Risk Management Process Guide for ISO 27001 & ISO 42001

Benita Sophia Michael

This guide explains the five-step risk management process for ISO 27001 and ISO 42001 compliance. Learn how to identify, assess, mitigate, report, and continuously monitor cyber, operational, and AI risks—turning risk management into strategic decision support for modern organizations.

Risk is no longer a back-office checkbox. From supply-chain shocks to AI-induced model drift and escalating cyber threats, leaders must treat risk management as strategic decision support — not just control maintenance. In fact, recent CEO surveys show executives are increasingly worried about cyber and technology risks as they adopt AI and other digital innovations. Cybersecurity ranks among the top CEO concerns in PwC’s 2024 Global CEO Survey, and independent surveys of executive risk priorities highlight cyber and technology as persistent, high-impact threats.

This guide uses a simple, executive-friendly structure — the standard five-step risk management process — and shows how to apply it practically (including ISO 42001 and COSO relevance for AI governance).

Five steps

  1. Risk Identification
  2. Risk Assessment / Analysis
  3. Risk Mitigation / Treatment
  4. Risk Reporting
  5. Risk Monitoring

Figure: Risk Management Process

Step 0 — Set context first (pre-step)

Before you start the five steps, establish context: business objectives, stakeholders, regulatory landscape (e.g., ISO 27001, ISO 42001 for AI, COSO), risk appetite, and governance ownership. This ensures the entire process is aligned to strategy and measurable outcomes.

Step 1 — Risk Identification

Goal: Capture what could threaten (or enable) your objectives.

Techniques

  • Brainstorming workshops (cross-functional)
  • SWOT analysis (Strengths, Weaknesses, Opportunities, Threats)
  • Structured interviews with stakeholders (CISO, Head of Product, Legal)
  • Scenario analysis & tabletop exercises (cyberattack, model failure)
  • Review historical incidents, near-miss logs, audit findings
  • Environmental scanning (regulation, market, geopolitical, supplier health)

Deliverables

  • Initial risk register entries (ID, description, owner)
  • Asset inventory & value mapping (data, systems, people, models)
  • Risk categories (strategic, financial, cyber, operational, compliance, AI)

Tip: Include “upside” risks (opportunities) — COSO encourages risk-aware pursuit of opportunity, not only downside avoidance.

Step 2 — Risk Assessment / Analysis

Goal: Evaluate likelihood and impact to prioritize resources.

Assessment approaches

  • Qualitative: Low / Medium / High; good for early-stage or cross-functional scoring.
  • Quantitative: Numeric loss estimates, scenario modelling, Monte Carlo for financial exposures.
  • Hybrid: Qualitative likelihood + quantitative impact (financial or operational).

Tooling & models

  • Risk matrix / heatmap (commonly 3×3 or 5×5) — quick visual prioritization.
  • Bow-tie diagrams — show causes and consequences and link controls.
  • Attack trees / fault trees — technical decomposition for cyber or AI model threats.
  • Monte Carlo / Expected loss — for financial/insurance decisions.

Figure: Risk Heat Map Visualization for a 5x5 Risk Matrix

Step 3 — Risk Mitigation / Treatment

Goal: Decide how to respond to prioritized risks, in line with risk appetite.

Four classic responses

  • Avoid — stop the activity that creates the risk (e.g., cancel a risky project).
  • Reduce / Mitigate — apply controls, redesign, add monitoring (most common).
  • Transfer — insurance, outsourcing, contractual risk transfer.
  • Accept — consciously accept with monitoring when the cost of mitigation outweighs benefit.

Mitigation design

  • Link treatments to specific risk owners and deadlines.
  • Use cost-benefit analysis — estimate residual risk after controls.
  • For AI risks: adopt dataset validation, differential privacy, model explainability, and human-in-the-loop checks. (ISO 42001 and NIST AI RMF guidance are helpful here.)

Quick comparison of risk strategies

  • Avoid: use when the risk exceeds appetite and cannot be mitigated cost-effectively. Typical controls / examples: defer or cancel project; block risky vendor.
  • Reduce / Mitigate: the most commonly actioned option. Typical controls / examples: patching, MFA, model validation, controls, segmentation.
  • Transfer: use when the risk is insurable or contractually transferable. Typical controls / examples: cyber insurance, third-party SLAs, indemnities.
  • Accept: use for low-impact or strategic risks. Typical controls / examples: documented acceptance, contingency plans, KRIs.

Implementation

  • Create Risk Treatment Plans (RTPs) with owner, actions, timeline, budget.
  • Map each treatment to frameworks (COSO/COSO ERM: performance & controls; ISO 27001 Annex A for technical controls).

Step 4 — Risk Reporting

Goal: Communicate status, decisions, and residual exposure to stakeholders so leadership can act.

Who to inform

  • Board / Audit Committee — high-level KRIs, trends, top risks
  • Executive Team — horizon scanning, strategic trade-offs
  • Operational owners — action items and control efficacy
  • Auditors & regulators — evidence and compliance metrics

Formats

  • Board dashboard (monthly/quarterly): Top risks, risk appetite alignment, trend arrows, heatmap snapshot
  • Operational scorecards (weekly/monthly): Control tests, incidents, treatment progress
  • Audit trail & evidence packs: For certification or compliance review (ISO 27001, SOC 2)

Report essentials

  • Risk title, owner, current score, target score, treatments, status, next steps
  • Clear escalation logic: when to escalate to execs or Board

Step 5 — Risk Monitoring (continuous)

Goal: Ensure the risk posture remains within appetite and treatments are effective.

What to monitor

  • KRIs (Key Risk Indicators): e.g., number of critical vulnerabilities, model drift alerts per week, vendor SLA breaches
  • KPIs (for treatments): % of controls tested, patching cadence, training completion rates
  • Alerts & incidents: Automated feeds from SIEM, CSPM, model monitoring systems

Processes

  • Scheduled reviews (weekly ops, monthly exec, quarterly board)
  • After-action reviews post-incident to update likelihood/impact or treatment
  • Continuous improvement cycle — the “Plan-Do-Check-Act” loop

Technology

  • GRC platforms (EnterpriseRM.ai, MetricStream, AuditBoard-type tools) to centralize register, automate scoring, track RTPs, and produce dashboards
  • Telemetry tools (SIEM, XDR) and model monitors (for AI) provide data feeds into your GRC

Worked Example: Full Walkthrough (fictional but realistic)

Context: Mid-size fintech launching a new AI credit scoring feature.

Pre-step: Board approved moderate risk appetite for innovation; legal requires privacy safeguards.

Step 1 – Identify

  • Risks captured: model bias, data exfiltration, vendor model dependency, regulatory non-compliance, system outage.

Step 2 – Assess

  • Model bias: Likelihood = 3 (possible), Impact = 5 (critical) → Score 15 (High)
  • Data exfiltration: Likelihood = 2 (unlikely), Impact = 5 (critical) → Score 10 (Medium)
  • Vendor dependency: Likelihood = 4 (likely), Impact = 3 (moderate) → Score 12 (Medium)

Step 3 – Treat

  • Model bias → Mitigate: bias testing, representative data, human review before high-risk decisions; owner = ML Lead; target residual score 6.
  • Data exfiltration → Mitigate: encryption, restricted access, SIEM alerts; owner = Cloud Sec; target residual score 4.
  • Vendor dependency → Transfer+Mitigate: SLAs with penalty + fallback model; owner = Procurement.

Step 4 – Report

  • Monthly exec dashboard shows top 5 risks; model bias flagged in red; request for additional budget to support bias testing.

Step 5 – Monitor

  • KRI: weekly drift alerts; if drift > threshold, automatic model rollback; quarterly audit of model lineage and training data.

Outcome: The product launches with controls and monitoring in place; the board is comfortable approving pilot scale over 6 months — the enterprise took a calculated risk in line with appetite.
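The scoring and escalation logic behind Steps 2 to 4 of the walkthrough, as an added example rather than the article's own tooling: it computes likelihood × impact on the 5x5 matrix, bands the result, compares the planned residual score with a risk appetite ceiling, and decides which risks stay on the executive agenda. The band thresholds (High at 15 or more, Medium at 8 or more) and the appetite ceiling of 8 are assumptions; the article only shows that 15 is High and 10 and 12 are Medium.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed bands and appetite ceiling: the article only shows 15 = High, 10/12 = Medium.
HIGH_MIN, MEDIUM_MIN, APPETITE_MAX = 15, 8, 8

@dataclass
class Risk:
    risk_id: str
    title: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (critical)
    owner: str
    treatment: str    # Avoid / Mitigate / Transfer / Accept
    target_residual: Optional[int] = None  # planned score after treatment

    def score(self) -> int:
        """Inherent score = likelihood x impact on the 5x5 matrix."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1..5")
        return self.likelihood * self.impact

def band(score: int) -> str:
    if score >= HIGH_MIN:
        return "High"
    return "Medium" if score >= MEDIUM_MIN else "Low"

def assess(register: list) -> list:
    """Rank risks by inherent score and flag escalation when the band is High
    or the residual score (inherent if no treatment target) exceeds appetite."""
    rows = []
    for r in sorted(register, key=lambda x: x.score(), reverse=True):
        inherent = r.score()
        residual = inherent if r.target_residual is None else r.target_residual
        rows.append({
            "id": r.risk_id, "title": r.title, "owner": r.owner,
            "inherent": inherent, "band": band(inherent),
            "residual": residual, "treatment": r.treatment,
            "escalate": band(inherent) == "High" or residual > APPETITE_MAX,
        })
    return rows

# Constructed register mirroring the article's fintech walkthrough.
FINTECH_REGISTER = [
    Risk("R1", "Model bias", 3, 5, "ML Lead", "Mitigate", 6),
    Risk("R2", "Data exfiltration", 2, 5, "Cloud Sec", "Mitigate", 4),
    Risk("R3", "Vendor dependency", 4, 3, "Procurement", "Transfer+Mitigate"),
]
```

Running `assess(FINTECH_REGISTER)` keeps model bias on the board agenda because its inherent band is High even though its target residual is within appetite, and keeps vendor dependency there because no residual target has been set yet.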

ISO 42001 & COSO relevance

  • ISO 42001 (AI management) — Add model governance, explainability, and dataset integrity into identification, assessment, and monitoring steps.
  • COSO ERM — Use its emphasis on linking risk appetite with strategy (step 0/context + reporting) to ensure executives are empowered to take calculated risks instead of reflexively avoiding them.

A disciplined five-step process allows modern organizations to convert uncertainty into informed decisions. With clear context, cross-functional identification, rigorous assessment, purposeful treatment, transparent reporting, and continuous monitoring — organizations can take calculated risks (not reckless gambles) and create durable value.
