Managing risks in a clear and organized way brings benefits. By actively addressing risks, organizations can improve in these four areas:
- Strategy: They can make better decisions by fully analyzing the risks of different strategic options.
- Tactics: They can choose better methods by considering the risks of alternative approaches.
- Operations: They can identify potential disruptions early, take steps to reduce the chances of these events happening, and limit the damage if they do occur.
- Compliance: By recognizing the risks of noncompliance, they will be better prepared to meet legal and customer requirements.
Organizations can no longer afford to be caught off guard by unexpected events that cause financial loss, disrupt operations, harm their reputation, or reduce their market presence. Stakeholders now expect companies to consider fully the risks that could disrupt their activities, delay projects, or prevent them from achieving their goals.

The exposure from a specific risk is understood by looking at how likely the risk is to occur and what the impact will be if it does. This combination of likelihood and impact is called the "level of risk"; the higher the likelihood or the impact, the higher the level of risk. The level of risk should then be compared with the organization's attitude and appetite for risks of that kind. Risk appetite is sometimes expressed as a set of guidelines for acceptable risk levels.

Three terms need to be kept apart. "Magnitude" refers to how big an event is or could be. "Impact" describes how that event affects the organization's finances, infrastructure, reputation, and market position (FIRM); business continuity planning uses the same definition of impact when it measures risk at its current level, that is, with existing controls in place. "Consequences" refers to how much the event undermines the organization's strategic, tactical, operational, and compliance (STOC) goals.
Risk appetite is the amount and type of risk an organization is willing to take to achieve its objectives: the boundary within which risks are considered acceptable or manageable. For example, a company may have a higher appetite for innovative projects with potentially high rewards but a lower appetite for risks to safety or regulatory compliance. Appetite guides decision-making by telling leaders which risks are worth taking and which should be avoided.

Risk attitude is the organization's overall mindset toward taking risk. It reflects the company's values, culture, and comfort with uncertainty. Some organizations are risk-averse (preferring to avoid risk as far as possible); others are risk-seeking (comfortable taking risks to pursue bigger opportunities). Attitude shapes how the organization interprets and responds to risk in practice, and whether it takes a cautious or bold approach to decisions.

The two are related but distinct. Risk appetite sets explicit limits on how much risk is acceptable when pursuing goals; it is formally defined in ERM processes and used to test whether current risks fit the organization's capacity and willingness to bear them. Risk attitude is broader, capturing the culture and philosophy toward risk that influences how appetite is set and how decisions are made under uncertainty. Together they align strategy with the risk management approach, so that risks are managed in a way that supports long-term objectives without taking on unnecessary dangers.
Impact of hazard risks
Hazard risks threaten a company's goals, and the impact of these risks shows how serious they are. Managing hazard risks is one of the oldest forms of risk management, closely tied to managing insurable risks. Hazard risks always have negative effects and include things like workplace safety, fire prevention, property damage, and product defects. These risks can disrupt operations, increase costs, and lead to bad publicity.

Hazard risks also involve key business dependencies, such as IT systems. Most organizations rely heavily on IT, which can be disrupted by equipment failure, fires, viruses, hacking, or cyberattacks. Theft and fraud are also significant hazard risks, especially for companies handling cash or a large number of transactions. Preventing these risks involves security measures, separating financial duties, and screening staff before hiring.

If a hazard risk occurs, like a fire in a major warehouse, it could be a large event (magnitude) with potential financial loss, destruction of property, damage to reputation, and disruption of business. However, controls in place (like insurance, safety measures, and crisis management) reduce the impact of the event. The "impact" refers to how much damage remains after these controls work. The consequences of such an event affect the organization's strategy, operations, and compliance activities. While the financial loss may be covered by insurance, good crisis management can ensure customers are hardly aware the fire happened.

Lastly, compliance risks are important, especially in highly regulated industries. Failure to meet regulatory requirements can hurt a company's reputation and disrupt business operations. Compliance can be essential for continuing to operate.
Most definitions of risk focus on risks connected to corporate objectives, but risks can also affect the key dependencies that support an organization’s core processes. Corporate objectives and stakeholder expectations shape these core processes, which are essential for the business model and its future growth. Core processes include operations, tactics, corporate strategy, and compliance. This shows that risks can impact other parts of an organization beyond just corporate objectives.
Risk Identification Beyond Corporate Objectives
Significant risks can be identified by looking at key dependencies, corporate objectives, and stakeholder expectations, or by analyzing core processes. For example, LG faced major problems because its supply chain—something it relied on—failed. Risks can be assessed from various perspectives, like asking, “What do stakeholders expect?” and “What risks could prevent us from meeting those expectations?” During the financial crisis, banks identified risks related to their operational and strategic objectives, but risk management failed to prevent the crisis because it focused too much on achieving high-risk goals without fully considering other factors. Risks tend to increase in times of change, so linking risks to change objectives makes sense. However, simply analyzing objectives may not be enough to identify all risks. Corporate objectives often operate at too high a level to pinpoint risks effectively. Objectives should outline the organization’s short-, medium-, and long-term goals in detail. Change objectives, like internal annual goals, may not capture all the operational, competitive, or strategic needs. One drawback of focusing only on objectives is that risks might be considered without understanding the context that created them, leading to incomplete analysis. A better approach might be to consider risks concerning key dependencies.
Many organizations still use corporate objectives to identify risks, as this method offers some benefits. It helps analyze risks related to both positive and negative events. If risks are attached to objectives, these objectives must be well-defined and supported by solid assumptions. Core processes, which drive an organization, can also have risks attached to them. For example, in a sports club, the core process might be “delivering successful results on the field.” Risks can be linked to this process, as well as to objectives and key dependencies. Core processes can be classified into four types: strategic, tactical, operational, and compliance (STOC). Effective risk management improves the efficiency of these processes. Although it’s standard to attach risks to corporate objectives, risks can also be linked to other parts of the organization, like key dependencies and stakeholder expectations. Identifying risks through key dependencies is becoming more common and can be done by assessing the organization’s strengths, weaknesses, opportunities, and threats (SWOT). Once key dependencies are identified, the risks that impact them can be evaluated.
Rewards
Another aspect of risk and risk management is that many organizations take risks to achieve a reward. There is a connection between the level of risk and the expected reward. For example, a company might launch a new product because it believes it can make a profit from it. By doing so, the company puts resources at risk, accepting a certain amount of risk to pursue the potential reward. The value of what’s at risk reflects the company’s risk appetite for that activity. When taking such a risk, the organization should fully understand its risk exposure, ensure it’s within the company’s risk tolerance, and confirm that it has enough resources to handle any negative outcomes. This means the risk must be measured, the company must be willing to take that risk, and it must be sure it can survive any potential losses.
Not all business activities provide the same return for the same level of risk. Start-ups, for example, are typically high-risk with lower initial returns. As the business grows, it usually moves into a phase where returns increase without adding more risk. As the business or product matures, the rewards may remain high, but the risks should decrease. Eventually, in a fully mature market, the business may enter a stage of low risk and low return, often leading to decline.
Managers must identify the specific risks their organization faces and apply appropriate risk management strategies. This risk-reward relationship mostly applies to opportunity risks. In the case of hazard risks, the reward for better risk management is fewer disruptions. For project risks, the benefit is that projects are more likely to be completed on time, on budget, and according to plan. With opportunity risks, better risk management can lead to fewer failed new products and higher profits, or at least lower losses from new ventures. Ultimately, the reward for taking risks is either profit or improved service.
Risk Attitude
Different organizations have different views on risk. Some may avoid risk, while others are more willing to take risks. An organization’s attitude toward risk depends on factors like the industry it operates in, the market conditions, and the opinions of its board members. Risks must be seen in the context they arise from. Sometimes, a company may seem risk-seeking, but the board may just see a big opportunity that they don’t want to miss, even if the risks involved haven’t been fully considered. One of the key roles of risk management is to ensure that risky strategic decisions are made with all the necessary information. This leads to better decision-making, which is a major benefit of good risk management. The attitude toward risk is complex and closely related to an organization’s risk appetite, though they are not the same. Risk attitude reflects the long-term view on risk, while risk appetite shows the short-term willingness to take risks. This is like the difference between someone’s general approach to food and their hunger at a specific time. Other factors, like the organization’s stage in its growth cycle, also affect its risk attitude. Start-ups may need to take more risks compared to growing or mature businesses. Companies in mature markets or facing decline tend to be more risk-averse. This is why some successful entrepreneurs excel at starting businesses but may struggle with managing mature companies. Different stages in a business’s life require different attitudes toward risk.
Risk Triggers and Bow tie diagram
Risk is sometimes described as the uncertainty of outcomes. While this is a technical definition, it is helpful, especially when talking about managing control risks. Control risks are hard to identify and describe, but they are often linked to projects. The goal of a project is to achieve the desired results on time, within budget, and up to the required quality or performance standards. For example, when building a structure, the ground conditions might not be fully known at the start. As work progresses, more details about the ground will become clear. This new information could be good news, like discovering that the ground is stronger than expected, requiring less foundation work. On the other hand, there could be bad news, such as finding that the ground is weaker, or contaminated, or that there are archaeological remains.
Since these conditions are uncertain, they should be considered control risks, and the project management should account for this uncertainty. It would be unrealistic for the project manager to assume only bad ground conditions, just as it would be unwise to assume everything will go better than expected. Control risks bring uncertainty, and organizations may be more concerned with managing the variability in outcomes than the risks themselves. Some level of deviation from the plan can be acceptable, but it shouldn’t be too extreme.
This idea of “tolerance” is similar to the manufacturing of engineering components, where parts must meet specific size requirements within certain limits. New tools, like the bow-tie method, have been developed to make the risk management process easier for managers and others involved in risk-related activities.
The left side of the bow-tie diagram shows where a particular risk comes from, based on how the organization classifies risks. These sources of risk are grouped into four main types: strategic, tactical, operational, and compliance (STOC). On the right side of the diagram, it shows the possible impacts if the risk happens, using four main impact areas: financial, infrastructure, reputational, and marketplace (FIRM). In the middle of the diagram is the risk event itself, which can disrupt the organization in different ways, such as affecting people, premises, processes, or products. The bow-tie diagram helps illustrate how the organization classifies risks and what the possible consequences could be if a risk occurs. It also shows how controls can be used to prevent the event from happening (represented by lines on the left side) and how recovery measures can help after an event (shown on the right side). This bow-tie approach can also be used to represent opportunities, not just hazards.
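The bow-tie described above, together with the level-of-risk and appetite definitions earlier on this page and the distinction between magnitude and impact in the warehouse-fire case, can be captured in a small model. The code below is an added example written for this page; it is not from the original text or from any risk-management standard. It assumes a 1 to 5 scoring scale, that each preventive control removes a fraction of the likelihood and each recovery control removes a fraction of the impact in the FIRM areas it covers, that the impact term of the level of risk is the worst remaining FIRM area, and that appetite is set per STOC class. The reduction factors, scores and appetite thresholds are constructed for illustration.

```python
"""Bow-tie risk model: STOC source -> event -> FIRM impact, with preventive
controls on the left wing and recovery controls on the right, scored as
likelihood x impact and compared with a per-class risk appetite.
All scales, reduction factors and thresholds are assumptions for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SOURCES = ("strategic", "tactical", "operational", "compliance")             # STOC
IMPACT_AREAS = ("financial", "infrastructure", "reputational", "marketplace")  # FIRM


@dataclass
class Control:
    """A control on one wing. `reduction` is the fraction of likelihood
    (preventive) or impact (recovery) it removes, in [0, 1] (assumed model)."""
    name: str
    reduction: float
    areas: Tuple[str, ...] = IMPACT_AREAS   # recovery controls may cover a subset of FIRM

    def __post_init__(self) -> None:
        if not 0.0 <= self.reduction <= 1.0:
            raise ValueError(f"{self.name}: reduction must be in [0, 1]")
        unknown = set(self.areas) - set(IMPACT_AREAS)
        if unknown:
            raise ValueError(f"{self.name}: unknown impact areas {unknown}")


@dataclass
class BowTie:
    event: str
    source: str                   # STOC class of the risk (left wing)
    likelihood: int               # 1..5 before controls (assumed scale)
    magnitude: Dict[str, int]     # gross size per FIRM area before controls, 1..5
    preventive: List[Control] = field(default_factory=list)   # left wing
    recovery: List[Control] = field(default_factory=list)     # right wing

    def __post_init__(self) -> None:
        if self.source not in SOURCES:
            raise ValueError(f"{self.event}: source must be one of {SOURCES}")
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.event}: likelihood must be 1..5")
        for area, score in self.magnitude.items():
            if area not in IMPACT_AREAS or not 1 <= score <= 5:
                raise ValueError(f"{self.event}: bad magnitude entry {area}={score}")

    def residual_likelihood(self) -> float:
        """Likelihood after every preventive control has acted (left wing)."""
        remaining = float(self.likelihood)
        for control in self.preventive:
            remaining *= 1.0 - control.reduction
        return remaining

    def residual_impact(self) -> Dict[str, float]:
        """Impact per FIRM area after recovery controls: what the text calls
        the damage that remains once the controls have worked (right wing)."""
        out = {}
        for area in IMPACT_AREAS:
            remaining = float(self.magnitude.get(area, 0))
            for control in self.recovery:
                if area in control.areas:
                    remaining *= 1.0 - control.reduction
            out[area] = remaining
        return out

    def level_of_risk(self, residual: bool = True) -> float:
        """Likelihood x impact, taking the worst FIRM area as the impact term."""
        if residual:
            return self.residual_likelihood() * max(self.residual_impact().values())
        return float(self.likelihood) * float(max(self.magnitude.values()))


def assess(risk: BowTie, appetite: Dict[str, float]) -> dict:
    """Compare inherent and residual level of risk with the appetite set for the
    risk's STOC class and report which FIRM area still drives the residual."""
    impacts = risk.residual_impact()
    residual = risk.level_of_risk(residual=True)
    return {
        "event": risk.event,
        "inherent": risk.level_of_risk(residual=False),
        "residual": residual,
        "appetite": appetite[risk.source],
        "within_appetite": residual <= appetite[risk.source],
        "worst_area": max(impacts, key=impacts.get),
    }


# Constructed figures following the warehouse-fire case in the text: insurance
# absorbs most of the financial loss, crisis management protects reputation and
# market position, but nothing on the right wing restores the infrastructure.
WAREHOUSE_FIRE = BowTie(
    event="fire in the main warehouse", source="operational", likelihood=3,
    magnitude={"financial": 5, "infrastructure": 5, "reputational": 4, "marketplace": 3},
    preventive=[Control("fire detection and suppression", 0.5)],
    recovery=[Control("property and business-interruption insurance", 0.8, ("financial",)),
              Control("crisis management plan", 0.5, ("reputational", "marketplace"))],
)

# A constructed compliance-class risk with only a preventive control.
REPORTING_BREACH = BowTie(
    event="missed regulatory reporting deadline", source="compliance", likelihood=2,
    magnitude={"financial": 3, "reputational": 4},
    preventive=[Control("independent compliance review", 0.5)],
)

# Assumed appetite thresholds per STOC class: near zero for compliance, looser for strategy.
APPETITE = {"strategic": 15.0, "tactical": 10.0, "operational": 8.0, "compliance": 2.0}

if __name__ == "__main__":
    for risk in (WAREHOUSE_FIRE, REPORTING_BREACH):
        print(assess(risk, APPETITE))
```

Run as a script, the warehouse fire drops from an inherent level of 15 to a residual of 7.5 and sits just inside the operational appetite of 8, but the report shows that the infrastructure area is what keeps the residual high, because neither insurance nor crisis management acts on it; that is the kind of gap a register built from a bow-tie makes visible. The reporting breach halves its likelihood but keeps a residual of 4, above the compliance appetite of 2, which matches the text's point that organizations set a far lower appetite for compliance risks than for operational or opportunity risks.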
Risk Classification
Risks can be categorized in many ways. Hazard risks, for example, can be broken down into risks to property, risks to people, and risks that threaten business continuity. There are also formal risk classification systems. One useful way to classify risks, though not formal, is by the timeframe of their impact. This method divides risks into long-term, medium-term, and short-term, which helps analyze how much exposure the organization faces. Long-term risks are connected to strategic decisions and typically affect the organization several years after an event happens or a decision is made, possibly up to five years. For instance, when launching a new product, it might take time to see whether it's successful, so this is a long-term risk. Medium-term risks usually take about a year to show their impact and are often linked to projects or work programs. For example, deciding which software to install is a long-term decision, but the actual project of installing it involves medium-term risks. Short-term risks happen right after an event, like accidents, fires, or thefts. These risks have immediate effects on operations and are often easier to identify and manage. Insurable risks, like these short-term risks, have known impacts but unpredictable timing. Insurance covers risks with immediate consequences, but it is uncertain when or if the event will happen.

An important factor for organizations is identifying what might trigger a risk. Some risks, if they happen, could have catastrophic effects, so management needs to recognize what might set off those significant events. Understanding what could trigger a risk event is just as important as knowing its source and impact.
Risks can be divided into four categories:
● compliance risks;
● hazard risks;
● control risks;
● opportunity risks.
For effective risk management, it is important for everyone in an organization to use the same language when talking about risk. This gives the organization a shared understanding of risk and how to handle it. A big part of this is agreeing on a system for classifying risks.

Hazard risks are dangers that can only cause harm to the company's goals. These are usually things that can be insured, like fire, floods, storms, or injuries. Managing these types of risks has always been a key focus in risk management because they can disrupt normal operations by causing losses or damage. These risks can come from various sources like people, buildings, processes, or products (known as the 4Ps).

Control risks involve uncertainty about whether the organization can achieve its goals. A good example is internal financial controls: if these controls are removed, it is hard to know what might happen. Control risks are often related to compliance issues, fraud, or the mismanagement of people and resources. Even though companies work hard to manage control risks, they can still be a major concern.

Opportunity risks are risks that companies take on purpose in the hope of achieving greater success. These risks are taken to improve the company's chances of achieving its goals, but if things go wrong, they could harm the company. Companies that take on high-risk strategies often hope for high returns and may have a high risk tolerance in this area. However, the same company might be very cautious with hazard risks because it does not want to waste resources dealing with dangers while it focuses on opportunities.

Compliance risks are especially important in regulated industries like energy, finance, and transportation. These risks involve following laws and regulations. Many companies aim to have zero risk in this area, ensuring full compliance with all rules. While this might be possible for compliance risks, it is unlikely for hazard, control, or opportunity risks, which require careful management. In summary, understanding and managing these different types of risks (hazard, control, opportunity, and compliance) helps an organization make better decisions and manage its overall risk exposure.
Compliance Risks
All organizations understand they have to follow various compliance rules, which can be very different depending on the industry. Some industries are highly regulated and have their own specific regulatory bodies. For example, companies in the tourism sector face strict regulations in many countries. If they don’t follow the rules, regulators can take away their ability to operate, which could eventually shut the company down. Any organization that handles financial transactions must have procedures in place to prevent money laundering. Banks and businesses that deal with large amounts of cash are required to have systems for this, and often hire a senior executive specifically for handling money-laundering issues. In the insurance industry, compliance is also very important and can be complicated. For example, if an insurance policy is issued in one country but covers assets or liabilities in other countries, it can create challenges with following all the regulations. If the organization doesn’t comply with the rules, claims might not be paid, or, in severe cases, the insurance could be illegal in that country.
Even if an organization doesn’t have a specific regulator for its industry, it still needs to follow many regulatory rules. For example, most countries have health and safety laws that require businesses to protect the health, safety, and well-being of their employees and others affected by their activities. These rules often apply not just at the company’s direct worksite but also to employees working in other countries. Companies that own vehicles, especially those involved in transporting people or hazardous goods, also need to follow strict road safety regulations. Generally, businesses aim to fully comply with all the rules to reduce compliance risks. Many companies hire specialized teams of experts to handle specific areas like health and safety, preventing money laundering, and security. It’s crucial for organizations to recognize and manage their compliance risks. Different parts of the company that handle risk management should work together to ensure a well-organized and coordinated approach to meeting compliance requirements.
Hazard risks
Organizations face different types of risks, including hazard risks, control risks, and opportunity risks. They must tolerate some hazard risks, accept control risks, and invest in opportunity risks. For health and safety risks, companies should try to eliminate them, but in reality they reduce these risks to a cost-effective level while staying within legal requirements. For instance, installing an automatic braking system on trains to prevent passing red lights is technically possible but may be too expensive for the train company. Similarly, companies may tolerate minor theft, like office supplies, because the cost of preventing such theft entirely would be too high.

Organizations must identify the different types of hazard risks they face. Hazard risks can cause unplanned disruptions, which lead to inefficiency. Disruptions should be avoided unless they are planned, like maintenance or emergency tests. Ideally, organizations aim for no unplanned disruptions or inefficiencies. These risks can involve people, premises, processes, or products. Companies need to evaluate what incidents might happen, what causes them, and how they would affect normal operations.

Managing hazard risks involves three steps: preventing the incident, limiting the damage if it happens, and managing recovery costs. Insurance is a common way to handle financial losses from hazard risks. Organizations must understand their hazard tolerance, meaning how much loss they can absorb before needing insurance. For example, a company might tolerate a few motor accidents and cover the costs from its budget, but beyond a certain point it will buy insurance to cover larger losses. Some hazard risks also relate to regulatory compliance, and companies typically work to minimize these compliance risks.
| Category | Examples of Hazards |
|---|---|
| People | Accidents: Workplace injuries or accidents (e.g., slips, trips, and falls). Health Issues: Illness outbreaks (e.g., flu, COVID-19) affecting employee attendance and productivity. Workplace Violence: Incidents of violence or harassment among employees or between employees and customers. Skill Shortages: Lack of qualified personnel to perform necessary tasks due to resignations or labor market changes. Employee Strikes: Labor disputes leading to work stoppages. |
| Premises | Natural Disasters: Events like earthquakes, floods, or hurricanes damaging facilities and disrupting operations. Fire: Outbreaks of fire in buildings causing evacuation and operational halts. Theft or Vandalism: Break-ins or property damage leading to financial loss and operational disruption. Facility Failures: Breakdowns of essential building systems (e.g., HVAC, plumbing) affecting the work environment. Regulatory Violations: Non-compliance with building codes or safety regulations leading to fines or closures. |
| Processes | Equipment Breakdown: Failures in machinery or technology halting production lines. Supply Chain Interruptions: Delays or disruptions in the supply chain affecting the availability of materials or products. IT System Failures: Crashes or outages in computer systems impacting data access and business operations. Quality Control Issues: Defective products resulting from flawed processes leading to recalls or customer dissatisfaction. Poor Communication: Miscommunication within teams leading to mistakes or delays in project completion. |
| Products | Product Recalls: Issues with product safety leading to recalls, damaging reputation and financial loss. Market Changes: Shifts in consumer preferences or trends making current products obsolete. Supply Shortages: Insufficient supply of raw materials affecting product availability and production schedules. Counterfeit Products: The emergence of fake products harming brand reputation and customer trust. Regulatory Compliance: Changes in regulations requiring modifications to existing products, leading to additional costs and delays. |
Control Risks
When an organization starts projects or makes changes, it has to deal with uncertainty. This uncertainty, or control risk, is a natural part of any project. To handle unexpected events, the project budget should include extra funds, and the timeline should have extra time built in. To manage control risks, the organization needs to provide enough resources to identify and implement controls and deal with any consequences if the risk happens. The type of control risks and how to manage them depend on the level of uncertainty and the kind of risk involved. Uncertainty means that results may differ from what was expected. For example, if an organization is improving a process, the project must be completed on time, within budget, and meet the required specifications. It also needs to deliver the expected benefits. If the project doesn’t meet these expectations, this deviation represents uncertainty, which can only be accepted to a certain extent. Managing control risks is a key focus of internal auditors and accountants. In the UK, corporate governance rules (as of September 2016) emphasize internal control over risk assessment. Control management aims to reduce uncertainty related to significant risks and minimize unpredictable results. However, if an organization focuses too much on control management, it can stifle creativity and innovation. Excessive focus on controlling risks might limit entrepreneurial efforts and opportunities for growth.
Opportunity Risks
Some organizations intentionally take risks to reach their goals. These are usually commercial or marketplace risks that they expect will lead to a good return. Known as opportunity risks, they can also be called commercial, speculative, or business risks. While these risks can help achieve the organization’s mission, they can also hold it back if things don’t go as planned. Every organization wants to take advantage of opportunities and is willing to invest in them. They aim for effective and efficient operations, tactics, and strategies. Opportunity risks often come from developing new strategies, improving operations, or making changes. Organizations must decide how much risk they are willing to take on and how much they should invest. For example, if a company sees a demand for a new product that it could create, but lacks the resources to develop it, it might not be wise to pursue that high-risk path. Management needs to determine if they are willing to go after these opportunities. Just because they are eager to take a chance doesn’t mean it’s the right choice. The company’s board should understand that even if they want to seize an opportunity, the organization may not have the capacity to handle the associated risks. Opportunity management focuses on maximizing the benefits of taking risks. Organizations often want to invest in opportunity risks, and there’s a clear connection between opportunity management and strategic planning. The goal is to increase the chances of achieving significant positive results from investing in business opportunities.
Examples of compliance, hazard, control, and opportunity risks
In an oil company, the key risks can be categorized into compliance, hazard, control, and opportunity risks. Here’s how each type might apply:
- Compliance Risks: These relate to following laws, regulations, and industry standards. For an oil company, compliance risks could involve environmental regulations, health and safety laws, and government policies on emissions or drilling permits. Failure to comply can lead to fines, legal issues, or shutdowns.
- Hazard Risks: These are risks that can cause physical harm to people, property, or the environment. For example, oil spills, explosions, fires, equipment failures, or natural disasters like hurricanes pose significant hazard risks to oil companies. These events can lead to costly damage, loss of life, and environmental harm.
- Control Risks: Control risks affect the ability to complete projects or operations within planned timeframes, budgets, and quality standards. In an oil company, control risks could arise during exploration, drilling, or refining processes. For instance, a drilling project might face delays due to unexpected ground conditions or equipment malfunctions, affecting the project’s budget and timeline.
- Opportunity Risks: These are risks taken to gain potential rewards. For an oil company, opportunity risks might include investing in new drilling sites, developing renewable energy projects, or expanding into new markets. While the rewards could be substantial (e.g., new oil reserves or entering a profitable market), the risk of failure is also present, such as the site not producing enough oil or the market not growing as expected.
