You’ve Identified the Risk… But That Was the Easy Part

This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.


In many professional environments, particularly in accounting and advisory work, there is a quiet but persistent misconception about what good risk management looks like. It often begins with energy and focus, teams gather, processes are reviewed, risks are identified, and detailed registers are compiled. There is a sense of progress, even achievement, once everything that could go wrong has been carefully documented.

But then, almost without noticing, the process loses momentum.

The risk register is filed away, the meeting concludes, and the business continues exactly as it did before. The same processes run, the same exposures exist, and the same vulnerabilities remain. The only real difference is that the risks are now written down. As the material rightly points out, identifying a risk does not change the risk itself; until a decision is made about what to do next, nothing has actually improved.

This is the point where many well-intentioned professionals fall into what can only be described as the “identification trap.” It is the belief that recognising risk is enough, when in reality it is merely the starting point. True risk management only begins once a deliberate response is chosen and implemented.

From Awareness to Action

At its core, responding to risk is about moving from awareness to action. It requires more than technical knowledge; it demands judgement, discipline, and, in many cases, the willingness to make uncomfortable decisions.

A proper response is not accidental. It is deliberate. It reflects an understanding of the nature of the risk, its likelihood, and its potential impact. Most importantly, it results in something changing in the real world. A control is introduced, a process is redesigned, a contract is amended, or a decision is made not to proceed with a particular course of action. Without this shift from theory to practice, risk management remains an academic exercise rather than a protective one.

This distinction matters because risk environments are not static. Regulations evolve, businesses grow, systems change, and new threats emerge. A risk that seemed manageable six months ago may no longer be acceptable today. If responses are not actively chosen and revisited, the organisation is effectively allowing its risk exposure to be determined by default rather than by design.

Understanding the Choices Available

One of the most useful ways to simplify risk response is to recognise that, regardless of complexity, every response falls into one of four categories: avoid, reduce, share, or accept.

These four options provide a practical framework for decision-making. They are not theoretical constructs but real choices that shape how businesses operate on a daily basis.

Avoiding risk is often the most straightforward, although not always the easiest, option. It involves stepping away from the activity that creates the risk in the first place. In practice, this might mean declining to take on a client whose background cannot be adequately verified or choosing not to offer a service that falls outside the firm’s expertise. While this approach can feel counterintuitive, particularly when there is revenue at stake, it is sometimes the most effective way to protect the business. The absence of exposure is, after all, the most certain form of risk control.

Reducing risk, on the other hand, is the most common response in professional practice. Many business activities cannot simply be avoided, as they are essential to operations. Instead, the focus shifts to making those activities safer. This is achieved through the introduction of controls, improvements in processes, and the development of staff competence. Examples range from implementing approval limits and segregation of duties to redesigning workflows and providing targeted training. When applied thoughtfully, these measures can significantly lower both the likelihood of a risk materialising and the severity of its impact.

Sharing risk introduces another dimension. Rather than carrying the full burden, the organisation transfers part of the exposure to another party. This is typically done through insurance, contractual arrangements, or outsourcing to specialists. While this can be highly effective in managing financial consequences, it is important to recognise that the underlying risk does not disappear. The business may still face operational disruption or reputational damage, even if the financial impact is partially mitigated. As such, sharing risk should be seen as a tool for managing exposure rather than eliminating it.

Finally, there is the option to accept risk. This is perhaps the most misunderstood response, often confused with inaction. In reality, acceptance is a conscious and informed decision that the risk is either too small to justify further intervention or that the cost of managing it would exceed the potential loss. For this approach to be valid, it must be properly considered, documented, and periodically reviewed. Without these elements, what appears to be acceptance may in fact be negligence.

The Importance of Residual Risk

A critical concept in evaluating any response is the distinction between inherent and residual risk. Inherent risk represents the exposure before any action is taken, while residual risk is what remains after the chosen response has been applied.

