Step by step risk management implementation guide for professionals who want to move beyond RM1

Step by step video guide to implementing risk management 1 and 2. Let me know in the comments if this helped you and what would you add to the list.

Despite the fact that risk management is a decision making tool, you should probably get Risk Management I sorted first, to keep the auditors, rating agencies and regulators at bay. It’s RM1, so keep it as simple and as quick as possible, this is less than 10% of the overall effort.

A1. Develop a short risk management policy structured around ISO31000 principles – this one is very easy, just follow the steps below:

A2. Develop a very basic risk management framework document, aligned with ISO31000 – same as above, use the ISO31000:2019 to develop a framework document. Stick to the text of the standard as close as possible, don’t reinvent the wheel. Borrow some good sentences from COSO: ERM 2017 as well, just for fun. Claim that the document is aligned with both. Auditors love that.

A3. Identify and fulfil any other regulatory or shareholder requirement regarding risk management – this is also an important step, as many industries have additional risk management requirements, make sure you crossed them all when drafting policy and framework documents.

A4. Develop a high level risk profile, linking key risks to strategic objectives – this is basically a colourful risk register. You can talk to some of the key decision makers, but you really don’t have to. Competitor 10K reports and sample risk registers like the one I have will do the job.

A5. Document risk appetite – did you notice how I put risk appetite after risk profile? This is just to show that RM1 is just window dressing, it doesn’t matter how you do it, it’s not real. You don’t believe me it’s not real, well allow Grant Purdy, one of the creators of the AS/NZS 4360 and ISO31000, share his sobering views. This is a must watch for all risk managers.

When implementing RM2 start with the key decisions

B6. Develop a specific risk analysis methodology for each key decision type – the organisation should implement risk management by:

  • identifying where, when and how different types of decisions are made across the organisation, and by whom;
  • modifying the applicable decision-making processes where necessary by applying some of risk analysis techniques to the actual decision making process. This will help decision makers make informed and intelligent decisions based on proper risk analysis. Which techniques work and which don’t? I have an article on that.
  • ensuring that the organisation’s arrangements for managing risk are clearly understood and practised.

B7. Provide tools to the decision makers or perform risk analysis on key decisions yourself – this is an important step to decide whether the risk team will become a methodology and monitoring centre and the actual risk analysis will be performed by decision makers or the risk team will become the analysis support centre and will perform all risk analysis themselves given the decision makers just the outputs. It’s a complex decision. If the decision makers are not mature, don’t have strong quant skills and are very biased, then risk team must become the analysis support centre and perform all risk analysis. Here is important to work with internal auditors to make sure risk analysis quality is sufficient to support decision making.

This is pretty basic stuff but if decision science is new to you, I recommend reading good books that had all the answers for the last 10+ years.

B8. Change the way uncertainty is accounted for during planning by moving away from single point estimates to ranges. Sam Savage, Executive Director of, author of the Flaw of Averages – Why we Underestimate Risk in the Face of Uncertainty, Adjunct Professor in Stanford University’s School of Engineering and a Fellow of the Judge Business School at Cambridge University, will desribe this better than I ever could. Make sure you watch his workshop. It’s free, but places are limited.

B9. Replace traditional scenarios run by finance with more sophisticated risk modelling.

B10. Use simulations to change how KPIs and performance targets are calculated and how performance against them is measured.

It is important to make sure roles and responsibilities reflect risk-based decision making:

  • C11. Update existing position descriptions to include responsibility for risk-based decision making, planning and performance management
  • C12. Update existing committee charters to include responsibility for risk-based decision making, planning and performance management

Most staff do not have risk management training and unable to adequately consider uncertainty when making decisions:

  • C13. Provide risk-based thinking training to decision makers. I have numerous courses for that online and offline at the
  • C14. Include risk management competencies into existing business training programs. Over the years I have discovered that it is actually much better to make every training course that HR department runs a little bit risk-based than do a standalone big risk training.

A series of workshops talk a lot more about what and how to train decision makers.

Need to establish clear communication channels. Here are some ideas:

  • C15. Set up and become a secretary for the Risk Committee
  • C16. Present risk related topics at every corporate speaking opportunity
  • C17. Include risk management topics on the meeting agendas
  • C18. Write risk management speeches for executives at every opportunity
  • C19. Participate in corporate events and run own risk competitions

It is important to provide transparency through disclosure as well:

  • C20. Disclose information about risk-based decision making in the annual report
  • C21. Disclose information about risk-based decision making on the corporate intranet
  • C22. Disclose information about risk-based decision making on the corporate website


Risk management requires special competencies

  • D23. Develop quantitative skills
  • D24. Develop soft skills
  • D25. Develop a strong understanding of the nature of the business and the specifics of decision making within the organisation.

Here is my article on the competencies risk managers in non-financial companies mus have.

Risk management 2 requires tools beyond common GRC systems

  • D26. Invest into proper modelling tools. There are plenty of RM2 systems on the market and some are actually amazing.
  • D27. AutomateRM1 if possible. Archer Insight combines RM1 and RM2 quant functionality, which is actually quite rare to kill both birds with one stone.

Networking should be a big part of team development

  • D28. At every opportunity meet and exchange ideas with other global risk managers
  • D29. Quickly separate RM1 from RM2 risk experts. Spend your time interacting with RM2 risk managers and experts, don’t waste time on RM1 gurus. I have a whole list of RM2 experts.


And finally…

30. Have fun and if you are not having fun doing the above, if the management is blocking any attempt to improve decision making, start looking for a better more rewarding job.



RISK-ACADEMY offers online courses


Informed Risk Taking

Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!


ISO31000 Integrating Risk Management

Alex Sidorenko, known for his risk management blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.


Advanced Risk Governance

This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.