How to Manage Risk in your Organisation

18 May, 2020

Risks exist everywhere and we face them every day. Whether it’s taking on a new client, moving into a new office building or just crossing the road, risks need to be managed appropriately to minimise potential issues and maximise gain.

The severity and likelihood of risks can vary, and so should your responses. Therefore, it’s important that you familiarise yourself with your organisation’s policies and procedures in relation to risk management.

This post walks through the essentials of risk management: identifying risks, assessing them, and choosing a response.

Identifying and Assessing Risks

You can’t fix something you don’t know is broken, so the first step in managing risk is to identify the risks you face and record them.

For example, you may identify the risk of ‘teething problems’ when switching to a new Customer Relationship Management (CRM) system.

Once you’ve identified a risk, assess it on two dimensions: likelihood and impact. Likelihood is how probable it is that the risk will actually materialise; impact is how severe the consequences would be if it did. A common approach is to score each on a scale of one (low) to four (high), and to combine the two scores (often by multiplying them) so that risks can be ranked and the response chosen accordingly.

For example, the risk of ‘teething problems’ with a new CRM could have a likelihood score of ‘two’ but an impact score of ‘four’: it is not especially likely, but if it does happen the disruption to customer-facing work could be severe.

How to Respond to Risks

Your assessment dictates how you respond to each risk. The four possible responses are easy to remember as the ‘four Ts’: tolerate, transfer, treat and terminate.

Tolerate

If a risk has a low likelihood and impact score, you may decide to simply tolerate the risk. This is not the same as ignoring it! Tolerating a risk means acknowledging the potential consequences but deciding that they are not severe enough to warrant further action. Record that decision and who made it, and review it periodically: a risk that was tolerable last year may not be tolerable once its likelihood or impact changes.

Transfer

There are a number of reasons why a risk might be transferred, and transferring a risk does not mean passing it to someone else out of apathy. A colleague or team may simply be better placed to own the risk because of greater experience or knowledge, or a third party may be better placed to carry it, for example an insurer, or a supplier who takes on the risk under contract. Bear in mind that transferring responsibility for handling a risk does not transfer accountability for it: if a supplier loses your customers’ data, your organisation still answers for that loss.

Treat

A medium or high score for likelihood or impact usually means you should treat the risk, that is, put controls in place that lower its likelihood, its impact or both. For example, if you identify a trip hazard that you cannot fix until a later date, an acceptable response could be to treat the risk by cordoning off the area: the hazard still exists, but the likelihood of anyone being hurt by it has dropped.

Terminate

If a risk has a high likelihood and impact, and cannot be treated down to an acceptable level, then the appropriate response is to terminate it by stopping, or not starting, the activity that gives rise to it.

For example, if you research the new CRM you’re looking to implement only to find that the vendor has several legal cases pending and scathing customer reviews in relation to information security, then you may decide to terminate the risk by not pursuing that system at all.

Bob’s Top Tips

We’ve gathered a few simple tips to help you remember the essentials of risk management.

  • Risk management applies to every aspect of your business, not just IT.
  • Identify risks, then assess each one for its likelihood and its potential impact on your organisation.
  • Remember the four Ts of risk response: tolerate, transfer, treat and terminate.
