Developing A Formal Risk Management Program

Of all the client inquiries and advisories we handle related to risk management, one of the most frequent topics of discussion continues to be the role of risk management itself. Who should be involved? How? What should our objectives be? How should we measure success?

I cover these and related topics in my Risk Manager's Handbook series, which presents best practice examples and recommendations following the core process elements found in the ISO 31000 standard. My first two reports in this series are The Risk Manager's Handbook: How To Explain The Role Of Risk Management and The Risk Manager's Handbook: How To Identify And Describe Risks.

In an upcoming Security & Risk Council member meeting in London, I plan to take members through each of the five steps of ISO 31000 in an interactive workshop. We will discuss how to build repeatable and consistent processes, demonstrate those processes to stakeholders, improve strategy and planning, and show support for relevant corporate functions and business units. If you're interested in discussing this idea with me and other members of the Security & Risk Council, please consider joining us on March 16 in London. To qualify to attend, you must be a senior-level security and/or risk management executive in a $1B+ organization. Please click here for more details on the S&R Council or on the member meeting itself.

For those of you who cannot attend, I welcome any comments or questions you have on this topic. I am also currently writing my next report in the series, which will cover methods and best practices for analyzing risks. Keep an eye out for this report in April, and feel free to contact me if you are interested in contributing your perspectives and experiences.


Risk Management

Great post, Chris... any insight on how mid-size businesses should manage risk?

Risk management for small/medium businesses

Thanks for the question, Edward. Smaller organizations are naturally less likely to have an individual designated as chief risk officer or the equivalent... this function may be the part-time responsibility of the CFO or COO.

In any case, I strongly recommend that risk management follow the same processes I outline in the reports referenced in this post. When you define the role of risk management, the scope may be narrower; you may decide you only have the resources to track the organization's top 15 risk categories, or you may collapse the risk identification and analysis steps into a single, less formal process of brainstorming in surveys.

But again, every aspect of the risk management process that is adopted by the largest organizations should be discussed and considered by smaller ones.

Hope this helps.

Loss Events Management - A critical area as well

Thanks for sharing, Chris. I feel Loss Events Management is also a critical area to be addressed by financial institutions.

In this regard, Lera Technologies extends its services around TASSO – The Operational Risk Management Solution, and we are glad to propose the Loss Event Management Module as an introductory offer to banks. Please reach me at

Please visit:

Hope this helps!!

Thank you for the tips and

Thank you for the tips and tricks, appreciate it.
Chris Harris
Risk management consultants