How to Build and Strengthen Risk Management Plans

Risk can present tremendous opportunities, but the first step is understanding what kind of risk is eroding your organization’s value and how to manage it. In a poll conducted by Moss Adams during a webcast on this topic, 76% of participants said their organization was predominantly reactionary with limited value-based response to risks and emerging threats. Only 6% considered their organization to be proactively monitoring risks.

A strong risk management plan, which includes assessing risk and establishing a management approach, can help close the loss gaps, address complacency, and strategically position your future goals.

Some may feel that implementing a risk management plan is more applicable to larger organizations. This is not the case. Small organizations in the United States reported losing an average of just over $28,000 to online fraud in 2018, even though 48% didn’t believe they were large enough to be the target of online fraud, according to a 2019 report from Emailage.

Regardless of your organization’s size, once you have a good grasp on what the risks are and how to manage them, there could be an opportunity to focus on positive risks that allow continued development and growth.

Risk Assessment

Risk assessment is the methodical identification, measurement, and prioritization of relevant events or risks that could compromise your organization’s ability to achieve its objectives.

Consider a third-party risk assessment of your internal procedures if your organization is evaluating its risks for the first time or rethinking its current risk-response plan.


A third-party risk assessment can:

  • Provide an objective, holistic evaluation of the current situation
  • Identify current, previously unknown risks and predict future risks
  • Inform new project planning and development

Emerging risks can be identified from many different sources with a third-party assessment.

Risk Sources
  • Stock market
  • Stockholder expectations and demands
  • Lapses in regulatory compliance
  • Changes in state and local legislation
  • Employee contracts
  • Reputation and public perception of the organization

Risk Heat Map

The assessment results can be placed into a risk heat map, which is a visualization tool that helps prioritize risk. It’s organized according to how each risk affects business performance and the likelihood of control or process issues.

Imagine you’re a biotech company that would like to go public in the next 18 months. Knowing this is a priority allows you to be specific about the type of risk assessment you’ll perform. In this case, you may consider an initial public offering (IPO) readiness assessment focused on tax planning, internal controls and technology, financial systems, and fraud detection and prevention, which are all areas to specifically review when a company is sold or going public.

The results of the IPO readiness assessment can then be placed into a heat map to show which risks may prevent you from reaching your goal and allow you to focus on them.

Here’s an example of what a risk heat map portrays.

Risk Management

Risk management uses the information from a risk assessment to help you make informed decisions about outside threats and risks within your organization.


Developing strong risk management tools, and making them an integral part of your processes, could help your organization:

  • Draft a systematic, structured, and timely plan to prioritize remediation efforts
  • Shorten decision-making time
  • Reduce the number and frequency of risks and facilitate continual improvement
  • Influence decision-making and address uncertainty based on the best available information
  • Create dynamic and iterative responses to change on an as-needed basis
  • Protect the organization’s shared values and promote transparency and inclusivity

Monitor Results

Risk management is a continuous process. Once you identify and assess your risks, you evaluate when and how to respond, in addition to whether or not you continue to monitor the results.

If you identify a profit leak during a risk assessment, your risk management plan allows you to respond in a timely, efficient manner. You could achieve an immediate result and improve your bottom line, especially when considering profit leaks cost organizations an average of 5%–10% of profit each year, according to a 2017 report on employer firms put out by 12 of the Federal Reserve Banks.

However, you may still want to consider continuous monitoring to ensure the incident doesn’t reoccur or a different profit loss doesn’t take place moving forward.

Project Prioritization

Project prioritization can help you deliver the greatest impact to your organization in the shortest amount of time.


Here are two of the most common methods:

  • Trial by fire. React to situations as they occur. These are often critical situations—a data breach or cybersecurity hack, fraud, natural disaster, regulatory noncompliance, or an unexpected employee turnover and loss of knowledge. During these times, projects quickly need to be reprioritized.
  • Value-based prioritization. Evaluate organizational goals to determine how each decision increases, preserves, or erodes value. Try to anticipate the function of risk and return to understand uncertainties.

Strengthening your risk management plan may allow you to move away from trial by fire and more toward value-based prioritization.

Complete Perspective

It’s easy to fall into the trap of evaluating one risk at a time to simplify your response plans, but this becomes a risk of its own. By funneling your risks into silos, you could miss how they’re interacting with one another and potentially affecting finances and culture.

To get a fuller picture, you could consider organization-wide, enterprise risk management.

Enterprise Risk Management

Enterprise risk management (ERM) is focused on data and performance metrics. Instead of reviewing the risks of one department or branch, it looks at all of the organization’s risks at the same time.

If your organization has never evaluated or documented high-risk areas, performed risk assessments across the entire entity, or addressed a significant industry change, then you may want to consider an ERM program.

ERM Benefits

ERM can help your organization:

  • Identify risk exposures and analyze risks. This includes the consequences and probabilities of incidents.
  • Document risk description. The report can assign risk scores and provide recommendations for remediation.
  • Track relevant developments. It will also monitor changes to risk.
  • Tie in to any pre-existing assessments. Past process documentation will be taken into account and evaluated.
  • Prepare management. If an incident occurs, ERM can help answer common questions employees may have.

If your organization has difficulty understanding key performance indicators, an ERM program can also help you interpret data to see if you’re reaching your goals.  
