Image: Warner Bros.

3 Simple Steps to Prioritising your Critical Risks

February 27, 2024

“It’s a dangerous business, Frodo, going out your door. You step onto the road, and if you don’t keep your feet, there’s no knowing where you might be swept off to.” (B. Baggins)

The same applies in business in general – no company operates without risks. For you to have started a business, you have already made an assumption that the business opportunities outweigh the risks – else you would not have done it.

After having identified organisational risks, it is time to weigh the risks that you are willing to take (Risk Appetite) and set a Risk Tolerance level for them.

1. Determine your Risk Tolerance

Risk tolerance is what you as an organisation can handle (and for how long) without having a devastating impact on achieving your goals. You can determine the risk tolerance in a brainstorming session together with your (risk) management team.

Examples of the questions to answer could be the following:

- Is a possible financial loss of 5K a high or medium impact to your company? What about 1M?
- What if we lose 1 key customer?
- What if we lose 10 or more smaller customers?
- What is the possible result of negative customer feedback, in either a public article or a social media post, on how we conduct our business?
- What about customer, employee and stakeholder satisfaction?

This exercise will help you define your company’s Risk Tolerance. It will also provide you with insight into how to assess each organisational risk, so that you will know exactly which are the most critical risks that you should address first. These may have a fatal impact on your business.

2. Define a Risk Assessment Model to quantify your risks

In the Risk Model you will have to determine the impact (severity of damage a risk can create) and likelihood (probability of the risk occurring) levels.

You may categorise impact levels as: Low-Medium-High.

Similarly, the likelihood levels may consist of: Unlikely-Probable-Likely.

Using these levels in a simple Risk Model, you will have a Matrix that looks like the image below.

Each coloured cell refers to a Low (Green), Medium (Amber) or High (Red) Risk.

3. Prioritise your Business Critical Risks

Once you have done the assessment of individual risks, you will have determined specific critical risks in your organisation – High Impact & Likely to Occur. These should be prioritised for risk controls/mitigation to manage the possible impact on your business.

More on how to control or mitigate critical risks, like Frodo having Sam with him on his adventure, in the next post.


SoftComply Risk Manager Plus is the most advanced risk management app on Jira Cloud today. Thanks to its high level of configurability and out-of-the-box templates for Risk Models and Risk Registers to kick-start your risk management in Jira, it is one of the fastest growing risk apps in Jira Cloud. Join our Live Demo on Fridays, schedule a demo with our risk management experts or try out the app for 30 days for free.
