How to Implement A Risk Management Framework

This article is the fifth of fourteen parts to our risk management series. The series will be taking a look at the risk management guidelines under the ISO 31000 Standard to help you better understand them and how they relate to your own risk management activities. In doing so, we’ll be walking through the core aspects of the Standard and giving you practical guidance on how to implement it.

In previous articles we’ve looked at the core elements of the risk management framework generally, as well as the role of leadership and commitment, integration and design more specifically. In this article, we’ll be looking at how to effectively implement the risk management framework into your organisation.


At this point in your risk management framework journey, you have gained commitment from top management, you’ve holistically integrated the design of the framework with your organisation, and now you need to implement it.

Implementation is arguably one of the most important steps in the risk management process. This is simply because failing to implement can mean failing to use the framework that you’ve already invested so much time and effort into creating and critiquing. Ineffective implementation in this sense can have dire consequences for risk management, and for attitudes towards it, throughout your organisation.

When implementation is done well, however, you may find a solid and effective framework that aligns with the risk management principles of customisation and integration. Particularly for integration, an effectively implemented risk framework can help to create clarity and alignment across your organisation’s teams, create a greater return on investment, and address and overcome organisational risks during the implementation process.

There are a few key steps to ensuring that your risk management framework is implemented as effectively as possible. These include developing a solid plan; identifying where, when and how different types of decisions are made across your organisation, who makes those decisions, and whether or not those decisions need to be changed; and making sure that your implementation plan is understood and therefore practised. Let’s take a deeper look at each of these key steps.

Developing an appropriate plan including time and resources

The first step in the implementation process requires you to create a roadmap of how you’re going to implement your plan. This includes really basic planning for things like who’s responsible for leading the way, the stages to implementation, as well as timeframes for each of those stages.

I find that Gantt charts are a really effective tool for tracking implementation plans, largely because they show the schedule of a project and, from a purely visual perspective, make it really easy to see whether or not you’re on track with your progress. It’s really easy (and cheap!) to pull one of these charts together in Microsoft Excel.

While it’s one thing to create your implementation plan with a Gantt chart for example, you need to appropriately plan for the time and resources to actually fulfil it. One of the really common mistakes that I see when people create these types of plans is that they aren’t realistic with their resources.

Time is naturally one of the most difficult resources to manage, especially when it comes to human resources. To mitigate this difficulty, it pays to be considerate to your human resource team, particularly when it comes to their current and future work capacity. To determine such capacity, you may choose to discuss it with both the worker and their manager, in keeping with the ‘best available information’ risk management principle under the ISO standards. Being conscious of things like this will help you to stay on track with your time and therefore your implementation plan as a whole.

Identifying where, when and how different types of decisions are made across the organisation, and by whom

As part of the implementation process, you need to identify where, when and how different types of decisions are made across your organisation. On top of this, you also need to identify the key people who are making these decisions.

Regardless of the size of your organisation, this is a critical step for identifying the people who can help lead, support, and therefore implement your plan. It also helps to identify any roadblocks that may arise in your implementation journey so that you can overcome them sooner rather than later.

Top management, for example, would be better placed to decide on implementing your risk management framework from a strategic viewpoint, whereas department managers would be better placed to implement your framework from a day-to-day operations perspective. You should rely on your understanding of your organisation’s structures and context to identify and approach these decision-makers in order to best ensure the success of your framework’s implementation.

The people you identify as key decision-makers can also provide valuable insight into the inefficiencies or faults in decision-making processes relating to risk management, which may or may not need to be changed. For those processes that need to be changed, we’ll turn our attention to the next step.

Modifying the applicable decision-making processes where necessary

For the decision-making processes which don’t align with the risk management framework that you’re trying to implement, it may be a good idea to modify them to better accommodate and support that framework. Doing so aligns with the holistic and well-integrated approach that we’ve touched on in previous articles.

Modification may include improving the operational efficiency of your organisation’s decision-making processes, or it may involve creating entirely new decision-making mechanisms altogether. Regardless of what you do or don’t choose to do, it needs to be appropriate and relevant to the needs and goals of your organisation.

If you work in a large organisation, for example, you may find that traditional decision-making lines are inefficient or ineffective for supporting your implementation plan. To combat this, you may choose to create a risk management committee, which may have exclusive oversight of the matters and decisions that need to be made in respect of your framework. A committee like this can also help to keep your plan on track, as well as to reflect and improve upon the implementation process more generally.

From a strategic management perspective, creating mechanisms like committees can help to ensure that your implementation plan is actually followed, due to the buy-in that is created by assigning individual accountability and responsibility for doing so.

Ensuring that the organisation’s arrangements for managing risk are clearly understood and practised

There is little benefit in having a plan that no one understands and therefore no one practises. This comes back to the point that we discussed in our previous article relating to communication and consultation.

Your implementation needs to be clear, concise and relevant, and the language that you choose to use should match the language that best speaks to the workforce you’re targeting. For example, if you have a ground-heavy workforce that operates machinery all day, they may not have the time to read a hundred-page-long policy on your risk management framework. Something more succinct and easily understandable, such as a visual poster, may be more effective.

Beyond communication, your framework needs to be practised. The decision makers you identified in previous steps can be useful for monitoring this, as they are more than likely to be in managerial positions and therefore have oversight of the behaviours of the workers within their managerial scope. Not only can they monitor the implementation of your plan from an operational perspective, they also have the requisite authority to control behaviour to ensure compliance.


Beyond these specific steps to implementation, your approach should be one which focuses on engagement and awareness from stakeholders. This is helpful for overcoming any concerns that your workforce has in respect of implementation, as well as harnessing those concerns to help improve and iterate the framework itself.

Altogether, these steps and approaches help contribute to an effective risk management framework which will help manage risk throughout all aspects of your organisation.

On the basis that you have designed your framework well and that you have implemented it in accordance with the steps above, you should now be ready for the next step of the process: evaluation. We’ll be looking into this in our next article, so stay tuned.

If you have any stories – good or bad – about how you’ve implemented your risk management framework, I would love to hear them.

If you’re looking to implement a risk management framework and would like some guidance or a conversation to help you on your journey, please contact me. I’m more than happy to guide you.

About the author

Peter is the Founder and Director of Holtmann Professional Services, a global provider of executive coaching, business excellence consulting and career path development. Peter has 20 years of experience in executive roles and has been the President and CEO of a global non-profit. Peter has written for many journals and blogs, is a keynote speaker and is a champion of prosperity through excellence of leadership.

If you are interested in working with Peter, please reach out to