Several bodies have laid down principles and guidelines for the risk management process. The steps involved remain more or less the same, with small variations in the cycle depending on the kind of risk being managed.
The risks involved in project management, for example, differ from those involved in finance, and this accounts for certain changes in the overall risk management process. However, ISO has laid down a set of steps that is applicable to almost all kinds of risk. Its guidelines can be applied throughout the life of an organization and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.
As per ISO 31000:2009 (Risk management - Principles and guidelines), the risk management process consists of the following steps and sub-steps:
Source analysis looks at where a risk originates and puts appropriate mitigation measures in place at that source. The source may be internal or external to the system; examples include the company's own employees or an operational inefficiency in a particular process.
Problem analysis, on the other hand, looks at the effect of the risk rather than its cause, for example a drop in production or the threat of losing money.
The choice of method varies with industry, organizational culture and other factors. However, some common methods of risk identification are:
The formula commonly used in industry to arrive at a risk rating is:
Likelihood (frequency of occurrence) × Impact
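The product above can be computed on an ordinal scale (a qualitative score placed on a heat map) or in currency (annualized loss expectancy, ALE = annualized rate of occurrence × single loss expectancy, which is the same frequency × impact product expressed quantitatively). The following is an added example, not code from the original page or from ISO: a small risk register that computes both forms, ranks entries, and flags those exceeding a risk appetite. The 1..5 scale, the high/medium/low bands, the `Risk` field names and the register entries are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scale assumed for likelihood and impact (a common 5x5 convention, not from the page).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    """One row of a risk register (field names are this example's own)."""
    name: str
    likelihood: int   # 1..5: how frequently the event is expected to occur
    impact: int       # 1..5: severity of the consequence if it does occur
    aro: float        # annualized rate of occurrence (quantitative counterpart of likelihood)
    sle: float        # single loss expectancy: cost of one occurrence, in currency units

    def __post_init__(self) -> None:
        # Reject scores outside the scale so a typo cannot silently distort the ranking.
        for field_name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not (SCALE_MIN <= value <= SCALE_MAX):
                raise ValueError(f"{field_name} must be in {SCALE_MIN}..{SCALE_MAX}, got {value}")
        if self.aro < 0 or self.sle < 0:
            raise ValueError("aro and sle must be non-negative")

    def score(self) -> int:
        """Qualitative risk: frequency of occurrence x impact on the ordinal scale."""
        return self.likelihood * self.impact

    def ale(self) -> float:
        """Quantitative form of the same product: annualized loss expectancy = ARO x SLE."""
        return self.aro * self.sle


def rating(score: int) -> str:
    """Map a 1..25 product onto heat-map bands. The band boundaries are assumed here."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank(register: List[Risk]) -> List[Risk]:
    """Highest qualitative score first. ALE breaks ties, because two risks with the same
    product (e.g. 5x1 and 1x5) are not necessarily equally urgent."""
    return sorted(register, key=lambda r: (r.score(), r.ale()), reverse=True)


def over_appetite(register: List[Risk], max_ale: float) -> List[str]:
    """Names of risks whose expected annual loss exceeds the organization's stated appetite."""
    return [r.name for r in register if r.ale() > max_ale]


def summarize(register: List[Risk]) -> List[Tuple[str, int, str, float]]:
    """(name, score, band, ALE) per risk, in ranked order."""
    return [(r.name, r.score(), rating(r.score()), r.ale()) for r in rank(register)]


# Constructed sample register; the figures are illustrative, not measured data.
SAMPLE_REGISTER = [
    Risk("Phishing leading to credential theft", likelihood=5, impact=3, aro=4.0, sle=25_000),
    Risk("Ransomware on the file server", likelihood=2, impact=5, aro=0.2, sle=400_000),
    Risk("Unencrypted laptop stolen", likelihood=3, impact=2, aro=2.0, sle=5_000),
]

if __name__ == "__main__":
    for name, score, band, ale in summarize(SAMPLE_REGISTER):
        print(f"{name:40} score={score:2d} ({band:6}) ALE={ale:,.0f}")
    print("over appetite:", over_appetite(SAMPLE_REGISTER, max_ale=90_000))
```

Two points the bare formula hides: the product of two ordinal scores is only a ranking aid (a 5x1 and a 1x5 risk tie at 5 but call for very different treatments), and a qualitative score says nothing about whether the risk is acceptable until it is compared with an explicit appetite, which is why the example also carries a currency-based ALE and a threshold check.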