
How to manage risk in your organisation

24 October, 2022

Risks exist everywhere, and we face them every day. Whether taking on a new client, moving into a new office building or just crossing the road, risk must be managed appropriately to minimise potential issues and maximise gain.

In an ideal world, we’d make decisions with all the facts available. However, life doesn’t often hand us that opportunity, and decisions must still be made. The severity and likelihood of risks vary, and so should your responses. Therefore, you must familiarise yourself with your organisation’s policies and procedures concerning risk management.

The following blog will take you through everything you need to know about risk management, including identification, assessment and response.

Identifying and assessing risks

You can’t fix something you don’t know is broken, meaning that the first thing to do when it comes to risks is to identify them.

For example, you may identify the risk of ‘teething problems’ when switching to a new Customer Relationship Management (CRM) system.

Once you’ve identified the risk, you should assess it based on likelihood and impact. Put simply, these two elements determine how likely a consequence of the risk is and how much of an impact the consequence could have. A common way of measuring this is on a scale of one to four.

For example, the risk of ‘teething problems’ with a new CRM could have a likelihood score of ‘two’ but an impact score of ‘four’.

The goals of developing a risk management plan are simply to formalise that process and to use your resources more wisely. Identifying your risks is the first and most crucial stage in this approach.

You must compile a list of all the unique dangers that can affect your business. This can be a difficult task, especially for startup companies without a track record or years of expertise to draw from. Fortunately, there are certain methods you can use to help:

1. Break down the big picture

When beginning the risk management process, identifying risks can be overwhelming. Start with a broad analysis. What are the most obvious potential problems for your business or sector? These may be based on your daily routine and business strategy.

Risk comes in many forms. There are numerous categories, including financial, operational, technological, legal, political, safety and reputational. Consider your organisation's vulnerabilities in each of these categories when you break it down by department.

Asking yourself insightful questions can reveal weaknesses in your organisation that you may not have considered. Is your manufacturing process, for instance, completely secure? Are all of your staff members qualified? What would happen if your greatest client disappeared? Would you know what to do, and who is responsible, if a catastrophic incident happened? If you can't provide an answer to a question like this, it indicates a risk that needs to be addressed.

2. Try and take a glass-half-empty approach (momentarily)

What is the worst possible scenario for your company? What would the course of events be if there was a day when everything went wrong? Being extremely pessimistic may not be the ideal strategy for managing a company, but it's quite useful for recognising hazards.

At this point it is crucial to avoid arrogance and the belief that something ‘can't’ or ‘won't’ happen. Challenge every one of your beliefs regarding potential threats, and be ready for any or all of them to materialise.

3. Train your employees

Everyone will view the organisation and the hazards they face while doing their jobs differently, from the CEO to the front-line employees. Employees are, therefore, one of the most important resources for spotting dangers.

You can ask for anonymous input from employees, hold one-on-one interviews, or run group discussions. While group discussions may improve brainstorming and result in a higher number of identified hazards, allowing anonymous reporting may make it more likely that employees who are worried about the consequences of speaking up will respond.

Third-party providers such as Bob’s Business can also offer compliance training solutions, so your employees know how to recognise and report risks in your organisation when needed. When deployed to your teams and appropriately reinforced, these courses can help increase policy adoption in your business by an average of 45%!

How to respond to risks

Your assessment will dictate the manner in which you respond to each risk. You can easily remember the different responses to risks by remembering the ‘four Ts’.

Tolerate

If a risk has a low likelihood and impact score, you may decide to tolerate the risk. This is not the same as ignoring it! Tolerating a risk is about acknowledging the potential consequences but deciding that they are not severe enough to warrant avoiding the risk entirely.

Transfer

There are a number of reasons why a risk might be transferred. Transferring a risk does not necessarily mean passing it over to someone else out of apathy. A colleague may simply be better placed to deal with the risk due to a greater level of experience or knowledge.

Treat

A medium-to-high score on the likelihood and impact scale may result in you treating the risk, that is, lowering its likelihood or impact. For example, if you identify a trip hazard that you cannot fix until a later date, then an acceptable response could be to treat the risk by cordoning off the area.

Terminate

If a risk has a high likelihood and impact, but cannot be treated, then the appropriate response would be to terminate it.

For example, if you research the new CRM you’re looking to implement only to find that the vendor has several legal cases pending and scathing customer reviews in relation to information security, then you may decide to terminate the risk by not pursuing the new system.

Top tips for risk management in your organisation

We’ve amassed a number of simple, top tips that should help you remember the essentials of risk management.

  • Identify risks as early as possible.
  • View everything with a glass-half-empty mindset.
  • Describe risks appropriately.
  • Estimate and prioritise risk.
  • Take responsibility and ownership.
  • Learn from past mistakes.
  • Use appropriate strategies to manage risk.
  • Keep monitoring & reviewing.
  • Make sure your employees are trained and kept up to date.
  • Remember the four Ts of risk response: tolerate, transfer, treat and terminate.

Ready to start taking compliance seriously? Check out Bob's Culture, our fully-managed compliance and cybersecurity training programme to reduce your risk of breach and noncompliance in one fell swoop.
