk exposures.

Risk Governance

Risk governance is the process that ensures that all company employees perform their duties in accordance with the risk management framework. Risk governance involves defining the roles of all employees, segregating duties, and assigning authority to individuals, committees, and the board for approval of core risks, risk limits, exceptions to limits, and risk reports, and for general oversight.

What Is the NIST Risk Management Framework?

The NIST Risk Management Framework is a federal guideline for organizations to assess and manage risks to their computers and information systems. This framework was established by the National Institute of Standards and Technology to ensure the security of defense and intelligence networks. Federal agencies are required to comply with the risk management framework, but private companies and other organizations may also benefit from following its guidelines.

What Is the COBIT Risk Management Framework?

COBIT, or Control Objectives for Information and Related Technology, is a framework for the management and governance of enterprise IT. It was developed by the Information Systems Audit and Control Association (ISACA) to set reliable auditing standards as computer networks became more important in financial systems.

What Is the COSO Enterprise Risk Management Framework?

The Enterprise Risk Management—Integrated Framework is a set of guiding principles established by the Committee of Sponsoring Organizations (COSO) to help companies manage their business risks. It was originally published in 2004, although COSO has issued several updates to the framework as risk management practices have evolved.

Risk management is an essential part of running a business. As the market landscape changes, companies must constantly evaluate and reassess their own risk profiles. Having a strong risk management framework can help organizations identify and prepare for the different threats and dangers that they might face.

International Organization for Standardization. “Risk Management: ISO 31000.”

National Institute of Standards and Technology, Computer Security Resource Center. “NIST Risk Management Framework.”

IT Governance. “What Is COBIT 5?”

Committee of Sponsoring Organizations, via Internet Archive Wayback Machine. “Guidance on Enterprise Risk Management.”


Naval Postgraduate School

Operational Risk Management (ORM) - Safety

Operational Risk Management

Risk is inherent in all tasks, training, missions, operations, and personal activities, no matter how routine. The most common cause of task degradation or mission failure is human error, specifically the inability to consistently manage risk. ORM reduces or offsets risks by systematically identifying hazards and assessing and controlling the associated risks, allowing decisions to be made that weigh risks against mission or task benefits. As professionals, Navy personnel are responsible for managing risk in all tasks, while leaders at all levels are responsible for ensuring proper procedures are in place and that appropriate resources are available for their personnel to perform assigned tasks. The Navy vision is to develop an environment in which every officer, enlisted, or civilian person is trained and motivated to personally manage risk in everything they do. This includes on- and off-duty evolutions in peacetime and during conflict, thereby enabling successful completion of any task and mission. Navy commands and activities accomplish this by executing a four-pillar strategy.

It is required that all NPS Personnel take ORM training when they come on board, and every three years thereafter.

  • Individual Managing Your Risk  (CIN - CPPD CPPD-ORM-MYR-1.0). This training has a mandatory triennial completion requirement for all Navy personnel.
  • Supervisor Managing Your Team’s Risk  (CIN - CPPD-ORM-MYTR-1.0). This training is required upon initial assignment of supervisory responsibilities and every 36 months while assigned at command. 

In addition to these triennial trainings, there is an annual ORM Refresher training.  It is required for all individuals (Civilian and Military) per OPNAVINST 3500.39D.

Methods of training:

  • Android App
  • ESAMS - All NPS Staff and Faculty (but not Students) should have an active ESAMS account. If you are unable to log in, contact [email protected]

ORM Process

The most common idea of what ORM is revolves around a simple five-step process that is most frequently used in planning, or at the Deliberate Level. These five steps are:

Step 1. Identify hazards - A hazard is any condition with the potential to negatively impact mission accomplishment or cause injury, death, or property damage. Hazard identification is the foundation of the entire RM process. If a hazard is not identified, it cannot be controlled.
Step 2. Assess hazards - For each hazard identified, determine the associated degree of risk in terms of severity and probability. The result of the risk assessment is a prioritized list of hazards, which ensures that controls are first identified for the most serious threat to mission or task accomplishment. Combine the severity with the probability to determine the risk assessment code (RAC) or level of risk for each hazard, expressed as a single Arabic number. Although not required, the use of a matrix, such as the one below, is helpful in identifying the RAC.
Step 3. Make risk decisions - A key element of the risk decision is determining whether the risk is acceptable. This decision must be made at the right level, by the individual who can balance the risk against the potential benefit and value of the mission or task. This individual decides whether the controls are sufficient and acceptable and whether to accept the resulting residual risk. If the risk level is determined to be too high, developing additional or alternate controls, making modifications or changes, or rejecting the course of action becomes necessary.
Step 4. Implement controls - Once the risk control decisions are made, the next step is implementation. This requires that the plan is clearly communicated to all involved personnel, accountability is established, and necessary support is provided. Careful documentation of each step in the RM process facilitates risk communication and records the rationale behind the RM decisions.
Step 5. Supervise and review - This step involves determining the effectiveness of risk controls throughout the mission or task. It consists of three actions: monitoring the effectiveness of risk controls; determining the need for further assessment of all or a portion of the mission or task due to an unanticipated change; and capturing lessons learned, both positive and negative.

Four Principles of ORM

  • Accept risks when benefits outweigh costs.
  • Accept no unnecessary risk.
  • Anticipate and manage risk by planning.
  • Make risk decisions at the right level.

The Three Levels of ORM

The in-depth level refers to situations when time is not a limiting factor and the right answer is required for a successful mission or task. Thorough research and analysis of available data, use of diagrams and analysis tools, formal testing or long term tracking of associated hazards are some of the tools used at this level. Other examples of application of ORM at the in-depth level include, but are not limited to: long term planning of complex or contingency operations; technical standards and system hazard management applied in engineering design during acquisition and introduction of new equipment and systems; development of tactics and training curricula; and major system overhaul or repair.

The deliberate level refers to situations when there is ample time to apply the RM process to the detailed planning of a mission or task. At this level, the planning primarily uses experienced personnel and brainstorming and is most effective when done in a group. The Navy planning process is a good example of ORM application integrated at the deliberate level. Other examples include: planning of unit missions, tasks or events; review of standard operating, maintenance or training procedures; recreational activities; and the development of damage control and emergency response plans.

Time Critical Risk Management (TCRM)

This is the level at which personnel operate on a daily basis both on- and off-duty. The time critical level is best described as being at the point of commencing or during execution of a mission or task. At this level there is little or no time to make a plan. An on-the-run mental or verbal assessment of the new or changed/changing situation is the best one can do. Time is limited in this situation, so the application of the 5-step process has proven impractical and ineffective. The Navy has adopted the ABCD Model.

RISK ASSESSMENT CODES:

Combine the severity with the probability to determine the risk assessment code (RAC) or level of risk for each hazard, expressed as a single Arabic number. Although not required, the use of a matrix (such as the one below) is helpful in identifying the RAC. In some cases, the worst credible consequence of a hazard may not correspond to the highest RAC for that hazard. For example, one hazard may have two potential consequences. The severity of the worst consequence (I) may be unlikely (D), resulting in a RAC of 3. The severity of the lesser consequence (II) may be probable (B), resulting in a RAC of 2. Therefore, it is important to consider less severe consequences of a hazard if they are more likely than the worst credible consequence, since this combination may actually present a greater overall risk.

Mishap Severity Categories

  • CATASTROPHIC - Loss of the ability to accomplish the mission. Death or permanent total disability. Loss of a mission-critical system or equipment. Major facility damage. Severe environmental damage. Mission-critical security failure. Unacceptable collateral damage.
  • CRITICAL - Significantly degraded mission capability or unit readiness. Permanent partial disability or severe injury or illness. Extensive damage to equipment or systems. Significant damage to property or the environment. Security failure. Significant collateral damage.
  • MODERATE - Degraded mission capability or unit readiness. Minor damage to equipment, systems, property, or the environment. Minor injury or illness.
  • NEGLIGIBLE - Little or no adverse impact on mission capability or unit readiness. Minimal threat to personnel, safety, or health. Slight equipment or systems damage, but fully functional and serviceable. Little or no property or environmental damage.

Mishap Probability or Occurrence Levels

  • FREQUENT - Expected to occur continuously to an individual item or person; or continuously over a service life for an inventory of items or group.
  • LIKELY - Likely to occur, immediately or within a short period of time. Expected to occur frequently to an individual item or person; or continuously over a service life for an inventory of items or group.
  • OCCASIONAL - Will occur occasionally in time. Expected to occur several times to an individual item or person; or frequently over a service life for an inventory of items or group.
  • SELDOM - May occur seldom in time. Can reasonably be expected to occur sometime to an individual item or person; or several times over a service life for an inventory of items or group.
  • UNLIKELY - Unlikely to occur in time. Unlikely to occur, but possible in the service life for an inventory of items or group.
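As an added example (not code from the NPS page or from OPNAVINST 3500.39), the Step 2 prioritization and the RAC caveat above worked in Python: each hazard's RAC is taken over all of its credible consequences, so a less severe but more likely consequence can set the hazard's rank. The RAC matrix and the sample hazards are assumptions, constructed so that the matrix reproduces the page's own example (severity I at probability D gives RAC 3, severity II at probability B gives RAC 2).

```python
"""ORM Step 2 worked example: RAC per hazard and a prioritized hazard list.

Added example, not from the NPS page or OPNAVINST 3500.39. The RAC matrix is
an ASSUMPTION (the page's matrix is not reproduced), constructed to agree with
the page's example: severity I at probability D -> 3, II at B -> 2. Letters
follow the order of the page's severity and probability lists.
"""
from dataclasses import dataclass, field

SEVERITY = {"I": "Catastrophic", "II": "Critical", "III": "Moderate", "IV": "Negligible"}
PROBABILITY = {"A": "Frequent", "B": "Likely", "C": "Occasional", "D": "Seldom", "E": "Unlikely"}
# Assumed matrix: rows severity I..IV, columns probability A..E; RAC 1 is the highest risk.
RAC_MATRIX = {
    "I":   {"A": 1, "B": 1, "C": 2, "D": 3, "E": 4},
    "II":  {"A": 1, "B": 2, "C": 3, "D": 4, "E": 5},
    "III": {"A": 2, "B": 3, "C": 4, "D": 5, "E": 5},
    "IV":  {"A": 3, "B": 4, "C": 5, "D": 5, "E": 5},
}

def rac(severity: str, probability: str) -> int:
    """Risk assessment code for one (severity, probability) pair."""
    if severity not in SEVERITY or probability not in PROBABILITY:
        raise ValueError(f"unknown category {severity}/{probability}")
    return RAC_MATRIX[severity][probability]

@dataclass
class Hazard:
    name: str
    # Each credible consequence is a (severity, probability) pair; a hazard may have several.
    consequences: list[tuple[str, str]] = field(default_factory=list)

    def overall_rac(self) -> int:
        """Most serious RAC over all consequences (the page's caveat: a lesser but likelier one can win)."""
        return min(rac(s, p) for s, p in self.consequences)

def prioritize(hazards: list[Hazard]) -> list[tuple[str, int]]:
    """Step 2 output: hazards ordered most serious first (stable sort keeps ties in input order)."""
    return [(h.name, h.overall_rac()) for h in sorted(hazards, key=Hazard.overall_rac)]

# Constructed sample hazards (hypothetical, not from the page).
SAMPLE = [
    Hazard("fall from height", [("I", "D"), ("II", "B")]),  # the page's example pair
    Hazard("hand tool damage", [("IV", "A")]),
    Hazard("chemical exposure", [("II", "E"), ("III", "D")]),
]

if __name__ == "__main__":
    for name, code in prioritize(SAMPLE):
        print(f"RAC {code}: {name}")
```

Ranking only by the worst credible consequence would give the first hazard RAC 3 and tie it with the tool-damage hazard; taking the minimum over consequences ranks it first, which is the point of the caveat.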


  • OPNAVINST 3500.39 - OPERATIONAL RISK MANAGEMENT
  • "ORM The Essentials: A Tool for Making Smart Decisions" by the Naval Safety Center
  • Naval Safety Center ORM App Info Sheet (includes links to ORM training app)
  • Navy's Travel Risk Planning System (TRiPS)
  • Transportation Safety Institute
  • Air Force Safety Center
  • Army Safety Center
  • U.S. Marine Corps Safety
  • Naval Safety Center
