If you have already been told how to do ‘risk management’, with templates

What to read first: Risk management driven as a prescribed process; Assumptions

Everyone Version 3.0 Beta

It is quite likely that you have been given some guidelines already, and that those guidelines include:

  • A template for a risk register, with a row for each risk and columns for per-risk details. Possibly it’s a form in an online system.
  • A rating scale or matrix for risk consequences or impacts, distinguishing about five levels of impact.
  • A rating scale for risk likelihoods, probability, or frequencies.
  • A look-up matrix that takes a risk’s likelihood level and its consequence level and gives a combined ‘level of risk’ (or risk severity). This matrix may be brightly coloured.
  • A separate template for registering risk treatments.

The how-to steps in this guide will differ from guidelines you have been given within your organisation.

This guide's articles include models showing how the recommended method can be represented on a whiteboard or on a page. That way you won’t have to invent your own formats and steps while you are busy enough running your actual business and managing its risks. In important areas, the models provided here will look comfortably like typical corporate prescriptions. The models in Clear Lines on Audit and Risk can even be matched in a corporate database, if it has enough flexibility.

The important differences from organisational guidelines may not be about one template or scale being better than another.

This guide does not assert that its models are the best.

This guide asserts that real confidence in your unit’s outcomes is important, while going through the motions of ‘risk management’ is not. That change of perspective may lead to fundamental differences.

Another source of difference might be an organisational focus on Enterprise Risk Management, which could compete with your own management of risk.

The guide gives tips about managing those differences.

Please share any experiences with alternative models based on similar principles, and with linking this guide to on-line corporate ‘risk management’ systems. You can use the Leave a Reply box at the bottom of this page.

The blog method is consistent with the Australian Commonwealth Risk Management Policy, the international standard ISO 31000, and with the Australian ISO handbook on applying the international standard (HB 436). Specific templates, scales, and matrices do not appear in any of those sources. ISO 31000 starts out with some key principles for effective risk management (Section 3), and these principles are the central focus of the process recommended by the Clear Lines on Audit and Risk.

Parent articles


To reach assurance you must know your business. You and your boss must know what’s acceptable. It helps if you can talk with the boss. ‘What’s acceptable’ includes behaviours, numbers, delivery, real-world outcomes, and outcome likelihoods. It’s the real-world outcome likelihoods that matter.

Risk management driven as a prescribed process

The Clear Lines on Audit and Risk lead to meeting the assurance demands of the boss. Corporate risk specialists may drive ‘risk management’ as a prescribed set of steps, regardless of assurance demands.

Main article on Risk in work unit business planning
