Evaluate Risks

The activities associated with determining the appropriate response ('controls') for each risk. Risk responses should address both sides of the Risk Bow Tie:
  • Preventive controls reduce or eliminate the probability or likelihood of the risk event occurring. This is the left side of the Risk Bow Tie.
  • Corrective controls reduce or eliminate the impact or consequence once the risk event has occurred. This is the right side of the Risk Bow Tie.

The objective of risk management is to prevent the occurrence of a root cause (left side) from reaching the right side (consequence or impact). These controls serve as barriers. It is considered a Best Practice to implement multiple barriers or controls for each risk.

A common approach to identification of risk responses is known as the Four-Ts:

  • Tolerate = Accept the risk as-is. No actions are taken to mitigate or reduce the risk. This should only be applied if the consequence of the risk event is smaller than the Risk Appetite
  • Terminate = Change the process for the purpose of removing the risk
  • Treat = Implement measures/controls that reduce the likelihood of the risk event occurring or minimize its consequences once it has occurred
  • Transfer = Buy insurance or other forms of payment to third parties who are prepared to accept the consequences of the risk event occurrence

It is strongly recommended to include risks for all Ts in the Monitor Risks process.

Use Cases

  • Fire or flooding insurance to reduce the financial impact of a fire or flooding ('transfer')
  • Multi-sourcing to reduce the occurrence of supply shortages from a single supplier ('treat likelihood')
  • Distributed inventories to reduce the impact of logistics network congestion ('treat consequence')
  • Implement Three-Way Matching to eliminate payment of incorrect invoices from suppliers or service providers ('terminate')


OpenReference recommends adoption of ISO 31000 processes to build Supply Chain Risk Management governance processes, systems and behaviors. Manage Supply Chain Risk (G3) provides the processes to describe an enterprise's Supply Chain Risk Management processes.

Compare to: ISO 31000:2009:5.4.4 Risk Evaluation.


ISO 31000 is copyright ISO.


Process: G304 Evaluate Risks, part of G3 Manage Supply Chain Risk.


Abbreviations:
  • Appetite = Risk Appetite
  • RBT = Risk Bow Tie
  • Risk Register = Risk Register
  • SCRM = Supply Chain Risk Management


Inputs:
  • Risk Register (from G303)
Outputs:
  • Risk Register (to G305)
Note: Common inputs and outputs are listed in alphabetical order. Other inputs and outputs may be required to support varying use cases.