Managing risk in plain English

You do not need a three-day course to start. Risk management, at its core, is answering a few honest questions on a repeat cycle—then keeping a record so the organisation does not forget what it decided.

1. Notice what could go wrong

Walk through your normal week: customer data, payroll, email, the app everyone relies on, the supplier who hosts something important. For each, ask: “What would hurt if this broke, leaked, or disappeared?” Write those scenarios in normal words—not “T-107 exploit chain,” but “someone could read our clients’ files from a stolen laptop.”

2. Write it down once, in one place

Risks that live only in someone’s head leave when that person does. A short register entry (title, owner, what “bad” looks like) is enough to start. The goal is shared visibility, not a novel.

3. Decide how big a deal it is

You do not need fancy math. Ask two questions: “How likely is it?” and “If it happened, how bad would it be?” Use simple scales (low / medium / high) and be consistent. That combination tells you what to tackle first—before you spend money on tools.

4. Pick what you will actually do

For each important risk, choose a path: reduce it (controls), share it (insurance, contract), avoid it (stop the activity), or accept it explicitly because the cost of control outweighs the harm. “Do nothing” without a recorded acceptance is not risk management—it is drift.

5. Check that it worked—and repeat

Controls age: people change roles, software updates, attackers adapt. Put dates on reviews. When audits, incidents, or complaints find gaps, log them as findings and close the loop with evidence. That rhythm—identify, assess, treat, review—is the same loop ISO 27001 expects, just expressed formally in an ISMS.
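The five steps above, kept as a small register that scores, prioritises and flags drift and stale reviews. This is an added illustration, not the post's or ISMSVision's code; the scales, sample risks, owners and dates are constructed.

```python
"""Minimal plain-English risk register: record, score, treat, review."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Consistent three-point scales, as the post recommends (constructed mapping).
SCALE = {"low": 1, "medium": 2, "high": 3}
# The four treatment paths; anything else is "do nothing" without a decision.
TREATMENTS = {"reduce", "share", "avoid", "accept"}


@dataclass
class Risk:
    title: str                 # plain words, not an exploit-chain label
    owner: str                 # so the risk does not leave with one person's head
    bad_looks_like: str        # what "bad" means for this scenario
    likelihood: str            # low / medium / high
    impact: str                # low / medium / high
    treatment: Optional[str] = None    # reduce / share / avoid / accept
    review_due: Optional[date] = None  # dated review, because controls age
    open_findings: List[str] = field(default_factory=list)

    def score(self) -> int:
        """Likelihood times impact on the same 1..3 scale; 9 is the worst."""
        return SCALE[self.likelihood] * SCALE[self.impact]


def prioritise(register: List[Risk]) -> List[str]:
    """Titles ordered by score, highest first: what to tackle before buying tools."""
    return [r.title for r in sorted(register, key=Risk.score, reverse=True)]


def drift(register: List[Risk]) -> List[str]:
    """Risks with no recorded treatment: 'do nothing' that nobody actually decided."""
    return [r.title for r in register if r.treatment not in TREATMENTS]


def overdue_reviews(register: List[Risk], today: date) -> List[str]:
    """Risks whose dated review has passed, or that were never given a date."""
    return [r.title for r in register if r.review_due is None or r.review_due < today]


# Constructed sample register (three scenarios in normal words).
REGISTER = [
    Risk("Client files read from a stolen laptop", "IT lead", "Client data exposed",
         "medium", "high", "reduce", date(2024, 6, 1)),
    Risk("Payroll provider outage", "Finance", "Staff paid late",
         "low", "medium", "share", date(2025, 1, 15)),
    Risk("Shared mailbox password reused", "Office manager", "Inbox takeover",
         "high", "high"),   # no treatment and no review date: this is drift
]
```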

When you are ready to align that habit with ISO 27001 language, read what ISO 27001 requires for risk. For tooling that supports the register, controls, and follow-up, see managing risks in ISMSVision.

Turn the habit into a system

ISMSVision gives your team one workspace for risks, controls, and non-conformities—so plain-English discipline scales.