The first step in tailoring the risk management practice is identifying the organization's success criteria: goals, objectives, requirements, and constraints. The success criteria are then analyzed to determine the consequences of non-achievement, which serves to prioritize them. Risk analysis criteria are devised that weigh the risk impact on the high-priority success criteria. Threats, or risk categories, are identified to determine the most likely sources of risk. Risk identification tools are developed to ensure that risks in these areas are targeted.
The organizational structure is an input in determining the appropriate risk management organization and assigning risk management roles and responsibilities within that organization. The intent is to assign responsibility as low in the organization as possible to take advantage of functional expertise, promote ownership and involvement in the risk management practice, and ease the management burden. The activities of the risk management organization are integrated into the existing decision-making and governance processes. By not creating separate processes, the practice remains efficient and the impact of change is reduced.