10 Steps to Create a Risk Management Plan

Sophie Danby July 3, 2023

It’s always nice to know the theory behind the practice, but sadly that’s not enough. A Risk Management plan is what will make you truly effective at avoiding risks and keeping your organization safe. 

Having a set of guidelines will help you map your activities, ensure the right people are held accountable, and avoid possible disruptions or fines.  

Don’t know where to start? Don’t worry! Keep reading for a complete overview of the four basic components you need to put Risk Management into practice, along with some resources to effectively create a plan (template included!).

Let's get started.



What is a Risk Management plan?

A Risk Management plan is a document that comprehensively registers and describes all your organization's procedures to mitigate and address risks. It covers your entire approach to the practice, from the scope and the Risk Management lifecycle to documentation and audits.

The plan requires input and collaboration from your senior management, legal, governance, compliance and risk teams to create an approach that aligns with business objectives and meets regulatory or legal obligations. 

Roles and responsibilities in a Risk Management plan

Your plan will need clearly defined roles and responsibilities so everyone knows what is expected and everything is taken care of.

Role Responsibility
Risk Manager Responsible for the day-to-day running of the Risk Management practice and creating the risk plan.
Risk Analyst Supports the Risk Manager.
Risk Owner Owns the mitigation actions for an individual risk.
Senior Management Team Approves the risk plan and signs off on the overall risk threshold, which sets the organization's tolerance for risk.
Compliance Team Provides subject matter expertise and ensures the risk plan meets all obligations from a compliance perspective.
Legal Team Provides subject matter expertise and ensures the risk plan meets all obligations from a legal perspective.

Finance Team Provides subject matter expertise and ensures the risk plan meets all obligations from a financial perspective.
HR Team Provides subject matter expertise, ensures the risk plan meets all obligations from a people perspective and that HR policies align with the overall risk strategy.
IT Identifies and suggests mitigation activities for information security risks.

The importance of an IT Risk Management plan

Organizations across the globe are revisiting how their IT infrastructure functions. Risk is a significant factor in that. A Risk Management plan not only documents how you approach risk but it also provides governance and structure. 

Benefits of a Risk Management plan include:

  • Better organization - All risk activities are captured in one place so that everyone knows where to go for information about Risk Management activities.

  • Supported IT or information security - By identifying vulnerabilities and potential threats to IT systems, a thorough plan enables the business to put the appropriate countermeasures in place.

  • More effective compliance and regulatory requirements - Many industries have specific rules, regulatory frameworks, and compliance requirements that companies must adhere to (for example SOX). A Risk Management plan helps companies meet these requirements by addressing risks related to data protection, governance and IT security.

  • Cost savings - A risk plan can help organizations identify and deal with risks sooner rather than later, reducing the likelihood of costly incidents such as service downtime or data breaches. It can also help companies optimize IT spending by prioritizing assets and resources based on risk exposure and criticality.

  • Transparency and improved decision-making - If your risks are identified and recorded in a plan, everyone will be aware of them, and you can make better decisions based on hard, reliable risk information.

  • A shift to a more proactive approach - Actively planning for how you can identify, assess and respond to risks helps you get ahead of the game and makes your approach to risk proactive rather than just reactive firefighting. This also supports business continuity by identifying potential risks that could disrupt services.

  • Improved confidence - Having a defined Risk Management plan sends the message that you're committed to owning and managing risks effectively. Demonstrating a robust, proactive approach to handling risk can act as a market differentiator to customers and stakeholders.

The 4 components of a Risk Management plan

A Risk Management plan typically has four components:

  • Risk identification: set out how risks should be identified in your organization. Do people know how to report risks? Are there links to the appropriate processes? For example, if your IT service desk identifies an incident that involves organizational risk, would they know the correct escalation pathway?

  • Risk assessment: this step helps organizations prioritize the risk based on probability and impact. A useful tool to do so is to define a risk matrix.

  • Risk mitigation: how each risk will be dealt with. ITIL 4 incorporates specific knowledge on Risk Management and describes four main possible responses towards risk: mitigation, avoidance, switching, and acceptance.

  • Risk monitoring: monitoring the risk throughout its lifecycle to ensure it doesn't escalate and any risk remains below the appropriate level for your organization.

How to create a Risk Management plan in 10 steps

Now, to materialize the four components of the risk plan, you can follow these ten steps.

1. Define the scope

As always, set the scope of your risk plan early so there's no potential for scope creep. Start with your most significant exposure area, that is, your biggest source of risk or your most important compliance objective, and build up from there.

Don't try to do too much at once; focus on one well-defined domain and get your house in order there. You can always add to it once your plan is more established and you've had time to reflect on the process and on what is and isn't working.

2. Assign roles and responsibilities

Setting out roles and responsibilities in your risk plan is essential so everyone knows what they are responsible for. In an ideal world, details of roles and responsibilities should be codified in a RACI matrix.

3. Set a baseline/threshold

If you have an internal audit team, use them to check your risk landscape thoroughly. This will give you a baseline on which you can build your plan and use it as a comparison point as your risk practice matures. 

Another thing to do is to agree on your risk threshold – this will look different for every organization as everyone has a different appetite for risk. However, ensure it is approved by all and captured in your risk plan so it can be referred back to as and when necessary.  

4. Risk Identification

Set out how risks can be identified and reported in your organization. Make it easy to report them (for starters, make the risk form easy to find on your intranet) and build touchpoints with other processes so that it can be flagged quickly and easily if a risk is identified. 

5. Risk Assessment

Agree on a standard way of assessing risks so they can be prioritized and managed appropriately. One way to accomplish this is to use a risk matrix based on probability and impact. This reduces the scope for subjective judgement and ensures that all risks are assessed consistently.

Risk matrix of Probability / Impact (probability levels include Highly Likely).

6. Response approach

This is your action plan for mitigating the risk if the event occurs. Work with your GRC and senior management teams to agree on the most appropriate response based on your organization's appetite for risk. 

7. Triggers

When creating your risk plan, make a list of triggers against your risks so that you can be more proactive in addressing them.

8. Risk Register

This is your list of risks, along with their probability and impact details. Your risk register should form the basis of your plan, as this is where all risks that could potentially threaten your organization are captured. It stores every risk in one central location and is used to manage risks across their lifecycle.

9. Contingency planning

Your risk landscape isn't static. As you address or mitigate existing risks, new project activity could introduce unknown risks into your environment, so have a change plan. Contingency planning also applies to reclassifying existing risks in the event of a change, so make sure you build enough flexibility into your process to deal with any adjustments that need to be made.

10. Continual improvement

Build a continual improvement cycle into your plan so your processes and procedures can be reviewed and improved.
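As an added illustration of steps 5, 8 and 9 (this is example code written for this page, not code from the article or from InvGate), here is a small Python risk register that scores every risk with the same probability/impact matrix, flags the risks above the agreed threshold, and records a reclassification when a risk changes. The scale labels, rating bands, threshold value and sample risks are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed example: a 5x5 probability/impact matrix and a small risk register.
# Scale labels, rating bands and the threshold are assumptions, not article values.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "highly likely": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

def rating(score: int) -> str:
    # Map a matrix score (1..25) to the rating band used for prioritisation.
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    return "medium" if score >= 4 else "low"

@dataclass
class Risk:
    risk_id: str
    description: str
    probability: str   # must be a key of PROBABILITY
    impact: str        # must be a key of IMPACT
    owner: str         # the Risk Owner accountable for mitigation
    def score(self) -> int:
        # A KeyError here means a level outside the agreed scale was used,
        # which is exactly the inconsistency a shared matrix is meant to prevent.
        return PROBABILITY[self.probability.lower()] * IMPACT[self.impact.lower()]

class RiskRegister:
    def __init__(self, threshold: int):
        self.threshold = threshold   # risk appetite signed off by senior management
        self.risks: dict[str, Risk] = {}
    def add(self, risk: Risk) -> None:
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.risks[risk.risk_id] = risk
    def reassess(self, risk_id: str, probability=None, impact=None) -> tuple[str, str]:
        """Contingency step: change a risk's levels and return (old, new) rating."""
        r = self.risks[risk_id]
        old = rating(r.score())
        r.probability = probability or r.probability
        r.impact = impact or r.impact
        return old, rating(r.score())
    def needs_response(self) -> list[str]:
        """IDs of risks scoring above the agreed threshold, highest score first."""
        hot = [r for r in self.risks.values() if r.score() > self.threshold]
        return [r.risk_id for r in sorted(hot, key=lambda r: r.score(), reverse=True)]

def build_example_register() -> RiskRegister:
    reg = RiskRegister(threshold=8)   # anything scoring above 8 needs a response
    reg.add(Risk("R1", "unpatched internet-facing server", "highly likely", "major", "IT"))
    reg.add(Risk("R2", "key supplier insolvency", "unlikely", "severe", "Finance"))
    reg.add(Risk("R3", "intranet risk form hard to find", "possible", "minor", "Risk Manager"))
    return reg
```

Because every entry goes through the same two lookup tables, two assessors given the same levels always arrive at the same rating, and a typo in a level fails immediately instead of silently producing a wrong score.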

As you can see, a Risk Management plan involves defining and managing several elements at the same time. An IT Asset Management tool, such as InvGate Insight, can help you get the job done more efficiently by automating Risk Management activities.

For instance, you can set Health Rules to notify you when a particular asset is at risk so you can take the appropriate action. You can also use Smart Tags to get alerted when forbidden software applications are installed.

Example of the IT asset health rules view on InvGate Insight.

IT Risk Management plan example

Here's an example template for you to use:

Plan stage Activities
Define the scope
  • Has your scope been verified by your GRC, legal and management teams as both appropriate and fit for purpose in your organization?
  • Has it been agreed upon and signed off by all stakeholders?
Set a baseline/threshold
  • Has your risk landscape been audited or peer-reviewed in the last calendar year?
  • Has the risk threshold been agreed upon and signed off by all stakeholders?
Risk Identification
  • Have we defined how to report risks?
  • Have all our colleagues received the appropriate training?
  • Are there process stages in key business processes that include risk management activities?
  • Is the risk capture form easy to use?
Risk Assessment
  • Has an appropriate subject matter expert assessed the risk?
  • Has the correct risk matrix been used?
Response approach
  • Has the response been reviewed and agreed upon by all stakeholders?
  • Has the response been documented and communicated to all?
Roles and responsibilities
  • Risk Manager
  • Risk Analyst
  • Risk Owner
  • Senior Management team
  • GRC team
Triggers
  • Have we captured all possible triggers for each risk event?
  • Have we documented and communicated the appropriate response to each trigger event?
Risk Register
  • Have we agreed on where the risk register should be stored?
  • Have we agreed on who has write/edit access so colleagues in risk-related roles can edit or update risks?
  • How do we make sure the risk register is regularly reviewed and updated?
Contingency planning
  • How do we update the risk register if a risk has changed?
  • How do we communicate to other stakeholders that a risk status has changed?
Continual Improvement
  • How comfortable do we feel that the risk management process is meeting the needs of the business?
  • Can we run another baseline event?
  • What is working well?
  • What can be improved on?
  • Can we template anything or use automation to make risk management more efficient?


To sum up

Essentially, a Risk Management plan captures your whole approach to managing risks. Many different elements can threaten your organization’s proper functioning. It’s important not only to know what they are, but also their probability, their impact, how to address them, and who is responsible.

The different stages that have been set out in this article work as guidelines to address the process. Having a plan ensures a defined path with clearly defined activities and safeguards. And, at the same time, it holds people accountable through dedicated roles and responsibilities. 

Finally, don’t forget that you can automate several tasks within this plan with InvGate Insight. Request a 30-day free trial and explore its possibilities for yourself!

Frequently Asked Questions

What are the basic tasks in a Risk Management plan? 

A Risk Management plan should include identifying, assessing, and managing risks. It should also have a risk register to capture all risks in a single, central location so that nothing can be lost, ignored or forgotten about.

How often should an organization perform a Risk Management plan? 

For most organizations, an annual risk assessment should satisfy best practice frameworks, support compliance, and reduce your organization's exposure. However, always check whether there are any specific legal, regulatory, or compliance standards you need to adhere to. Reviewing Risk Management actions at the beginning of any significant new project is also an excellent way to protect your company from project or change-related risk.

What is a compliance Risk Management plan? 

A compliance Risk Management plan captures your business's liability for compliance failures, including legal action, fines, and reputational damage. It also documents the appropriate management steps to keep compliance risks at an acceptable level.

What is a contingency plan in Risk Management? 

A contingency plan in Risk Management is your action plan for what the business needs to do if a risk occurs, so as to lessen the impact on customers and stakeholders.

What is a mitigation plan in Risk Management? 

A mitigation plan sets out how to reduce the impact should the risk occur. For example, we've all dropped an expensive phone or tablet; a cover and screen protector mitigate that risk so that even when the device is dropped, it isn't damaged.

How to monitor a Risk Management plan? 

The risk team should monitor Risk Management plans, and regular updates should be sent to the senior leadership team to ensure they are kept apprised of all significant risk activity.
