constantiaconsulting

Risk management process - Risk evaluation

Risk evaluation uses the information obtained during the analysis to make decisions about whether the risk is acceptable in its current state or whether further action needs to be taken to mitigate the risk. If further action is required, this can be in the form of a treatment plan.

To evaluate the risk, the organisation's risk assessment matrix should be used to determine the levels of risk at the inherent and controlled stages. The control effectiveness is also considered at this point and plays a part in the decision whether treatments are required.

The organisation's Risk Appetite Statement will assist in evaluating risks. Typically, organisations will establish rules such as the following:

  • Any risks where controls are less than effective require a treatment plan

  • Risks that are rated at the controlled level of risk as extreme or high require a treatment plan

  • Risks that are rated at the controlled level of risk as either moderate or low can be accepted and monitored - provided that the controls have been assessed as effective.

Some risks outside of the organisation’s risk appetite may need to be accepted with ongoing review because the cost of treatment is not feasible. However, if this is the case, an explanation from the risk owner is required.

An accepted risk does not mean that the risk is insignificant, rather that either:

  • no treatment is available

  • treatment costs are prohibitive

  • opportunities significantly outweigh the threats.


An example of an organisation's risk appetite may include the following actions, listed from most to least severe:

Action required when rating is at controlled level of risk:

  • Immediate action required and commitment by the CEO

  • Senior management attention required and remedial action planned

  • Management responsibility must be specified and accountability defined

  • Managed by routine procedures such as quality management systems