The effectiveness of a response is ultimately judged by the level of residual risk. It is not enough to say that controls are in place or that insurance has been obtained. The key question is whether the remaining risk falls within what the organisation can tolerate. If it does not, then the response is insufficient, regardless of how comprehensive it may appear.

This perspective shifts the focus away from activity—what has been done—to outcome—what remains. It encourages professionals to think critically about whether their actions have genuinely reduced exposure to an acceptable level.

When Decisions Become Embedded in Practice

Risk responses do not exist in isolation. They become embedded in the everyday decisions and processes of the business. A decision to reduce risk by strengthening controls will influence how transactions are authorised, how systems are designed, and how responsibilities are allocated. Similarly, a decision to avoid certain risks may shape the types of clients the firm engages with or the services it chooses to offer.

Controls, in particular, play a central role in translating decisions into practice. These can be broadly categorised as preventive, detective, and corrective. Preventive controls aim to stop issues before they occur, detective controls identify problems quickly when they arise, and corrective controls limit the damage and restore operations. A well-balanced system incorporates all three, recognising that no single approach is sufficient on its own.

Balancing Cost and Benefit

One of the most challenging aspects of responding to risk is determining how much is enough. There is always a cost associated with any response, whether in the form of financial investment, time, or reduced efficiency. At the same time, failing to act can lead to losses, regulatory penalties, and reputational harm.

The principle is straightforward: the cost of managing the risk should not exceed the cost of the risk itself. However, applying this principle requires careful judgement. Over-engineering controls for minor risks can create unnecessary complexity, while underestimating significant risks can leave the business exposed. Striking the right balance is where professional expertise becomes most valuable.

Common Pitfalls and Practical Lessons

Despite the availability of clear frameworks, certain mistakes continue to appear in practice. One of the most frequent is treating risk identification as the end of the process rather than the beginning. Another is defaulting to risk reduction without considering whether avoidance or acceptance might be more appropriate.

There is also a tendency to overcomplicate responses, particularly for low-impact risks, which can lead to inefficiencies without delivering meaningful protection. Equally problematic is the informal acceptance of risk without proper documentation or approval, which can create significant issues if the risk materialises.

Finally, there is the failure to revisit decisions. Risk responses should not be static. As the business environment evolves, so too should the strategies used to manage risk.

A More Practical Way Forward

Responding to risk effectively does not require complex models or sophisticated tools. It requires clarity of thought and a willingness to engage with the implications of each decision. For every identified risk, the key questions remain consistent: What are we going to do about it? Why is this the right approach? What will change as a result? And how will we know if the response remains appropriate over time?

By consistently addressing these questions, professionals can move beyond documentation and towards meaningful risk management.

Conclusion

Risk management is often perceived as a technical discipline, but at its heart, it is about decision-making. It is about choosing how to act in the face of uncertainty and ensuring that those choices are aligned with the organisation’s capacity to absorb potential losses.

Identifying risk is an essential first step, but it is only the beginning. The real value lies in what follows—in the decisions made, the actions taken, and the discipline to revisit and refine those choices as circumstances change.

In the end, the question is not whether risks have been identified. It is whether anything has been done about them.


Access our full CPD on Risk Management Here

Responding to Risk: What You Do After You’ve Identified It

Most professionals can spot risk — but what you do next is what really matters.

Join this practical 1-hour session and learn how to respond to risk in a way that actually protects your business and strengthens your professional judgement. We’ll break down when to avoid, reduce, share, or accept risk, and how to apply these decisions in real life without overcomplicating things.

📅 30 April 2026 (Recording Available)
⏰ 14:00
⏱ 1 Hour | 2 CPD Units
📂 Category: Independent Review
💻 Format: Live Online / Recorded


💰 R230 (VAT incl.) for non-CIBA members
FREE for CIBA Channel 1 members

Led by Leana van der Merwe, this session will help you move from identifying risk to responding with confidence and clarity.
