Risk assessment

Risk management is the process of identifying, analyzing, and evaluating risks. The first part of this process, called risk assessment, involves spotting risks and rating them to understand which ones are most important for the organization, project, or strategy. Since risk management helps improve decision-making, risk assessment plays a major role in strategy planning. Risks can relate to company goals, stakeholder needs, key processes, or critical resources. No matter where you start, the goal of risk assessment is to identify the most important risks that could affect these areas. Risk assessment is only useful if its results are used to guide decisions or create suitable responses to the identified risks. It should be seen as the beginning of managing risk, not the end. When assessing risk, it’s important to decide if you should look at the inherent risk level (the risk without any controls in place) or the current level (the risk with existing controls). Internal auditors often recommend looking at inherent risks because it shows how much risk is reduced by controls. This comparison helps auditors identify which controls are essential and set audit priorities. Though helpful, it’s not always easy to determine inherent risk levels. Some, like health and safety professionals, prefer assessing risk based on current controls, as it’s simpler and assumes controls will always work effectively. For example, when assessing an x-ray machine, a safety specialist would assume the protective enclosure is working correctly. However, an auditor would note that this enclosure is a crucial control and should be regularly inspected to ensure it remains effective.

When planning a risk assessment, there are different approaches to consider, including who should be involved in the process. Risk assessments can sometimes be led by the board of directors in a top-down approach, where leadership identifies the main risks. Alternatively, a bottom-up approach can involve input from staff and department managers, which is also valuable. The CEO’s input is especially important, as it shapes the organization’s overall attitude towards risk. However, a CEO’s perspective might focus more on external risks, while internal risks like financial management or infrastructure might not receive as much attention. The risk assessment approach chosen should align with the organization’s culture. For example, if the organization usually communicates through reports rather than meetings, a written report might be better suited for risk assessment than a workshop. Some organizations use voting software in risk workshops, which can be useful for getting clear feedback on risks, as well as seeing the spread of opinions. If opinions are widely varied, this could indicate that participants have different understandings of the risk, which may need further discussion. Organizations also need to decide if the risk assessment should be top-down, bottom-up, or a combination of both. A top-down approach typically focuses on strategy, tactics, operations, and compliance, while a bottom-up approach usually focuses on compliance, hazards, controls, and opportunities. Combining both methods allows input from many stakeholders and is common for most organizations. However, a bottom-up approach often takes more time, as the risk management team must attend or facilitate multiple sessions to gather input from various levels. Ultimately, the organization should choose the risk assessment approach that best supports its goals and culture, balancing leadership input with broader employee involvement.

The advantage of top-down risk assessment is that this approach likely leads to a business-wide view of risk, as the main risks at the top level will affect the entire organization. Major strategic risks can be identified quickly, and the number of these key risks will be manageable. When leadership supports risk management, it encourages everyone in the organization to accept and follow risk management practices. Since it starts from the top, the methods used for managing risk are likely to be consistent across the organization. The disadvantage of top-down risk assessment is that senior managers and directors often focus more on risks outside the organization and may not be as aware of internal risks or how different risks within the business connect. There’s a risk that their approach might be too shallow, as they may feel confident in handling crises as they arise. This focus could also mean that new risks coming from the organization’s daily operations might not be fully recognized.

The advantage of bottom-up risk assessment is that everyone in the organization is likely to support this approach. It can follow the existing organization structure, allowing for discussion of risks beyond day-to-day operations. Operational staff have a strong understanding of local risks and their causes, which higher management might not fully see. The methods can also be adapted to fit local practices and culture, which is helpful for a multinational company. The disadvantage of bottom-up risk assessment is that this approach may pay little attention to external or strategic risks. It can take a lot of time, which might be discouraging if it slows down getting results for the whole organization. There’s a risk it could become too detailed and narrow, causing different areas to assess risks in isolation. New risks arising from daily operations may also go unreported by staff.

Risk assessment techniques

The ISO/IEC 31010 standard, Risk Management: Risk Assessment Techniques, offers a range of methods for assessing risk. Here are some common techniques:

  1. Flow Charts and Dependency Analysis: These analyze processes and operations to identify critical elements for success.
    • Pros: Creates useful insights that can be applied in other areas and helps in understanding processes.
    • Cons: Hard to apply to strategic risks, and can be very detailed and time-consuming.
  2. Questionnaires and Checklists: These use structured forms to gather information on key risks.
    • Pros: Consistent format ensures uniformity and allows for broad participation.
    • Cons: The rigid structure might overlook certain risks, and questions rely on past knowledge.
  3. Workshops and Brainstorming: These sessions bring people together to share ideas about events that could affect objectives, main processes, or essential resources.
    • Pros: Brings together views from various participants and encourages interaction, leading to more ideas.
    • Cons: Senior leaders might dominate, and some issues could be missed if the right people aren’t involved.
  4. Inspections and Audits: These involve on-site inspections and reviews of compliance with established procedures.
    • Pros: Observations are based on physical evidence, and audits offer a clear structure.
    • Cons: Best for hazard risks, and audits tend to focus on past experiences.

The most common methods for risk assessment are checklists/questionnaires and brainstorming in workshops. Checklists and questionnaires are usually easy and quick to complete but may miss risks not covered by specific questions. Since risks can be connected to different aspects of an organization, a simple way to analyze them is by identifying the key factors essential for success. Most employees can point out these crucial aspects, or “key dependencies,” and then examine what might affect each one. For example, if focusing on hazards, ask, “What could threaten these key dependencies?” For control risks, ask, “What might create uncertainty around these dependencies?” For opportunity risks, ask, “What could strengthen them?” In many organizations, especially financial institutions, quantifying risk exposure is critical, so the chosen method should support this. This need for quantification is often part of operational risk management (ORM). Workshops with brainstorming sessions are also popular. Here, people can share views on the main risks the organization faces, helping to build a shared understanding of each risk. However, senior staff may dominate these discussions, and it can be hard to challenge their views. Structured brainstorming formats, like SWOT or PESTLE analysis, are often used in these workshops. SWOT analysis looks at strengths, weaknesses, opportunities, and threats, providing a chance to consider both risks and opportunities. It’s especially helpful for strategic decisions, though it might miss some risks since it doesn’t categorize them precisely. PESTLE analysis covers political, economic, social, technological, legal, and ethical/environmental risks. For organizations that need to measure the likelihood of risks more precisely, quantitative techniques like hazard and operability (HAZOP) studies and failure modes effects analysis (FMEA) are common. These methods provide a structured approach, ensuring no risks are overlooked. However, they require input from many experts for accurate results. HAZOP and FMEA are well-suited to industries like manufacturing, where they’re often used for chemical plants, railways, nuclear facilities, or product safety. These methods are detailed and time-consuming but necessary for certain complex or high-risk situations.

Risk Matrix

A Risk Matrix is a tool used in risk management to evaluate and prioritize risks by comparing the likelihood of an event occurring with its potential impact. It’s a visual representation that helps organizations assess which risks need more immediate attention and resources.

  1. Likelihood: How likely it is that a specific risk event will occur. This is typically ranked from Unlikely to Almost certain.
  2. Impact: The potential effect or consequence of the risk on the organization. This also ranges from low to high.

Example criteria for likelihood

  1. Unlikely: Can reasonably be expected to occur, but has only occurred 2 or 3 times over 10 years in this organization or similar organizations.
  2. Possible: Has occurred in this organization more than 3 times in the past 10 years or occurs regularly in similar organizations, or is considered to have a reasonable likelihood of occurring in the next few years.
  3. Likely: Has occurred more than 7 times over 10 years in this organization or in other similar organizations, or circumstances are such that it is likely to happen in the next few years.
  4. Almost certain: Has occurred 9 or 10 times in the past 10 years in this organization, or circumstances have arisen that will almost certainly cause it to happen.

Example criteria for impact

  • Small: No impact on health; minor reduction of reputation in the short run; no violation of law; negligible economic loss which can be restored.
  • Moderate: Minor temporary impact on patient health; small reduction of reputation that may influence trust for a short time; violation of law that results in a warning; small economic loss that can be restored.
  • Severe: Serious impact on health; serious loss of reputation that will influence trust and respect for a long time; violation of law that results; large economic loss that cannot be restored.
  • Catastrophic: Death or permanent reduction of health; serious loss of reputation that is devastating for trust; serious violation of law; considerable economic loss that cannot be restored.

Here’s a risk matrix structure based on the likelihood levels of Unlikely, Possible, Likely, and Almost Certain, combined with impact levels of Small, Moderate, Severe, and Catastrophic. This structure helps determine the level of risk by placing each risk on the matrix grid according to its likelihood and impact.

Explanation of Each Category

  • Low Risk: Minor concern, may not require immediate action but should be monitored.
  • Moderate Risk: Medium priority, needs some attention to reduce risk or monitor developments.
  • High Risk: Significant concern, requiring action to mitigate or manage.
  • Critical Risk: High priority; immediate action is required to address or control the risk.
  • Extreme Risk: Top priority; must be addressed urgently to prevent severe consequences.

This risk matrix structure helps organizations assess where they need to allocate more resources or take preventative measures based on the likelihood and impact of various risks. Once a risk is identified as important, the organization needs to rate it to pinpoint which risks are top priorities. There are established methods to rate risks, but it’s also essential to assess if there’s room to further improve control over each risk in a cost-effective way. This helps prioritize significant risks. The organization must define how it measures both the likelihood and impact of risks consistently across the company. Using four clear options can prevent people from always choosing a middle option, though some organizations may opt for more than four, depending on their size and complexity. A common risk matrix visually shows the relationship between how likely a risk is to happen and the impact if it does. Other factors can also be added, such as the potential for further risk control. In this setup, a matrix can show the current level of risk and the target level, reflecting what more can be done to manage it. The matrix offers a simple visual of the organization’s most critical risks. During risk assessment, risks should also be ranked against the company’s risk tolerance or set criteria. Rating risks is called risk analysis, while ranking them based on importance is risk evaluation. A risk is considered significant if it exceeds a set threshold for impact. To identify key risks, it’s essential to assess:

  • How severe the event would be if the risk occurs,
  • The size of its impact on the organization,
  • The likelihood it will happen at or above the set threshold,
  • Opportunities for further improvement in managing it.

Usually, workshops identify between 100 and 200 risks, which are then narrowed down to about 10–20 top-priority risks. ISO 31000 uses the term “level of risk” based on likelihood and impact, though it’s sometimes called “risk severity.” Organizations need to develop their own definitions for these terms, tailored to their specific needs and structure.

During risk assessment workshops, people may have different views on a given risk. There are several ways to handle these differences. One option is to use voting software to find the group’s average opinion while showing the range of views. However, it’s often helpful to discuss why people see the risk differently. Talking it over can lead to a shared view, making it easier to choose effective control measures. People’s perception of risk can be influenced by factors like:

  • Whether the risk is involuntary (like pollution) versus voluntary (like extreme sports),
  • If the risk affects some people unfairly,
  • Whether personal precautions can prevent it,
  • If the source is new or unfamiliar,
  • If it’s human-made rather than natural,
  • If it causes hidden, irreversible harm, like long-term health effects,
  • If it especially endangers vulnerable groups like children or pregnant women, and
  • If it involves a dreaded outcome like severe illness.

People at different levels in a company may see the same risk differently, so it’s helpful to gather perspectives from all levels. This approach improves communication, understanding, and helps find practical ways to manage the risk. Accurately assessing risks for an organization requires thorough knowledge of it. Doing a complete assessment to identify significant risks and essential controls can take time and resources. The public’s perception of risk may be shaped by limited information or the influence of lobbying groups. This can make their understanding less informed or biased. Journalists have a responsibility to report objectively, which can be challenging when the audience lacks full context on the risks involved.

Level of Risk

Inherent, current and target levels of risk

Most risk managers evaluate risk at its current level, also known as the “residual” level. However, internal auditors often prefer assessing risk at its “inherent” level (the level without any controls) since it helps to see how much control measures actually reduce the risk. The idea is that, by looking at the inherent risk, the effect of individual controls can be better understood. In a risk matrix, three key levels of risk are shown. The “inherent” or “gross” level is the risk without any controls. The “current” level, also called the “residual” level, is the risk with the existing controls in place (like Control 1 in the example). Control 1 mainly reduces the likelihood of the risk happening. The “target” level is the risk level the organization aims for, often achieved by adding new controls (such as Control 2, which reduces the impact of the risk but has little effect on likelihood). Using “current level” rather than “residual level” makes risk management seem more active, as it suggests the organization can keep reducing risk if needed. The target level of risk usually falls in a lower-risk area on the matrix, often in a “comfort” or “acceptable” zone. In health and safety, practitioners aim to keep risks as low as reasonably practicable (ALARP), meaning risks should be reduced as much as possible without excessive cost for further control measures. Organizations need clear definitions for “likelihood” and “impact,” which are often rated as low, medium, high, or very high. However, organizations may need to be more specific based on the type of risk and their own needs. Since “impact” describes the range of possible consequences, it’s essential for organizations to define low, medium, high, and very high impact levels clearly. The ALARP (As Low As Reasonably Practicable) principle means that risks should be reduced as much as possible, as long as it’s reasonable to do so. Usually, this doesn’t involve a detailed comparison of costs and benefits but instead relies on following established good practices and standards. These standards are often designed with ALARP in mind, so meeting them is usually enough. However, if there are no clear standards, or they don’t fully apply, additional measures should be taken until the costs (in money, time, or effort) are clearly too high compared to the safety benefits or further risk reduction they would bring.

Level of risk                                                                       Label for vertical axis
Gross or inherent, i.e. the level of risk before controls are applied              Impact
Current or net/residual, i.e. the level of risk after the application of existing controls   Magnitude
Target, i.e. the desired level of risk after the application of planned controls   Magnitude
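The rating procedure described above (inherent, current and target levels on a likelihood/impact matrix, with Control 1 reducing likelihood and Control 2 reducing impact), written out as an added Python example; it is not from the page or any standard. The page does not show its grid, so the likelihood × impact → level mapping, the sample risks and the controls are assumptions; the likelihood thresholds are the page's own criteria.

```python
from __future__ import annotations
from dataclasses import dataclass, field

LIKELIHOOD = ["Unlikely", "Possible", "Likely", "Almost certain"]   # page's four bands
IMPACT = ["Small", "Moderate", "Severe", "Catastrophic"]           # page's four bands
LEVELS = ["Low", "Moderate", "High", "Critical", "Extreme"]         # page's five categories

# ASSUMED grid (the page names the axes and categories but the grid itself is
# not on the page). Rows follow LIKELIHOOD, columns follow IMPACT.
MATRIX = [
    ["Low",      "Low",      "Moderate", "High"],      # Unlikely
    ["Low",      "Moderate", "High",     "Critical"],  # Possible
    ["Moderate", "High",     "Critical", "Extreme"],   # Likely
    ["High",     "Critical", "Extreme",  "Extreme"],   # Almost certain
]


def likelihood_from_history(occurrences_in_10_years: int) -> str:
    """Map an occurrence count to the page's likelihood criteria.

    The page's scale starts at 2-3 occurrences; treating 0-1 as "Unlikely"
    is an assumption made here.
    """
    if occurrences_in_10_years >= 9:
        return "Almost certain"   # 9 or 10 times in the past 10 years
    if occurrences_in_10_years > 7:
        return "Likely"           # more than 7 times over 10 years
    if occurrences_in_10_years > 3:
        return "Possible"         # more than 3 times in the past 10 years
    return "Unlikely"             # 2 or 3 times (0-1 assumed here)


def level_of_risk(likelihood: str, impact: str) -> str:
    """Look up the level of risk from the assumed grid."""
    return MATRIX[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]


@dataclass
class Control:
    name: str
    likelihood_steps: int = 0   # likelihood bands the control removes
    impact_steps: int = 0       # impact bands the control removes
    in_place: bool = True       # False = planned, so it counts toward target only


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    controls: list[Control] = field(default_factory=list)


def _apply(likelihood: str, impact: str, controls: list[Control]) -> tuple[str, str]:
    """Move the risk down the axes by the bands each control removes (floor at 0)."""
    li, ii = LIKELIHOOD.index(likelihood), IMPACT.index(impact)
    for c in controls:
        li = max(0, li - c.likelihood_steps)
        ii = max(0, ii - c.impact_steps)
    return LIKELIHOOD[li], IMPACT[ii]


def assess(risk: Risk) -> dict[str, tuple[str, str, str]]:
    """Return (likelihood, impact, level) at the inherent, current and target levels."""
    inherent = (risk.likelihood, risk.impact)
    current = _apply(*inherent, [c for c in risk.controls if c.in_place])
    target = _apply(*inherent, risk.controls)
    return {
        "inherent": (*inherent, level_of_risk(*inherent)),
        "current": (*current, level_of_risk(*current)),
        "target": (*target, level_of_risk(*target)),
    }


def is_significant(level: str, threshold: str = "High") -> bool:
    """Risk evaluation: a risk is significant once its level reaches the set threshold."""
    return LEVELS.index(level) >= LEVELS.index(threshold)


def rank_by_current_level(risks: list[Risk]) -> list[str]:
    """Risk evaluation: highest current level first, ties broken by likelihood."""
    def key(r: Risk):
        lk, _, lvl = assess(r)["current"]
        return (LEVELS.index(lvl), LIKELIHOOD.index(lk))
    return [r.name for r in sorted(risks, key=key, reverse=True)]


# Constructed sample risks for a healthcare organisation (an assumption, like the controls).
RANSOMWARE = Risk(
    "Ransomware encrypts patient records",
    likelihood_from_history(8),            # 8 incidents in peer organisations -> Likely
    "Severe",
    [Control("MFA on all remote access", likelihood_steps=1),              # Control 1: likelihood
     Control("Tested offline backups", impact_steps=1, in_place=False)],   # Control 2: impact (planned)
)
LOST_LAPTOP = Risk(
    "Lost unencrypted laptop",
    likelihood_from_history(10),           # Almost certain
    "Moderate",
    [Control("Full-disk encryption", impact_steps=1)],
)
SAMPLE_RISKS = [RANSOMWARE, LOST_LAPTOP]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(r.name, assess(r))
    print("Ranked:", rank_by_current_level(SAMPLE_RISKS))
```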

For example, in the FIRM risk scorecard, the typical benchmark tests for risk significance may be:

  1. Financial:
    • Impact on balance sheet of 0.25%
    • Profit and loss impact of 2.5% of annual profit
  2. Infrastructural:
    • Disruption to normal operations of ½ day
    • Increased cost of operation exceeds 10% of budget
  3. Reputational:
    • Share price falls by 10%
    • Event is on national TV, radio or newspapers
  4. Marketplace:
    • Impact on balance sheet of 0.5% of turnover
    • Profit and loss impact of 1% of annual profit

Risk Matrix application

A risk matrix is a simple tool for showing how much risk a particular event poses to an organization. It’s usually used to show the current or “residual” level of risk (also called “net risk”) after controls are applied, with the vertical axis labeled as “impact.” It can also show the “gross” or “inherent” level of risk, meaning the level of risk before any controls are put in place, where the vertical axis may instead be labelled “magnitude.” The term “consequences” is slightly different from “impact.” “Impact” reflects the overall level of risk the organization faces, while “consequences” provides more detail on how effectively the risk is managed. For example, a warehouse fire might represent a high-magnitude event, but if the organization is fully insured, the financial impact could be minimal. However, the consequences might still be serious if nearby stakeholders are affected or the organization’s reputation suffers. Using this risk matrix or “issues grid,” people can identify which risks are most critical and prioritize them accordingly. After risks are placed on the matrix, the organization can see whether the overall risk profile is within acceptable levels and fits within the organization’s risk appetite and capacity. Large organizations often use a risk matrix to summarize their risk profile. This tool is flexible, helping not only to assess risks but also to decide the most suitable responses. Importantly, impact isn’t the same as magnitude. A risk event may be high in magnitude, but the impact and consequences might be smaller. For example, if a transport company loses a vehicle, the magnitude of the loss is high, but the overall impact might be small if that type of vehicle wasn’t in full use.

Control Confidence

An organization can’t always be sure that controls will work exactly as intended. Controls need to be audited to confirm they’re well-designed, properly applied, and delivering the desired results. On a risk matrix, the level of confidence in a control’s effectiveness can be shown by using a circle or ellipse around a risk point instead of a single point. This shape shows any uncertainty in how well the control will manage the risk in terms of likelihood and impact. When assessing risks and evaluating controls, it’s important to consider how confident we are that the control chosen is the right one and that it’s fully effective in practice. If there’s limited confidence in a control, internal audit can step in to test it and provide information on how much the outcome might vary if the risk occurs. Internal auditors ensure that the correct controls are chosen and that they work effectively and efficiently in practice. Testing controls is an essential function of internal audit, and risk managers also need to recognize the importance of this testing. Management needs assurance that controls are adequate, which can come from audits, activity and project performance, and management reports. Risk management documentation should outline who is responsible for designing, implementing, and auditing controls.

Risk Attitude

The figure above illustrates an organization’s attitude toward risk using a standard risk matrix. This example represents a risk-averse organization and is typically divided into four sections, referred to as the 4Cs: comfort, cautious, concerned, and critical. These sections reflect the organization’s long-term approach to handling risk. They can also describe short-term risk decisions on a “risk appetite matrix.” In the matrix, the red zone includes critical risks. For a risk-seeking organization, fewer risks are flagged as critical, so the “risk universe” that leaders monitor is more limited, often just the red zone. The term “risk universe” is sometimes used by auditors to define audit priorities. A narrow “risk universe” can increase the chance of missing important risks. Different stakeholders will view the risk universe differently. A risk manager, for instance, considers both identified risks and emerging ones. Each organization has a comfort level with certain risks that have minimal impact or are very unlikely, so they are deemed acceptable. For example, most businesses do not plan for the rare event of a plane crashing on their site. The global financial crisis highlighted how some risks—like the collapse of money markets—were seen as too unlikely to consider, leading to a lack of contingency planning. Typically, low-impact, low-likelihood risks are acceptable; medium-impact, medium-likelihood risks may need careful judgment; and high-impact, high-likelihood risks are usually intolerable. An organization’s overall risk approach is set by “risk criteria,” and risk attitude is more stable or long-term, while risk appetite is the immediate willingness to take on risk to meet goals. The risk attitude, much like a general preference for food, is consistent over time, whereas risk appetite is more situational. Organizations often review all risks together (cumulative risk assessment) to determine if the combined risk exposure aligns with their risk tolerance. Differences in individual risk concerns can affect risk prioritization; for instance, some people may worry more about a likely, low-impact event than about a rare, high-impact one, which influences how risks are ranked. Once significant risks are identified, they can be prioritized either by likelihood or by impact. In the first approach, risks are ranked by how likely they are to exceed the significance threshold (high, medium, or low likelihood). In the second approach, they’re ranked by impact if they occur (high, medium, or low impact). Which method is used depends on the organization’s risk criteria and board preferences. The impact of a risk is usually measured in terms of finances, infrastructure, reputation, or marketplace (FIRM). Effective risk management requires that the effects of high-impact events on strategy, tactics, operations, and compliance (STOC) are well-managed.

The graph visually represents three types of risk attitudes:

  1. Risk-Seeking (Green):
    • High willingness to take risks for potentially greater rewards.
    • The curve rises steeply, showing a preference for high-risk, high-reward scenarios.
  2. Risk-Neutral (Blue):
    • A balanced approach weighs risk and reward equally.
    • The relationship between risk level and potential reward is linear.
  3. Risk-Averse (Red):
    • Preference for caution, avoiding risks even if it means lower rewards.
    • The curve flattens as risk increases, showing reluctance to take on higher risks.

These curves illustrate how organizations or individuals might approach risk differently depending on their risk attitude.

Risk significance

When an organization decides how much risk to take, it has to consider several things. Different types of risks require different responses:

  • Hazard risks need a tolerance level.
  • Control risks need an acceptance level.
  • Opportunity risks need an investment appetite.

Together, these create the organization’s total risk exposure or the overall amount of risk it is taking. Additionally, there are compliance risks—risks related to legal and regulatory standards—which most organizations try to minimize by building compliance controls into their processes. The actual risk exposure may differ from the risk appetite (the amount of risk the board is comfortable with), and the organization also has a risk capacity—how much risk it can afford to take based on its resources. The board’s risk appetite should fit within this capacity and ideally should match or exceed the actual risk exposure. Some financial institutions during the global financial crisis took on risks that exceeded their capacity, which led to trouble. An organization’s capacity to handle risk depends on factors like its finances, infrastructure, reputation, and market competitiveness. Rapidly changing markets require organizations to handle higher risks. For instance, a company making DVD players would face high risk if streaming technology became popular. Adapting to this change would require new business strategies, equipment, and skills. If these adjustments exceed the company’s resources, it may need to explore options like finding a partner, selling the business, or even exiting the market. Sometimes, organizations face risks that, if realized, could destroy them. In such cases, risk management needs to identify situations that could trigger these major risks.

Risk classification

A risk classification system is a method for categorizing risks into different types or groups to help an organization understand, evaluate, and manage them effectively. To identify all the risks an organization faces, a structured approach is needed. A formal risk classification system helps the organization find similar risks across different areas. It also makes it clear who should set the strategy for managing related risks. Additionally, classifying risks in this way helps the organization better understand its risk tolerance, capacity, and overall risk exposure for each risk type or group of similar risks. Here are some common ways risks are classified:

  1. By Source:
    • External Risks: Risks originating from outside the organization (e.g., economic downturns, regulatory changes, natural disasters).
    • Internal Risks: Risks arising within the organization (e.g., process failures, fraud, employee errors).
  2. By Impact Area:
    • Financial Risks: Risks affecting an organization’s finances, such as market risk, credit risk, and liquidity risk.
    • Operational Risks: Risks associated with day-to-day operations, such as system failures, supply chain disruptions, or quality control issues.
    • Strategic Risks: Risks impacting long-term goals and objectives, such as competition or changes in customer demand.
    • Compliance Risks: Risks related to failing to adhere to laws, regulations, or standards.
    • Reputational Risks: Risks that affect public perception and trust in the organization.
  3. By Likelihood and Impact:
    • High Likelihood, High Impact: Risks that are likely to happen and could significantly harm the organization. These are typically prioritized for control and mitigation.
    • High Likelihood, Low Impact: Risks that are frequent but cause minor harm; often managed but with less focus.
    • Low Likelihood, High Impact: Rare but severe risks (e.g., natural disasters), often with contingency planning.
    • Low Likelihood, Low Impact: Risks that require minimal management and are often accepted.
  4. By Control Type:
    • Hazard Risks: Risks that can cause harm and are usually managed through safety and preventive measures (e.g., occupational hazards).
    • Control Risks: Risks managed through policies, procedures, and internal controls.
    • Opportunity Risks: Risks that may present potential for gain if managed well (e.g., entering a new market).
  5. By Risk Response:
    • Avoidable Risks: Risks that can be eliminated by avoiding certain actions.
    • Transferable Risks: Risks that can be transferred to another party, often through insurance or outsourcing.
    • Retainable Risks: Risks that are accepted due to their low impact or likelihood, with no specific action taken.
    • Mitigated Risks: Risks reduced through specific actions to minimize impact or likelihood.
  6. ISO 31000 Classification:
    • Strategic Risks: Aligned with high-level objectives.
    • Operational Risks: Connected to internal processes.
    • Financial Risks: Affecting revenue, costs, and financial stability.
    • Compliance Risks: Related to regulations and ethical standards.
  7. COSO ERM:
    • Strategic
    • Operations
    • Reporting
    • Compliance
  8. IRM standard:
    • Financial
    • Strategic
    • Operational
    • Hazard
  9. FIRM risk scorecard:
    • Financial
    • Infrastructure
    • Reputational
    • Marketplace

A structured risk classification system helps ensure a comprehensive approach to identifying, assessing, and managing risks across the organization. It also enables prioritization by focusing on the most impactful risks and allocating resources efficiently. Like many decisions in risk management, an organization needs to choose a classification system that best meets its needs. Risks can be grouped by the timing of their impact, their type, their source, or the nature and scale of their consequences. An organization should select a system that fits its size, nature, and complexity. For instance, banks and financial institutions usually classify risks as market, credit, and operational risks. Other widely used systems, like SWOT and PESTLE analysis, can also help organize risk assessment workshops.

The advantages of a risk classification system are:

  • Enhanced Risk Visibility: By categorizing risks systematically, organizations can more easily recognize and track different types of risks across departments, making it easier to maintain an organization-wide view.
  • Improved Prioritization: Risk classification helps identify which risks require immediate attention, enabling organizations to focus on those with the highest impact or likelihood.
  • Efficient Resource Allocation: Resources for risk management can be allocated more effectively by focusing on risk categories that pose the most significant threat, saving time and money.
  • Better Communication: A structured classification system creates a common language for discussing risks, improving understanding among stakeholders at all levels and promoting consistent messaging.
  • Consistent Risk Management: Classification systems encourage a standardized approach to risk assessment and management, ensuring that similar types of risks are managed consistently throughout the organization.
  • Facilitates Compliance and Reporting: Many regulations and standards require organizations to identify and categorize risks. A classification system supports compliance efforts and simplifies the reporting process to regulators and stakeholders.
  • Enhanced Decision-Making: By grouping risks, leaders can make more informed strategic decisions based on an organized view of risks and their potential impacts on objectives.
  • Supports Strategic Alignment: Risk classification aligns risk management activities with strategic goals, as it highlights which risks impact critical areas like strategy, operations, or compliance.
  • Encourages Proactive Management: Classifying risks can help identify emerging risks within each category, allowing for early intervention and preventative action.
  • Facilitates Performance Measurement: A classification system allows organizations to track the effectiveness of risk mitigation measures across different types of risks, supporting continuous improvement in risk management processes.

Classification based on the timing of impact

Dividing risks into short, medium, and long-term categories can be useful, even though it’s not a strict system. Generally, short-term risks relate to operations, medium-term risks relate to tactics, and long-term risks relate to strategy. However, this isn’t a perfect split. Sometimes, short-term risks can affect strategic processes, and longer-term risks might impact operations. All three areas—operations, tactics, and strategy—must also meet compliance standards, and most organizations aim to keep compliance risks low. Short-term risks are those that can immediately disrupt the organization’s goals, critical processes, and operations when they happen. They are often sudden and unexpected events, mainly hazard risks, but they can also relate to cost control. These risks can quickly impact the organization’s ability to keep operations running smoothly, so it’s important to reduce them. Medium-term risks usually show effects a few months to a year after the event occurs. These risks impact the organization’s ability to manage tactical initiatives like projects and change programs. They are often tied to ongoing projects or enhancements, and it’s important to actively manage them to prevent issues. Long-term risks tend to have an effect one to five years (or more) after the event. These risks impact the organization’s ability to sustain core processes that support its long-term strategy. While they are connected to strategic goals, they aren’t just about opportunities—they can significantly harm an organization if not managed well. Long-term risks that threaten the success of strategic plans can cause more damage than operational or tactical risks, though a balanced level of strategic risk is essential to support growth.

Risks come from an organization’s operations, tactics, strategy, and compliance needs. Compliance is included as a separate category alongside the other three. To handle risks, we can match each type to a response approach: strategic risks are to be embraced, tactical risks managed, operational risks mitigated, and compliance risks minimized (EM3). The risk management model shows how sources of risk can lead to events that then have consequences. When a risk event happens, it affects specific parts of the organization, which may disrupt its functions. These impacted areas are grouped into four main components: people, premises, processes, and products (4Ps). The 4Ps can also serve as a system for classifying different types of risks.

Example: damage to premises

The main risk classification systems include COSO, IRM, BS 31100, and the FIRM risk scorecard, each with its similarities. However, simple labels like “hazard,” “control,” or “opportunity” and terms like “high, medium, or low” or “short-, medium-, or long-term” aren’t formal classifications. Many organizations struggle with classification because they don’t fully consider the specific nature of the risks involved. The bow-tie model shows that risks can be categorized by their source, the affected area in the organization, and the potential impact. Short-, medium-, and long-term risk labels generally reflect operational, tactical, and strategic risks, respectively.

Each classification system has unique features; for instance, FIRM refers to operational risk as “infrastructure risk,” while COSO focuses heavily on financial and reporting risks. The systems were developed by different organizations for different purposes, so while they share common aspects, they aren’t identical. British Standard BS 31100 highlights that a classification system can help define the scope of risk management, organize risk identification, and group similar risks across the organization. Unlike BS 31100, ISO 31000 doesn’t suggest a specific classification system, recommending instead that each organization tailor categories to its size, nature, and complexity. COSO and IRM are widely used frameworks, although COSO has limitations, such as the potential overlap of strategic risks across operations, reporting, and compliance. Despite this, COSO is widely used due to its alignment with Sarbanes–Oxley Act requirements. In short, a well-defined risk classification system can:

  • Make it easier to spot groups of risks that could threaten key objectives or dependencies.
  • Clarify who is responsible for managing different risk types.
  • Support informed decisions on risk controls.
  • Highlight when risks exceed the organization’s risk appetite or don’t align with risk criteria.

FIRM risk scorecard

The FIRM Risk Scorecard is a risk classification system designed to help organizations categorize and manage risks across different areas of their business. The acronym “FIRM” stands for:

  • Financial Risks – Risks associated with financial performance, such as cash flow, capital availability, market risks, credit risks, and other financial exposures.
  • Infrastructure Risks – Often synonymous with operational risks, these involve the organization’s internal structures, systems, and processes. Infrastructure risks include issues related to equipment, technology, facilities, and logistical processes.
  • Reputational Risks – Risks that could affect the organization’s public perception and reputation. This category includes risks from customer satisfaction, corporate governance, ethics, and compliance, as well as any issues that could impact the trust and credibility of the organization.
  • Marketplace Risks – These risks relate to the external business environment, including changes in competition, customer preferences, industry trends, regulatory changes, and other market forces that can affect the organization’s strategic position.

The FIRM Risk Scorecard provides a structured approach to identifying, categorizing, and prioritizing risks by dividing them into these four areas. By doing so, organizations can better understand where their biggest vulnerabilities lie and take focused action to manage them. This system also encourages balanced attention to both internal and external risks, supporting comprehensive risk management across different business functions.

1) Financial

  • Description – Risks that can impact the way in which money is managed and profitability is achieved
  • Internal or external risk – Internal
  • Quantifiable – Usually
  • Measurement (performance indicator) – Gains and losses from internal financial control
  • Performance gap – Procedures: failure of procedures to control internal financial risks
  • Control mechanisms – CapEx standards; internal control; delegation of authority

2) Infrastructure

  • Description – Risks that will impact the level of efficiency and dysfunction within the core processes
  • Internal or external risk – Internal
  • Quantifiable – Sometimes
  • Measurement (performance indicator) – Level of efficiency in processes and operations
  • Performance gap – Process: failure of processes to operate without disruption
  • Control mechanisms – Process control; loss control; insurance and risk financing

3) Reputational

  • Description – Risks that will impact the desire of customers to deal or trade and the level of customer retention
  • Internal or external risk – External
  • Quantifiable – Not always
  • Measurement (performance indicator) – Nature of publicity and effectiveness of marketing profile
  • Performance gap – Perception: failure to achieve the desired perception
  • Control mechanisms – Marketing; advertising; reputation and brand protection

4) Marketplace

  • Description – Risks that will impact the level of customer trade or expenditure
  • Internal or external risk – External
  • Quantifiable – Yes
  • Measurement (performance indicator) – Income from commercial and market activities
  • Performance gap – Presence: failure to achieve required presence in the marketplace
  • Control mechanisms – Strategic and business plans; opportunity assessment

Financial and infrastructure risks are seen as internal to the organization, while reputational and marketplace risks come from external factors. Financial and marketplace risks are relatively easy to measure in monetary terms, whereas infrastructure and reputational risks are harder to quantify. Including reputational risks as a separate category in the FIRM scorecard is sometimes debated. Some argue that reputational damage is just a result of other risks and shouldn’t be its own category. However, reputation is crucial, especially when a company relies on its brand to expand into new markets or broaden its brand presence. More broadly, all risks can be viewed as a result of business decisions. Choosing a strategy, starting a project, or maintaining operations all involve risks, and if these activities weren’t undertaken, the risks wouldn’t exist.

PESTLE risk classification system

The PESTLE Risk Classification System is a framework that helps organizations categorize risks by considering external factors in six key areas. PESTLE stands for political, economic, social, technological, legal, and environmental risks. In some versions, the last “E” refers specifically to environmental factors. This classification system is mainly used to assess hazard risks and is less suited for financial, infrastructure, and reputational risks. The six PESTLE categories are:

  1. Political Risks – Risks arising from changes in government policies, regulations, political stability, trade restrictions, and other factors related to government actions that can impact the organization’s operations. Tax policy, employment laws, environmental regulations, trade restrictions and reform, tariffs and political stability are some examples.
  2. Economic Risks – Risks related to economic conditions, such as inflation, currency fluctuations, economic growth or recession, interest rates, and unemployment rates, which can affect the organization’s financial health and market conditions. Economic growth/decline, interest rates, exchange rates and inflation rate, wage rates, minimum wage, working hours, unemployment (local and national), credit availability, cost of living, etc., are some examples.
  3. Social Risks – Risks associated with societal changes and trends, such as shifts in demographics, cultural values, consumer behaviors, and lifestyle changes, which can influence demand for the organization’s products or services. Cultural norms and expectations, health consciousness, population growth rate, age distribution, career attitudes, emphasis on safety, global warming are some examples.
  4. Technological Risks – Risks stemming from changes in technology, including advances, cyber threats, and technology obsolescence, which can affect operational efficiency and competitive positioning. Technology changes that impact your products or services, new technologies, barriers to entry in given markets, financial decisions like outsourcing and supply chain are some examples.
  5. Legal Risks – Risks related to changes in laws, regulations, and legal actions that could impact the organization’s compliance, liability, or operating environment. Changes to legislation that may impact employment, access to materials, quotas, resources, imports/exports, taxation, etc., are some examples.
  6. Ethical or Environmental Risks – Risks associated with ethical or environmental factors, such as climate change, natural disasters, resource scarcity, and sustainability pressures, which can affect operations, reputation, and compliance.

The PESTLE classification system encourages organizations to look beyond internal factors and consider the wider environment in which they operate. By analyzing these areas, organizations can better understand how external forces might pose risks to their strategies and operations, helping to inform their risk management and planning activities. The PESTLE system helps analyze risks from external factors—things the organization can’t fully control but can take some steps to manage. It’s often recommended to use PESTLE with a SWOT analysis (strengths, weaknesses, opportunities, and threats) for each of the six PESTLE areas. PESTLE guides organizations in focusing on key external issues and is especially useful in the public sector, where outside factors greatly impact operations. It’s a popular tool in risk assessment workshops and helps classify different types of risks.

Advantages of using PESTLE:

  • Simple and easy-to-use framework
  • Builds awareness of the broader business environment
  • Encourages strategic, externally-focused thinking
  • Helps foresee potential future threats
  • Identifies ways to reduce or prevent risks
  • Helps spot business opportunities

Disadvantages of using PESTLE:

  • Can oversimplify information for decision-making
  • Needs regular updates to remain useful
  • Requires input from diverse perspectives
  • Finding good external data can be time-consuming and costly
  • Difficult to predict future changes accurately
  • Risk of too much data, making it hard to prioritize
  • Relies on assumptions that may later prove inaccurate

The Orange Book – Risk Categories

  • Strategy – Risks arising from identifying and pursuing a strategy which is poorly defined, is based on flawed or inaccurate data, or fails to support the delivery of commitments, plans or objectives due to a changing macro-environment (e.g. political, economic, social, technological, environmental and legislative change).
  • Governance – Risks arising from unclear plans, priorities, authorities and accountabilities, and/or ineffective or disproportionate oversight of decision-making and/or performance.
  • Operations – Risks arising from inadequate, poorly designed or ineffective/inefficient internal processes resulting in fraud, error, impaired customer service (quality and/or quantity of service), non-compliance and/or poor value for money.
  • Legal – Risks arising from a defective transaction, a claim being made (including a defence to a claim or a counterclaim) or some other legal event occurring that results in a liability or other loss, or a failure to take appropriate measures to meet legal or regulatory requirements or to protect assets (for example, intellectual property).
  • Property – Risks arising from property deficiencies or poorly designed or ineffective/inefficient safety management resulting in non-compliance and/or harm and suffering to employees, contractors, service users or the public.
  • Financial – Risks arising from not managing finances in accordance with requirements and financial constraints, resulting in poor returns from investments, failure to manage assets/liabilities or to obtain value for money from the resources deployed, and/or non-compliant financial reporting.
  • Commercial – Risks arising from weaknesses in the management of commercial partnerships, supply chains and contractual requirements, resulting in poor performance, inefficiency, poor value for money, fraud, and/or failure to meet business requirements/objectives.
  • People – Risks arising from ineffective leadership and engagement, suboptimal culture, inappropriate behaviours, the unavailability of sufficient capacity and capability, industrial action and/or non-compliance with relevant employment legislation/HR policies, resulting in a negative impact on performance.
  • Technology – Risks arising from technology not delivering the expected services due to inadequate or deficient system/process development and performance or inadequate resilience.
  • Information – Risks arising from a failure to produce robust, suitable and appropriate data/information and to exploit data/information to its full potential.
  • Security – Risks arising from a failure to prevent unauthorised and/or inappropriate access to the estate and information, including cyber security and non-compliance with General Data Protection Regulation requirements.
  • Project/Programme – Risks that change programmes and projects are not aligned with strategic priorities and do not successfully and safely deliver requirements and intended benefits to time, cost and quality.

Boxes shaded in yellow denote the suggested risk appetite level.

  1. Strategy
    • Averse – Guiding principles or rules in place that limit risk in organisational actions and the pursuit of priorities. Organisational strategy is refreshed at 5+ year intervals.
    • Minimal – Guiding principles or rules in place that minimise risk in organisational actions and the pursuit of priorities. Organisational strategy is refreshed at 4-5 year intervals.
    • Cautious – Guiding principles or rules in place that allow considered risk taking in organisational actions and the pursuit of priorities. Organisational strategy is refreshed at 3-4 year intervals.
    • Open – Guiding principles or rules in place that are receptive to considered risk taking in organisational actions and the pursuit of priorities. Organisational strategy is refreshed at 2-3 year intervals.
    • Eager – Guiding principles or rules in place that welcome considered risk taking in organisational actions and the pursuit of priorities. Organisational strategy is refreshed at 1-2 year intervals.
  2. Governance
    • Averse – Avoid actions with associated risk. No decisions are taken outside of processes and oversight/monitoring arrangements. Organisational controls minimise risk of fraud, with significant levels of resource focused on detection and prevention.
    • Minimal – Willing to consider low-risk actions which support delivery of priorities and objectives. Processes and oversight/monitoring arrangements enable limited risk taking. Organisational controls maximise fraud prevention, detection and deterrence through robust controls and sanctions.
    • Cautious – Willing to consider actions where benefits outweigh risks. Processes and oversight/monitoring arrangements enable cautious risk taking. Controls enable fraud prevention, detection and deterrence by maintaining appropriate controls and sanctions.
    • Open – Receptive to taking difficult decisions when benefits outweigh risks. Processes and oversight/monitoring arrangements enable considered risk taking. Levels of fraud controls are varied to reflect scale of risks against costs.
    • Eager – Ready to take difficult decisions when benefits outweigh risks. Processes and oversight/monitoring arrangements support informed risk taking. Levels of fraud controls are varied to reflect scale of risk against costs.
  3. Operations
    • Averse – Defensive approach to operational delivery – aim to maintain/protect, rather than create or innovate. Priority for close management controls and oversight with limited devolved authority.
    • Minimal – Innovations largely avoided unless essential. Decision-making authority held by senior management.
    • Cautious – Tendency to stick to the status quo; innovations generally avoided unless necessary. Decision-making authority generally held by senior management. Management through leading indicators.
    • Open – Innovation supported, with clear demonstration of benefit/improvement in management control. Responsibility for non-critical decisions may be devolved.
    • Eager – Innovation pursued – desire to ‘break the mould’ and challenge current working practices. High levels of devolved authority – management by trust/lagging indicators rather than close control.
  4. Legal
    • Averse – Play safe and avoid anything which could be challenged, even unsuccessfully.
    • Minimal – Want to be very sure we would win any challenge.
    • Cautious – Want to be reasonably sure we would win any challenge.
    • Open – Challenge will be problematic; we are likely to win, and the gain will outweigh the adverse impact.
    • Eager – Chances of losing are high but exceptional benefits could be realised.
  5. Property
    • Averse – Obligation to comply with strict policies for purchase, rental, disposal, construction, and refurbishment that ensure good value for money.
    • Minimal – Recommendation to follow strict policies for purchase, rental, disposal, construction, and refurbishment that ensure good value for money.
    • Cautious – Requirement to adopt a range of agreed solutions for purchase, rental, disposal, construction, and refurbishment that ensure good value for money.
    • Open – Consider benefits of agreed solutions for purchase, rental, disposal, construction, and refurbishment that meet organisational requirements.
    • Eager – Application of dynamic solutions for purchase, rental, disposal, construction, and refurbishment that ensure organisational requirements are met.
  6. Financial
    • Averse – Avoidance of any financial impact or loss is a key objective.
    • Minimal – Only prepared to accept the possibility of very limited financial impact if essential to delivery.
    • Cautious – Seek safe delivery options with little residual financial loss, only if it could yield upside opportunities.
    • Open – Prepared to invest for benefit and to minimise the possibility of financial loss by managing the risks to tolerable levels.
    • Eager – Prepared to invest for best possible benefit and accept the possibility of financial loss (controls must be in place).
  7. Commercial
    • Averse – Zero appetite for untested commercial agreements. Priority for close management controls and oversight with limited devolved authority.
    • Minimal – Appetite for risk taking limited to low-scale procurement activity. Decision-making authority held by senior management.
    • Cautious – Tendency to stick to the status quo; innovations generally avoided unless necessary. Decision-making authority generally held by senior management. Management through leading indicators.
    • Open – Innovation supported, with demonstration of benefit/improvement in service delivery. Responsibility for non-critical decisions may be devolved.
    • Eager – Innovation pursued – desire to ‘break the mould’ and challenge current working practices. High levels of devolved authority – management by trust/lagging indicators rather than close control.
  8. People
    • Averse – Priority to maintain close management control and oversight. Limited devolved authority. Limited flexibility in relation to working practices. Development investment in standard practices only.
    • Minimal – Decision-making authority held by senior management. Development investment generally in standard practices.
    • Cautious – Seek safe and standard people policy. Decision-making authority generally held by senior management.
    • Open – Prepared to invest in our people to create an innovative mix of skills. Responsibility for non-critical decisions may be devolved.
    • Eager – Innovation pursued – desire to ‘break the mould’ and challenge current working practices. High levels of devolved authority – management by trust rather than close control.
  9. Technology
    • Averse – General avoidance of systems/technology developments.
    • Minimal – Only essential systems/technology developments to protect current operations.
    • Cautious – Consideration given to adoption of established/mature systems and technology improvements. Agile principles are considered.
    • Open – Systems/technology developments considered to enable improved delivery. Agile principles may be followed.
    • Eager – New technologies viewed as a key enabler of operational delivery. Agile principles are embraced.
  10. Data, Information and Management
    • Averse – Lock down data and information. Access tightly controlled, high levels of monitoring.
    • Minimal – Minimise level of risk due to potential damage from disclosure.
    • Cautious – Accept need for operational effectiveness with risk mitigated through careful management limiting distribution.
    • Open – Accept need for operational effectiveness in distribution and information sharing.
    • Eager – Level of controls minimised, with data and information openly shared.
  11. Security
    • Averse – No tolerance for security risks causing loss or damage to HMG property, assets, information or people. Stringent measures in place, including: adherence to FCDO travel restrictions; staff vetting maintained at the highest appropriate level; controls limiting staff and visitor access to information, assets and estate; access to staff personal devices restricted in official sites.
    • Minimal – Risk of loss or damage to HMG property, assets, information or people minimised through stringent security measures, including: adherence to FCDO travel restrictions; all staff vetted at levels defined by role requirements; controls limiting staff and visitor access to information, assets and estate; staff personal devices permitted, but may not be used for official tasks.
    • Cautious – Limited security risks accepted to support business need, with appropriate checks and balances in place: adherence to FCDO travel restrictions; vetting levels may flex within teams, as required; controls managing staff and limiting visitor access to information, assets and estate; staff personal devices may be used for limited official tasks with appropriate permissions.
    • Open – Considered security risk accepted to support business need, with appropriate checks and balances in place: new starters may commence employment at risk, following partial completion of vetting processes; permission may be sought for travel within FCDO restricted areas; controls limiting visitor access to information, assets and estate; staff personal devices may be used for official tasks with appropriate permissions.
    • Eager – Organisation willing to accept security risk to support business need, with appropriate checks and balances in place: new starters may commence employment at risk, following partial completion of vetting processes; travel permitted within FCDO restricted areas; controls limiting visitor access to information, assets and estate; staff personal devices permitted for official tasks.
  12. Project/Programme
    • Averse – Defensive approach to transformational activity – aim to maintain/protect, rather than create or innovate. Priority for close management controls and oversight with limited devolved authority. Benefits-led plans fully aligned with strategic priorities and functional standards.
    • Minimal – Innovations avoided unless essential. Decision-making authority held by senior management. Benefits-led plans aligned with strategic priorities and functional standards.
    • Cautious – Tendency to stick to the status quo; innovations generally avoided unless necessary. Decision-making authority generally held by senior management. Plans aligned with strategic priorities and functional standards.
    • Open – control. Responsibility for non-critical decisions may be devolved. Plans aligned with functional standards and organisational governance.
    • Eager – Innovation pursued – desire to ‘break the mould’ and challenge current working practices. High levels of devolved authority – management by trust rather than close control. Plans aligned with organisational governance.

Challenges and Approaches to Risk Classification

Using just one system to classify risks may not always work well, as it’s not enough to just know the timing of risks. The type of impact matters, too, and that makes it challenging to rely on a single classification system. Each organization should find a risk classification method that fits its specific needs and the types of risks it faces. Risks should be categorized by their source, impact, and timing. To get a full picture, a mix of the FIRM risk scorecard and categorizing risks as hazard, control, or opportunity can be helpful. A custom risk matrix can combine the FIRM scorecard with classifications for short-, medium-, and long-term risks, creating an issues grid that makes it easier to identify key risks.

Many risk systems overlook compliance risks, which don’t always fit neatly into timing-based categories. Compliance risks also often require a “trigger event,” making it hard to know exactly which compliance issues could become a problem. Hazard risks usually relate to infrastructure issues, while strategic risks are often linked to marketplace changes. The classification systems discussed here work best for analyzing hazard risks, although some frameworks, like IRM and COSO, include strategic risks as a separate category. Each organization needs to decide if it’s helpful to include strategic risks as a category. The FIRM scorecard classifies strategic and project risks based on their main impact if the risk happens. Classifying project risks is important to ensure the right response to each risk. For project requirements like timelines, budgets, and quality standards, risks can be classified as those that threaten timelines, those that affect the budget, and those that impact the final quality or performance.

There’s no universal risk classification system that suits all organizations. For example, banks face a variety of risks, often grouped into three categories: market risk, credit risk, and operational risk. The framework for managing these risks varies. Market risk comes from changes in financial markets, such as interest rates or currency exchange rates, and is mainly seen as an opportunity risk for the bank. Credit risk, which is the chance a client won’t repay a loan, is a control risk that needs active management. Operational risk includes failures in systems, processes, or people and can involve external events like natural disasters. Basel II defines it as the risk of loss from inadequate or failed processes, people, or external events, making it a hazard risk that needs mitigation.

Setting objectives for ERM

Setting objectives for Enterprise Risk Management (ERM) is a critical step in aligning risk management practices with an organization’s strategic goals, since ERM objectives are tied to the objectives of the organization as a whole. Well-defined ERM objectives ensure that risks are identified, assessed, and managed in a way that supports the organization’s mission and vision. These objectives typically focus on risk identification, mitigation, and exploiting opportunities to create value. Key steps in setting objectives for ERM:

  • Align with Organizational Strategy: Ensure that the ERM objectives are directly tied to the overall strategy and mission of the organization. The risk management framework should support the achievement of business objectives, whether they focus on growth, innovation, operational efficiency, or compliance.
  • Support Stakeholder Needs: Understand the risk tolerance and appetite of key stakeholders, including investors, customers, employees, regulators, and partners. The ERM objectives should balance risk and reward in a way that meets these stakeholders’ expectations.
  • Address Different Types of Risk: Define objectives around the various categories of risks, such as:
    • Strategic Risks: Relating to long-term goals and strategic initiatives.
    • Operational Risks: Impacting day-to-day operations and processes.
    • Financial Risks: Associated with cash flow, investments, or market exposure.
    • Compliance Risks: Arising from regulatory requirements or legal obligations.
    • Reputational Risks: Affecting public perception or brand value.
  • Foster Risk Awareness and Culture: Set objectives that promote a strong risk-aware culture across the organization. Everyone from top management to operational staff should be encouraged to understand and manage risks proactively. Training and communication should be part of the ERM framework.
  • Integrate ERM into Decision-Making: Objectives should focus on integrating risk considerations into day-to-day decision-making processes. This includes incorporating risk assessments into capital investments, mergers and acquisitions, product launches, and any other major business decisions.
  • Encourage Risk Innovation: Beyond managing traditional risks, ERM objectives can promote the identification of risks as opportunities. For example, organizations can leverage new technologies, markets, or partnerships to create value from emerging risks, such as cyber threats or regulatory changes.
  • Monitor and Adapt to Change: One key objective of ERM should be to establish a dynamic and responsive risk management process. Risk environments change over time (e.g., through market volatility, technological advances, or new regulations), and the ERM framework should include regular reviews and updates of risk assessments and controls.
  • Establish Metrics and KPIs for Risk: Define specific metrics to measure the success of ERM. These key performance indicators (KPIs) may include:
    • Reduction in financial losses due to risk events.
    • Improvement in risk mitigation and control effectiveness.
    • Timeliness of response to risk events.
    • Alignment of risk exposure with risk appetite.

Examples of ERM objectives:

  1. Protect Organizational Assets: Ensure that physical, financial, and intellectual assets are protected through a comprehensive risk assessment and control program.
  2. Enhance Decision-Making: Improve decision-making processes by ensuring that risk data and analysis are incorporated into strategic business decisions.
  3. Achieve Regulatory Compliance: Maintain compliance with applicable laws and regulations by continuously monitoring legal and regulatory changes and implementing necessary adjustments.
  4. Improve Operational Efficiency: Identify operational risks that may impact business continuity and implement risk management strategies to minimize disruptions.
  5. Maximize Opportunities from Emerging Risks: Proactively assess and respond to emerging risks (e.g., technological, environmental, or geopolitical changes) to turn potential threats into competitive advantages.
  6. Maintain Stakeholder Confidence: Strengthen stakeholder confidence by providing transparency in how risks are managed, showing the organization’s resilience and adaptability.

When setting objectives, it’s useful to apply the SMART criteria:

  • Specific: Clearly define the risk areas (e.g., financial, operational, compliance).
  • Measurable: Establish metrics to track performance (e.g., number of risk incidents).
  • Achievable: Ensure objectives are realistic given the organization’s resources.
  • Relevant: Align objectives with the organization’s strategy and risk appetite.
  • Time-bound: Set timelines for when each objective should be achieved.

For example: Reduce operational disruptions due to supply chain risks by 15% over the next 12 months by enhancing supplier risk assessments and improving supplier diversification.

Implementing objectives in ERM

Implementing objectives in Enterprise Risk Management (ERM) requires a structured approach that ensures risk management processes are integrated into all aspects of an organization. The ERM framework seeks to align risk management objectives with the organization’s strategic goals, improve decision-making, and enhance resilience across the enterprise. Below are the steps and key considerations for implementing ERM objectives:

  1. Align ERM Objectives with Organizational Strategy: ERM objectives must be aligned with the organization’s strategy to ensure that risk management efforts support overall business goals. To achieve this, the organization must:
    • Understand strategic goals: Identify the organization’s short-term and long-term goals and the risks that could impact them.
    • Set risk appetite and tolerance: Define how much risk the organization is willing to accept in pursuit of its objectives (risk appetite) and the thresholds of acceptable risk (risk tolerance).
    • Ensure executive buy-in: Senior leadership should endorse and actively promote the alignment of risk management with the strategic objectives of the organization.
  2. Establish a Governance Structure: An effective governance structure is essential for implementing ERM objectives. Governance ensures that roles, responsibilities, and accountability for risk management are clearly defined across the organization.
    • Define roles and responsibilities: Identify key stakeholders (e.g., risk managers, department heads, executive leadership) who are responsible for identifying, assessing, and managing risks.
    • Create a risk committee: Establish a risk management or governance committee that oversees the ERM implementation process and reports to the board on risk-related issues.
    • Set up reporting lines: Ensure that there are clear lines of communication for reporting risks from all levels of the organization to senior management and the board.
  3. Identify and Prioritize Risks: For ERM to be effective, risks must be systematically identified, assessed, and prioritized based on their potential impact on the organization’s objectives.
    • Risk identification: Conduct a comprehensive risk assessment across departments to identify potential risks that could affect achieving the organization’s goals. Use tools like SWOT analysis, scenario planning, and risk workshops to gather input from various stakeholders.
    • Risk categorization: Categorize risks based on their source (e.g., operational, financial, regulatory, strategic, cybersecurity) and their potential impact on organizational performance.
    • Risk prioritization: Assess risks based on their likelihood and impact. This can be visualized using a risk heat map or risk matrix, which ranks risks according to priority.
  4. Develop Risk Response Strategies: Once risks are identified and prioritized, organizations need to develop strategies to manage these risks effectively. ERM offers several ways to respond to risks:
    • Risk avoidance: Eliminating activities or exposures that may lead to risk.
    • Risk mitigation: Implementing controls or processes to reduce the likelihood or impact of risks.
    • Risk transfer: Shifting risk to a third party (e.g., through insurance or outsourcing).
    • Risk acceptance: Acknowledging that some risks are worth taking based on their potential rewards, provided they fall within the organization’s risk tolerance.

Each risk should have a designated response plan based on the organization’s risk appetite and tolerance.
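Steps 3 and 4 above (likelihood-and-impact scoring, heat-map prioritization, and choosing avoid/mitigate/transfer/accept against the organization’s tolerance) can be made concrete in a small risk register. The following is an added illustration, not part of the original text: the 1–5 scales, the heat-map bands, the per-category tolerance values and the sample register are all constructed, and a real organization would take them from its own risk appetite statement.

```python
"""Risk register scoring: likelihood x impact, heat-map band, and ERM response.

Added example. Scales (1-5), band thresholds, tolerance values and the sample
register are constructed for illustration only.
"""
from dataclasses import dataclass

# Constructed heat-map bands over the 1..25 product of likelihood and impact.
BANDS = (
    (1, 4, "low"),
    (5, 9, "medium"),
    (10, 15, "high"),
    (16, 25, "critical"),
)

# Constructed risk tolerance per source category: the highest score the
# organization accepts without a dedicated response plan.
TOLERANCE = {
    "strategic": 12,
    "operational": 9,
    "financial": 9,
    "compliance": 4,
    "cybersecurity": 6,
}


@dataclass(frozen=True)
class Risk:
    name: str
    source: str                 # category key in TOLERANCE
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    transferable: bool = False  # insurance or outsourcing available?

    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Heat-map band for a 1..25 score."""
    for lo, hi, label in BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} outside 1..25")


def response(risk: Risk) -> str:
    """Map a scored risk to one of the four ERM responses."""
    s = risk.score()
    if s <= TOLERANCE[risk.source]:
        return "accept"        # within appetite: acknowledge and monitor
    if band(s) == "critical" and risk.likelihood >= 4:
        return "avoid"         # too likely and too severe to keep the exposure
    if risk.transferable and risk.impact >= 4:
        return "transfer"      # shift severe, insurable impact to a third party
    return "mitigate"          # otherwise reduce likelihood or impact


def prioritise(register):
    """Return the register sorted by score (highest first) with band and response."""
    rows = [
        {"name": r.name, "source": r.source, "score": r.score(),
         "band": band(r.score()), "response": response(r)}
        for r in register
    ]
    rows.sort(key=lambda row: (-row["score"], row["name"]))
    return rows


def heat_map(register):
    """5x5 grid indexed [impact-1][likelihood-1] -> list of risk names."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in register:
        grid[r.impact - 1][r.likelihood - 1].append(r.name)
    return grid


# Constructed sample register.
SAMPLE_REGISTER = [
    Risk("key supplier failure", "operational", 3, 4, transferable=True),
    Risk("ransomware on ERP system", "cybersecurity", 3, 5),
    Risk("new data-privacy regulation", "compliance", 3, 3),
    Risk("FX exposure on exports", "financial", 2, 3, transferable=True),
    Risk("market entry mis-timed", "strategic", 2, 4),
    Risk("entry into politically unstable market", "strategic", 4, 5),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(f"{row['score']:>2} {row['band']:<8} {row['response']:<9} {row['name']}")
```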

  5. Integrate ERM into Business Processes: Risk management objectives must be embedded into core business processes and decision-making. This includes:

  • Operational integration: Embed risk management practices into day-to-day operations, ensuring that managers at all levels consider risk in their decision-making processes.
  • Strategic planning: Incorporate risk assessments into strategic planning sessions to ensure that risks are accounted for when setting long-term goals and plans.
  • Project management: Integrate ERM into project management frameworks to identify and manage project-specific risks from the start.

  6. Build a Risk-Aware Culture: To successfully implement ERM objectives, the entire organization must develop a risk-aware culture where employees understand the importance of managing risk and are empowered to raise concerns about potential risks.

  • Training and education: Provide regular training for employees at all levels to help them understand the importance of risk management and how they can contribute to managing risks within their roles.
  • Risk communication: Foster open communication about risks, encouraging staff to report risks or concerns without fear of negative consequences.
  • Leadership support: Senior leadership should demonstrate commitment to risk management by emphasizing its importance in all business decisions and promoting a culture of risk awareness.

  7. Monitor and Review Risk Management Performance: Continuous monitoring and review are essential to ensure that risk management objectives are met and that the ERM framework is functioning effectively.

  • Risk monitoring: Implement systems to monitor key risk indicators (KRIs) and other performance metrics related to risk. Automated tools and dashboards can provide real-time monitoring of risks.
  • Regular reviews: Schedule periodic reviews of the risk management framework to ensure that it remains relevant as the organization evolves and new risks emerge.
  • Internal audits: Conduct internal audits of the risk management framework to assess the effectiveness of controls and processes.
  • Performance metrics: Use metrics such as the number of risks identified, risk incidents, or the success of risk mitigation strategies to evaluate the effectiveness of the ERM process.

  8. Reporting and Communication: Transparent reporting and communication about risks and risk management activities help ensure accountability and support continuous improvement.

  • Risk reporting: Develop regular risk reports for senior management and the board that outline key risks, how they are being managed, and any changes in the risk landscape.
  • Stakeholder communication: Keep internal and external stakeholders informed about significant risks and how they are being managed. This includes investors, regulators, and employees.
  • Risk dashboards: Use visual tools, such as risk dashboards, to provide an overview of key risks and trends across the organization in a clear, concise manner.

  9. Leverage Technology for ERM Implementation: Technology can enhance the efficiency and effectiveness of ERM implementation by automating key processes and providing real-time risk data.

  • Risk management software: Use ERM software to streamline the process of risk identification, assessment, and monitoring. These tools can also facilitate collaboration and improve transparency.
  • Data analytics: Leverage data analytics to identify trends, predict potential risks, and assess the effectiveness of risk mitigation strategies.
  • Risk visualization: Tools like dashboards and heat maps help in visualizing risk data, enabling better decision-making.

In Enterprise Risk Management (ERM), objectives are set at different levels—strategic, tactical, and operational—each with distinct purposes and timeframes. These levels of objectives help align ERM efforts with the overarching goals of the organization, ensuring that risk management supports decision-making across all areas of the business. Here’s an overview of the differences between these objective levels:

1. Strategic Objectives

Strategic objectives in ERM are long-term goals aligned with the organization’s mission, vision, and overarching strategy. They focus on high-level risks that could impact the organization’s ability to achieve its long-term vision and sustain its competitive advantage. Strategic objectives are typically set by top leadership and have a broad, organization-wide impact.

Characteristics of Strategic Objectives:

  • Timeframe: Long-term (often 3–5 years or more).
  • Scope: Organization-wide; aligns with the mission, vision, and overall business strategy.
  • Focus: Deals with significant, high-level risks that could impact long-term sustainability or growth.
  • Examples:
    • Ensuring business continuity in case of major disruptions (natural disasters, economic downturns).
    • Expanding into new markets while managing regulatory and geopolitical risks.
    • Maintaining a specific market share by managing risks related to innovation and competition.
    • Achieving sustainable growth by integrating ESG (Environmental, Social, and Governance) risk management into core operations.

In ERM, managing strategic objectives involves:

  • Risk identification and prioritization of potential threats and opportunities.
  • Scenario analysis and stress testing to understand the impact of uncertain, high-impact events.
  • Developing risk appetite statements that outline the level of risk the organization is willing to accept in pursuit of strategic goals.

2. Tactical Objectives

Tactical objectives are medium-term goals that bridge the gap between strategic objectives and operational activities. These objectives focus on specific departments or functions within the organization and are typically aligned with achieving strategic goals. Tactical objectives involve implementing policies, programs, and processes that help mitigate risks at the functional or departmental level.

Characteristics of Tactical Objectives:

  • Timeframe: Medium-term (typically 1–3 years).
  • Scope: Departmental or functional level, such as finance, IT, or marketing.
  • Focus: Addresses risks that affect the ability to achieve strategic objectives, focusing on functional areas.
  • Examples:
    • Enhancing cybersecurity measures in the IT department to protect against data breaches.
    • Improving supply chain resilience in procurement to mitigate supplier-related risks.
    • Strengthening internal controls in finance to prevent fraud and ensure regulatory compliance.
    • Developing training programs in HR to reduce risks related to talent retention and compliance.

In ERM, managing tactical objectives involves:

  • Setting risk tolerance levels for each department or function based on its role in the overall strategy.
  • Establishing key risk indicators (KRIs) and metrics to monitor risks in specific areas.
  • Cross-functional coordination to ensure that tactical objectives align with and support strategic goals.

3. Operational Objectives

Operational objectives are short-term goals focused on day-to-day activities. These objectives are narrow in scope and detail the specific actions needed to keep business processes running efficiently and within acceptable risk. Operational objectives are often set at the management or supervisory level and focus on mitigating immediate risks that could disrupt routine operations.

Characteristics of Operational Objectives:

  • Timeframe: Short-term (usually less than 1 year).
  • Scope: Process or activity level; focuses on day-to-day operations within specific teams or units.
  • Focus: Addresses specific, immediate risks to ensure smooth functioning of daily activities.
  • Examples:
    • Ensuring workplace safety protocols are followed to reduce accident risks.
    • Monitoring compliance with data handling processes to prevent data loss.
    • Maintaining equipment regularly to avoid downtime in manufacturing.
    • Implementing daily transaction monitoring in finance to detect anomalies or potential fraud.

In ERM, managing operational objectives involves:

  • Real-time risk monitoring to identify and respond to risks as they arise.
  • Implementing standard operating procedures (SOPs) that integrate risk controls into daily activities.
  • Training and awareness programs for staff to ensure compliance with risk management protocols.

Key Differences

  • Strategic objectives are broad and involve managing high-level risks that impact the organization’s future.
  • Tactical objectives support strategic goals through specific departmental initiatives.
  • Operational objectives are immediate and focus on the daily actions that minimize disruptions to essential activities.

Each level of objective plays a role in ensuring a cohesive ERM approach, as the management of day-to-day risks at the operational level supports departmental objectives, which, in turn, align with and facilitate the achievement of strategic goals. Integrating all three levels of objectives creates a comprehensive risk management framework that supports resilience and aligns with organizational strategy.

Implementing strategic objectives in ERM

Implementing strategic objectives in Enterprise Risk Management (ERM) requires a top-down approach where risk management is tightly integrated with the organization’s overall strategy. Strategic objectives in ERM focus on long-term, high-level goals that ensure the organization can withstand challenges, seize opportunities, and continue its mission. Here are the key steps for implementing strategic objectives within an ERM framework:


1. Define and Align Strategic Objectives

Strategic objectives in ERM should be clearly defined and aligned with the organization’s mission, vision, and overall strategy. This involves understanding what the organization wants to achieve in the long term and identifying the risks that could impact these goals.

Key Actions:

  • Strategic Goal Setting: Ensure strategic goals (e.g., growth, market expansion, innovation) are established by leadership.
  • Risk Identification: Identify potential risks that could impact achieving these strategic goals. This includes both external risks (e.g., regulatory changes, market volatility, technological disruption) and internal risks (e.g., operational inefficiencies, cybersecurity).
  • Risk Appetite and Tolerance: Define the organization’s risk appetite—the amount of risk the organization is willing to take to achieve its strategic goals. Risk tolerance levels can be established for different risk categories, indicating the acceptable limits of exposure.

Example:

If an organization’s strategic objective is to expand into new international markets, risks like geopolitical instability, compliance with foreign regulations, and cultural differences need to be considered. ERM will help assess these risks and ensure that expansion efforts stay within the company’s risk appetite.


2. Integrate ERM into Strategic Planning

For effective implementation, ERM must be embedded into the strategic planning process. Risk considerations should be factored into the development of strategic initiatives, major projects, and investments.

Key Actions:

  • Risk Analysis in Strategic Planning: During strategic planning sessions, assess the risks and opportunities of each strategic initiative. Use tools like SWOT analysis or PESTLE analysis to identify external risks (e.g., political, economic, social, technological, legal, environmental) and internal vulnerabilities.
  • Scenario Planning: Use scenario planning to evaluate how different risk scenarios could affect the organization’s strategic goals. This helps in understanding potential future environments and preparing risk mitigation strategies accordingly.
  • Risk-Adjusted Decision Making: Incorporate risk-adjusted decision-making to prioritize projects or investments based on their risk-return profiles. High-risk projects should be pursued only if they align with the company’s risk appetite and have strong risk mitigation plans in place.

Example:

If the organization is considering launching a new product, ERM can assess risks related to market acceptance, production costs, and competition, helping decide if the project should proceed, be postponed, or require additional risk mitigation steps.

3. Develop Risk Response Strategies

Once strategic risks have been identified and analyzed, organizations need to develop response strategies to manage these risks in alignment with their strategic objectives.

Key Actions:

  • Risk Mitigation Plans: For each identified risk, develop risk mitigation plans. These may include implementing controls, transferring risk (e.g., through insurance), or accepting the risk if it falls within the organization’s risk appetite.
  • Contingency Planning: Prepare contingency plans for high-impact, low-likelihood risks (e.g., natural disasters, major regulatory changes). These plans ensure the organization can respond quickly if such risks materialize.
  • Innovation and Opportunity Risk: Use ERM not only to mitigate risks but also to explore opportunities. For example, strategic risks like market disruption or technological advances might present opportunities for innovation if managed proactively.

Example:

A technology company pursuing digital transformation as a strategic goal might face risks like technology failure, staff resistance, or data security issues. ERM would develop strategies to mitigate these risks, such as investing in IT infrastructure, offering employee training, and enhancing cybersecurity protocols.

4. Establish Governance and Accountability

Successful implementation of strategic objectives through ERM requires a strong governance structure to oversee risk management processes and ensure accountability at all levels of the organization.

Key Actions:

  • Risk Governance Framework: Establish a risk governance framework that defines roles and responsibilities for managing strategic risks. The board of directors and executive leadership should have oversight of risk management, while specific risk owners (e.g., department heads) are responsible for managing risks in their areas.
  • Risk Committees: Create a risk management or governance committee that meets regularly to review the organization’s risk profile and assess whether strategic risks are being managed effectively.
  • Clear Reporting Lines: Ensure clear reporting lines so that strategic risks identified at the operational level are communicated to senior management and the board. This ensures that emerging risks are addressed in a timely manner.

Example:

For a company expanding into international markets, a governance structure would include risk owners for specific areas (e.g., legal, finance, operations) to ensure that all risks related to foreign market entry are being managed. The risk committee would regularly assess the risks and report them to the board.


5. Monitor and Measure Risk Performance

Continuous monitoring and measurement are critical to ensure that risk management efforts are effective and that strategic objectives are on track. ERM provides tools and metrics to monitor key risks and measure performance against strategic goals.

Key Actions:

  • Key Risk Indicators (KRIs): Develop and track KRIs that provide early warnings about emerging risks or shifts in the organization’s risk profile. These indicators should be linked to the achievement of strategic objectives.
  • Risk Dashboards: Use risk dashboards to provide real-time data on risk performance, showing how well the organization is managing its strategic risks. Dashboards can include visual tools like risk heat maps to prioritize risk response.
  • Periodic Reviews: Conduct regular reviews of the ERM framework to ensure that risk management strategies are still aligned with the organization’s changing strategic objectives. These reviews should assess whether new risks have emerged and whether existing risk controls remain effective.

Example:

A financial institution with a strategic objective to grow its lending portfolio might monitor KRIs like loan default rates, regulatory changes, and economic indicators. If loan defaults increase beyond acceptable limits, the institution would adjust its lending criteria or risk appetite accordingly.

6. Foster a Risk-Aware Culture

Building a risk-aware culture throughout the organization is essential for implementing strategic objectives through ERM. A culture where employees at all levels understand the importance of risk management ensures that risk is considered in decision-making and day-to-day activities.

Key Actions:

  • Training and Awareness: Provide ongoing training to employees and leaders on risk management principles and the importance of aligning risk management with strategic objectives.
  • Risk Communication: Establish open lines of communication about risk across the organization. Encourage employees to report potential risks without fear of negative consequences.
  • Leadership Example: Senior leadership should model risk-aware behavior by demonstrating how they consider risks when making strategic decisions. This helps embed risk management into the organization’s culture.

Example:

If senior leaders regularly communicate how risk factors are influencing strategic decisions, it reinforces the importance of risk management throughout the organization, encouraging all employees to engage with ERM processes.

7. Communicate Progress and Risk Insights

Clear and consistent communication about how ERM supports strategic objectives ensures transparency and accountability at all levels of the organization.

Key Actions:

  • Risk Reporting: Develop regular reports on the organization’s risk profile and the status of strategic risks. Share these reports with the board, senior leadership, and relevant stakeholders.
  • Stakeholder Engagement: Engage with internal and external stakeholders, such as investors and regulators, to communicate how risks are being managed to support strategic objectives.
  • Risk-adjusted Performance: Provide insights into how risk management is affecting organizational performance, demonstrating how strategic objectives are being achieved in a risk-conscious manner.

Example:

A company undergoing digital transformation might regularly report to the board and investors on how it is managing risks related to the project, including cybersecurity and operational disruptions, reassuring stakeholders that these risks are under control.

Implementing tactical objectives in ERM

Implementing tactical objectives in Enterprise Risk Management (ERM) involves bridging the gap between the high-level strategic goals of the organization and the day-to-day operational activities. Tactical objectives are typically medium-term and focus on the risks faced by individual departments, functions, or business units as they work towards achieving strategic objectives. To effectively implement tactical objectives in ERM, the process must involve clear planning, coordination between departments, and the development of specific risk management practices at the functional level. Here’s how you can implement tactical objectives within an ERM framework:

1. Translate Strategic Goals into Tactical Objectives

The first step in implementing tactical objectives is translating the organization’s long-term strategic goals into actionable, department-specific objectives. Each department or business unit must identify how its role contributes to the broader strategy and what risks might prevent it from meeting those objectives.

Key Actions:

  • Break Down Strategic Objectives: Identify how strategic objectives (such as entering a new market or improving customer satisfaction) apply to each department. For example, if the strategic goal is digital transformation, the IT department might focus on enhancing infrastructure and cybersecurity, while HR may focus on reskilling employees.
  • Risk Identification: Each department should identify the specific risks that might impact their ability to achieve tactical objectives. These risks could be related to technology, finance, compliance, or operations.
  • Align Departmental Goals: Ensure that tactical objectives align with both strategic goals and the organization’s risk appetite. Departments should work within the risk tolerance set at the strategic level, while considering specific risks within their functional areas.

Example:

A manufacturing company with a strategic goal to expand production capacity may translate this into tactical objectives for different departments:

  • IT Department: Enhance automation systems to support higher production volumes.
  • Operations Department: Streamline supply chain processes to reduce lead times.
  • HR Department: Hire and train additional staff to meet increased production demands.

2. Develop Risk Response Plans at the Functional Level

Once risks are identified at the departmental level, it’s important to develop specific risk response plans that address those risks in a way that aligns with both tactical and strategic objectives. Risk responses may include mitigation, avoidance, transfer, or acceptance strategies tailored to the specific needs of each department.

Key Actions:

  • Mitigation Strategies: Implement risk controls specific to each department. For instance, the finance department may enhance internal controls to prevent fraud, while the IT department may upgrade cybersecurity protocols.
  • Risk Transfer: Some departments may choose to transfer risks, such as outsourcing certain processes or purchasing insurance for key assets.
  • Contingency Plans: Develop contingency plans for high-impact risks that could disrupt departmental functions. These should be detailed and actionable, with clear steps for managing risks if they materialize.

Example:

A finance department might develop mitigation strategies for risks related to cash flow management, while the operations team could establish contingency plans to manage supply chain disruptions (e.g., alternate suppliers, safety stock).

3. Establish Departmental Key Risk Indicators (KRIs)

Tactical objectives require measurable indicators to track risk performance and monitor progress. Establishing Key Risk Indicators (KRIs) at the departmental level allows teams to monitor risks and take proactive measures before they escalate into bigger problems.

Key Actions:

  • Identify KRIs: Each department should identify specific KRIs relevant to their tactical objectives. KRIs act as early warning signals of potential risk exposures and should be aligned with department goals.
  • Integrate KRIs with KPIs: Where possible, integrate KRIs (which measure risks) with Key Performance Indicators (KPIs), which measure success against department objectives. This ensures that risk and performance are managed together.
  • Monitor in Real Time: Use dashboards or reporting tools to monitor KRIs in real time, providing insight into how well departments are managing risks and where adjustments may be needed.

Example:

For the IT department, KRIs might include unplanned system downtime or the number of security incidents detected per reporting period. For HR, KRIs could be employee turnover rates or the number of compliance violations related to labor laws.

4. Foster Cross-Departmental Coordination

ERM requires collaboration between departments to ensure that risks are managed consistently and effectively. Cross-departmental coordination ensures that different functions are working towards common tactical objectives, and that interdependencies between departments are understood and managed.

Key Actions:

  • Cross-Functional Risk Committees: Establish cross-functional risk committees to facilitate collaboration. These committees can help identify and address risks that span multiple departments (e.g., risks that affect both IT and operations).
  • Shared Risk Databases: Use shared risk management databases or tools where departments can report and track risks in a centralized manner. This promotes transparency and ensures that all departments have access to critical risk information.
  • Regular Communication: Facilitate regular communication between departments to share insights on emerging risks, mitigation strategies, and lessons learned. Cross-departmental workshops or meetings can be useful for aligning on shared objectives.

Example:

If the finance department is concerned about liquidity risks that could impact project funding, it should coordinate with the operations department to ensure that cash flow risks are considered when planning production schedules.

5. Assign Risk Ownership and Accountability

Each department should have clear ownership of its risks and be accountable for managing them effectively. Assigning risk ownership ensures that individuals or teams are responsible for monitoring, reporting, and mitigating risks within their functional areas.

Key Actions:

  • Appoint Risk Owners: Designate specific risk owners within each department who are accountable for monitoring and managing departmental risks. Risk owners should report directly to departmental heads and coordinate with the ERM team.
  • Establish Accountability Structures: Develop clear accountability structures that define who is responsible for specific risk management actions. This could include creating risk response teams or assigning risk managers to oversee specific areas (e.g., compliance, technology, health and safety).
  • Performance Reviews Linked to Risk Management: Consider linking risk management performance to departmental evaluations. This ensures that departments are rewarded for effectively managing risks and meeting tactical objectives.

Example:

In the marketing department, a senior manager might be responsible for overseeing risks related to brand reputation, while the operations department assigns risk owners to manage supply chain risks.

6. Implement Risk Control Mechanisms

For each tactical objective, it’s important to put in place specific risk control mechanisms that ensure risks are managed in day-to-day activities. These controls help minimize exposure to risks and ensure that departments can meet their objectives effectively.

Key Actions:

  • Internal Controls: Implement internal controls within each department to mitigate specific risks. For example, finance departments may introduce stronger financial oversight processes, while IT departments can enhance access control systems to reduce cybersecurity risks.
  • Standard Operating Procedures (SOPs): Develop SOPs that embed risk management into daily operations. SOPs should include steps for identifying and addressing risks as they arise, ensuring consistency in how risks are handled.
  • Risk Audits: Conduct regular audits of risk management practices within each department to ensure that controls are working as intended. Audits can identify weaknesses in risk controls and highlight areas for improvement.

Example:

An internal audit team may regularly review how the procurement department manages supplier risks, ensuring that SOPs for vetting suppliers and managing contracts are being followed.

7. Monitor and Report on Tactical Risks

Tactical risks should be monitored continuously to ensure that departments remain on track to achieve their objectives. Reporting mechanisms should be in place to provide regular updates to senior leadership on how well departments are managing risks in relation to tactical objectives.

Key Actions:

  • Continuous Risk Monitoring: Use risk monitoring tools and dashboards to provide updates on departmental risks in real time. This allows for quick responses to emerging threats.
  • Regular Reporting: Implement a reporting structure where department heads report on risk management efforts and outcomes. Reports should focus on how well risks are being managed in alignment with tactical objectives and how this supports the organization’s overall strategy.
  • Risk Reviews: Conduct regular risk reviews where department heads and the ERM team assess whether risk management efforts are effective. These reviews should also consider any changes in the external environment that could impact tactical objectives.

Example:

The finance department might provide quarterly reports on liquidity risks and how these are being managed to support broader financial objectives, while the IT department could report on cybersecurity risks and the effectiveness of controls.

8. Adjust and Improve Based on Feedback

Finally, implementing tactical objectives in ERM is an ongoing process. As departments monitor risks and assess the effectiveness of their controls, they should adjust their approaches based on feedback and changing conditions.

Key Actions:

  • Continuous Improvement: Use feedback from audits, reviews, and risk reporting to continuously improve risk management practices within each department. This might involve refining risk controls, updating SOPs, or reallocating resources to address emerging risks.
  • Risk Learning Culture: Foster a culture where departments are encouraged to learn from past risk management experiences. Regular debriefs after risk events (e.g., cybersecurity breaches, supply chain disruptions) can help departments improve future risk responses.
  • Adapt to External Changes: Departments should be agile in adjusting their risk management practices in response to changes in the external environment, such as new regulations, market trends, or technological developments.

Example:

If the legal department identifies changes in data protection regulations, they should quickly adjust compliance strategies and communicate the changes to relevant departments, such as IT and HR.

Implementing operational objectives in ERM

Implementing operational objectives in Enterprise Risk Management (ERM) involves embedding risk management into the organization’s day-to-day processes and ensuring that risks affecting routine operations are identified, assessed, and managed effectively. Operational objectives are short-term and focus on achieving efficiency, productivity, and regulatory compliance in the organization’s core activities. Operational risks tend to be more specific and frequent compared to strategic or tactical risks. Here’s a step-by-step approach to implementing operational objectives in ERM:

1. Identify Operational Risks at the Process Level

Operational risks typically arise from inadequate or failed people, processes, or systems, or from external events. To manage these risks effectively, the first step is to identify the specific risks that could affect the achievement of operational objectives in each department or function.

Key Actions:

  • Process Mapping: Conduct detailed mapping of key operational processes (e.g., production, customer service, IT, procurement) to understand where risks could arise. Each department should outline its critical processes and identify risk points within them.
  • Risk Assessment: Use risk assessment techniques such as Failure Mode and Effects Analysis (FMEA) or Risk and Control Self-Assessment (RCSA) to evaluate the likelihood and impact of potential risks on operations.
  • Classify Risks: Group operational risks into categories such as human error, system failures, supply chain disruptions, compliance breaches, or environmental hazards to facilitate targeted risk management.

Example:

In a retail company, operational risks could include supply chain delays, inventory management errors, and point-of-sale system outages. The operations team would need to map out these processes and identify where risks are most likely to occur.

2. Develop Risk Controls and Mitigation Strategies

Once operational risks are identified, the next step is to develop specific controls and mitigation strategies to minimize the likelihood and impact of these risks on daily activities.

Key Actions:

  • Design Internal Controls: Implement controls to prevent or reduce operational risks. These might include automated system checks, segregation of duties, process standardization, and quality control procedures.
  • Risk Mitigation Plans: For each risk, create a mitigation plan that outlines steps to prevent the risk or reduce its impact if it occurs. These plans should be tailored to the specific needs of each process or department.
  • Process Improvements: Identify opportunities for process improvements that can reduce exposure to operational risks, such as enhancing workflow efficiency, investing in technology, or improving employee training.

Example:

In a manufacturing setting, a risk control might involve automating quality checks on production lines to reduce human error. In an IT department, a risk control could include automated, regularly tested backups so that data loss from a system failure or ransomware incident is limited to the period since the last good backup. A backup that has never been restored is an untested control, not a working one.

3. Establish Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs)

To monitor and measure the effectiveness of risk controls, it is essential to establish Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) related to operational objectives.

Key Actions:

  • Develop KRIs: Identify specific KRIs for each department that provide early warning signals of emerging operational risks. KRIs should be monitored regularly to detect any deviations from acceptable risk thresholds.
  • Link KRIs to KPIs: Where possible, align KRIs with operational KPIs, which measure performance against operational goals. This ensures that departments can manage both risk and performance together.
  • Risk Dashboards: Use risk dashboards or monitoring tools to visualize and track KRIs and KPIs in real time, allowing for timely responses to emerging risks.

Example:

For a logistics department, KRIs might include delivery times or the number of damaged goods reported, while KPIs could focus on the percentage of on-time deliveries. Monitoring these indicators helps the department manage risks related to delivery delays or damage in transit.

4. Assign Risk Ownership and Accountability

Clear ownership and accountability are critical in managing operational risks. Each department should have designated risk owners responsible for monitoring and managing risks within their area of operations.

Key Actions:

  • Appoint Risk Owners: Assign specific individuals within each department as risk owners. These individuals will be responsible for monitoring operational risks, implementing controls, and reporting on risk status.
  • Define Roles and Responsibilities: Clearly define roles and responsibilities for risk management at the operational level. This could include defining who is responsible for identifying risks, implementing controls, and responding to risk events.
  • Embed Accountability in Daily Operations: Make risk management a part of daily operational responsibilities by incorporating it into job descriptions and performance evaluations.

Example:

In a healthcare facility, the operations manager may be the risk owner for patient safety risks, ensuring that all safety protocols are followed and incidents are reported immediately.

5. Foster a Risk-Aware Culture at the Operational Level

Building a risk-aware culture within the organization’s operational functions is crucial to ensure that employees understand their role in managing risks and are proactive in reporting potential issues.

Key Actions:

  • Training and Awareness Programs: Conduct regular training for employees on the importance of risk management and the specific risks related to their daily tasks. This can include workshops on incident reporting, compliance, or process safety.
  • Encourage Risk Reporting: Establish a culture of open communication where employees are encouraged to report risks or process failures without fear of blame. A no-blame reporting system helps identify risks early before they escalate.
  • Leadership Engagement: Operational leaders should model risk-aware behavior and emphasize the importance of risk management in their communications and actions.

Example:

In a financial services company, front-line employees should be trained to recognize and report suspicious activities or fraud, while also following strict compliance protocols to mitigate operational risks.

6. Monitor Operational Risks Continuously

Continuous monitoring of operational risks ensures that departments can respond to risks in real-time and adjust controls as needed to maintain operational efficiency and minimize disruptions.

Key Actions:

  • Real-Time Monitoring Tools: Use technology and monitoring tools to track operational risks continuously. Systems can be set up to alert the risk owner when a KRI crosses its agreed threshold or when unusual patterns are detected. A KRI with no reading for the period should be flagged as unknown rather than treated as within tolerance.
  • Routine Risk Assessments: Conduct regular risk assessments to identify any new operational risks or changes in the risk profile. These assessments should be part of ongoing operational reviews and not just performed during major events.
  • Incident Management Systems: Implement incident management systems to track and respond to operational incidents (e.g., system failures, compliance breaches, safety incidents). These systems can help record data on incidents, track responses, and analyze root causes to prevent future occurrences.

Example:

A call center may use monitoring software to track call volume, customer complaints, and system outages in real time. If call volumes spike unexpectedly, the system can flag this as a potential risk, prompting managers to investigate the cause and adjust staffing or processes accordingly.

7. Conduct Regular Audits and Reviews

To ensure that operational risks are being managed effectively, it’s important to regularly audit risk controls and review the effectiveness of risk management processes at the operational level.

Key Actions:

  • Internal Audits: Schedule internal audits to assess whether departments are following established risk management procedures and if risk controls are functioning as intended. Audits can identify gaps in processes and recommend improvements.
  • Process Reviews: Conduct periodic process reviews to identify inefficiencies, control weaknesses, or emerging risks. Process reviews should focus on high-risk areas and evaluate the adequacy of risk mitigation strategies.
  • Feedback and Improvement: Use audit and review findings to continuously improve operational risk management practices. Departments should act on audit recommendations and adjust controls or processes where necessary.

Example:

An internal audit team may review the procurement process in a manufacturing company to assess how effectively suppliers are being vetted and whether the company is exposed to supply chain risks.

8. Adjust Risk Management Based on Changing Conditions

Operational environments are dynamic, and risks can evolve over time due to internal changes or external events. ERM at the operational level should be flexible enough to adapt to these changes.

Key Actions:

  • Continuous Improvement: Encourage a mindset of continuous improvement within operational functions. Departments should regularly assess whether existing risk controls remain effective or need to be updated based on new risks or changes in the business environment.
  • Adapt to External Changes: Be prepared to adjust operational risk management practices in response to external factors such as new regulations, market conditions, or technological advancements.
  • Scenario Planning: For key operational risks, departments can use scenario planning to anticipate potential future disruptions (e.g., supply chain disruptions, cybersecurity incidents) and develop plans to manage those risks proactively.

Example:

If a regulatory change introduces stricter compliance requirements, an operations team in the healthcare sector may need to update its patient data management processes to ensure compliance with new privacy laws.

Aligning objectives to risk management principles

Aligning objectives to risk management principles ensures that the organization’s goals are pursued with a clear understanding of the risks involved and with adequate measures to manage those risks effectively. When objectives are aligned with risk management, the organization is better positioned to achieve its goals in a sustainable way, adapting as needed to changing conditions while preserving value. To achieve this alignment, organizations can use the following principles:

1. Integrate Risk Management into Objective Setting

To align objectives with risk management, risk considerations should be embedded in the process of setting and prioritizing objectives from the beginning. This ensures that objectives are realistic and achievable within the organization’s risk appetite.

Key Actions:

  • Conduct a Risk Assessment Before Objective Setting: Assess the risks associated with each potential objective, considering both external and internal factors. Identify and prioritize objectives that align with the organization’s capacity to manage associated risks.
  • Align with Risk Appetite: Ensure that the objectives do not exceed the organization’s risk appetite and tolerance levels. If objectives fall outside of this range, they should be adjusted to balance ambition with risk.
  • Risk-Adjusted Planning: When setting objectives, consider risk scenarios and adjust plans based on potential risk impacts (e.g., alternate timelines, budget adjustments, or contingency strategies).

Example:

A bank setting an objective to expand its lending portfolio would need to assess the risk of loan defaults in different economic scenarios and adjust its target or credit criteria to stay within risk tolerance.

2. Establish Clear Ownership and Accountability

Ownership and accountability for managing risks associated with objectives should be clearly assigned to specific individuals or teams. This helps ensure that risks are continuously managed, and that responsible parties are motivated to achieve objectives while upholding risk management standards.

Key Actions:

  • Designate Objective Owners: Each objective should have a designated owner responsible for overseeing both the achievement of the objective and the associated risk management activities.
  • Embed Risk Responsibilities in Job Roles: Incorporate risk management responsibilities directly into job descriptions and performance evaluations for those accountable for key objectives.
  • Link Incentives to Risk-Adjusted Performance: Performance incentives should encourage not just achieving objectives, but achieving them within risk tolerance and with effective risk management practices.

Example:

In a product launch, the project manager could be designated as the objective owner, with specific responsibilities for managing product quality and regulatory compliance risks.

3. Develop Risk-Informed Decision-Making Processes

Risk management principles encourage decision-making that considers both opportunities and risks. By making risk-informed decisions, organizations can pursue objectives more confidently and avoid unintended consequences.

Key Actions:

  • Use Risk Assessment Tools: Apply tools like risk matrices, cost-benefit analysis, and scenario planning to evaluate potential risks and rewards associated with key decisions.
  • Prioritize Objectives Based on Risk and Value: Rank objectives not only by potential value but also by risk exposure, ensuring a balance between high-reward and low-risk objectives.
  • Encourage a Culture of Informed Risk-Taking: Promote a culture where managers and employees understand that risk is a natural part of achieving objectives and are encouraged to make informed risk choices.

Example:

When considering an objective to enter a new market, a company could use scenario planning to assess risks related to regulatory compliance, political stability, and competitive dynamics before proceeding.


4. Set Risk-Aware Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs)

Using risk-aware KPIs and KRIs helps track performance and risk exposure in a way that aligns with the organization’s objectives. KPIs measure success in achieving objectives, while KRIs monitor potential threats that could impact those objectives.

Key Actions:

  • Define KRIs Aligned with Each Objective: For each objective, establish KRIs that act as early warning signs of risks that could affect progress. For instance, customer complaints could serve as a KRI for product quality.
  • Balance KPIs with KRIs: Ensure that KPIs (focused on achievement) are balanced with KRIs (focused on risk), so objectives are pursued without overlooking risk factors.
  • Regular Monitoring and Reporting: Use dashboards or reports to continuously monitor KPIs and KRIs, allowing for timely adjustments to objectives or strategies if risks materialize.

Example:

For an objective related to improving customer satisfaction, KPIs might include customer feedback scores, while KRIs might track the volume of complaints or return rates as indicators of potential issues.

5. Maintain Flexibility and Adaptability in Objectives

Risk management principles emphasize the importance of agility in the face of changing conditions. Objectives should be adaptable to reflect changes in the organization’s risk environment, such as economic shifts, regulatory changes, or emerging threats.

Key Actions:

  • Regular Risk Reviews and Objective Reevaluation: Schedule periodic reviews of risks associated with each objective to identify and adapt to emerging risks. Update objectives as necessary based on these risk reviews.
  • Scenario Planning and Contingency Strategies: Develop contingency plans and flexible strategies for high-priority objectives to maintain progress if risks escalate.
  • Encourage Continuous Improvement: Make objective setting an iterative process that allows for adjustments based on lessons learned from risk events, near-misses, and changing conditions.

Example:

A retailer with an objective to increase in-store sales may need to pivot to online sales in response to pandemic-related risks, adapting objectives to meet the new market environment.

6. Promote a Risk-Aware Culture Across All Levels

Aligning objectives with risk management principles requires a culture where everyone understands and respects the importance of risk. A risk-aware culture ensures that employees at all levels are committed to achieving objectives in a way that is both ambitious and cautious.

Key Actions:

  • Risk Awareness Training: Provide regular training on the organization’s risk management framework, risk appetite, and how it applies to individual and team objectives.
  • Open Communication Channels for Risk Reporting: Foster open communication where employees feel comfortable reporting risks or near-misses that could affect objectives, without fear of reprisal.
  • Recognize Risk-Conscious Achievements: Encourage risk-conscious behavior by recognizing and rewarding achievements that demonstrate effective risk management alongside objective success.

Example:

A manufacturing company could hold regular safety training sessions and reward teams who meet production goals while also maintaining exemplary safety records.

7. Implement Continuous Monitoring and Feedback Mechanisms

Effective risk management requires continuous monitoring and feedback. By actively monitoring objectives and associated risks, the organization can respond quickly to emerging threats or issues that could impede success.

Key Actions:

  • Use Real-Time Monitoring Tools: Implement technology solutions that allow risk indicators related to high-priority objectives to be monitored in real time.
  • Regular Feedback Loops: Schedule frequent feedback sessions for departments to report on progress, share challenges, and discuss any risks impacting their objectives.
  • Adjust Objectives Based on Feedback: Use feedback to make real-time adjustments to objectives or resource allocation if risks evolve or if new opportunities arise.

Example:

An IT department might continuously monitor system uptime and cybersecurity incidents as part of its objective to ensure system reliability, adjusting its objectives if threats increase.

8. Evaluate and Learn from Risk Management Outcomes

Finally, evaluating risk management efforts and learning from outcomes is essential for improving the alignment between objectives and risk principles. Post-objective reviews provide insights into how well risk management supported achievement and where improvements can be made.

Key Actions:

  • Conduct Post-Objective Reviews: After completing key objectives, conduct a review of risk management performance, analyzing both successful outcomes and areas for improvement.
  • Identify Lessons Learned: Capture lessons from both positive and negative risk events and use these insights to refine future objectives and risk management approaches.
  • Integrate Feedback into Future Planning: Use feedback from past objectives to improve alignment between objectives and risk management principles in future planning cycles.

Example:

After completing a major IT project, the team could review risk management outcomes to identify any unexpected risks, then apply lessons learned to improve future project planning and risk controls.


Enterprise-wide approach for Risk management

In recent years, risk management has seen some key changes. First, specialized types of risk management have emerged, such as project, energy, finance, operational, and clinical risk management. Second, organizations are now focusing on a broader, more comprehensive approach to managing risk. This broader approach is often called enterprise or enterprise-wide risk management (ERM), which is now the most commonly used term. The main idea of ERM is to stop managing risks separately and instead take a unified, integrated approach. With ERM, organizations consider all the risks they face across all their operations. ERM focuses on managing risks that could impact an organization’s goals, important dependencies, or key processes. It covers hazard risks and control risks as well as opportunities. ERM also considers how risks are connected, which is something traditional risk management often overlooks. For example, multiple risks can affect the same activity or goal. ERM evaluates risks by looking at goals, key processes, or dependencies and considering all the risks that could impact them. Most organizations now use ERM because it provides a way to manage all risks in a coordinated way. However, specialized functions like health and safety or business continuity still play an important role.

Risk management has seen major advancements, with its role in corporate governance becoming widely integrated. What was once called “integrated” or “holistic” risk management is now commonly referred to as enterprise risk management (ERM), which applies across the entire organization. Similarly, operational risk management (ORM) has grown significantly in a short time. While the evolving nature of risk management is positive, changing how risk analysis is conducted or communicated can confuse senior leaders and reduce interest. Taking on too much risk can lead to organizational failure, but risk awareness shouldn’t stop bold strategic decisions. Instead, decisions should be made with a clear understanding of the risks involved.

Organizations should continue pursuing opportunities, even if they seem risky, as long as the risks are managed within the organization’s capacity. Boards need to be aware of the actual risks being taken. If a company is “risk aggressive,” meaning it’s willing to take on higher risks, the range of risks the board considers may be limited. This can restrict important discussions about significant risks. While being risk aggressive isn’t necessarily wrong, it requires frequent reassessment and careful management at all levels. The ideas of “risk appetite” and “the upside of risk” are useful but need more refinement to deliver clear benefits.

Key Features of Enterprise Risk Management (ERM):

  1. Covers all risk areas (financial, operational, compliance, strategic, reputational, etc.).
  2. Manages risks as an interconnected portfolio rather than separate, isolated risks.
  3. Considers risks within both internal and external contexts, systems, and stakeholder concerns.
  4. Recognizes that risks are linked, and combined, they can create different exposures than when viewed individually.
  5. Uses a structured process to manage all types of risks, whether measured by numbers or judgment.
  6. Integrates risk management into critical decisions across the organization.
  7. Helps the organization identify risks it is willing to take in pursuit of strategic goals.
  8. Creates a way to communicate risk, ensuring a shared understanding of risks and their importance.
  9. Supports internal audit by offering a structured way to provide assurance to the board.
  10. Views effective risk management as a competitive advantage that helps the organization achieve its goals.

Example: Enterprise Risk Management (ERM) in an Oil and Gas Company

1. Risk Identification:

The company identifies risks across several categories:

  • Operational Risks: Equipment failure, oil spills, worker safety, and project delays.
  • Financial Risks: Oil price volatility, exchange rate fluctuations, and funding shortfalls for major projects.
  • Compliance and Regulatory Risks: Environmental regulations, fines for emissions, and political instability in regions of operation.
  • Strategic Risks: Shifts in global energy demand (e.g., the rise of renewable energy), geopolitical risks affecting supply, and competition from other energy sources.
  • Reputational Risks: Negative media coverage due to environmental incidents, community protests, and shareholder dissatisfaction.
  • Technology Risks: Cybersecurity threats to operational systems, and data breaches.

2. Risk Assessment and Prioritization:

Once risks are identified, they are assessed based on their potential impact on key objectives and the likelihood of occurrence. For example:

  • High Impact, High Likelihood: An environmental spill could cause significant financial, operational, and reputational damage.
  • Low Impact, Low Likelihood: A minor fluctuation in a local currency may not have a strong impact on overall revenue.

Risks are plotted on a risk matrix (likelihood against impact), and those with the highest combined score are prioritized for more immediate attention.

3. Risk Response Planning:

The company develops strategies to manage these risks, using the following approaches:

  • Risk Avoidance: Deciding not to operate in politically unstable regions to avoid geopolitical risk.
  • Risk Mitigation: Implementing stricter safety protocols and investing in more advanced equipment to reduce the chance of oil spills or equipment failures.
  • Risk Transfer: Purchasing insurance for natural disasters or significant equipment failure to reduce financial impact.
  • Risk Acceptance: Accepting minor fluctuations in oil prices as part of normal market conditions and planning budgets accordingly.

4. Integration Across the Organization:

ERM is embedded across departments, ensuring each unit understands its role:

  • Operations: Works to mitigate operational risks through better safety standards and by adopting new technology to prevent equipment failure.
  • Finance: Manages financial risks through hedging strategies to stabilize the impact of fluctuating oil prices.
  • Legal and Compliance: Regularly reviews and updates the company’s compliance with environmental and safety regulations in every region of operation.
  • Risk Committees: Established at various levels to ensure regular communication and reporting of emerging risks, ensuring alignment with the company’s risk appetite.

5. Risk Monitoring and Reporting:

Risk data is continuously gathered from various departments and updated in a risk register, which forms part of the ERM system. This register:

  • Tracks all identified risks, including their status and any mitigating actions.
  • Provides visibility to senior management and the board through regular reports.
  • Links risk performance metrics to key company objectives, such as operational uptime or financial targets.

When a significant risk materializes, such as a major accident, immediate reviews are conducted to update the risk profile and revise mitigation strategies. The Board of Directors receives quarterly updates on risk exposures and mitigation strategies, ensuring strategic alignment.

6. Continuous Improvement:

ERM is dynamic, requiring regular updates to respond to:

  • New regulations, such as stricter environmental laws.
  • Changing market conditions, like the rise of renewable energy.
  • New technologies that offer better safety measures or operational efficiency.

The company conducts annual reviews of its ERM framework to ensure that it remains aligned with best practices and any emerging risks.

Definitions of ERM

ERM involves the identification and evaluation of significant risks, assignment of ownership, implementation and monitoring of actions to manage these risks within the risk appetite of the organization. The output is the provision of information to management to improve business decisions, reduce uncertainty and provide reasonable assurance regarding the achievement of the objectives of the organization. The impact of ERM is to improve efficiency and the delivery of services, improve allocation of resources (capital) to business improvement, create shareholder value and enhance risk reporting to stakeholders.

COSO defines Enterprise Risk Management (ERM) as follows: “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite and to provide reasonable assurance regarding the achievement of entity objectives.”

The Institute of Internal Auditors defines Enterprise Risk Management (ERM) as: “A rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic and financial objectives.”

HM Treasury defines Enterprise Risk Management (ERM) as: “All the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them and monitoring and reviewing progress.”

RIMS defines Enterprise Risk Management (ERM) as follows: “Enterprise risk management is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.”

A complete definition of the ERM (Enterprise Risk Management) process involves three key parts: a description of the process itself, identifying the results or outcomes of that process, and understanding the benefits or impacts of those outcomes. Many definitions focus on the ERM process by explaining the steps involved, which is a good start. However, the results of the process—such as managing risks within acceptable limits and ensuring that objectives are met—are more important. Some definitions mention these results, but to be complete, the definition should also highlight the intended impact. In short, the main outcomes of ERM are better decision-making, improved core processes (sometimes through specific projects), and smooth, efficient operations with fewer disruptions. These outcomes can be summarized as mandatory obligations fulfilled, assurance obtained, decision making enhanced and effective and efficient core processes introduced (MADE2).

FIRM Benefits

Financial
  • Reduced cost of funding and capital
  • Better control of CapEx approvals
  • Increased profitability for organization
  • Accurate financial risk reporting
  • Enhanced corporate governance

Infrastructure
  • Efficiency and competitive advantage
  • Achievement of the state of no disruption
  • Improved supplier and staff morale
  • Targeted risk and cost reduction
  • Reduced operating costs

Reputational
  • Regulators satisfied
  • Improved utilization of company brand
  • Enhanced shareholder value
  • Good reputation and publicity
  • Improved perception of organization

Marketplace
  • Commercial opportunities maximized
  • Better marketplace presence
  • Increased customer spend (and satisfaction)
  • Higher ratio of business successes
  • Lower ratio of business disasters

Taking a complete approach to enterprise risk management (ERM) offers many benefits. Each organization decides how to set up its ERM process and achieve these benefits. The main idea of ERM is to evaluate all major risks the organization faces. It’s also important to understand how these risks are connected, so the organization can calculate its total risk exposure. Once the total risk exposure is measured, it can be compared to the organization’s risk limits and the board’s risk tolerance.
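As an added illustration (not code from this page or from any company), the following Python works through the register that the oil and gas example above describes, and the comparison of total residual exposure against risk appetite mentioned here. The 1..5 scales, the matrix thresholds, the response rule, and the sample risks are all assumptions constructed for the demonstration.

```python
"""Constructed risk-register example: score inherent and residual (current)
risk, place each entry on a likelihood x impact matrix, suggest a response
(avoid / transfer / mitigate / accept), prioritize, and compare total
exposure with the risk appetite. Not code from the page or any company."""
from dataclasses import dataclass, field
from typing import List

SCALE_MIN, SCALE_MAX = 1, 5                # assumed rating scales
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 15, 8   # assumed bands on score = L * I


@dataclass
class Control:
    """A control already in place; reductions are points taken off an axis."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    category: str
    likelihood: int             # inherent likelihood (no controls), 1..5
    impact: int                 # inherent impact (no controls), 1..5
    controls: List[Control] = field(default_factory=list)
    transferable: bool = False  # e.g. insurable
    avoidable: bool = False     # e.g. the activity can be declined
    status: str = "open"

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: rating {value} outside scale")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        cut = sum(c.likelihood_reduction for c in self.controls)
        return max(SCALE_MIN, self.likelihood - cut)

    def residual_impact(self) -> int:
        cut = sum(c.impact_reduction for c in self.controls)
        return max(SCALE_MIN, self.impact - cut)

    def residual_score(self) -> int:
        return self.residual_likelihood() * self.residual_impact()


def matrix_band(score: int) -> str:
    """Map a likelihood x impact score to a band of the risk matrix."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def suggested_response(risk: Risk) -> str:
    """Assumed decision rule; a real register records the owner's choice."""
    band = matrix_band(risk.residual_score())
    if band == "high" and risk.avoidable:
        return "avoid"
    if band != "low" and risk.transferable:
        return "transfer"
    if band != "low":
        return "mitigate"
    return "accept"


def control_reduction(risk: Risk) -> int:
    """Inherent minus residual: the reduction an auditor would test."""
    return risk.inherent_score() - risk.residual_score()


def prioritize(register: List[Risk]) -> List[Risk]:
    """Open risks ordered for attention: residual score, then inherent."""
    open_risks = [r for r in register if r.status == "open"]
    return sorted(open_risks, reverse=True,
                  key=lambda r: (r.residual_score(), r.inherent_score()))


def exposure_report(register: List[Risk], appetite: int) -> dict:
    """Total residual exposure of open risks against an appetite limit."""
    total = sum(r.residual_score() for r in register if r.status == "open")
    return {"total_exposure": total, "appetite": appetite,
            "within_appetite": total <= appetite, "headroom": appetite - total}


def build_sample_register() -> List[Risk]:
    """Constructed entries modelled on the oil and gas example."""
    return [
        Risk("Major oil spill", "operational", 4, 5, controls=[
            Control("Stricter safety protocols", likelihood_reduction=2),
            Control("Spill response capability", impact_reduction=1)]),
        Risk("Operations in politically unstable region", "strategic", 3, 5,
             avoidable=True),
        Risk("Oil price volatility", "financial", 4, 3,
             controls=[Control("Hedging programme", impact_reduction=1)]),
        Risk("Cyber attack on operational systems", "technology", 3, 4,
             controls=[Control("Segmentation and monitoring", 1, 0)]),
        Risk("Equipment failure", "operational", 3, 4, transferable=True),
        Risk("Minor local currency fluctuation", "financial", 2, 1),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for risk in prioritize(register):
        print(f"{risk.name:45} inherent={risk.inherent_score():2} "
              f"residual={risk.residual_score():2} "
              f"{matrix_band(risk.residual_score()):6} "
              f"-> {suggested_response(risk)}")
    print(exposure_report(register, appetite=40))
```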

Energy and Finance

Enterprise Risk Management (ERM) in the energy and finance sectors addresses unique risks, but the core principles are similar. Here’s a simplified overview for both sectors:

ERM in the Energy Sector:

In the energy industry, risks are diverse and range from operational to environmental, regulatory, and market risks. Some key aspects of ERM include:

  • Operational Risks: Managing equipment failures, supply chain disruptions, and safety hazards. This could involve strategies to ensure the safe operation of oil rigs, power plants, and pipelines, along with contingency plans for equipment failure or accidents.
  • Environmental and Regulatory Risks: Energy companies face significant environmental risks, such as oil spills or gas leaks. Regulatory risks include changing environmental laws, carbon taxes, and renewable energy regulations. ERM helps ensure compliance and manage the impact of regulations.
  • Market Risks: Energy prices can be highly volatile due to global market conditions, supply and demand, and geopolitical events. ERM helps manage price fluctuations and financial exposure through strategies like hedging or diversified investments.
  • Strategic Risks: These include decisions around investments in new energy sources, such as renewable energy, which may require large capital expenditure and long-term planning.

ERM in the Finance Sector:

The finance sector primarily deals with risks related to market fluctuations, credit, operational failures, and regulatory compliance. Key components of ERM include:

  • Credit Risk: Managing the risk of borrowers defaulting on loans. ERM strategies help assess the creditworthiness of clients and set appropriate credit limits.
  • Market Risk: Finance firms are exposed to changes in interest rates, foreign exchange rates, and stock market movements. ERM provides tools to manage these fluctuations, such as portfolio diversification and hedging strategies.
  • Operational Risk: This includes risks from internal processes, system failures, or cybersecurity threats. ERM helps identify these risks and implement controls to minimize disruptions, such as using advanced cybersecurity measures or having backup systems in place.
  • Regulatory Risk: The finance industry is heavily regulated. ERM ensures that financial institutions comply with various laws and regulations, avoiding penalties or legal actions.
  • Liquidity Risk: Managing liquidity is critical, ensuring that a firm has enough cash or easily convertible assets to meet its short-term obligations.

Both energy and finance sectors use ERM to maintain stability, make better decisions, and enhance resilience against internal and external risks. Risk management in the energy and finance sectors has developed into a specialized field. In the finance sector, the goal of an ERM (Enterprise Risk Management) program is to increase shareholder value by:

  • Improving capital and efficiency: Providing a clear method for distributing resources wisely and taking advantage of natural risk balances and portfolio benefits.
  • Supporting financial decisions: Focusing on areas that may have big negative impacts and finding opportunities where risk can be turned into an advantage.
  • Building investor confidence: Stabilizing financial results and protecting them from disruptions, showing that risks are managed proactively.

ERM in the energy sector often relies on the treasury department and experts who specialize in managing risks related to oil prices. This type of financial risk management is well-established, with many energy companies having large teams dedicated to it. However, ERM in energy companies is still mainly focused on managing financial risks. In the finance sector, regulations are a key driver for risk management. For example, banks must comply with Basel III rules, and the insurance industry in Europe follows similar guidelines under the Solvency II Directive. These regulations require financial institutions to measure their exposure to operational risks.

Operational risk management (ORM) in financial institutions helps determine how much capital should be kept aside to handle the potential impact of identified risks. The better risks are identified and managed, the less capital is needed to cover those risks. ORM is a specific part of the broader enterprise risk management (ERM) process. The global banking crisis raised doubts about how well risk management worked in banks, especially in managing operational risks. After the crisis, media reports often claimed that: 1) risk is bad, and 2) risk management had failed. However, taking risks is necessary for organizations to succeed. It’s hard to argue against the idea that risk management failed in banks, but the real issue wasn’t with the principles of risk management. The problem was that these principles weren’t applied correctly. Many banks made two key mistakes:

  • They didn’t properly analyze the balance between risk and reward, focusing too much on potential rewards without fully considering the risks.
  • They underestimated the level of risk because they were so aggressive in taking risks that they ignored the possibility of unlikely, but serious, events.

Business continuity and resilience

Enterprise risk management (ERM) and business continuity management (BCM) are closely linked. The risk assessment done in ERM and the business impact analysis used in business continuity planning (BCP) work together. In ERM, the usual process is to look at goals and find the specific risks that might affect those goals. The business impact analysis helps identify the essential activities that must be maintained for the organization to keep running. Both ERM and business impact analysis focus on identifying the key activities and dependencies necessary for a business to thrive. However, the next steps differ between ERM and BCP. ERM deals with managing risks that could affect core processes, while BCM focuses on the actions to take to keep individual activities going. In this way, BCM specifically identifies steps to take after a risk occurs to reduce its effects, addressing the need to limit damage and control costs.

Resilience is the capacity of an organization to consistently achieve a desired state following a change in circumstances. As per ISO 22300:2021, resilience may be defined as the ability to absorb and adapt in a changing environment. Resilience in risk management refers to an organization’s ability to anticipate, prepare for, respond to, and recover from adverse events or disruptions. It emphasizes not just avoiding risks but also adapting to challenges and bouncing back stronger. Integrating organizational resilience into governance practices should ensure that the board considers the risks to critical infrastructure from natural disasters, major accidents, and deliberate harm. Recognizing the importance of resilience will guide decisions about investments, purchasing, risk management, and conversations with supply chain partners. This approach will help infrastructure owners and operators better understand how resilient their systems are, regularly evaluate how well their strategies are working, and make any needed changes to ensure they can deliver services effectively and adapt to shifting organizational goals. Here are some key aspects of resilience in risk management:

  • Proactive Planning: Organizations should identify potential risks and develop plans to mitigate them before they occur. This includes conducting risk assessments and scenario planning to understand possible threats.
  • Agility and Flexibility: Resilient organizations can quickly adapt their strategies and operations in response to unexpected challenges. This requires flexible processes, a culture of innovation, and the ability to make quick decisions.
  • Crisis Management: Effective crisis management strategies help organizations respond to and manage crises when they occur. This includes having clear communication plans, designated teams, and predefined roles during a crisis.
  • Continuous Improvement: After experiencing a disruption, organizations should analyze their responses and outcomes to learn from the event. This helps in refining risk management strategies and improving resilience for the future.
  • Stakeholder Engagement: Involving employees, customers, suppliers, and other stakeholders in risk management efforts helps build a supportive network that enhances resilience. Open communication and collaboration are essential.
  • Technology and Data Utilization: Leveraging technology and data analytics can improve risk detection and response capabilities. Real-time monitoring of risks enables organizations to make informed decisions quickly.
  • Culture of Resilience: Fostering a culture that values resilience encourages employees to be proactive and prepared. Training, awareness programs, and leadership support are vital in building this culture.
  • Resource Management: Adequate resources, including financial, human, and technological, are crucial for maintaining operations during disruptions. Organizations should ensure they have reserves and backup plans in place.

By integrating resilience into risk management, organizations can better navigate uncertainties and emerge stronger from challenges, ultimately safeguarding their long-term success.

A broad approach to risk management helps an organization create a solid plan to prevent, prepare for, reduce, respond to, and recover from disruptions. A resilient organization must focus on “preventing, protecting, and preparing” its resources and assets, while also being ready to “respond, recover, and review” during a crisis. The concept of resilience offers a chance for risk management and business continuity experts to collaborate for a more coordinated approach. To boost resilience, organizations need to:

  • Be ready to respond quickly to disruptions, learn from them, and make improvements for the future.
  • Stay aware of changes in both internal and external environments and keep resilience a priority.
  • Focus on preventing, protecting, and preparing all types of resources, including assets, networks, and intellectual property.

The ‘plan–do–check–act’ (PDCA) structure of many standards is entirely consistent with the plan, implement, measure, learn (PIML) approach to implementing a risk management initiative.

Managing emerging risks

All organizations are concerned about changes in both the external and internal environment, as these changes bring new challenges, uncertainties, and opportunities. These changes are considered emerging risks. However, it can be hard to address these risks unless the organization clearly understands what they are. Emerging risks fall into three categories:

  • New risks in a familiar context: New risks that arise in the external environment but relate to the organization’s existing strategy.
  • Known risks in a new context: Risks that the organization was already aware of but have evolved or been triggered by new circumstances.
  • New risks in a new context: Risks the organization hasn’t faced before, related to changes in its core processes.

Recent business changes have raised the level of risk for organizations, such as expanding into new markets, adopting new technologies, and building more complex supply chains. These risks are usually within the organization’s control. However, there are other emerging risks that organizations cannot control, such as:

  • Climate change
  • Government debt
  • National security issues
  • Shifting demographics.

When managing emerging risks, an organization should assess whether to treat them as hazards, controls, or opportunities. Depending on the organization’s activities, these risks may be threats or potential opportunities for growth. In some cases, they may just add uncertainty that needs to be handled. A key factor to consider is how quickly these risks can become important. Some risk management experts call this the “risk velocity,” referring to the speed at which risks develop and change.

Establishing the Risk management context

The first step in the risk management process is to establish the context, which includes three parts: the risk management context, the internal context, and the external context.

  • Risk management context: This refers to the organization’s risk management framework, which includes its structure, strategy, and processes for managing risks. The framework should do two things: 1) support the risk management process within the organization, and 2) ensure that the results of risk management are shared with both internal and external stakeholders.
  • Internal context: This is about the organization itself, including its activities, the skills and resources it has, and how it is organized. It also includes internal stakeholders and their expectations. This is essentially the organization’s strengths and weaknesses.
  • External context: This involves the environment in which the organization operates, including its business sector, external stakeholders, and financial conditions. It represents the opportunities and threats the organization faces from outside.

When setting up the context for risk management, it’s important to consider the scope and purpose of the risk management process. The key question is: what is the organization trying to achieve with its risk management efforts? The risk management context also involves determining who will be responsible for managing risks and identifying the resources needed to carry out risk management activities.

Another key part of this context is establishing the organization’s risk appetite (the level of risk it is willing to accept) or risk criteria. This helps decide what controls should be in place and whether the remaining level of risk is acceptable. The context should also allow the organization to assess its overall risk exposure and compare it with its risk appetite and capacity to handle risks. The internal context relates to the organization’s culture, the resources available, and how the results of the risk management process will influence behaviour and support risk governance. It includes the organization’s objectives, capacity, capabilities, and core business processes. An important aspect of this is how the organization makes decisions. The external context involves understanding stakeholder expectations, industry regulations, competitor behaviour, and the broader economic environment. It also considers external trends and factors that could impact the organization’s success and ability to meet its goals.

External context

The first step in the risk management process is to “establish the context.” This is a crucial part of successful risk management and an important early step when implementing any management system standard. For instance, the ISO 9001:2015 quality standard also requires organizations to consider their context during strategic planning. External context involves understanding the expectations of external stakeholders, with customers often being the most important group for many organizations. The external context is shaped by who the customers are and what products or services the organization offers them. Considering the needs of customers is a key part of the organization’s business model, which is closely tied to risk management. Once the expectations of external stakeholders are clear, the organization can look more closely at factors influencing the external environment. The FIRM risk scorecard can help structure a detailed evaluation of the organization’s context. It covers areas like reputation and marketplace (linked to the external context) and finances and infrastructure (related to the internal context).

The reputational part of the external context for an organization refers to how others view the company, how willing customers are to do business with it, and how well it retains customers. When assessing reputation, the following factors should be considered:

  • Public opinion about the industry the company is in.
  • How well the company meets corporate social responsibility (CSR) standards.
  • The level of governance standards and whether the industry is highly regulated.
  • The quality of the products or services and the standards of after-sales service.

The marketplace component of the external environment focuses on the organization’s position in the market, which affects customer spending. When evaluating this, consider:

  • Revenue generated in the market and the return on investment.
  • The presence of strong competitors or high customer expectations.
  • The level of economic stability, including risks from interest and foreign exchange rates.
  • The complexity of the supply chain and fluctuating raw material costs.
  • Risks from international disruptions, such as political risks, war, or terrorism.

The FIRM risk scorecard is one way to assess an organization’s external environment, but other methods like a SWOT analysis (which looks at strengths, weaknesses, opportunities, and threats) can also be used. The main goal of evaluating the external context is to understand the level of risk in the environment where the organization operates. This helps the organization confirm if its current business model is still appropriate and develop strategies and tactics for future success.

Internal context

When setting up the internal context of an organization, it’s important to consider the expectations of internal stakeholders. These stakeholders include the people the organization depends on most, such as employees and those providing outsourced or contracted services. After identifying their expectations and their importance to the organization’s operations and compliance, you can look more closely at the factors influencing the internal environment. The FIRM risk scorecard helps with this detailed evaluation. The financial and infrastructure parts of the scorecard relate mainly to the internal context, while reputation and marketplace focus on the external context.

The financial part of an organization’s internal context refers to how money is managed and how profits are made. When assessing this, consider:

  • Whether there are enough funds to support strategic plans.
  • If there are solid procedures for properly allocating money for investments.
  • How strong the internal financial controls are to prevent fraud.
  • Whether there are enough funds to cover past and future liabilities.

The infrastructure component also affects the internal context, as it impacts the organization’s internal processes. Infrastructure risks relate to inefficiencies or problems that may occur. When evaluating this, consider:

  • The structure of senior management and the organization’s risk culture.
  • Whether there are enough skilled people and intellectual property.
  • Whether there are enough physical assets to support operations.
  • If the IT infrastructure is strong enough to ensure resilience and protect data.
  • Whether there are business continuity plans to keep things running after a major disruption.
  • If there are reliable systems for service delivery, transportation, and communication.

The FIRM risk scorecard is one way to evaluate an organization’s internal context, but other methods, like a SWOT analysis, can also be used. Many organizations also apply the PESTLE framework, which looks at political, economic, social, technological, legal, and environmental/ethical risks. Some of these factors relate to the external environment, some to the internal, and some to both. There are many tools and checklists available to help identify the external and internal risks an organization faces. The specific method used is less important than making sure all relevant risks are identified. This helps confirm that the current business model, its resources, and its resilience are appropriate.

Risk management context

The risk management context looks at the organization’s risk architecture, strategy, and protocols (RASP). These elements define how the organization structures its risk management efforts and how they are put into action to achieve the desired outcomes from its enterprise risk management (ERM) program. It’s important that the risk management context can support the organization’s strategy and help build a risk-aware culture. A good risk-aware culture is built on leadership, involvement, learning, accountability, and communication (LILAC). The risk management context is therefore described in terms of the risk architecture, strategy and protocols (RASP) developed by the organization. The RASP of an organization defines the structure of the risk management context and how the components of that context are implemented to achieve the desired benefits from the enterprise risk management initiative.

A key part of the risk management context is the mandate given by senior management, which outlines the scope and authority for managing risks within the organization. This mandate, assigned to roles like the risk manager or head of internal audit, should be clearly defined in the organization’s risk management policy. The organization’s risk attitude and risk appetite, set by the risk criteria for different risks, help shape the risk management context and guide the risk assessment process. These assessments are recorded in a risk register, and how this information is communicated across the organization also influences the risk management context. The success of an enterprise risk management (ERM) initiative largely depends on how well it is implemented. The PIML (Plan, Implement, Measure, Learn) model is useful for guiding this implementation.

The risk management context should support the organization’s success and align with the expectations of both internal and external stakeholders. It should also be capable of identifying emerging risks, which are often unpredictable. A risk radar mechanism is needed to provide early warnings and timely reviews of emerging risks. This system should also help the organization spot future opportunities. In summary, the organization must identify important factors from the external, internal, and risk management context that could affect it. It should gather and analyze information, assess risks and opportunities, and take the right actions to manage risks and seize opportunities. All of this should be documented in the risk architecture, strategy, and protocols (RASP).

Architecture, strategy and protocols

This section explains the risk architecture, strategy, and protocols (RASP) for an organization. RASP outlines the risk management framework, which helps define the risk management context. The most important part of RASP is the risk management policy statement, which sets the organization’s overall approach to managing risk. Other parts of the risk management manual describe the roles and responsibilities related to risk management and outline the procedures to follow (protocols). The risk architecture, strategy, and protocols create a framework that supports the risk management process. This framework should include the objectives, mandate, and commitment to manage risk (strategy), the organizational structure, plans, relationships, accountabilities, and processes (architecture), and it should be integrated into the organization’s overall strategic and operational policies (protocols). In short, the RASP represents the context for risk management within the organization. The risk strategy is often presented as a brief, one-page statement outlining what the organization aims to achieve in terms of managing risk.

Risk management architecture
  • Documentation and record-keeping
  • Roles and responsibilities
  • Internal reporting requirements
  • External reporting controls
  • Risk management assurance arrangements

Risk management strategy
  • Risk management philosophy
  • Arrangements for embedding risk management
  • Risk appetite and attitude to risk
  • Benchmark tests for significance
  • Specific risk statements/policies
  • Risk assessment techniques
  • Risk priorities for the present year

Risk management protocols
  • Tools and techniques
  • Risk classification system
  • Risk assessment procedures
  • Risk control rules and procedures
  • Responding to incidents, issues and events
  • Documentation and record keeping
  • Training and communications
  • Audit procedures and protocols
  • Reporting/disclosures/certification

The risk management policy is usually part of a larger risk management manual in many organizations. Large organizations often document their risk protocols as a set of guidelines. The guidelines needed will depend on the organization’s size, type, and complexity. The types of documents that need to be maintained include:

  • Records for risk management administration,
  • Risk response and improvement plans,
  • Event reports and related recommendations,
  • Reports on risk performance and monitoring.

One key document organizations use in their risk management efforts is the risk register, which can be used for different purposes, including operational, project, and strategic planning. It’s crucial for risk management and internal audit to work closely together. Risk management focuses on assessing risks and identifying controls, while internal audit evaluates and tests the effectiveness of those controls. For a risk management program to succeed, cooperation and understanding between these two functions are essential. The RASP should explain how this cooperation will work in practice. The risk architecture outlines how risk information is communicated within the organization. The risk strategy defines the organization’s overall goals related to risk management. The risk protocols are the systems, standards, and procedures put in place to carry out the risk strategy. The risk architecture is part of the risk management framework, which in turn is part of the organization’s broader risk governance structure.

XYZ Corporation Risk Management Policy

1. Purpose

The purpose of this policy is to establish a structured approach to managing risk at XYZ Corporation. This ensures that risks are identified, assessed, managed, and monitored effectively to support our strategic goals and safeguard our assets, reputation, and stakeholders.

2. Scope

This policy applies to all employees, departments, and operations at XYZ Corporation. It covers all forms of risk that could impact our ability to achieve our objectives, including strategic, operational, financial, legal, and reputational risks.

3. Objectives

The objectives of XYZ Corporation’s risk management process are to:

  • Identify and evaluate risks that could affect our business.
  • Minimize the impact of risks by implementing appropriate controls.
  • Ensure risks are aligned with the company’s risk appetite.
  • Encourage a proactive risk-aware culture.
  • Provide a structured framework for risk management that integrates with our corporate governance and decision-making processes.

4. Risk Management Framework

XYZ Corporation adopts the RASP approach (Risk Architecture, Strategy, and Protocols):

  • Risk Architecture: Defines roles and responsibilities for managing risk throughout the organization.
  • Risk Strategy: Sets our approach to managing risk to achieve business objectives, balancing risk and reward.
  • Risk Protocols: Establishes the processes for risk identification, assessment, mitigation, reporting, and monitoring.

5. Roles and Responsibilities

  • Board of Directors: Oversees risk management efforts and ensures risks are managed within agreed risk appetite levels.
  • Risk Committee: Monitors risk exposure and ensures that risk management activities are being carried out effectively.
  • Risk Manager: Coordinates risk management activities, maintains the risk register, and reports to senior management and the Board.
  • Employees: Responsible for identifying and managing risks within their areas of responsibility.

6. Risk Appetite

XYZ Corporation will only accept risks that support its strategic objectives. Risk tolerance levels are set for different categories of risk and are regularly reviewed by the Risk Committee.

7. Risk Management Process

The risk management process involves the following steps:

  • Risk Identification: Identifying potential risks that may affect the company’s objectives.
  • Risk Assessment: Evaluating the likelihood and impact of identified risks.
  • Risk Mitigation: Developing strategies to manage or reduce risks to acceptable levels.
  • Monitoring and Reporting: Continuously monitoring risks and reporting significant changes to the Risk Committee.

8. Monitoring and Review

This policy will be reviewed annually or more frequently if needed to ensure it remains relevant and aligned with the company’s objectives.

Risk architecture

The organization’s structure for managing risk is called the risk architecture. It outlines how information about risks is communicated and reported. The risk architecture must make it clear that the person responsible for a particular risk must manage it. To make sure risk management is part of the organization’s main operations, it’s necessary to clearly state who is responsible for managing risks. For each major risk, responsibilities should be assigned for the following:

  • Developing the risk strategy and standards,
  • Implementing the agreed standards and procedures,
  • Auditing compliance with the set standards.

The risk architecture helps identify which committees are responsible for managing risk and how they interact with each other. It includes details about the purpose, membership, and responsibilities of these committees, as well as how they share risk information. The architecture also outlines which reports are received by each committee and which reports they are responsible for submitting. A key part of the risk architecture is ensuring that risk escalation procedures, like whistleblowing policies, are in place. Organizations should differentiate between static documents, like the risk management manual (which records processes and procedures), and dynamic documents, like the risk register, which tracks ongoing actions and improvements. Essentially, the risk register serves as the risk management action plan.

The risk architecture should be outlined in the organization’s risk management manual. It should also include the terms of reference for various committees and a schedule of risk management activities, which should align with other company activities. The role of the audit committee and the head of internal audit is crucial in implementing the organization’s risk management strategy. Large organizations must ensure that all disclosed information is accurate, which often leads to the formation of a disclosure committee. This committee verifies the source and accuracy of all disclosed information, especially financial data. The risk architecture outlines the committee hierarchy and responsibilities related to risk management and internal control, with the corporate risk management committee handling executive risk management tasks.

Risk management responsibilities at the divisional or unit level should be given to divisional management. They are in charge of identifying key risks, maintaining the division’s risk register, and ensuring that appropriate controls are in place. The group risk management committee should guide divisional management. If a divisional risk committee exists, it should send reports to the group risk management committee to maintain an overall view of risk priorities. Reporting structures can vary based on the organization’s risk level and complexity. In high-risk industries like finance, the risk committee may report directly to the board, often led by the finance director with senior board members involved. Generally, the risk management committee should consist of executive directors, as managing risk is an executive task, while non-executive directors focus on audit and risk assurance. Typically, the risk management committee will report to the audit committee, where non-executive directors can review risk performance and gain assurance. For organizations not operating in a high-risk environment, it may not be necessary for the risk committee to report directly to the main board. Instead, the risk committee could be a sub-committee of the executive or operations committee. The structure for managing risk should match the organization’s risk level, size, complexity, and exposure. There’s no one “correct” way to design a risk architecture. As long as the risk committee achieves its goals, the organization can decide on its membership and roles. However, it’s important to note that managing risk is an executive responsibility, while audit tasks should be overseen by non-executive directors.

Risk management strategy

An organization needs to have a clear plan for managing risks. This plan, called the risk management strategy, is outlined in the organization’s risk management policy. The strategy should reflect the organization’s overall approach to handling risks. A key part of this plan is ensuring that risk management is involved in strategy, tactics, operations, and compliance (STOC). To create the strategy, the organization must decide on its risk appetite, which balances opportunities, control measures, and risk tolerance. The risk appetite should not exceed the organization’s capacity to handle risk, and decisions must be made on how to calculate this capacity and track overall risk exposure. Managing the total risk exposure is an important part of operational risk management. The organization must decide on the risk management processes it will use and how it will design and implement its risk management efforts to meet the strategy’s goals. The strategy will also outline what the organization wants to achieve in terms of risk management, including the desired level of risk maturity and the expected contributions from risk management. In short, the strategy will ensure that risk management activities align with the organization’s broader goals and contribute effectively.

Risk management protocols

Risk management protocols are the specific guidelines, procedures, and standards an organization follows to manage risks effectively. These protocols ensure that risk management practices are consistent, organized, and aligned with the organization’s overall strategy. Risk management protocols form the backbone of a company’s ability to handle risks in a structured, consistent, and effective manner. They ensure all staff are aware of their roles and the actions required to manage risks properly. Here are the key elements typically included in risk management protocols:

  • Risk Identification Process:
    • Guidelines on how to identify potential risks that could impact the organization.
    • Tools and methods to be used (e.g., risk assessments, risk registers, brainstorming sessions, SWOT analysis).
  • Risk Assessment:
    • Procedures to assess and prioritize risks based on their likelihood and potential impact.
    • Use of risk scoring methods (e.g., qualitative or quantitative analysis).
  • Risk Response and Treatment:
    • Clear steps on how the organization will respond to identified risks.
    • Options like avoiding, transferring, mitigating, or accepting risks.
    • Procedures for developing risk treatment plans to reduce risks to an acceptable level.
  • Risk Monitoring and Reporting:
    • Guidelines for ongoing monitoring of risks to ensure that they remain within acceptable limits.
    • Protocols for updating risk registers and other documentation.
    • Regular reporting structures to ensure that senior management is kept informed about the current risk status.
  • Roles and Responsibilities:
    • Clear allocation of responsibilities to individuals or teams for risk management tasks.
    • Establishing roles for risk owners, risk managers, and committee members who monitor risks at different levels (e.g., project, departmental, organizational).
  • Communication Protocols:
    • Procedures for communicating risk-related information both internally (within departments or teams) and externally (to stakeholders or regulators).
    • Ensuring transparency and consistency in communication about risks, particularly in emergencies.
  • Internal Controls and Audit:
    • Specific internal control measures that will be implemented to prevent or reduce risks.
    • Regular audits or checks to ensure that controls are functioning correctly and risks are managed effectively.
  • Crisis and Emergency Response Plans:
    • Guidelines for responding to crises or unforeseen events, including clear steps for managing emergencies.
    • Protocols for business continuity and disaster recovery plans.
  • Risk Documentation:
    • Requirements for maintaining accurate records related to risk management activities, such as risk assessments, incident reports, risk mitigation actions, and audits.
  • Review and Improvement:
    • Procedures for regularly reviewing risk management processes and protocols to ensure they remain effective.
    • Mechanisms for updating protocols based on lessons learned or changes in the organization’s risk environment.

The risk management manual will outline who is responsible for managing risks and how the risk policy will be put into action. Risk management protocols will be provided through various procedures and guidelines. Written procedures for assessing risks related to strategy, projects, and operations must be established. The organization will also need to specify how often risk reports should be created, what information they should include, and who will be responsible for preparing them. Typically, risk management protocols should be reviewed annually to ensure they stay current. The protocols should also explain the level of record-keeping required. A wide range of risk management documents might be needed. These protocols describe the activities involved in risk management, specifying what actions need to be taken and how they should be carried out. Risk management guidelines usually indicate the standards that should be met and, in some cases, outline the controls in place, especially for procedures that must be followed. These procedures offer guidance for directors, managers, and staff within the organization.

Risk management protocols

  1. Risk assessment procedures
    • Governance procedures
    • Response to significant risks
    • Projects and CapEx approvals
    • Procedures for strategy and budgets
  2. Risk control objectives
    • Brand management guidelines
    • Health and safety at work
    • Environmental protection
    • Contract risk management
  3. Risk resourcing arrangements
    • Opportunity management
    • Project resource allocation
    • Insurance programme
    • Captive insurance company
  4. Reaction planning requirements
    • Loss and claims management
    • Disaster and recovery planning
    • Cost containment procedures
    • Risk management record keeping
  5. Risk assurance systems
    • Maintenance of risk register
    • Corporate RM committee
    • Terms of reference for audit committee
    • Control self-certification arrangements

Risk management manual

The amount of documentation an organization produces for risk management will differ based on the level of risk it faces. The documentation should match the organization’s risk level and follow risk management principles. Whatever is created needs to be organized in a way that fits the organization and aligns with its other activities. The first section of the risk management manual is the risk management policy, which outlines the organization’s risk strategy. This policy sets the intent and provides the context for risk management. It should help the organization implement risk management successfully.

The manual contains all responsibilities, procedures, protocols, and guidelines related to the risk management process and framework. It outlines how to carry out the activities specified in the risk guidelines. These guidelines might be kept in separate documents for easier updates. The manual will also include the organization’s risk management strategy and details on how performance will be monitored, reported, and communicated. Essentially, it defines the framework for risk management activities.

Various risk management protocols or guidelines will need to be created, providing instructions on how they should be interpreted and followed. These protocols act as standing instructions for risk management, often requiring record-keeping, like maintaining a risk register. The specific risk management protocols or guidelines will include:

  • Procedures for assessing risks
  • Objectives for controlling risks
  • Risk resourcing arrangements
  • Reaction planning requirements
  • Risk assurance systems

The framework, or risk architecture, for managing risks should be outlined in the risk management manual. Individual companies within the group are then expected to follow this framework and set up their own additional procedures and protocols if needed. The risk management manual should cover at least the following:

  • The board member responsible for risk management
  • How the organization talks about and understands risk
  • The process for identifying significant risks
  • The roles of the risk manager and internal auditors
  • Terms of reference for the risk management committees
  • The structure or risk architecture for managing risks

Many organizations update their risk management manual every year, even if the overall strategy stays the same. This is done to ensure that risk management activities stay aligned with best practices. Updating the manual, including the policy, also helps the organization highlight risk priorities for the year and make sure important risks get the right attention. By issuing an updated policy annually, the board remains focused on risk management, and the organization understands that managing risk is an ongoing process that requires continuous attention. A risk management manual should include these sections in simple terms:

  • Objectives for managing risks and internal controls
  • The organization’s overall approach to risk (risk strategy)
  • Overview of the control environment
  • The acceptable level and type of risk
  • The structure and setup for managing risks (risk architecture)
  • How risk information is communicated
  • Standard steps for identifying and evaluating risks (risk assessment)
  • List of documents for analyzing and reporting risks (risk protocols)
  • Requirements for managing risks and control methods
  • Who is responsible for managing different risks
  • How risks will be monitored and compared to standards
  • Resources allocated for managing risks
  • Risk priorities and goals for performance
  • A calendar of risk management activities for the upcoming year

Risk management documentation

Risk management documentation refers to the collection of records, reports, and guidelines that an organization uses to manage risks effectively. The extent of this documentation can vary depending on the organization’s size, complexity, and risk exposure. Key elements of risk management documentation typically include:

  • Risk Management Policy: Outlines the organization’s risk strategy, objectives, and approach to risk management.
  • Risk Register: A dynamic record listing identified risks, their assessments, and controls. It tracks risk status and mitigation actions.
  • Risk Assessment Procedures: Guidelines for identifying, assessing, and evaluating risks across various operations, projects, or strategies.
  • Risk Response Plans: Documents outlining actions to mitigate, transfer, avoid, or accept specific risks.
  • Internal Control Documentation: Records of procedures and controls in place to manage risks and ensure compliance.
  • Risk Performance Reports: Reports monitoring the effectiveness of risk controls and the overall risk management system.
  • Event Reports and Recommendations: Documentation of risk events, lessons learned, and any changes implemented as a result.
  • Risk Management Guidelines: Standards, systems, and processes that provide detailed instructions for managing and controlling risks.
  • Risk Committee Reports: Records from meetings detailing risk discussions, decisions, and escalation processes.
  • Audit and Review Reports: Evaluations of risk controls, testing their effectiveness, and identifying areas for improvement.
  • Training and Communication Records: Documentation of risk-related training and communication activities within the organization.

This documentation helps ensure a structured approach to risk management, enabling clear communication, proper oversight, and continuous improvement.

Creating a risk management manual, including the policy statement, is a good opportunity for an organization to outline clear procedures on various risk management topics and set risk management priorities for the upcoming year. For instance, many organizations produce annual health, safety, or environmental policies, and these should be part of the risk management documentation.

Some organizations face major risks that require regular or constant attention. This is especially true for hazard risks, where policies like health and safety, business continuity plans, and disaster recovery plans need frequent updates. Many organizations document their risk guidelines in writing, while others may take a more informal approach to embedding risk management into daily activities.

The risk guidelines often include details about the organization’s risk management structure, strategy, and protocols. They should also clarify managers’ responsibilities for internal controls. While the guidelines don’t have to list specific control standards, they should explain how decisions on risk control will be made, implemented, and monitored. Given the diversity within large organizations, risk guidelines cannot cover physical control standards for every unit, division, or department. Each part of the organization should set its own risk control standards for areas like health and safety, fire safety, security, information protection, and environmental protection.

The risk guidelines should outline how risk management will be integrated throughout the organization. Strategy, standards, and procedures must be defined within the framework of these guidelines. The format and content of the guidelines will depend on the organization and its risk exposure but should typically include information on:

  • Physical risk control goals and responsibilities
  • Financial and authorization procedures
  • Insurance arrangements
  • Managers’ control responsibilities
  • Project risk management
  • Incident reporting and investigation
  • Event response and action planning

Types of RM documentation

Risk governance:
  • Risk management policy (and priorities)
  • Specific risk statements (health and safety policy)
  • Terms of reference of the risk/audit committees
  • Risk protocols and procedures
  • Risk awareness training records

Risk response:
  • Results of risk assessments (risk register)
  • Risk control standards
  • Risk improvement recommendations
  • Risk assurance reports
  • Business continuity plans/disaster recovery plans

Event reports:
  • Loss/claim reports and recommendations
  • Legal and litigation reports
  • Enforcement action/customer complaints
  • Incident and near-miss investigations
  • Business performance reports/key performance indicators

Risk performance:
  • Control risk self-assessment (CRSA) returns
  • Audit procedures and protocols
  • Internal audit reports
  • Unit risk management reports
  • External disclosure reports

To successfully embed risk management in an organization, it’s essential to keep various records related to risk management activities, such as:

  • Risk management administration
  • Risk response and improvement plans
  • Event reports and recommendations
  • Risk performance and certification reports

Risk management becomes fully integrated when these activities align with the organization’s planning cycle. The main goal of the risk guidelines is to help managers understand the organization’s risk management framework. This understanding ensures they consider risks when making decisions. The guidelines also provide practical advice for managers on how to fulfill their risk management duties. Keeping the right records is important to show that the risk guidelines are being followed. The aim is not to make record-keeping overly complicated, but enough records must be maintained to inform decision-making, provide managers with the right guidance, and assure auditors that the necessary controls are in place. There are many advantages to managing records effectively. Good records management increases efficiency and offers several business benefits, including:

  • Reducing the time spent searching for information
  • Making it easier to share information
  • Avoiding unnecessary duplication of information
  • Clarifying how long records should be kept
  • Enhancing the legal strength of records to defend against litigation
  • Supporting risk management and business continuity

In short, records management improves control over information, saves staff time and resources, and helps protect both individuals and the organization from various risks. It also prevents over-reliance on the memories of a few people.

The main reason for conducting a risk assessment is to check if current controls are effective and to identify any additional actions needed to improve risk management. The risk register is used to record details about current controls and planned improvements. However, the risk register should not be a static document; it needs to be dynamic, serving as a risk action plan for a department or the whole organization. Along with the risk response plans, information about who is responsible for specific controls should be documented. If new controls are needed, deadlines and responsibility for their implementation must be recorded as well. For hazard and control risks, the risk register is where details about significant threats are noted. Improvement plans for managing these risks often require capital investment, which may need approval according to the organization’s expenditure rules. It is now common practice to create a risk register for projects, especially in construction and software development, as these projects involve a lot of uncertainty. The risk register should remain dynamic, tracking actions taken to reduce uncertainty and planning further actions. One criticism of risk registers is that they are only updated once or twice a year, providing a static snapshot of risks. For risk management to be effective, it must be an ongoing process that leads to meaningful changes. The risk register should drive improvements and may be better referred to as the “risk management action plan.”

Event reports and recommendations are also important for managing risk, as they document incidents, assess their impacts, and recommend improvements to prevent future issues. These records are especially important for hazard and control risks. Analyzing incidents and business operations can highlight weaknesses and suggest ways to eliminate future risks. Tracking events, particularly in projects, is crucial. Annual evaluations of risk performance also generate reports that require careful analysis, and internal audit plays a key role in this evaluation process.

Risk performance and certification reports involve reviewing and analyzing both early reports on the company’s operations and formal certified reports for stakeholders. Sometimes, these certified reports are required as formal proof of the company’s operational results, like under the Sarbanes-Oxley Act for financial reporting. This certification is often done by an external auditor and may also include evaluating the effectiveness of the company’s control measures. Management is particularly interested in risk performance, especially when the company faces a range of risks that bring the total risk exposure near its risk appetite or capacity. For example, if a company has budgeted for a certain amount of loss due to hazard risks, close monitoring is necessary to ensure that actual losses do not exceed this limit. In situations where the tolerance for hazard risk is low, it’s crucial for the organization to track losses carefully. For instance, a transport company would need to keep a close watch on vehicle accidents and breakdowns to manage risk exposure properly.

Risk register

A risk register is a tool used to document and track risks within an organization. It records important details about each risk, such as current controls in place, potential consequences, and any planned actions to further mitigate or manage the risk. The risk register serves as a dynamic document that helps guide the organization’s response to risks, making it more of an “action plan” rather than just a static list. Key elements typically included in a risk register are:

  • Description of risks: An explanation of each identified risk.
  • Current controls: Existing measures in place to manage or reduce the risk.
  • Responsibility: Identifies the person or team responsible for managing the risk.
  • Planned actions: Additional steps to improve risk control, along with deadlines for implementation.
  • Risk rating: How likely the risk is to occur and the potential impact if it does.
  • Status: Regular updates on the progress of managing each risk.

In some industries, such as construction or software development, risk registers are commonly used to manage project risks. To be effective, the risk register should be regularly updated and actively used to drive risk management efforts, rather than just reviewed once or twice a year. In this way, it helps ensure risks are continuously monitored, managed, and reduced. When a risk assessment is undertaken of strategic options, it is more usual for the risk assessment to be used as part of decision-making activities. Typically, this information will not be recorded in the format of a risk register, but will be presented to the decision maker as part of the full range of information available for making that strategic decision. The purpose of the risk register is to form an agreed record of the significant risks that have been identified. Also, the risk register will serve as a record of the control activities that are currently undertaken. It will also be a record of the additional actions that are proposed to improve the control of the particular risk. Other information about risks will also be included in the risk register.
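A small working model of such a register, added here as an example and not taken from the text, in Python: each entry carries the key elements listed above, and the register answers the questions a risk manager needs from a living action plan (which planned actions are past their deadline, which entries have not been reviewed recently, and which risks sit above tolerance with nothing planned). The 1..5 likelihood and impact scales, the likelihood x impact rating, the tolerance threshold, the 90-day review interval and the sample entries are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed reference date used by the sample register below (not real data).
TODAY = date(2024, 6, 1)


@dataclass
class Action:
    """A planned improvement to a control, with the deadline and responsibility the text calls for."""
    description: str
    owner: str
    deadline: date
    done: bool = False


@dataclass
class Risk:
    """One register entry; field names follow the key elements listed in the text."""
    risk_id: str
    description: str            # cause, source, event and impact in one statement
    owner: str                  # person or team responsible for managing the risk
    current_controls: list[str]
    likelihood: int             # 1 (rare) .. 5 (almost certain); the scale is an assumption
    impact: int                 # 1 (negligible) .. 5 (severe); the scale is an assumption
    last_reviewed: date
    status: str = "open"        # e.g. "open" or "closed"
    planned_actions: list[Action] = field(default_factory=list)

    @property
    def rating(self) -> int:
        # Likelihood x impact on a 5x5 matrix is a common qualitative scoring;
        # the text prescribes no formula, so this choice is an assumption.
        return self.likelihood * self.impact


class RiskRegister:
    """A register that behaves as an action plan rather than a static snapshot."""

    def __init__(self, tolerance: int, review_interval: timedelta) -> None:
        self.tolerance = tolerance              # rating above which a risk needs treatment
        self.review_interval = review_interval  # how long before an entry counts as stale
        self._risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")
        self._risks[risk.risk_id] = risk

    def record_review(self, risk_id: str, today: date, status: str | None = None) -> None:
        """Mark an entry as reviewed (e.g. at a project meeting) and optionally change its status."""
        risk = self._risks[risk_id]
        risk.last_reviewed = today
        if status is not None:
            risk.status = status

    def overdue_actions(self, today: date) -> list[tuple[str, Action]]:
        """Open actions whose deadline has passed: the items a risk committee should chase."""
        return [(r.risk_id, a) for r in self._risks.values()
                for a in r.planned_actions if not a.done and a.deadline < today]

    def stale_entries(self, today: date) -> list[str]:
        """Open entries not reviewed within the interval: the 'updated twice a year' problem."""
        return [r.risk_id for r in self._risks.values()
                if r.status != "closed" and today - r.last_reviewed > self.review_interval]

    def untreated_above_tolerance(self) -> list[str]:
        """Open risks rated above tolerance that have no outstanding action planned."""
        return [r.risk_id for r in self._risks.values()
                if r.status != "closed" and r.rating > self.tolerance
                and not any(not a.done for a in r.planned_actions)]


def sample_register() -> RiskRegister:
    """Constructed sample entries (not real data) relative to TODAY."""
    reg = RiskRegister(tolerance=9, review_interval=timedelta(days=90))
    reg.add(Risk("R1", "Unpatched internet-facing server leads to a data breach", "Head of IT",
                 ["monthly patch cycle"], likelihood=4, impact=5,
                 last_reviewed=TODAY - timedelta(days=30),
                 planned_actions=[Action("Deploy automated patching", "IT Ops",
                                         TODAY - timedelta(days=5))]))
    reg.add(Risk("R2", "Warehouse fire halts distribution", "Site Manager",
                 ["sprinklers", "annual fire inspection"], likelihood=2, impact=5,
                 last_reviewed=TODAY - timedelta(days=200)))
    reg.add(Risk("R3", "Supplier insolvency delays a project", "Procurement",
                 ["dual sourcing"], likelihood=2, impact=2,
                 last_reviewed=TODAY - timedelta(days=10), status="closed"))
    return reg


if __name__ == "__main__":
    reg = sample_register()
    print("overdue:", [(rid, a.description) for rid, a in reg.overdue_actions(TODAY)])
    print("stale:", reg.stale_entries(TODAY))
    print("untreated above tolerance:", reg.untreated_above_tolerance())
```

Run as a script it lists R1's overdue patching action, R2 as stale and R2 as rated above tolerance with nothing planned, which is the kind of output a quarterly board review of the register would want to see.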

Using risk registers has become a common practice for many risk managers, but there are some drawbacks. One issue is that the information in the register might not be actively used, turning it into a static record instead of an action plan. A risk register is a document that records identified risks and the risk management process. Its purpose is to assign ownership and ensure proper management of each risk. A risk register typically focuses on the major risks faced by the organization or a specific project. It records the outcomes of risk assessments related to a process, operation, business unit, or project. When assessing strategic options, the risk assessment is usually part of the decision-making process, but not always recorded in the same format as a risk register. Instead, it’s presented as part of the information needed for the decision. The goal of the risk register is to keep an agreed record of the significant risks, the current control measures, and any additional actions planned to improve the management of each risk.

A well-organized and active risk register is key to successful risk management. However, there’s a risk that the register could become a static document, merely capturing the status of risks at a certain point. This could lead senior management to think that attending a risk workshop and creating the register is enough, with no further action needed. Instead, the risk register should be treated as a living “risk action plan” that not only tracks the organization’s current risk management but also lists the essential controls in place and any additional controls required. This way, responsibilities for implementing actions are clearly defined. Some organizations use a Risk Management Information System (RMIS) to manage the data in the risk register, or they make it accessible through the company intranet to enhance understanding and communication. In certain cases, the risk register is treated as a controlled document, reviewed by internal auditors during audits of risk management processes. Regardless of its formal status, the risk register must be carefully prepared. Risks should be clearly defined, including the cause, source, event, impact, and size of any risk event. Existing controls and proposed improvements should also be precisely recorded to allow for proper auditing. This is especially important for daily operations, but risk registers are also essential for projects and strategic decisions. Project risk registers should be regularly updated and reviewed at every project meeting. For business decisions, the format of a risk register may be less formal, but it’s still important. For major decisions, the risk assessment should be attached to proposals, showing both the risks of proceeding with the strategy and the risks of not moving forward. Similarly, a risk register should accompany business plans to highlight risks that could affect success. 
The board will likely review the risk register quarterly or more often if major changes arise, ensuring it remains active and up to date, and that necessary actions are taken and reported.

Finance Department Risk Register (Oil and Gas Industry)

| Risk ID | Risk Description | Risk Category | Impact | Likelihood | Current Controls | Proposed Actions | Risk Owner | Deadline | Status |
|---|---|---|---|---|---|---|---|---|---|
| F01 | Volatility in oil prices impacting cash flow and profitability | Financial | High | Likely | – Regular monitoring of global oil prices – Hedging strategies to stabilize price fluctuations | – Increase hedging limits – Diversify revenue streams | Finance Manager | Q4 2024 | In progress |
| F02 | Foreign exchange (FX) risk due to international contracts | Market | Medium | Possible | – FX forward contracts in place – Monitoring exchange rates daily | – Explore new FX derivatives – Adjust contract terms for high volatility currencies | Treasury Head | Q3 2024 | Ongoing |
| F03 | Tax regulation changes in key operating countries | Regulatory | High | Unlikely | – Annual review of tax policies by external consultants – Compliance with international tax laws | – Conduct scenario analysis for potential tax law changes – Lobby for stable tax regulations | Tax Compliance Officer | Q1 2025 | Under review |
| F04 | Credit risk due to counterparty defaults | Credit | Medium | Possible | – Credit assessment and limits set for all counterparties – Use of trade credit insurance | – Tighten credit assessments for high-risk clients – Diversify client base | Credit Risk Analyst | Q4 2024 | Active |
| F05 | Delays in capital projects impacting financial forecasting | Operational | High | Likely | – Regular financial updates on project milestones – Contingency planning | – Improve collaboration with operations team for accurate updates – Adjust cash flow models to account for delays | Project Finance Lead | Q2 2024 | Delayed |
| F06 | Cybersecurity breach affecting financial systems | Operational | High | Possible | – Secure financial systems with firewalls, encryption, and multi-factor authentication – Regular IT audits | – Implement continuous threat monitoring – Invest in advanced cyber defenses | IT Security Officer | Q3 2024 | In progress |
| F07 | Liquidity risk due to sudden market downturns | Financial | High | Possible | – Maintain a liquidity buffer – Access to credit lines from multiple banks | – Reassess liquidity levels monthly – Strengthen relationships with lenders | CFO | Q2 2024 | Ongoing |
| F08 | Non-compliance with financial reporting standards (IFRS, GAAP) | Regulatory | Medium | Unlikely | – Regular training for finance staff on reporting standards – Use of audit firms for compliance checks | – Update internal financial policies – Conduct frequent internal audits | Financial Controller | Q1 2025 | Planned |
| F09 | Impact of geopolitical risks on asset valuation | Strategic | High | Possible | – Regularly review geopolitical updates – Conduct country risk assessments | – Increase focus on stable markets – Adjust asset valuation models for geopolitical risks | Risk Manager | Q4 2024 | Ongoing |
| F10 | Fraudulent activities affecting financial integrity | Fraud | High | Unlikely | – Strong internal controls, including separation of duties and regular audits – Whistleblower policy in place | – Implement stronger fraud detection software – Increase frequency of internal audits | Internal Audit Head | Q2 2024 | Active |

Key Points:

  • Risk ID: Unique identifier for each risk.
  • Risk Description: Brief description of the risk.
  • Risk Category: Type of risk (Financial, Market, Regulatory, Operational, etc.).
  • Impact: Assessment of how severe the risk’s effect would be (Low, Medium, High).
  • Likelihood: Probability of the risk occurring (Unlikely, Possible, Likely).
  • Current Controls: Actions or measures currently in place to manage the risk.
  • Proposed Actions: Additional steps to further mitigate or control the risk.
  • Risk Owner: Person responsible for overseeing the management of the risk.
  • Deadline: Target date for the completion of mitigation actions.
  • Status: Ongoing updates on the current state of risk management actions (In progress, Delayed, Active, etc.).
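As an added example, not part of the original register, the following Python script runs the two checks a reviewer would want before a quarterly register review: it ranks entries by an impact × likelihood score and flags open entries whose proposed-action deadline has already passed (the "static register" failure the text warns about). The 1..3 weighting of the Impact and Likelihood scales, the product scoring, the "Closed"/"Completed" status values and the pipe-separated row format are assumptions; the sample rows are constructed, abbreviated from the register above.

```python
"""Risk register checks: score-based ranking and overdue-action detection."""
import re
from dataclasses import dataclass
from datetime import date

# Ordinal scales taken from the register's Key Points. The 1..3 weights and
# the product scoring are an assumption, not something the text prescribes.
IMPACT = {"Low": 1, "Medium": 2, "High": 3}
LIKELIHOOD = {"Unlikely": 1, "Possible": 2, "Likely": 3}
# Status values that count as finished (assumed; the sample register has none).
CLOSED_STATUSES = {"Closed", "Completed"}

# Constructed sample: six rows abbreviated from the register above, one per
# line, ten pipe-separated fields in the register's column order.
SAMPLE_REGISTER = """
F01 | Volatility in oil prices impacting cash flow | Financial | High | Likely | Price monitoring; hedging | Increase hedging limits | Finance Manager | Q4 2024 | In progress
F05 | Delays in capital projects | Operational | High | Likely | Milestone updates; contingency planning | Adjust cash flow models | Project Finance Lead | Q2 2024 | Delayed
F06 | Cybersecurity breach affecting financial systems | Operational | High | Possible | Firewalls, encryption, MFA; IT audits | Continuous threat monitoring | IT Security Officer | Q3 2024 | In progress
F07 | Liquidity risk from market downturns | Financial | High | Possible | Liquidity buffer; credit lines | Reassess liquidity monthly | CFO | Q2 2024 | Ongoing
F08 | Non-compliance with reporting standards | Regulatory | Medium | Unlikely | Staff training; audit firm checks | Update internal policies | Financial Controller | Q1 2025 | Planned
F10 | Fraudulent activities | Fraud | High | Unlikely | Separation of duties; whistleblower policy | Fraud detection software | Internal Audit Head | Q2 2024 | Active
"""


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    category: str
    impact: str
    likelihood: str
    current_controls: str
    proposed_actions: str
    owner: str
    deadline: str
    status: str

    def score(self) -> int:
        """Impact x likelihood on the 1..3 scales above (1 to 9)."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    def deadline_date(self) -> date:
        """Map a quarter deadline such as 'Q4 2024' to the last day of that quarter."""
        m = re.fullmatch(r"Q([1-4])\s+(\d{4})", self.deadline)
        if not m:
            raise ValueError(f"{self.risk_id}: unrecognised deadline {self.deadline!r}")
        quarter, year = int(m.group(1)), int(m.group(2))
        month = quarter * 3
        last_day = {3: 31, 6: 30, 9: 30, 12: 31}[month]
        return date(year, month, last_day)

    def is_open(self) -> bool:
        return self.status not in CLOSED_STATUSES


def parse_register(text: str) -> list[RiskEntry]:
    """Parse pipe-separated rows, rejecting rows with the wrong field count or
    ratings outside the register's scales so bad data cannot skew the ranking."""
    entries = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 10:
            raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
        entry = RiskEntry(*fields)
        if entry.impact not in IMPACT or entry.likelihood not in LIKELIHOOD:
            raise ValueError(f"{entry.risk_id}: unknown rating {entry.impact}/{entry.likelihood}")
        entries.append(entry)
    return entries


def rank_by_score(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Highest score first; ties broken by Risk ID so the order is stable."""
    return sorted(entries, key=lambda e: (-e.score(), e.risk_id))


def overdue_actions(entries: list[RiskEntry], as_of: date) -> list[RiskEntry]:
    """Open entries whose proposed-action deadline is already past on as_of."""
    return [e for e in entries if e.is_open() and e.deadline_date() < as_of]


def register_report(text: str, as_of_iso: str) -> dict:
    """Summary for a review meeting: ranked IDs with scores, overdue IDs, and
    the owners who need chasing. as_of_iso is an ISO date such as '2024-10-01'."""
    entries = parse_register(text)
    overdue = overdue_actions(entries, date.fromisoformat(as_of_iso))
    return {
        "ranked": [(e.risk_id, e.score()) for e in rank_by_score(entries)],
        "overdue": [e.risk_id for e in overdue],
        "owners_to_chase": sorted({e.owner for e in overdue}),
    }


if __name__ == "__main__":
    report = register_report(SAMPLE_REGISTER, "2024-10-01")
    for risk_id, score in report["ranked"]:
        print("rank", risk_id, score)
    print("overdue:", ", ".join(report["overdue"]))
    print("owners to chase:", ", ".join(report["owners_to_chase"]))
```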

Risk management standards

There are several well-known risk management standards and frameworks. The first one came from Australia in 1995, and others have been developed in countries such as Canada, Japan, the UK, and the United States. Many other national standards bodies and government agencies have also created their own versions. It is important to know the difference between a risk management standard and a framework: a risk management standard describes the general method for managing risk, that is, both the process to follow and a suggested framework to support that process. Three main approaches are used in the different standards:

  1. The ‘risk management’ approach, used by ISO 31000, British Standard BS 31100, and the IRM Standard.
  2. The ‘internal control’ approach, found in the COSO Internal Control framework and the FRC risk guidance.
  3. The ‘risk-aware culture’ approach, created by the Canadian Institute of Chartered Accountants in the CoCo framework.

Several internationally recognized standards for risk management provide frameworks and guidelines for organizations to manage risks effectively. Here are some of the key ones:

1. ISO 31000:2018 – Risk Management Guidelines

  • Developed by: International Organization for Standardization (ISO)
  • Overview: ISO 31000 provides a set of guidelines for managing risk. It is applicable to any organization, regardless of size, industry, or sector. The standard emphasizes that risk management is an integral part of governance and leadership and focuses on embedding risk management into all aspects of the organization.
  • Key Features:
    • Establishing a risk management framework
    • Continuous improvement of risk management
    • Leadership and commitment from top management
    • Communication and consultation with stakeholders

2. COSO ERM – Enterprise Risk Management Framework (2017)

  • Developed by: Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  • Overview: COSO ERM is a widely used framework that helps organizations manage enterprise risks holistically, aligning risk management with the entity’s strategy and performance. It emphasizes that risk management should be embedded into decision-making processes.
  • Key Features:
    • Governance and culture
    • Strategy and objective-setting
    • Performance
    • Review and revision
    • Information, communication, and reporting

3. ISO/IEC 27005 – Risk Management in Information Security

  • Developed by: ISO/IEC
  • Overview: This standard focuses on risk management in the context of information security, forming part of the broader ISO/IEC 27000 family of standards, which deal with information security management systems (ISMS).
  • Key Features:
    • Risk assessment, including risk identification, risk analysis, and risk evaluation
    • Risk treatment
    • Communication and consultation with stakeholders about risks
    • Monitoring and reviewing the risk management process

4. AS/NZS 4360:2004 – Risk Management

  • Developed by: Standards Australia/Standards New Zealand.
  • Overview: The standard that had the widest recognition was the Australian Standard AS 4360 (2004), but this was withdrawn in 2009 in favour of ISO 31000. This standard was one of the first formal risk management standards and laid the foundation for many modern risk management practices.
  • Key Features:
    • Establishing the context for risk management
    • Risk identification, assessment, and control
    • Regular review and improvement of the risk management process

5. NIST Risk Management Framework (RMF) – (NIST SP 800-37)

  • Developed by: National Institute of Standards and Technology (NIST)
  • Overview: This is a U.S.-based framework that provides a process for integrating security, privacy, and risk management into the system development life cycle. It is heavily used in cybersecurity and information systems risk management.
  • Key Features:
    • Categorizing information systems
    • Selecting and implementing appropriate security controls
    • Continuous monitoring and improvement

6. FERMA Risk Management Standard

  • Developed by: Federation of European Risk Management Associations (FERMA)
  • Overview: The FERMA standard provides guidelines for risk management specifically tailored for European organizations. It offers a practical approach to embedding risk management across various sectors.
  • Key Features:
    • Risk assessment process
    • Risk treatment
    • Risk monitoring and reporting
    • Involvement of stakeholders and continuous communication

7. Basel III – Risk Management for Banks

  • Developed by: Basel Committee on Banking Supervision
  • Overview: Basel III is a global regulatory framework for banks that strengthens risk management, particularly in the areas of credit risk, market risk, and operational risk. It provides measures to improve the banking sector’s ability to handle financial stress.
  • Key Features:
    • Capital adequacy requirements
    • Stress testing
    • Enhanced risk reporting
    • Liquidity management

8. OCEG GRC Capability Model

  • Developed by: Open Compliance and Ethics Group (OCEG)
  • Overview: This framework focuses on governance, risk management, and compliance (GRC) practices. It helps organizations align their risk management efforts with compliance and ethical business conduct.
  • Key Features:
    • Integration of risk management with governance and compliance
    • Development of risk-aware decision-making
    • Continuous improvement and monitoring

9. CoCo (Criteria of Control) framework

  • Developed by: the Canadian Institute of Chartered Accountants (CICA) in 1995
  • Overview: It was designed to help organizations assess and improve their internal controls, with a broader focus than traditional financial controls. The CoCo framework emphasizes that control is not just about compliance and accounting but about an organization’s overall governance, management, and performance. The Canadian Criteria of Control (CoCo) framework emphasizes that an organization’s risk culture is key; if the culture is right, effective risk management will follow naturally. According to the CoCo framework, a person completes a task by understanding its goal (what needs to be achieved) and having the necessary skills, information, resources, and tools. To perform well consistently, the person must be committed to the task. They will also need to monitor their performance and their environment to learn and improve. This applies to teams and groups, too. For any organization, control comes down to clear purpose, commitment, capability, and continuous monitoring and learning.
  • Key Features:
    • Assess and strengthen control environments
    • Enhance governance practices
    • Foster continuous improvement
    • Operational performance
    • Compliance and ethical standards

Risk management context

There are many risk management standards and frameworks created by different organizations. A standard is generally understood as a document that explains both the risk management process and the framework that supports it. Many standards make a distinction between the process and the framework, but this isn’t always clear in every standard or framework.

Some of the most well-known risk management approaches are ISO 31000, BS 31100, and the COSO ERM framework. ISO 31000, BS 31100, and the IRM Standard focus more on the process of managing risks, while COSO mainly focuses on the framework itself, without making a clear distinction between the two.

The risk management process usually follows a plan–implement–measure–learn (PIML) structure, which is similar to the plan–do–check–act (PDCA) format found in many international standards. PIML is intended to be a more structured and analytical method.

Many risk management standards emphasize that risk management should be done in the context of the organization, its business environment, and the specific risks it faces. To properly understand this context and support the process, a framework is needed. ISO 31000 stresses the importance of considering the internal and external factors, as well as the specific risk management context.

All major risk management standards mention the framework, but they do so in different ways. To simplify the concept of a risk management framework, the acronym RASP (Risk, Architecture, Strategy, and Protocols) is used.

Components of the RM context

The risk management process sits at the centre of the context and is supported by three elements:

  • Risk architecture: defines roles, responsibilities, communication, and the risk-reporting structure.
  • Risk strategy: risk strategy, appetite, attitudes and philosophy are defined in the risk management policy.
  • Risk protocols: defined in the risk guidelines for the organization and include the rules and procedures, as well as the risk management methodologies, tools and techniques that should be used.

The RASP approach fits well with the idea of the risk management context or framework explained in ISO 31000. These elements—risk architecture, strategy, and protocols—are essential for effective risk management. It’s important to first understand the risk management process, then clearly define the framework that supports it. The framework helps with communication and ensures the smooth flow of risk information. It has two key roles: supporting the risk management process and making sure the results from the process are shared within the organization to bring the expected benefits. If an organization follows the structure of a Risk Management Standard, it needs to set up a framework that covers things like structure, responsibilities, administration, reporting, and communication. All these procedures would be documented in a risk management manual.

COSO ERM cube

The COSO Enterprise Risk Management (ERM) framework covers both risk management and internal controls. It was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and provides a structured approach to identifying, assessing, managing, and monitoring risks across all levels of an organization; the COSO ERM Cube is its visual representation. COSO ERM describes the framework by stating: ‘Within the context of the established mission or vision of an organization, management establishes strategic objectives, selects strategy and sets aligned objectives cascading through the enterprise.’ In other words, based on the organization’s mission or vision, management sets strategic goals, chooses a strategy, and then establishes related objectives throughout the organization. COSO views ERM as a flexible, ongoing process in which the different parts can influence each other, rather than a step-by-step sequence where one action leads to the next. In this framework there is a strong link between an organization’s goals (what it wants to achieve) and the components of risk management (what it needs to do to reach those goals); the cube consists of eight connected components, which reflect how an organization is managed and are built into the management process. The COSO ERM framework calls the control environment the “internal environment,” similar to how it is described in the CoCo framework. CoCo offers a structured way to analyze and assess the control environment, allowing organizations to identify areas for improvement. To evaluate a risk-aware culture within an organization using CoCo, the typical focus areas are:

  • Learning and development of competence
  • Purpose, vision, and mission
  • Commitment to integrity and ethical values
  • Capability, authority, and responsibilities

Structure of the COSO ERM Cube:

The cube has three dimensions, each representing a critical aspect of the ERM framework:

  1. Objectives (Top Side of the Cube): The cube highlights four categories of objectives that organizations need to focus on:
    • Strategic: High-level goals aligned with the organization’s mission.
    • Operations: Efficient and effective use of resources.
    • Reporting: Reliability of internal and external financial and non-financial reporting.
    • Compliance: Compliance with laws, regulations, and internal policies.
  2. Components (Front Side of the Cube): These are the eight components of the ERM process that provide a structured method for managing risk:
    • Internal Environment: Establishing a risk-conscious culture and philosophy.
    • Objective Setting: Ensuring risk management aligns with organizational goals.
    • Event Identification: Recognizing potential events that could impact objectives.
    • Risk Assessment: Evaluating the likelihood and impact of identified risks.
    • Risk Response: Deciding how to respond to risks (e.g., avoid, mitigate, transfer, or accept).
    • Control Activities: Implementing policies and procedures to manage risks.
    • Information and Communication: Ensuring relevant information flows within the organization to support decision-making.
    • Monitoring: Continuously reviewing the ERM framework and adjusting as necessary.
  3. Organizational Levels (Side of the Cube): This dimension reflects the idea that risk management should be integrated across all levels of the organization, including:
    • Entity Level: Company-wide risks.
    • Division Level: Risks that affect specific divisions or business units.
    • Business Unit Level: Risks relevant to specific units or functions.
    • Subsidiary Level: Risks affecting subsidiary operations.

Purpose of the COSO ERM Cube:

The COSO ERM Cube is designed to illustrate how the different components of risk management interact with organizational objectives and levels. It emphasizes that effective risk management requires an integrated approach that aligns with an organization’s overall strategy and operations. Each component of the framework works together to help an organization manage risk in a way that drives value and performance while ensuring compliance and accurate reporting.

Key Points:

  • The cube shows how risk management activities support various objectives (strategic, operational, reporting, and compliance) across all levels of an organization.
  • It emphasizes the importance of embedding risk management into an organization’s culture and decision-making processes.
  • The cube also serves as a reminder that risk management is a continuous process that requires regular monitoring and communication.

This enterprise risk management framework is geared to achieving corporate objectives, set out in four risk categories:
  • strategic: high-level goals, aligned with and supporting its mission;
  • operations: effective and efficient use of its resources;
  • reporting: reliability of reporting;
  • compliance: compliance with applicable laws and regulations.

King III corporate governance code

The King III Code on Corporate Governance, developed in South Africa in 2009, provides a framework for ethical and effective corporate governance, emphasizing leadership, sustainability, and corporate responsibility. King III is the third in a series of governance guidelines established by the King Committee on Corporate Governance and is widely recognized for its principle-based approach, which is adaptable to various organizations. Here are its key principles:

  1. Ethical Leadership and Corporate Citizenship: King III emphasizes that companies should be led ethically and responsibly, promoting integrity, fairness, transparency, and accountability. Boards and leaders are expected to serve as role models for ethical behaviour.
  2. Sustainability: King III highlights the importance of considering social, environmental, and economic factors in business strategies. It encourages a “triple bottom line” approach, where companies pursue not only financial performance but also positive social and environmental impact.
  3. Effective Governance Structures: The code advocates for well-defined roles within the board and management. It recommends a balanced board structure, including non-executive and independent directors, to ensure objectivity and effective decision-making.
  4. Risk Management: King III calls for a proactive approach to risk management, where risks are identified, assessed, and managed as part of strategic planning. The board is responsible for overseeing a sound risk management process, including internal controls.
  5. Accountability and Transparency: Organizations should provide accurate and clear information to stakeholders, ensuring transparency in financial and non-financial reporting. This includes disclosing material information on governance, strategy, and performance.
  6. Stakeholder Inclusivity: Recognizing that businesses impact various stakeholders (shareholders, employees, customers, society), King III emphasizes engaging with stakeholders and considering their interests in decision-making.
  7. Internal Audit and IT Governance: King III recommends regular internal audits to assess internal controls and ensure alignment with governance objectives. Additionally, it stresses the importance of IT governance, recognizing technology’s role in business operations and risk management.

King III uses the “apply or explain” principle, where organizations are expected to apply the code’s principles but may explain non-compliance if certain principles aren’t applied. This flexibility allows organizations to adopt governance practices suited to their specific circumstances while still promoting responsible and effective management. In the updated code, risk management is still a key focus, with more specific guidance on how it should be managed. The board is responsible for overseeing risk and disclosure, while management handles the planning, execution, and monitoring of risk management. King III outlines specific responsibilities for the board in managing risk:

  • The board ensures there are processes for clear, timely, accurate, and accessible risk disclosure to stakeholders.
  • The board oversees risk governance.
  • The board sets the organization’s risk tolerance and appetite.
  • A risk or audit committee should help the board manage risk.
  • The board assigns management the task of designing, implementing, and monitoring the risk management plan.
  • The board ensures regular risk assessments are done.
  • The board ensures that methods are in place to anticipate unexpected risks.
  • The board ensures that management takes suitable risk responses.
  • The board ensures management continuously monitors risks.
  • The board receives confirmation that the risk management process is effective.

Control Objectives for Information and Related Technology (COBIT)

The IT sector has developed several well-known standards, with Control Objectives for Information and Related Technology (COBIT) being one of the most popular. COBIT provides best practices through a structured framework of domains and processes, focusing on controls rather than specific actions. These practices, formed by experts, help optimize IT investments, ensure reliable service, and offer benchmarks for assessing issues when they arise. To ensure IT meets business needs, management should establish a control system or framework. The COBIT framework supports this by:

  • Connecting IT to business requirements
  • Organizing IT tasks into a widely accepted process model
  • Identifying key IT resources to use
  • Defining management control goals to consider

COBIT’s business-oriented approach links business and IT goals, uses metrics and maturity models to track progress, and clarifies the roles of business and IT process owners. The Control Objectives for Information and Related Technology (COBIT) is a comprehensive framework created by ISACA to help organizations effectively manage and govern their information technology (IT) systems. COBIT provides guidelines for aligning IT strategies with business goals, ensuring that IT operations support organizational objectives while managing risks and compliance requirements. Here are its key elements:

  1. Governance and Management of IT: COBIT distinguishes between governance (oversight) and management (day-to-day operations). Governance involves setting objectives, defining responsibilities, and ensuring accountability. Management is responsible for implementing IT practices and achieving set goals.
  2. Principles and Enablers: COBIT is built on principles, including stakeholder needs, end-to-end coverage, and a holistic approach. Enablers are tools and resources, such as frameworks, policies, culture, and information, that support successful IT governance and management.
  3. Processes and Domains: COBIT organizes IT governance and management activities into domains and processes:
    • Governance Domain (Evaluate, Direct, Monitor): The board’s role in setting objectives and policies.
    • Management Domains (Align, Plan, Organize; Build, Acquire, Implement; Deliver, Service, Support; Monitor, Evaluate, Assess): Processes for implementing and sustaining IT solutions.
  4. Process Capability Model: COBIT uses a capability model to assess the maturity of IT processes. This model helps organizations understand how well they meet the requirements of each process and identify areas for improvement.
  5. Goals Cascade: COBIT provides a “goals cascade” to ensure alignment between organizational goals and IT goals, helping organizations identify how IT can support business priorities and create value.
  6. Risk and Compliance Management: COBIT emphasizes managing IT risks and ensuring compliance with regulations. It supports identifying, assessing, and mitigating IT-related risks to safeguard business operations.
  7. Performance Measurement: COBIT includes performance metrics for evaluating IT processes and identifying gaps. It enables organizations to assess the effectiveness of IT operations and improve continuously.

COBIT is commonly used in industries requiring strict control over IT, such as finance and healthcare, but it is adaptable to any organization aiming to align IT with business goals, manage IT risks, and improve IT performance.

IRM Risk Management Process

The IRM Risk Management Standard was developed by the Institute of Risk Management (IRM) along with other professional bodies, and it provides practical guidance for implementing risk management in organizations. The standard is designed to help organizations identify, assess, and manage risks in a structured and consistent way. It aims to improve decision-making, enhance performance, and support the achievement of objectives while minimizing potential losses or disruptions.

Key Features of the IRM Risk Management Standard:

  1. Risk Management Process: The standard outlines a clear risk management process, which typically includes the following steps:
    • Risk Identification: Identifying potential risks that could affect the achievement of objectives.
    • Risk Assessment: Analyzing and evaluating the identified risks in terms of their likelihood and impact.
    • Risk Control: Developing strategies and actions to manage or mitigate risks (e.g., avoid, transfer, mitigate, or accept the risks).
    • Risk Monitoring and Review: Continuously monitoring risks and the effectiveness of control measures, and updating the risk management process as needed.
  2. Risk Management Framework: The IRM standard emphasizes the need for a risk management framework that supports the risk management process. The framework includes:
    • Risk Architecture: The structure of roles and responsibilities related to managing risk across the organization.
    • Risk Strategy: The approach the organization takes to manage risks, aligned with its objectives and risk appetite.
    • Risk Protocols: The procedures, tools, and reporting mechanisms that guide how risks are managed and communicated.
  3. Integration with Organizational Objectives: The standard encourages organizations to align risk management with their overall strategy and objectives. This means integrating risk management into decision-making processes at all levels of the organization.
  4. Risk Appetite and Tolerance: The standard stresses the importance of defining the organization’s risk appetite (the amount of risk the organization is willing to take) and risk tolerance (acceptable levels of risk). This helps ensure that risks are managed within acceptable boundaries.
  5. Risk-Aware Culture: The IRM standard promotes the development of a risk-aware culture within the organization. This involves ensuring that employees understand the importance of managing risk and are actively engaged in the process.
  6. Communication and Reporting: The standard highlights the importance of clear communication and reporting on risks. Regular reporting to stakeholders, including top management and the board, is essential to ensure that risks are properly understood and addressed.

Benefits of the IRM Risk Management Standard:

  • Consistency: It provides a consistent and structured approach to managing risks across the organization.
  • Better Decision-Making: By managing risks effectively, organizations can make better-informed decisions and achieve their objectives more reliably.
  • Enhanced Performance: Proactively managing risks can help improve overall performance by minimizing disruptions and maximizing opportunities.
  • Compliance and Governance: The standard helps organizations meet regulatory requirements and supports good governance practices.

ISO 31000 Standard

The ISO 31000 standard provides internationally recognized guidelines for risk management. It is designed to help organizations of any size and industry manage risks effectively, providing a framework that ensures risk management is integrated into all organizational processes and decision-making.

Key Features of ISO 31000

  1. Risk Management Principles: The standard outlines key principles that should guide an effective risk management system:
    • Creates and protects value: Risk management should contribute to the achievement of organizational objectives and add value by improving decision-making.
    • Part of decision-making: Risk management needs to be a core part of decision-making and integrated into all levels of the organization.
    • Tailored: The approach to risk management should be customized to fit the organization’s external and internal context.
    • Structured and comprehensive: A structured and methodical approach is essential to ensure that all significant risks are identified and managed effectively.
    • Inclusive: Involving stakeholders in the risk management process is crucial for ensuring that different perspectives are considered.
    • Dynamic and responsive to change: Risk management must be flexible and adaptive to evolving risks and changing circumstances.
    • Continuous improvement: Risk management processes should be continually monitored, reviewed, and improved.
  2. Risk Management Framework: The framework is designed to ensure risk management is integrated into the organization’s overall governance, strategy, and management processes. The key elements of the framework include:
    • Leadership and Commitment: Top management must demonstrate a strong commitment to risk management, ensuring that it becomes part of the organization’s culture.
    • Integration: Risk management should be embedded into the organization’s structure, strategy, processes, and operations.
    • Resources and Responsibilities: The organization must allocate the necessary resources and clearly define responsibilities for managing risk.
    • Communication and Reporting: Effective risk management requires clear communication across all levels of the organization and consistent reporting on risk status and performance.
    • Monitoring and Review: The risk management framework should be regularly reviewed and improved to ensure it remains effective.
  3. Risk Management Process: ISO 31000 outlines a structured, iterative risk management process that helps organizations systematically address risks:
    • Establish the context: Understand the external and internal environment, including stakeholders, regulatory requirements and the organization’s risk appetite, and set the criteria against which risks will be evaluated.
    • Risk Assessment: In ISO 31000 this term covers three sub-steps, not a single rating exercise:
      • Risk Identification: Find the risks that could affect the organization’s objectives.
      • Risk Analysis: Understand the nature of each risk and its likelihood and consequences for objectives.
      • Risk Evaluation: Compare the results of the analysis with the risk criteria and risk appetite to decide which risks need treatment and in what priority.
    • Risk Treatment: Decide how to respond to risks (e.g., avoid, mitigate, transfer, or accept them) and implement appropriate controls.
    • Monitoring and Review: Continuously monitor risks and the effectiveness of risk controls, and make adjustments as needed.
    • Communication and Consultation: Engage stakeholders throughout the process to ensure risks are fully understood and managed.

Benefits of ISO 31000

  • Improves Organizational Resilience: By identifying and managing risks proactively, organizations can better anticipate and respond to potential challenges, improving overall resilience.
  • Increases Stakeholder Confidence: Effective risk management builds trust with stakeholders, including employees, customers, and regulators, by demonstrating that risks are well managed.
  • Enhances Decision-Making: A structured approach to risk management helps leaders make more informed decisions, considering both risks and opportunities.
  • Aligns Risk Management with Strategy: The ISO 31000 framework ensures that risk management supports the organization’s strategic objectives, aligning with its goals and performance.
  • Universal Applicability: The standard can be applied to any organization, regardless of size, industry, or sector, making it highly flexible and adaptable.

ISO 31000 vs. Other Risk Management Standards

ISO 31000 is not prescriptive and does not provide detailed instructions on risk management techniques. Instead, it offers a broad set of guidelines that can be adapted to suit different organizational needs. Compared with COSO ERM, which grew out of an internal control framework and is oriented toward governance and internal control, ISO 31000 is a generic guideline intended to apply to any type of risk in any organization, which is why it is often used as the reference point against which other standards are compared.

Continuous Improvement

ISO 31000 emphasizes the need for continuous improvement. It encourages organizations to regularly assess their risk management framework and process, ensuring that it evolves in response to changes in the business environment, emerging risks, and the organization’s objectives.

Features of RM standards

Risk management standards highlight the need for a framework to support the risk management process, which should be systematic, effective, and efficient for managing risks across different levels of an organization. Most of these standards focus on describing the risk management framework and providing guidance on how to develop risk management activities. Standards organizations review these guidelines regularly, usually every four years, to ensure they stay current and useful.

In addition to risk management standards, there are also internal control standards. There is an ongoing effort to keep both risk management standards and corporate governance codes up-to-date and relevant. Regulators learn from corporate failures and from each other to improve these standards. There is also a growing trend to develop management standards that cover broader topics like business continuity, information security, corporate governance, and compliance management. Over the past 20 years, various standards have been published, including the Association of Project Management’s Project Risk Analysis and Management (PRAM) and the UK Office of Government Commerce’s (OGC) Management of Risk (MoR) guidance.

Standards organizations face the challenge of ensuring that risk management standards remain relevant for future organizational success. When updating the COSO ERM framework, COSO emphasized the importance of considering stakeholder expectations and the link between risk and strategy. They suggest that organizations that integrate risk management into their strategic planning can benefit by:

  • Expanding opportunities by considering both risks and potential rewards.
  • Improving performance through organization-wide risk management.
  • Reducing negative surprises and taking advantage of positive developments.
  • Decreasing performance variability by minimizing disruptions.
  • Enhancing resource use and allocation.

While there are clear benefits to using established risk management standards, organizations must adapt these standards to fit their unique needs and circumstances. Risk management will be more effective if it is customized for each organization. One emerging trend in risk management is adopting the plan–implement–measure–learn (PIML) approach, which corresponds to the plan–do–check–act (PDCA) cycle used in other management system standards.

Future of risk management

The creation of the ISO 31000 standard has been a significant step for risk management, along with stronger corporate governance codes that have raised the profile of risk practices worldwide. The effects of the global financial crisis are still relevant, sparking discussions on why risk management didn’t play a larger role in preventing it. Other trends include stricter reporting rules, especially for publicly listed companies, and the growing use of advanced risk management information systems, which bring benefits to many organizations. Even with these advances and the increasing skill level of risk managers, there’s still room to consider the future of risk management. The concept of “governance, risk, and compliance” (GRC) has brought a new structure to risk activities, along with better adoption of the “three lines of defence” model, helping organizations manage risk more effectively. However, risk professionals know that risk management must be integrated into other management activities, not just seen as part of auditing. Organizations need to fully integrate risk activities throughout, rather than isolating them or relying solely on static risk registers, which are snapshots and may not be updated regularly. Risk activities, including assessments and action plans, should be part of the everyday management data that informs the organization’s decisions.

In short, risk managers should ensure that risk practices are proportional, aligned, complete, embedded, and dynamic (PACED). But with the growing knowledge of risk management, there’s a challenge to keep it meaningful, avoiding the risk of it becoming routine and losing impact. Risk discussions should connect to strategy, budgets, and daily operations. Unlike some management trends, risk management is unlikely to fade, because regulatory requirements and the lessons of the financial crisis keep it on the agenda. Risk management, especially enterprise risk management (ERM), is here to stay, driven by governance needs and societal expectations, and has been embraced by many sectors.

Risk management doesn’t have to be complicated or resource-heavy. It can be customized to fit an organization’s needs, adapting as the organization becomes more experienced. This systematic, proactive approach focuses on identifying and controlling high-risk areas to an acceptable level, protecting the organization from major negative impacts and helping focus efforts on what’s most important to manage.

Principles of risk management

Risk management is the set of activities within an organization undertaken to deliver the most favorable outcome and reduce the volatility or variability of that outcome. ISO Guide 73 (the vocabulary on which BS 31100 also draws) defines risk management as “coordinated activities to direct and control an organization with regard to risk.” HM Treasury defines risk management as “All the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.”

Risk management has evolved and is used by many different professionals. It became more organized in the 1950s when insurance became too expensive and didn’t cover enough risks. In Europe, by the 1970s, a combined approach to risk control and financing was developed, and the idea of managing the total cost of risk became important. In the U.S., risk management in the 1950s mostly involved buying insurance. During the 1960s, companies started focusing on contingency planning. In the 1970s, businesses began using self-insurance and keeping some risks themselves. In the 1980s, risk management started to be applied more in managing projects. By the 1990s, new financial products combined insurance and derivatives, and corporate governance pushed companies to take enterprise risk management (ERM) more seriously, leading to the first chief risk officers (CROs). In the 2000s, companies, especially in the financial and energy sectors, developed internal risk management systems and hired more CROs. The Sarbanes-Oxley Act of 2002 made U.S. companies focus even more on ERM. However, the 2008 financial crisis raised questions about how much risk management can help businesses, particularly in finance. Today, risk management is a more mature field, with less focus on insurance alone, as risks related to finance, markets, and reputation are now seen as very important and often fall outside of traditional insurance coverage.
One of the most well-known areas of risk management is health and safety at work. Another important area is disaster recovery and business continuity planning. Quality management is also a well-established part of risk management, especially with systems like ISO 9000 being widely recognized. Over the years, other specialized areas of risk management have emerged, such as:

  • Project risk management
  • Clinical/medical risk management
  • Energy risk management
  • Financial risk management
  • IT risk management.

All these specialized areas of risk management have played a big role in developing risk management tools and techniques. Project risk management is especially advanced, focusing on managing uncertainty and controlling risks. Beyond project and clinical risk management, these tools have been widely used in industries like finance and energy. In finance, risk management focuses on operational, market, credit, and other financial risks, and the title “Chief Risk Officer” first emerged in that sector. In the energy sector, risk management often deals with future energy prices and exploration risks, which resemble treasury functions that use hedging and other financial strategies. Financial risk management has become highly important, and in recent years has paid particular attention to operational risk alongside the traditional credit and market risks. The finance and insurance industries are heavily regulated by global standards like Basel III and Solvency II. IT risk management is another well-established branch, focusing on data management and security; specific frameworks, such as COBIT for IT governance and management, have been developed to guide it.

8R and 4T of (hazard) risk management

Risk management follows a series of well-defined steps, which together create an effective process. Each step plays a key role in managing risks. This process is known as the 8R and 4T of hazard risk management. The main activities involved in managing risks are:

  • Recognizing risks
  • Rating the risks
  • Ranking them based on criteria
  • Responding to the most important risks
  • Allocating resources for controls
  • Planning for reactions or events
  • Reporting on risk performance
  • Reviewing the overall risk management system

Here is a simple breakdown of the 8R and 4T of hazard risk management; the eight steps are the same eight activities listed above:

  1. Recognize: Identify potential risks.
  2. Rate: Assess each risk’s likelihood and potential impact (at the inherent or the current level, as decided when planning the assessment).
  3. Rank: Prioritize the rated risks against the organization’s criteria and risk appetite.
  4. Respond: Decide how to handle the most significant risks.
    • 4Ts of Risk Response: These represent the specific strategies for handling identified risks.
      • Tolerate: Accept the risk, typically when it is within appetite or the cost of mitigation exceeds the benefits.
      • Treat: Take actions to reduce the likelihood or impact of the risk (e.g., controls).
      • Transfer: Shift the risk to another party (e.g., insurance or outsourcing).
      • Terminate: Eliminate the risk by stopping the activity that causes it.
  5. Resource controls: Allocate the budget, people and time needed to implement and maintain the chosen controls.
  6. Reaction planning: Plan how to respond and recover if a risk materializes despite the controls (e.g., business continuity and disaster recovery plans).
  7. Report: Communicate risk status, performance and the chosen responses to stakeholders.
  8. Review: Monitor and reassess risks and controls on a regular cycle, correcting issues and improving future responses, so the register does not become a static snapshot.

Risk management helps improve how an organization handles its main processes by making sure that important factors are analyzed, monitored, and reviewed. Tools and techniques in risk management assist in handling hazard, control, and opportunity risks that could affect these key areas. Organizations should regularly repeat the risk management process to avoid relying on a one-time view of the risks they face. This ensures that risk management stays active and up-to-date.
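
As an added illustration (not part of the original text or of any standard), the Python sketch below operationalizes the 8Rs and 4Ts as a small risk register: it rates each entry as likelihood × impact on assumed 1–5 ordinal scales, ranks the entries, recommends a 4T response by comparing the rating with an assumed appetite threshold and the quadrant of the likelihood/impact matrix (frequent-but-small → Treat, rare-but-severe → Transfer, both high → Terminate), flags entries whose periodic review is overdue, and produces a ranked report. The scales, thresholds, review interval and register entries are all constructed assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Ordinal scales, both 1..5. These scales, the "high" cut-off, the appetite
# threshold and the review interval are illustrative assumptions, not values
# taken from the text or from any standard.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
HIGH = 4                       # scale value at or above which a dimension counts as "high"
APPETITE = 4                   # ratings at or below this are within appetite (Tolerate)
REVIEW_INTERVAL = timedelta(days=90)
AS_OF = date(2024, 6, 1)       # reporting date used by the demo


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: str
    impact: str
    owner: str
    last_reviewed: date
    controls: list = field(default_factory=list)

    def rating(self) -> int:
        """Rate: likelihood x impact on the ordinal scales (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rank(register):
    """Rank: highest rating first; ties broken by reference so reports are stable."""
    return sorted(register, key=lambda r: (-r.rating(), r.ref))


def respond(risk):
    """Respond: choose a 4T option.

    Ratings within appetite are tolerated. Above appetite, the quadrant of the
    likelihood/impact matrix points to the response: high likelihood with low
    impact is treated with controls, low likelihood with high impact is
    transferred (insurance, contract), and high on both is terminated.
    """
    if risk.rating() <= APPETITE:
        return "Tolerate"
    high_l = LIKELIHOOD[risk.likelihood] >= HIGH
    high_i = IMPACT[risk.impact] >= HIGH
    if high_l and high_i:
        return "Terminate"
    if high_i:
        return "Transfer"
    return "Treat"


def review_overdue(register, today):
    """Review: entries not revisited within the interval; a stale register is a snapshot."""
    return [r.ref for r in register if today - r.last_reviewed > REVIEW_INTERVAL]


def report(register, today):
    """Report: one row per risk in rank order, with recommended response and review status."""
    overdue = set(review_overdue(register, today))
    return [
        {"ref": r.ref, "rating": r.rating(), "response": respond(r),
         "owner": r.owner, "review_overdue": r.ref in overdue}
        for r in rank(register)
    ]


# Constructed sample register (hypothetical entries for the demonstration).
REGISTER = [
    Risk("R1", "Single cloud region outage", "unlikely", "severe", "Platform",
         date(2024, 1, 10), ["SLA credits", "multi-AZ deployment"]),
    Risk("R2", "Phishing-led credential theft", "almost certain", "moderate", "CISO",
         date(2024, 5, 2), ["MFA", "awareness training"]),
    Risk("R3", "Datacentre flood", "rare", "severe", "Facilities",
         date(2024, 5, 20), ["insurance"]),
    Risk("R4", "Stationery price increase", "likely", "negligible", "Procurement",
         date(2024, 5, 30)),
    Risk("R5", "Unpatched legacy app exposed to the internet", "likely", "major", "IT Ops",
         date(2023, 11, 1)),
]


def demo_report():
    """Run the full 8R cycle over the sample register as of the demo date."""
    return report(REGISTER, AS_OF)


if __name__ == "__main__":
    for row in demo_report():
        print(row)
```

The quadrant heuristic is only a starting point for the Respond step: the recommended option still has to be weighed against the cost of controls and the availability of insurance or contractual transfer, and the Rate step should record whether the score is inherent or current so that the value of existing controls (such as the multi-AZ deployment on R1) is visible to auditors.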

Enterprise risk management

A newer development in risk management is called enterprise or enterprise-wide risk management (ERM). Enterprise Risk Management (‘ERM’) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. What makes ERM different from traditional risk management is its more integrated and holistic approach. It brings together the management of all types of risks rather than introducing a completely new method. When an organization looks at all the risks it faces and considers how these risks might affect its strategy, projects, and operations, it is using the ERM approach.

Risk management sophistication

An organization must be both advanced in how it views risk management and mature in how it carries it out. Initially, an organization might not be aware of its legal or contractual responsibilities. In that case, it needs to be informed about its duties regarding risk. As the organization becomes more sophisticated, it will realize the importance of complying with obligations and improving risk management. When the organization understands its responsibilities, it will need to make changes to manage hazard risks better (reform). Next, the organization will work to meet the necessary risk control standards (conform). After reaching this point, the organization may see opportunities within the risks and start to take advantage of them (perform). However, if it becomes overly focused on control, it may stop progressing (deform).

  • Unaware of obligations – INFORM
  • Awareness of non-compliance – REFORM
  • Taking action to comply – CONFORM
  • Seizing opportunities – PERFORM
  • Stalling due to over-focus – DEFORM

The terms “Inform, Reform, Conform, Perform, and Deform” in risk management describe different levels of sophistication or maturity in how organizations handle risk management. Here’s an overview of what they represent:

  1. Inform: At this stage, the organization is primarily focused on gathering and sharing information about risks. The risk management process is basic, often involving simple risk identification and reporting. The organization understands some risks but doesn’t actively manage them in an integrated way. Communication about risks may be limited to compliance or awareness purposes.
    • Situation: A tech start-up is rapidly growing and focusing on product development. However, the founders are unaware of specific legal requirements related to data privacy laws (such as GDPR or CCPA) that apply to their app, which collects user data.
    • Risk Management Action: The start-up is informed by a legal advisor or risk consultant that it needs to comply with data protection laws to avoid penalties and protect customer trust.
    • Outcome: The start-up becomes aware that not addressing these risks could lead to significant financial and reputational damage.
  2. Reform: At this level, the organization starts to improve its risk management practices. There’s an effort to address shortcomings in the current system by revising processes and introducing more structured approaches. Risk management becomes more organized and proactive, aiming to control known risks and better respond to new ones.
    • Situation: After becoming aware of the need for compliance, the start-up realizes that it is currently not meeting these privacy regulations. It has no privacy policy, security measures, or processes to handle customer data safely.
    • Risk Management Action: The start-up begins to reform its processes by introducing proper data protection policies and procedures, hiring a compliance officer, and starting to train staff on data security.
    • Outcome: The company takes the first steps toward rectifying its risk exposure and begins the journey to compliance.
  3. Conform: Here, the organization focuses on adhering to established risk management standards, regulations, and frameworks. It seeks to meet regulatory requirements and industry best practices. Compliance is key, and risk management is typically structured and formalized. However, the focus remains on following the rules rather than integrating risk management into decision-making.
    • Situation: The start-up has implemented new systems and policies to comply with data protection regulations. They ensure customer data is handled correctly, with encryption, regular audits, and privacy policy updates in place.
    • Risk Management Action: The company now regularly monitors its compliance with laws, performs internal audits, and ensures that all new product features meet regulatory standards.
    • Outcome: The start-up meets all necessary compliance requirements and avoids legal risks, fines, or penalties.
  4. Perform: At this more advanced level, the organization uses risk management as a tool for enhancing overall performance. Risk management is integrated into the business’s strategy, operations, and decision-making processes. It helps the organization manage risks effectively while also capitalizing on opportunities, driving growth, and ensuring resilience.
    • Situation: Now that the start-up has a solid risk management framework and is fully compliant, it uses its strong reputation for data security as a competitive advantage. Customers trust the start-up more than its competitors due to its high standards for privacy and security.
    • Risk Management Action: The start-up begins marketing its strong data protection measures as part of its value proposition to attract new customers, including corporate clients who prioritize security.
    • Outcome: The company’s improved risk management not only mitigates risks but also drives business growth, as it can now expand into new markets and partner with larger organizations.
  5. Deform: This stage reflects a situation where risk management practices have weakened or become dysfunctional. The risk management system may be ineffective, overly rigid, or bureaucratic, leading to poor outcomes. Risks may be ignored or mismanaged, and the organization could be vulnerable to unexpected disruptions or failures.
    • Situation: After reaching a high level of compliance and success, the start-up becomes overly focused on minimizing every possible risk. It spends excessive resources on adding layers of protection and compliance, even where they are not needed.
    • Risk Management Action: The company becomes overly risk-averse, avoiding innovation or new opportunities because of fear of potential regulatory or operational risks. This slows down product development and expansion efforts.
    • Outcome: The start-up stalls in its growth as it becomes so obsessed with managing risks that it loses agility and misses out on business opportunities.

These stages help assess how mature an organization’s risk management practices are, ranging from basic information-sharing to highly integrated risk management, or in some cases, a decline in effectiveness.

As organizations and risk management professionals become more advanced, they should recognize and appreciate the value of different methods of managing risks. The development of risk management can be summarized as follows:

  • Compliance management should be done in a unified way, even if the organization already meets high standards.
  • Hazard management specialists may notice a shift toward keeping more risks in-house (instead of relying on insurance) due to a broader approach to risk management.
  • Control management specialists should avoid stifling innovation and creativity within the organization.
  • Strategic planners need to understand that using risk management tools can lead to better decisions and help seize business opportunities.

Another way to view increasing sophistication in risk management is through the FOIL (fragmented, organized, influential, leading) model, which represents different stages of maturity.

PACED Principle of Risk Management

The main idea of risk management is to provide value to the organization. It aims to achieve the best possible results while reducing uncertainty. The principles describe what risk management should look like and what it should accomplish. A successful risk management plan should be:

  • Proportionate to the level of risk faced by the organization
  • Aligned with other business activities
  • Comprehensive, systematic, and structured
  • Embedded in the organization’s procedures
  • Dynamic, meaning it adapts to change and is repeated as needed

These principles form the acronym PACED, providing a solid foundation for effective risk management in any organization, based on the idea that risks can be identified and controlled.

Proportionate: Risk management activities must be proportionate to the level of risk faced by the organization.
Aligned: ERM activities need to be aligned with the other activities in the organization.
Comprehensive: The risk management approach must be comprehensive to be effective.
Embedded: Risk management activities need to be embedded within the organization.
Dynamic: Risk management activities must be dynamic and responsive to emerging and changing risks.

PACED describes the key features of risk management in practice, that is, how it should work. Some lists also set out what risk management should accomplish. It’s helpful to separate these into two categories:

  1. What risk management should be:
    • Proportionate, Aligned, Comprehensive, Embedded, and Dynamic (PACED)
  2. What risk management should achieve:
    • Meeting mandatory obligations
    • Assuring that significant risks are managed
    • Ensuring decisions consider risks
    • Enhancing the effectiveness and efficiency of core processes

To get the most out of risk management, these principles should guide both the planning and framework of the organization’s risk management activities. The primary goal is to determine what the organization aims to accomplish. Risk management can serve various purposes: compliance, assurance, informed decision-making, and improved efficiency in core processes (MADE2). By applying these principles, risk management reduces disruptions, minimizes uncertainty in tactics, and leads to better decision-making for strategy. A key part of risk management is improving organizational decisions. Since resources for managing risk are limited, the goal is to prioritize and respond to risks in a way that balances the organization’s capacity with the level of risk it faces. The type of response will depend on the nature, size, and complexity of the organization and its risks.

Risk management objectives

  • Mandatory – The basic objective for any risk management initiative is to ensure conformity with applicable rules, regulations and mandatory obligations.
  • Assurance – The board and audit committee of an organization will require assurance that risk management and internal control activities comply with PACED.
  • Decision making – Risk management activities should make risk-based information available at the point where strategic, tactical and operational decisions are taken, so that those decisions explicitly take risk into account.
  • Effective and efficient core processes – Risk management should improve the effectiveness and efficiency of the organization’s core processes by reducing disruption to operations, uncertainty in tactics and projects, and poor choices in strategy.

Risk management has gained more attention recently due to the global financial crisis and many high-profile corporate failures. It has also become more important because of growing stakeholder expectations and the ease of communication. Besides helping organizations make better decisions and operate more efficiently, risk management provides greater assurance to stakeholders. This assurance involves two key elements:

  1. Directors need to be confident that all risks have been identified and managed appropriately.
  2. Organizations must accurately report information, including details on risk management, to meet stakeholder expectations.

The Sarbanes–Oxley Act (SOX) in the U.S. focuses on ensuring accurate financial reporting and full disclosure of all relevant information about the organization. Although SOX only applies in certain situations, its principles are important for all risk management professionals. When implementing risk management, organizations should consider why they are doing so, based on MADE2 (mandatory, assurance, decision making, and effective core processes). These reasons, or “drivers,” can differ for each organization. For example, some companies focus on reducing accidents and damage through a loss control manager, while others aim to improve their reputation through better compliance and ethical behaviour.

Effective and efficient core processes

Insurable or hazardous risks can quickly affect operations, which is why risk management initially focused on keeping normal operations running smoothly. As risk management has evolved, it now also emphasizes improving core business processes through better project and program management. Processes must not only be efficient but also effective in delivering the required results. For example, having an efficient software program is not helpful if it doesn’t provide all the necessary functions. Strategic decisions are the most critical for an organization. Risk management helps by providing better information, allowing for more confident decision-making. The chosen strategy must be capable of delivering the desired outcomes. Many companies have failed because they chose the wrong strategy or couldn’t implement it properly. This is especially challenging when technology or customer expectations change, such as in grocery stores. A good strategy should take advantage of opportunities while considering risks to ensure success. Projects and programs are the tactics used to execute the strategy. Even if an organization has effective operations and compliance, it will still fail if the overall strategy is flawed. More businesses have failed due to poor strategy than due to inefficient operations or tactics, though compliance activities remain crucial.

Benefits of Risk Management

Organizations may see advantages in adopting risk management, but to implement it successfully, it needs to be approached as a project. The key factor is having support from senior management and, ideally, sponsorship from a board member. Additionally, a plan must be created to address the concerns of employees and other stakeholders. Although risk management is crucial for organizational success, many managers might need convincing that the proposed approach is the right one. It’s important to recognize that not all tasks and functions handled by managers should be labeled as risk management. While risk is embedded in every decision, process, and activity, not all of them are driven by risk management principles. Operations are typically affected by hazard risks, so the focus here is often on managing those hazards. To get the most out of risk management in operations, organizations should prioritize loss control, which involves preventing losses, limiting damage, and controlling costs. Projects must be delivered on time, within budget, and meet required quality standards. However, there is always uncertainty with projects. The role of risk management is to reduce these uncertainties. Managing project risks is a form of control management. When it comes to strategy, risk management helps by assessing the risks associated with different strategic options, thus contributing to better decision-making.

Principles of ERM as per COSO ERM structure:

Component 1: Governance & Culture

Risk governance sets the tone and reinforces the importance of ERM oversight. Culture is reflected in decision-making and includes ethical values and responsible business behavior. Both governance and culture are needed for effective ERM. There are five principles for this component.

  • Exercises Board Risk Oversight
  • Establishes Operating Structures
  • Defines Desired Culture
  • Demonstrates Commitment to Core Values
  • Attracts, Develops and Retains Capable Individuals

Principle 1 Exercises Board Risk Oversight – Risk governance and culture start at the top with the influence and oversight of the board. Board members must be accountable and responsible for risk oversight and possess the required skills, experience and business knowledge.

Principle 2 Establishes Operating Structures – Strategy is executed by the organization and execution of day-to-day operations to achieve business objectives. How the operating model is administered and governed can introduce new and different risks or complexities.

Principle 3: Defines Desired Culture – COSO frames desired behaviors within the context of culture, core values and attitudes toward risk. Whether an organization considers itself to be risk-averse, risk-neutral or risk-aggressive, it should have a risk-aware culture.

Principle 4: Demonstrates Commitment to Core Values – Culture and tone at the top are defined by the operating style and personal conduct of management and the board of directors, and they must be driven deep down into the organization.

Principle 5: Attracts, Develops and Retains Capable Individuals – Management must define the knowledge, skills and experience needed to execute strategy; set appropriate performance targets; attract, develop and retain appropriate personnel and strategic partners; and arrange for succession.

Component 2: Strategy & Objective-Setting

ERM, strategy and objective setting work together in the strategic planning process. Risk appetite should be aligned with strategy and business objectives to successfully implement strategy. The updated COSO framework elevates the discussion of strategy and the integration of ERM with strategy by asserting that all aspects and implications of strategy need to be considered when setting strategy. There are four principles for this component.

  • Analyses Business Context
  • Defines Risk Appetite
  • Evaluates Alternative Strategies
  • Formulates Business Objectives

Principle 6: Analyses Business Context – The updated framework considers business context and the role of internal and external stakeholders. The point is that management must consider risk from changes in the business context and adapt accordingly in executing strategy.

Principle 7: Defines Risk Appetite – The organization defines risk appetite in the context of creating, preserving and realizing value. The risk appetite statement is considered during strategy setting, communicated by management, embraced by the board and integrated across the organization.

Principle 8: Evaluates Alternative Strategies – Alternative strategies are built on different assumptions, and those assumptions may be sensitive to change. The organization evaluates strategic options and sets its strategy to enhance value, considering the risk resulting from the strategy chosen.

Principle 9: Formulates Business Objectives – Management establishes objectives that align with and support the strategy at various levels of the business. These objectives should consider, and be aligned with, risk appetite.

Component 3: Performance

Risks that could impact the achievement of strategy and objectives should be identified and assessed. These risks must be prioritized in terms of severity in the context of risk appetite. Risk responses should be selected to form a portfolio view of risk. There are five principles for this component.

  • Identifies Risk
  • Assesses Severity of Risk
  • Prioritizes Risk
  • Implements Risk Responses
  • Develops a Portfolio View

Principle 10: Identifies Risk – The organization identifies new and emerging risks, as well as changes to known risks to the execution of its strategy. The risk identification process should consider risks arising from a change in business context and risks currently existing but not yet known.

Principle 11: Assesses Severity of Risk – Depending on the anticipated severity of the risk, COSO suggests the use of qualitative and quantitative approaches in assessment processes. Scenario analysis may be appropriate in assessing risks that could have an extreme impact.

Principle 12: Prioritizes Risk – The organization prioritizes risks as a basis for selecting risk responses using appropriate criteria. Risk criteria might include adaptability, complexity, velocity, persistence and recovery, as well as acceptable variation in performance.

Principle 13: Implements Risk Responses – Risk responses may accept, avoid, exploit, reduce and share risk. In selecting risk responses, management considers such factors as the business context, costs and benefits, severity of the risk, and the appetite for risk.

Principle 14: Develops Portfolio View – Portfolio view is a composite view of the risks the organization faces relative to business objectives, which allows management and the board to consider the nature, likelihood, relative size and interdependencies of risks, and how they may affect performance.

Component 4: Review & Revision

The fourth component focuses on monitoring risk management performance. Effective monitoring provides insight into the relationship between risk and performance, how strategic risks are affecting performance, and emerging risks. There are three principles for this component.

  • Assesses Substantial Change
  • Reviews Risk and Performance
  • Pursues Improvement in the ERM

Principle 15: Assesses Substantial Change – Change can create significant competitor performance gaps or invalidate critical assumptions underlying strategy. Monitoring substantial change is built into business processes in the ordinary course of running the business.

Principle 16: Reviews Risk and Performance – Risk responses must be evaluated to ensure they are performing as intended. The task of assessing risk responses is typically owned by those accountable for the effective management of identified risks and by assurance providers.

Principle 17: Pursues Improvement in ERM – ERM should be improved continuously over time. Even mature ERM processes can become more efficient and effective in increasing the value they contribute. Embedding continuous evaluation can systematically identify improvements.

Component 5: Information, Communication & Reporting

ERM requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization. This final component recognizes that the information used for decision-making must reach key stakeholders and provide them with insight. There are three principles for this component.

  • Leverages Information Systems
  • Communicates Risk Information
  • Reports on Risk, Culture and Performance

Principle 18: Leverages Information and Technology – Information systems provide the organization with the data and information to support ERM. Factors influencing technology selection include the strategy, marketplace needs, competitive requirements, and the associated costs and benefits.

Principle 19: Communicates Risk Information – The organization reports on risk at multiple levels across the organization. Organizations use different channels to communicate risk data and information to internal and external stakeholders.

Principle 20: Reports on Risk, Culture and Performance – Risk reporting encompasses information required to support decision-making and enable the board and others to fulfill their risk oversight responsibilities. There are many different types of reports on risk, culture and performance.

Principles as per ISO 31000:2018

The principles are:
a) Integrated: Risk management is an integral part of all organizational activities.
b) Structured and comprehensive: A structured and comprehensive approach to risk management contributes to consistent and comparable results.
c) Customized: The risk management framework and process are customized and proportionate to the organization’s external and internal context related to its objectives.
d) Inclusive: Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.
e) Dynamic: Risks can emerge, change or disappear as an organization’s external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
f) Best available information: The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
g) Human and cultural factors: Human behaviour and culture significantly influence all aspects of risk management at each level and stage.
h) Continual improvement: Risk management is continually improved through learning and experience.

Principles of ISO 31000

Elaborating further:

1. Integrated

  • An organization should integrate its risk management efforts into all parts and activities of the organization.
  • Risk management is not separated from the main activities and processes of the organization as it is a part of decision-making in every department.
  • Risk management is embedded into the organization’s processes and is a part of management’s responsibilities.

2. Structured and Comprehensive

  • Creating and following a comprehensive, structured risk management approach leads to the most consistent, desirable risk management outcomes.
  • Systematically approaching risk management contributes to efficiency and consistent results within the organization, as well as comprehension for everyone involved.
  • Risk management is structured with guidelines and procedures to follow to maintain productivity and efficacy.

3. Customized

  • An organization’s risk management approach should be customized to its own needs, including the organization’s objectives and the external and internal context in which the organization operates.
  • Risk management processes are not one-size-fits-all and must be tailored to the organization’s external and internal context to reach objectives.
  • When the context is established in both internal and external environments, objectives can be captured and risk management can be customized to the unique organization.

4. Inclusive

  • To be most effective, risk management should involve all stakeholders in appropriate and timely ways. This allows the different knowledge sets, views, and perceptions of all stakeholders to be considered and implemented into risk management efforts.
  • The involvement of stakeholders allows their knowledge and views to be considered, guaranteeing that risk management is relevant and up to date.
  • Risk management is transparent; it is easy to understand and doesn’t include confusing jargon, allowing stakeholders to be included in the framework.

5. Dynamic

  • As the organization changes, including its external and internal context, the organization’s risk management program and efforts should change, too. Change is inevitable and successful organizations know how to work with change. A risk management program should help the organization anticipate, identify, acknowledge, and respond to changes in an appropriate and timely way.
  • Context and knowledge within an organization change constantly and should be acknowledged as they do.
  • Risk management must respond to change continually and promptly to maintain efficiency and results.
  • Risks emerge, change, and disappear as internal and external events occur, so risk management must be anticipatory.

6. Best Available Information

  • An organization will never have all of the information needed, but action must be taken when an organization has the best available data.
  • Historical and current information, as well as the limitations of these, must be taken into account.
  • All known information should be available to stakeholders.
  • Effective risk management is done by considering information from the past and present as well as anticipating the future. Therefore, the information from the past and present must be as reliable as possible, and risk managers must consider the limitations and uncertainties with that past and present information. All relevant stakeholders should receive necessary information in a timely and clear manner.

7. Human and Cultural Factors

  • Risk management is influenced significantly by human behavior and culture.
  • Risk management must recognize the organization’s capabilities, as well as the goals of the people within and around it, because these can either advance or inhibit the goals of the business.
  • Risk management is a human activity and it takes place within one or more cultures (organizational culture, etc.). Risk managers must be aware of the human and cultural factors that the risk management effort takes place in and know the influence that human and cultural factors will place on the risk management effort.

8. Continual Improvement

  • Improving continually through experience ensures the organization’s resiliency.
  • PDCA is a risk management process: plan, do, check, adjust. This is a cycle that keeps the organization continually improving while factors change over time.
  • Appropriately adapting to results in risk management allows the organization to grow exponentially in every aspect, and continue to do so.
  • Through experience and learning, risk managers must strive to continually improve an organization’s risk management efforts.

Types of risks

Managing risks in a clear and organized way brings benefits. By actively addressing risks, organizations can improve in these four areas:

  1. Strategy: They can make better decisions by fully analyzing the risks of different strategic options.
  2. Tactics: They can choose better methods by considering the risks of alternative approaches.
  3. Operations: They can identify potential disruptions early, take steps to reduce the chances of these events happening, and limit the damage if they do occur.
  4. Compliance: By recognizing the risks of noncompliance, they will be better prepared to meet legal and customer requirements.

Organizations can no longer afford to be caught off guard by unexpected events that cause financial loss, disrupt operations, harm their reputation, or reduce their market presence. Stakeholders now expect companies to fully consider risks that could disrupt their activities, delay projects, or prevent them from achieving their goals. The exposure from a specific risk can be understood by looking at how likely the risk is to happen and what the impact will be if it does. As the risk exposure increases, the potential impact gets bigger too. This combination of likelihood and impact is called the “level of risk.” This level of risk should be compared to the organization’s attitude and appetite for risks of that kind. Risk appetite is sometimes explained as a set of guidelines for acceptable risk levels. The word “magnitude” refers to how big an event is or could be. The word “impact” describes how that event affects the organization’s finances, operations, reputation, and market position (FIRM). This definition of “impact” is also used in business continuity planning to measure risk at the current level. The term “consequences” refers to how much the event causes failure in achieving the organization’s strategy, tactics, operations, and compliance (STOC) goals.

Risk appetite refers to the amount and type of risk an organization is willing to take to achieve its objectives. It’s the boundary within which risks are considered acceptable or manageable. For example, a company may have a higher risk appetite for innovative projects with potential high rewards, but a lower appetite for risks related to safety or regulatory compliance. It acts as a guide for decision-making, helping leaders know which risks are worth taking and which ones should be avoided. Risk attitude is the organization’s overall mindset or approach toward taking risks. It reflects the company’s values, culture, and comfort level with uncertainty. Some organizations may be more risk-averse (preferring to avoid risk as much as possible), while others may be more risk-seeking (more comfortable with taking risks to pursue bigger opportunities). Risk attitude shapes how the organization interprets and responds to risk in practice, influencing whether it takes a cautious or bold approach to decision-making. Risk appetite provides clear guidelines or limits on how much risk is acceptable when pursuing goals. It’s formally defined in ERM processes and is used to assess whether current risks align with the organization’s capacity and willingness to take them. Risk attitude is broader, capturing the culture and philosophy toward risk, influencing how risk appetite is set and decisions are made when facing uncertainty. Together, these concepts help an organization align its strategy with its risk management approach, ensuring risks are managed in a way that supports long-term objectives without taking on unnecessary dangers.

Impact of hazard risks

Hazard risks threaten a company’s goals, and the impact of these risks shows how serious they are. Managing hazard risks is one of the oldest forms of risk management, closely tied to managing insurable risks. Hazard risks always have negative effects and include things like workplace safety, fire prevention, property damage, and product defects. These risks can disrupt operations, increase costs, and lead to bad publicity. Hazard risks also involve key business dependencies, such as IT systems. Most organizations rely heavily on IT, which can be disrupted by equipment failure, fires, viruses, hacking, or cyberattacks. Theft and fraud are also significant hazard risks, especially for companies handling cash or a large number of transactions. Preventing these risks involves security measures, separating financial duties, and screening staff before hiring. If a hazard risk occurs, like a fire in a major warehouse, it could be a large event (magnitude) with potential financial loss, destruction of property, damage to reputation, and disruption of business. However, controls in place (like insurance, safety measures, and crisis management) reduce the impact of the event. The “impact” refers to how much damage remains after these controls work. The consequences of such an event, like the fire, affect the organization’s strategy, operations, and compliance activities. While the financial loss may be covered by insurance, good crisis management can ensure customers are hardly aware the fire happened. Lastly, compliance risks are important, especially in highly regulated industries. Failure to meet regulatory requirements can hurt a company’s reputation and disrupt business operations. Compliance can be essential for continuing to operate.

Most definitions of risk focus on risks connected to corporate objectives, but risks can also affect the key dependencies that support an organization’s core processes. Corporate objectives and stakeholder expectations shape these core processes, which are essential for the business model and its future growth. Core processes include operations, tactics, corporate strategy, and compliance. This shows that risks can impact other parts of an organization beyond just corporate objectives.

Risk Identification Beyond Corporate Objectives

Significant risks can be identified by looking at key dependencies, corporate objectives, and stakeholder expectations, or by analyzing core processes. For example, LG faced major problems because its supply chain—something it relied on—failed. Risks can be assessed from various perspectives, like asking, “What do stakeholders expect?” and “What risks could prevent us from meeting those expectations?” During the financial crisis, banks identified risks related to their operational and strategic objectives, but risk management failed to prevent the crisis because it focused too much on achieving high-risk goals without fully considering other factors. Risks tend to increase in times of change, so linking risks to change objectives makes sense. However, simply analyzing objectives may not be enough to identify all risks. Corporate objectives often operate at too high a level to pinpoint risks effectively. Objectives should outline the organization’s short-, medium-, and long-term goals in detail. Change objectives, like internal annual goals, may not capture all the operational, competitive, or strategic needs. One drawback of focusing only on objectives is that risks might be considered without understanding the context that created them, leading to incomplete analysis. A better approach might be to consider risks concerning key dependencies.

Many organizations still use corporate objectives to identify risks, as this method offers some benefits. It helps analyze risks related to both positive and negative events. If risks are attached to objectives, these objectives must be well-defined and supported by solid assumptions. Core processes, which drive an organization, can also have risks attached to them. For example, in a sports club, the core process might be “delivering successful results on the field.” Risks can be linked to this process, as well as to objectives and key dependencies. Core processes can be classified into four types: strategic, tactical, operational, and compliance (STOC). Effective risk management improves the efficiency of these processes. Although it’s standard to attach risks to corporate objectives, risks can also be linked to other parts of the organization, like key dependencies and stakeholder expectations. Identifying risks through key dependencies is becoming more common and can be done by assessing the organization’s strengths, weaknesses, opportunities, and threats (SWOT). Once key dependencies are identified, the risks that impact them can be evaluated.

Rewards

Another aspect of risk and risk management is that many organizations take risks to achieve a reward. There is a connection between the level of risk and the expected reward. For example, a company might launch a new product because it believes it can make a profit from it. By doing so, the company puts resources at risk, accepting a certain amount of risk to pursue the potential reward. The value of what’s at risk reflects the company’s risk appetite for that activity. When taking such a risk, the organization should fully understand its risk exposure, ensure it’s within the company’s risk tolerance, and confirm that it has enough resources to handle any negative outcomes. This means the risk must be measured, the company must be willing to take that risk, and it must be sure it can survive any potential losses.

Not all business activities provide the same return for the same level of risk. Start-ups, for example, are typically high-risk with lower initial returns. As the business grows, it usually moves into a phase where returns increase without adding more risk. As the business or product matures, the rewards may remain high, but the risks should decrease. Eventually, in a fully mature market, the business may enter a stage of low risk and low return, often leading to decline.

Managers must identify the specific risks their organization faces and apply appropriate risk management strategies. This risk-reward relationship mostly applies to opportunity risks. In the case of hazard risks, the reward for better risk management is fewer disruptions. For project risks, the benefit is that projects are more likely to be completed on time, on budget, and according to plan. With opportunity risks, better risk management can lead to fewer failed new products and higher profits, or at least lower losses from new ventures. Ultimately, the reward for taking risks is either profit or improved service.

Risk Attitude

Different organizations have different views on risk. Some may avoid risk, while others are more willing to take risks. An organization’s attitude toward risk depends on factors like the industry it operates in, the market conditions, and the opinions of its board members. Risks must be seen in the context they arise from. Sometimes, a company may seem risk-seeking, but the board may just see a big opportunity that they don’t want to miss, even if the risks involved haven’t been fully considered. One of the key roles of risk management is to ensure that risky strategic decisions are made with all the necessary information. This leads to better decision-making, which is a major benefit of good risk management. The attitude toward risk is complex and closely related to an organization’s risk appetite, though they are not the same. Risk attitude reflects the long-term view on risk, while risk appetite shows the short-term willingness to take risks. This is like the difference between someone’s general approach to food and their hunger at a specific time. Other factors, like the organization’s stage in its growth cycle, also affect its risk attitude. Start-ups may need to take more risks compared to growing or mature businesses. Companies in mature markets or facing decline tend to be more risk-averse. This is why some successful entrepreneurs excel at starting businesses but may struggle with managing mature companies. Different stages in a business’s life require different attitudes toward risk.

Risk Triggers and Bow-tie Diagram

Risk is sometimes described as the uncertainty of outcomes. While this is a technical definition, it is helpful, especially when talking about managing control risks. Control risks are hard to identify and describe, but they are often linked to projects. The goal of a project is to achieve the desired results on time, within budget, and up to the required quality or performance standards. For example, when building a structure, the ground conditions might not be fully known at the start. As work progresses, more details about the ground will become clear. This new information could be good news, like discovering that the ground is stronger than expected, requiring less foundation work. On the other hand, there could be bad news, such as finding that the ground is weaker, or contaminated, or that there are archaeological remains.

Since these conditions are uncertain, they should be considered control risks, and the project management should account for this uncertainty. It would be unrealistic for the project manager to assume only bad ground conditions, just as it would be unwise to assume everything will go better than expected. Control risks bring uncertainty, and organizations may be more concerned with managing the variability in outcomes than the risks themselves. Some level of deviation from the plan can be acceptable, but it shouldn’t be too extreme.

This idea of “tolerance” is similar to the manufacturing of engineering components, where parts must meet specific size requirements within certain limits. New tools, like the bow-tie method, have been developed to make the risk management process easier for managers and others involved in risk-related activities.

The left side of the bow-tie diagram shows where a particular risk comes from, based on how the organization classifies risks. These sources of risk are grouped into four main types: strategic, tactical, operational, and compliance (STOC). On the right side of the diagram, it shows the possible impacts if the risk happens, using four main impact areas: financial, infrastructure, reputational, and marketplace (FIRM). In the middle of the diagram is the risk event itself, which can disrupt the organization in different ways, such as affecting people, premises, processes, or products. The bow-tie diagram helps illustrate how the organization classifies risks and what the possible consequences could be if a risk occurs. It also shows how controls can be used to prevent the event from happening (represented by lines on the left side) and how recovery measures can help after an event (shown on the right side). This bow-tie approach can also be used to represent opportunities, not just hazards.

Risk Classification

Risks can be categorized in many ways. Hazard risks, for example, can be broken down into risks to property, risks to people, and risks that threaten business continuity. There are also formal risk classification systems. One useful way to classify risks, though not formal, is by the timeframe of their impact. This method divides risks into long-term, medium-term, and short-term, which helps analyze how much exposure the organization faces. Long-term risks are connected to strategic decisions and typically affect the organization several years after an event happens or a decision is made, possibly up to five years. For instance, when launching a new product, it might take time to see whether it’s successful, so this is a long-term risk. Medium-term risks usually take about a year to show their impact and are often linked to projects or work programs. For example, deciding which software to install is a long-term decision, but the actual project of installing it involves medium-term risks. Short-term risks happen right after an event, like accidents, fires, or thefts. These risks have immediate effects on operations and are often easier to identify and manage. Insurable risks, like these short-term risks, have known impacts but unpredictable timing. Insurance covers risks with immediate consequences, but it’s uncertain when or if the event will happen. An important factor for organizations is identifying what might trigger a risk. Some risks, if they happen, could have catastrophic effects, so management needs to recognize what might set off those significant events. Understanding what could trigger a risk event is just as important as knowing its source and impact.

Risks can be divided into four categories:

  • compliance risks;
  • hazard risks;
  • control risks;
  • opportunity risks.

For effective risk management, it’s important for everyone in an organization to use the same language when talking about risk. This helps the organization have a shared understanding of risk and how to handle it. A big part of this is agreeing on a system for classifying risks. Hazard risks are those that can only cause harm to the company’s goals. These are usually things that can be insured, like fire, floods, storms, or injuries. Managing these types of risks has always been a key focus in risk management because they can disrupt normal operations by causing losses or damage. These risks can come from various sources like people, premises, processes, or products (known as the 4Ps). Control risks involve uncertainty about whether the organization can achieve its goals. A good example is internal financial controls. If these controls are removed, it’s hard to know what might happen. Control risks are often related to compliance issues, fraud, or the mismanagement of people and resources. Even though companies work hard to manage control risks, they can still be a major concern. Opportunity risks are risks that companies take on purpose in hopes of achieving greater success. These risks are taken to improve the company’s chances of achieving its goals, but if things go wrong, they could harm the company. Companies that take on high-risk strategies often hope for high returns and may have a high risk tolerance in this area. However, the same company might be very cautious with hazard risks because it doesn’t want to waste resources dealing with dangers while focusing on opportunities. Compliance risks are especially important in regulated industries like energy, finance, and transportation. These risks involve following laws and regulations. Many companies aim to have zero risk in this area, ensuring full compliance with all rules. While this might be possible for compliance risks, it’s unlikely for hazard, control, or opportunity risks, which require careful management. In summary, understanding and managing these different types of risks (hazard, control, opportunity, and compliance) helps an organization make better decisions and manage its overall risk exposure.

Compliance Risks

All organizations understand they have to follow various compliance rules, which can be very different depending on the industry. Some industries are highly regulated and have their own specific regulatory bodies. For example, companies in the tourism sector face strict regulations in many countries. If they don’t follow the rules, regulators can take away their ability to operate, which could eventually shut the company down. Any organization that handles financial transactions must have procedures in place to prevent money laundering. Banks and businesses that deal with large amounts of cash are required to have systems for this, and often hire a senior executive specifically for handling money-laundering issues. In the insurance industry, compliance is also very important and can be complicated. For example, if an insurance policy is issued in one country but covers assets or liabilities in other countries, it can create challenges with following all the regulations. If the organization doesn’t comply with the rules, claims might not be paid, or, in severe cases, the insurance could be illegal in that country.

Even if an organization doesn’t have a specific regulator for its industry, it still needs to follow many regulatory rules. For example, most countries have health and safety laws that require businesses to protect the health, safety, and well-being of their employees and others affected by their activities. These rules often apply not just at the company’s direct worksite but also to employees working in other countries. Companies that own vehicles, especially those involved in transporting people or hazardous goods, also need to follow strict road safety regulations. Generally, businesses aim to fully comply with all the rules to reduce compliance risks. Many companies hire specialized teams of experts to handle specific areas like health and safety, preventing money laundering, and security. It’s crucial for organizations to recognize and manage their compliance risks. Different parts of the company that handle risk management should work together to ensure a well-organized and coordinated approach to meeting compliance requirements.

Hazard risks

Organizations face different types of risks, including hazard risks, control risks, and opportunity risks. They must tolerate some hazard risks, accept control risks, and invest in opportunity risks. For health and safety risks, companies should try to eliminate them, but in reality, they reduce these risks to a cost-effective level while staying within legal requirements. For instance, installing an automatic braking system on trains to prevent passing red lights is technically possible but may be too expensive for the train company. Similarly, companies may tolerate minor theft, like office supplies, because the cost of preventing such theft entirely would be too high.

Organizations must identify the different types of hazard risks they face. Hazard risks can cause unplanned disruptions, which lead to inefficiency. Disruptions should be avoided unless they are planned, like maintenance or emergency tests. Ideally, organizations aim for no unplanned disruptions or inefficiencies. These risks can involve people, premises, processes, or products. Companies need to evaluate what incidents might happen, what causes them, and how they would affect normal operations.

Managing hazard risks involves three steps: preventing the incident, limiting the damage if it happens, and managing recovery costs. Insurance is a common way to handle financial losses from hazard risks. Organizations must understand their hazard tolerance, meaning how much loss they can handle before needing insurance. For example, a company might tolerate a few motor accidents and cover the costs from its budget, but beyond a certain point, it will buy insurance to cover larger losses. Some hazard risks also relate to regulatory compliance, and companies typically work to minimize these compliance risks.

Examples of hazards by category

People
  • Accidents: Workplace injuries or accidents (e.g., slips, trips, and falls).
  • Health Issues: Illness outbreaks (e.g., flu, COVID-19) affecting employee attendance and productivity.
  • Workplace Violence: Incidents of violence or harassment among employees or between employees and customers.
  • Skill Shortages: Lack of qualified personnel to perform necessary tasks due to resignations or labor market changes.
  • Employee Strikes: Labor disputes leading to work stoppages.

Premises
  • Natural Disasters: Events like earthquakes, floods, or hurricanes damaging facilities and disrupting operations.
  • Fire: Outbreaks of fire in buildings causing evacuation and operational halts.
  • Theft or Vandalism: Break-ins or property damage leading to financial loss and operational disruption.
  • Facility Failures: Breakdowns of essential building systems (e.g., HVAC, plumbing) affecting the work environment.
  • Regulatory Violations: Non-compliance with building codes or safety regulations leading to fines or closures.

Processes
  • Equipment Breakdown: Failures in machinery or technology halting production lines.
  • Supply Chain Interruptions: Delays or disruptions in the supply chain affecting the availability of materials or products.
  • IT System Failures: Crashes or outages in computer systems impacting data access and business operations.
  • Quality Control Issues: Defective products resulting from flawed processes leading to recalls or customer dissatisfaction.
  • Poor Communication: Miscommunication within teams leading to mistakes or delays in project completion.

Products
  • Product Recalls: Issues with product safety leading to recalls, damaging reputation and financial loss.
  • Market Changes: Shifts in consumer preferences or trends making current products obsolete.
  • Supply Shortages: Insufficient supply of raw materials affecting product availability and production schedules.
  • Counterfeit Products: The emergence of fake products harming brand reputation and customer trust.
  • Regulatory Compliance: Changes in regulations requiring modifications to existing products, leading to additional costs and delays.

Control Risks

When an organization starts projects or makes changes, it has to deal with uncertainty. This uncertainty, or control risk, is a natural part of any project. To handle unexpected events, the project budget should include extra funds, and the timeline should have extra time built in. To manage control risks, the organization needs to provide enough resources to identify and implement controls and deal with any consequences if the risk happens. The type of control risks and how to manage them depend on the level of uncertainty and the kind of risk involved. Uncertainty means that results may differ from what was expected. For example, if an organization is improving a process, the project must be completed on time, within budget, and meet the required specifications. It also needs to deliver the expected benefits. If the project doesn’t meet these expectations, this deviation represents uncertainty, which can only be accepted to a certain extent. Managing control risks is a key focus of internal auditors and accountants. In the UK, corporate governance rules (as of September 2016) emphasize internal control over risk assessment. Control management aims to reduce uncertainty related to significant risks and minimize unpredictable results. However, if an organization focuses too much on control management, it can stifle creativity and innovation. Excessive focus on controlling risks might limit entrepreneurial efforts and opportunities for growth.

Opportunity Risks

Some organizations intentionally take risks to reach their goals. These are usually commercial or marketplace risks that they expect will lead to a good return. Known as opportunity risks, they can also be called commercial, speculative, or business risks. While these risks can help achieve the organization’s mission, they can also hold it back if things don’t go as planned. Every organization wants to take advantage of opportunities and is willing to invest in them. They aim for effective and efficient operations, tactics, and strategies. Opportunity risks often come from developing new strategies, improving operations, or making changes. Organizations must decide how much risk they are willing to take on and how much they should invest. For example, if a company sees a demand for a new product that it could create, but lacks the resources to develop it, it might not be wise to pursue that high-risk path. Management needs to determine if they are willing to go after these opportunities. Just because they are eager to take a chance doesn’t mean it’s the right choice. The company’s board should understand that even if they want to seize an opportunity, the organization may not have the capacity to handle the associated risks. Opportunity management focuses on maximizing the benefits of taking risks. Organizations often want to invest in opportunity risks, and there’s a clear connection between opportunity management and strategic planning. The goal is to increase the chances of achieving significant positive results from investing in business opportunities.

Examples of compliance, hazard, control, and opportunity risks

In an oil company, the key risks can be categorized into compliance, hazard, control, and opportunity risks. Here’s how each type might apply:

  1. Compliance Risks: These relate to following laws, regulations, and industry standards. For an oil company, compliance risks could involve environmental regulations, health and safety laws, and government policies on emissions or drilling permits. Failure to comply can lead to fines, legal issues, or shutdowns.
  2. Hazard Risks: These are risks that can cause physical harm to people, property, or the environment. For example, oil spills, explosions, fires, equipment failures, or natural disasters like hurricanes pose significant hazard risks to oil companies. These events can lead to costly damage, loss of life, and environmental harm.
  3. Control Risks: Control risks affect the ability to complete projects or operations within planned timeframes, budgets, and quality standards. In an oil company, control risks could arise during exploration, drilling, or refining processes. For instance, a drilling project might face delays due to unexpected ground conditions or equipment malfunctions, affecting the project’s budget and timeline.
  4. Opportunity Risks: These are risks taken to gain potential rewards. For an oil company, opportunity risks might include investing in new drilling sites, developing renewable energy projects, or expanding into new markets. While the rewards could be substantial (e.g., new oil reserves or entering a profitable market), the risk of failure is also present, such as the site not producing enough oil or the market not growing as expected.

Introduction to Risk Management

We all encounter risks in our daily lives. These can come from personal activities, like travelling or making financial decisions. There are also significant risks at home, such as fire hazards or the financial challenges of owning a house. Beyond that, risks can arise from relationships, work, and business activities. Evaluating these risks and figuring out how to handle them is something we do every day, both at work and in our personal lives. Recent world events, like terrorism, severe weather, and the global financial crisis, have made people more aware of risks. These major risks add to the more common ones we deal with regularly. Evaluating different ways to handle risks and choosing the best option is a key part of risk management. Dealing with risks can bring benefits to both individuals and the organizations they work for.

In our personal lives, many risk responses are automatic. For example, avoiding fires or car accidents comes naturally through learned behaviour. These types of risks, like fire and accidents, are seen as purely negative and are often called “hazard risks.” Legal compliance, such as adhering to data protection laws like the GDPR, is called a “compliance risk”; some view it as a hazard risk, since failing to comply leads to negative consequences. However, some believe that following regulations can also bring benefits, showing the “upside of risk.” Some risks come with mandatory responses, such as the legal requirement to have car insurance. While house insurance isn’t always required by law, it is still considered smart risk management. Maintaining your car reduces the risk of breaking down, but it doesn’t guarantee you won’t experience a breakdown at all. These kinds of risks, where there’s uncertainty even with precautions, are often called “control risks.” There are also risks people take hoping for a positive outcome, like investing money in the stock market or placing a bet on a sports event. These are examples of “opportunity risks,” where the goal is to gain something, even if it’s not always financial, such as pride or respect in activities like motorsports or other risky hobbies.

Organizations face many different types of risks that can affect their operations. These risks can either prevent them from reaching their goals (hazard risks), help them achieve their goals (opportunity risks), or cause uncertainty about the results (control risks). Risk management involves evaluating, controlling, and monitoring all three types of risks in a coordinated way.

Risk management plays a key role in the success of non-profit organizations like charities, clubs, and other membership groups. While the risk management process is widely understood, it is presented differently depending on the organization and its terminology. Risk management cannot work in isolation; it needs to be supported by a framework within the organization. This framework is often explained differently in various standards and guides, but its main components are the communication and reporting structure (architecture), the organization’s risk management plan (strategy), and the guidelines and procedures (protocols) in place. Together, the risk management processes and supporting framework form what is known as a risk management standard. There are several standards available, such as the IRM Standard, the British Standard BS 31100:2021, and the American COSO ERM framework. One of the most well-known international standards is ISO 31000.

Organizations engage in risk management for several reasons, which can be grouped into four main categories: mandatory, assurance, decision-making, and improving core processes (MADE2). “Mandatory” refers to risk management actions taken to ensure the organization meets legal and regulatory requirements, as well as the expectations of customers or clients. The board of an organization needs to be confident that major risks have been identified and properly controlled. To make sure the right business decisions are made, the organization should carry out risk management activities that provide clear and structured information to support decision-making. One of the key benefits of risk management is improving the effectiveness and efficiency of the organization’s operations. It also helps ensure that business processes, including any improvements or changes, work smoothly. Lastly, the chosen strategy must also be effective and efficient, delivering exactly what is needed.

Risk management is important for making strategic decisions, successfully delivering projects and programs, and ensuring smooth daily operations. The benefits of risk management apply to all three areas: strategy, tactics, and operations. By using risk management, organizations can achieve more effective and efficient results in each of these areas. These processes, strategic, tactical, operational, and compliance (STOC), cover all of an organization’s core functions. Analyzing these core processes offers a complete approach to risk management. For risk management to be successful, the expected benefits must be clearly identified. Without knowing the intended outcomes, it’s impossible to measure whether the risk management effort has worked. Therefore, effective risk management must have clear goals and desired benefits. It’s also essential to focus on every step of the process, including the design, implementation, and monitoring of the framework that supports risk management activities.

Failure to properly manage an organization’s risks can happen for several reasons: not recognizing risks well enough, not analyzing important risks properly, or failing to identify effective responses. Additionally, if a clear risk management strategy is not established and communicated, it can lead to poor risk management. Sometimes, the procedures themselves may be flawed and unable to achieve the intended results. The impact of not managing risks well can be severe. It can lead to inefficient operations, delayed projects, and ineffective or misguided strategies. Successful risk management needs to be PACED: proportionate, aligned, comprehensive, embedded, and dynamic.

  • Proportionate: The effort in risk management should match the level of risk the organization faces.
  • Aligned: Risk management activities should be in sync with other organizational activities.
  • Comprehensive: It must cover all areas of the organization and all possible risks.
  • Embedded: Risk management should be integrated into the organization’s processes.
  • Dynamic: It should be flexible and adapt to changing environments.

Like other management activities, risk management needs to fit with the organization’s core processes and culture. First, it must meet any legal and regulatory requirements. After that, the best approach is whatever works for the organization and delivers the needed results and benefits.

Risk management is evolving quickly, both in the tools and techniques used and in the governance structures that ensure risks are managed successfully. Organizations are becoming more focused on reducing costs, which has led to approaches like Governance, Risk, and Compliance (GRC). GRC aims to be both effective and cost-efficient in managing risks. With many organizations facing cost-cutting measures and tough market conditions, emerging risks are more critical than ever. It’s a challenge for organizations to keep their risk exposure within acceptable limits. Unexpected events can have severe consequences, so it’s essential to analyze what could trigger significant risks and have plans in place to handle potential crises. Organizations should take several steps:

  1. Use common processes, terminology, and practices for managing all types of risks.
  2. Clearly understand, communicate, and monitor risk tolerance levels throughout the organization.
  3. Integrate risk management into all important business processes and decisions.
  4. Make risk-related decisions using high-quality, specific risk information.

Risk definition

  • The Oxford English Dictionary definition of risk is as follows: ‘a chance or possibility of danger, loss, injury or other adverse consequences’, and the definition of ‘at risk’ is ‘exposed to danger’.
  • The Institute of Risk Management (IRM) defines risk as the combination of the probability of an event and its consequences. Consequences can range from positive to negative.
  • ISO Guide 73 defines risk as the ‘effect of uncertainty on objectives’. It also notes that an effect may be positive, negative, or a deviation from the expected. The guide notes that risk is often described by an event, a change in circumstances, a consequence, or a combination of these and how they may affect the achievement of objectives.
  • The Institute of Internal Auditors (IIA) defines risk as the uncertainty of an event occurring that could have an impact on the achievement of objectives. The IIA adds that risk is measured in terms of consequences and likelihood.
  • The definition used by health and safety professionals is that risk is a combination of likelihood and magnitude.

From Fundamentals of Risk Management by Paul Hopkin

Risk is generally understood as an event, as explained in definitions like ISO 31000 and by the Institute of Internal Auditors. For a risk to happen, an event must take place, so risks can be thought of as “an unplanned event with unexpected results.” Focusing on events helps clarify the risk management process. Since there are many ways to define risk, each organization should choose a definition that best fits its needs, whether it’s broad or specific.

Types of risks

Risk can have positive or negative outcomes, or simply cause uncertainty. Risks can be linked to opportunities, potential losses, or unpredictability for an organization. Risks are generally categorized into four types:

  • Compliance (mandatory) risks
  • Hazard (pure) risks
  • Control (uncertainty) risks
  • Opportunity (speculative) risks

Organizations typically aim to reduce compliance risks, minimize hazard risks, manage control risks, and embrace opportunity risks. However, there is no single “correct” way to classify risks. Some texts might use different categories, such as dividing risks into pure or speculative. What’s important is that the organization adopts a system that fits its needs.

Hazard risks, also known as pure risks, usually lead to negative outcomes. These are operational or insurable risks, like theft, which organizations manage within acceptable limits. Control risks are linked to uncertainty, especially in project management. Organizations often avoid control risks because they can create uncertainty around project outcomes, timelines, and budgets. The goal is to keep actual results as close as possible to expected outcomes.

Opportunity risks, on the other hand, are risks organizations take to gain a positive return. These involve making decisions that carry risk but offer the chance for rewards, such as investments. Managing hazard risks is one of the oldest forms of risk management, and this text focuses on that. Hazard risks are linked to potential harm, and managing them involves reducing negative impacts, such as in health and safety programs.

Control risks involve unpredictable events and are common in project management. These risks are known to occur, but their outcomes are hard to predict, so the focus is on managing the uncertainty around them.

Opportunity risks come with both the risk of taking action and the risk of missing out on potential gains. These risks are often financial and might not be obvious, but they offer a chance for positive outcomes, though they aren’t guaranteed. For small businesses, opportunity risks can include moving to a new location, acquiring property, expanding, or launching new products.

Risk Description

To fully understand a risk, it’s important to describe it in detail. This ensures that everyone has a shared understanding and knows who is responsible for managing the risk. To gather the right information about each risk, it’s important to clearly differentiate between compliance, hazard, control, and opportunity risks. A risk description might include the following details:

  • Name or title of the risk
  • A statement explaining the risk, its scope, possible events, and dependencies
  • Type of risk, including its classification and when it might have an impact
  • The people or groups affected by the risk, both inside and outside the organization
  • Attitude towards the risk, including the organization’s risk appetite, tolerance, and limits
  • The likelihood of the risk happening, and the size of the impact if it does
  • The standard of control needed and the target level of risk
  • History of incidents or losses related to the risk
  • Existing control measures in place
  • Who is responsible for developing the risk strategy and policy
  • Potential for improving how the risk is managed and confidence in current controls
  • Recommendations for improving risk management and deadlines for action
  • Who is responsible for putting improvements into effect
  • Who is responsible for checking that risk compliance is being followed

Inherent level of risk

It’s important to understand the original level of all identified risks before any actions are taken to reduce them. This is known as the inherent level of risk, which shows how risky something is without any controls in place. Knowing this helps highlight how important the control measures are. According to the Institute of Internal Auditors (IIA), risk assessment looks at the inherent risks first, before considering any controls. Although there’s some debate about whether to assess risks at the inherent level or the current level, the goal is always the same: to figure out the current risk level and identify the key controls in place to achieve that level. A risk matrix is often used to show the inherent risk in terms of how likely it is and how big the impact might be. After controls are applied, the reduced or current level of risk can then be identified. The effort to bring the risk down from its inherent level to the current level can be clearly shown on the matrix. Different terms are sometimes used: the inherent level of risk can also be called the absolute or gross risk, while the current level can be referred to as the residual, net, or managed risk level.

Example

Scenario: Data Breach in a Company

Inherent Risk (Before any controls are in place):

Let’s say a company stores sensitive customer data (personal information, credit card details) online.

  • Risk event: A potential data breach where hackers could steal customer information.
  • Likelihood: High (because cyberattacks are common).
  • Impact/Magnitude: Very high (since a breach would harm the company’s reputation, result in legal penalties, and lead to financial losses).

Inherent Risk Level: High likelihood + high impact = Severe Risk (This is the risk before any protective measures like firewalls, encryption, or employee training are put in place).


Current Risk (After controls are in place):

Now, the company implements several controls:

  • Strong firewalls and encryption for the data.
  • Multi-factor authentication for accessing sensitive data.
  • Regular staff training on cybersecurity practices.
  • A dedicated team that monitors and responds to any suspicious activity.

With these controls in place, the assessment becomes:

  • Likelihood: Reduced to Medium (because controls reduce the chance of a breach but don’t eliminate it entirely).
  • Impact/Magnitude: Still high (a breach would be very damaging, but the chance is lower).

Current Risk Level (Residual Risk): Medium likelihood + high impact = Moderate Risk (This is the remaining risk after controls are applied).

Risk likelihood and impact

A risk matrix is a great way to show the likelihood and impact of risks. It can come in different formats, but no matter the style, it’s a helpful tool for those managing risks. A basic risk matrix compares the chance of an event happening with how big the impact would be if it does happen. This makes it easier for organizations to see if a risk is acceptable and if it fits within their ability to handle it or their comfort level with taking risks.

  • The top-right quadrant (High Likelihood, High Magnitude) is marked as very high risk (red).
  • The bottom-right quadrant (High Likelihood, Low Magnitude) is high risk (dark red).
  • The top-left quadrant (Low Likelihood, High Magnitude) is medium risk (yellow-orange).
  • The bottom-left quadrant (Low Likelihood, Low Magnitude) is low risk (green).

This visualization helps easily identify and prioritize risks based on their likelihood and potential impact. The figure above shows a basic risk matrix, sometimes called a risk map or heat map. It’s a common way to display the likelihood of a risk happening and the size or seriousness of the event if it does occur. A risk matrix helps organizations visualize individual risks to decide if they are acceptable and within their risk tolerance or capacity.

In this figure, the vertical axis represents the magnitude of the risk. The term “magnitude” is used instead of “severity” so the matrix can be applied to different types of risks, like compliance, hazard, control, and opportunity risks. “Severity” often suggests a negative event, which applies more to compliance and hazard risks, while “magnitude” can refer to the inherent risk before any controls are applied.

This risk matrix plots the likelihood of an event against its magnitude. However, risk managers are usually more concerned with the event’s impact and the resulting consequences. For example, a large fire may destroy a warehouse, but if the company has good insurance and backup plans, the financial impact could be minimal. The magnitude of an event can be seen as the inherent risk level, while the impact can be considered the managed or controlled risk level.

The matrix can also indicate potential control measures for different risks, showing inherent, current (or residual), and target levels of risk. Colour-coding is often used to visually represent the importance of each risk. As risks move toward the top-right corner of the matrix, they become more likely and have a larger impact, meaning they require immediate and strong control measures.
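The inherent-versus-current comparison in the data-breach example and the quadrant ratings of the matrix can be carried out in code. The Python risk register below is an added example written for this page; it is not code from the source text or from Paul Hopkin’s book. It assumes a three-step Low/Medium/High scale on both axes (the page rates only the High/Low corners but uses “Medium” in its example), models each control as removing a stated number of steps from one axis with layered controls on the same axis not summed, and uses constructed control effects for the data-breach scenario and for the warehouse-fire illustration above. The risk titles, control names and step values are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ordinal scale for both matrix axes. The page rates only High/Low cells and
# uses "Medium" in its data-breach example; the 3-step scale is an assumption.
LEVELS: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}
NAMES: Dict[int, str] = {v: k for k, v in LEVELS.items()}
RANK: Dict[str, int] = {"Low": 0, "Moderate": 1, "High": 2, "Severe": 3}


def rating(likelihood: int, magnitude: int) -> str:
    """Rate one matrix cell.

    Reproduces the page's four quadrants (High likelihood with Low magnitude
    outranks Low likelihood with High magnitude; "Severe" is the page's
    "very high") and its data-breach example (High+High = Severe,
    Medium+High = Moderate). Cells the page does not rate (Medium+Medium,
    Medium+Low, Low+Medium) are an assumption.
    """
    if likelihood == 3:
        return "Severe" if magnitude == 3 else "High"
    if magnitude == 3 or (likelihood == 2 and magnitude == 2):
        return "Moderate"
    return "Low"


@dataclass
class Control:
    name: str
    reduces: str  # "likelihood" or "magnitude"
    steps: int    # scale steps the control removes (assumed model)


@dataclass
class Risk:
    title: str
    likelihood: str
    magnitude: str
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> Tuple[int, int]:
        """Levels before any control is applied (gross risk)."""
        return LEVELS[self.likelihood], LEVELS[self.magnitude]

    def current(self, without: str = "") -> Tuple[int, int]:
        """Levels after controls (residual risk), optionally leaving one
        control out. Layered controls on the same axis are not summed: only
        the strongest one counts (assumed, conservative model)."""
        lik, mag = self.inherent()
        best = {"likelihood": 0, "magnitude": 0}
        for c in self.controls:
            if c.name != without:
                best[c.reduces] = max(best[c.reduces], c.steps)
        return max(1, lik - best["likelihood"]), max(1, mag - best["magnitude"])

    def inherent_rating(self) -> str:
        return rating(*self.inherent())

    def current_rating(self) -> str:
        return rating(*self.current())

    def treatment_effort(self) -> int:
        """Score reduction from inherent to current: the distance the risk
        has been moved on the matrix by its controls."""
        li, mi = self.inherent()
        lc, mc = self.current()
        return li * mi - lc * mc

    def essential_controls(self) -> List[str]:
        """Controls whose removal, on its own, worsens the current rating.
        This is the internal-audit comparison the text describes: these are
        the controls to inspect regularly."""
        base = self.current_rating()
        return [c.name for c in self.controls
                if rating(*self.current(without=c.name)) != base]


def prioritize(register: List[Risk]) -> List[str]:
    """Order a register by current rating, then current score, then inherent
    score as a tie-break, highest first."""
    def key(r: Risk):
        lc, mc = r.current()
        li, mi = r.inherent()
        return (RANK[r.current_rating()], lc * mc, li * mi)
    return [r.title for r in sorted(register, key=key, reverse=True)]


def sample_register() -> List[Risk]:
    """Constructed register: the page's data-breach scenario plus the
    warehouse-fire illustration. Control effects are assumed values chosen to
    reproduce the outcome the page states (likelihood High -> Medium)."""
    return [
        Risk("Customer data breach", "High", "High", [
            Control("Firewalls and encryption", "likelihood", 1),
            Control("Multi-factor authentication", "likelihood", 1),
            Control("Staff security training", "likelihood", 1),
            Control("Monitoring and response team", "likelihood", 1),
        ]),
        Risk("Warehouse fire", "Medium", "High", [
            Control("Property insurance", "magnitude", 2),
            Control("Backup site and recovery plan", "magnitude", 1),
        ]),
    ]


if __name__ == "__main__":
    for r in sample_register():
        li, mi = r.inherent()
        lc, mc = r.current()
        print(f"{r.title}: inherent {NAMES[li]}/{NAMES[mi]} = {r.inherent_rating()}, "
              f"current {NAMES[lc]}/{NAMES[mc]} = {r.current_rating()}, "
              f"essential controls: {r.essential_controls() or 'none (layered)'}")
    print("Priority order:", prioritize(sample_register()))
```

The essential_controls method is the point of the exercise: a control is flagged when removing it on its own worsens the current rating. The single insurance policy on the warehouse is flagged, while none of the four layered controls on the data breach is, because the others still hold likelihood at Medium. That is the distinction the text draws between a control a safety specialist assumes is working and a control an auditor schedules for regular inspection.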

Risk classification

Risks can be grouped based on different characteristics, like how quickly they will have an impact, the type of impact they cause, or how big the risk might be. They can also be classified by how long it takes for the effects to be felt after the event happens. Risks can be categorized by their source, such as credit risk or risks from a counterparty. Another way to classify risks is by looking at the type of impact they have. Some risks may affect a company’s finances, while others could disrupt operations or infrastructure. There are also risks that could harm the organization’s reputation or its public image. Risks can also be grouped based on which part of the business they affect, like people, buildings, processes, or products. When deciding how to classify risks, organizations need to think about whether to base the system on the source of the risk, the area affected, or the consequences of the risk. Each organization will choose a risk classification system that works best for its specific activities. Many risk management standards provide a classification system, and if an organization follows one of these standards, it will likely use the recommended system. There’s no single classification system that works for all organizations, so the system chosen should be relevant to the specific needs of the organization. It’s also common for a risk to be classified in multiple ways to fully understand its potential impact.

ISO 31000:2018 Example of Enterprise Risk Management Manual

1.0 Introduction

1.1 Company Information

The Enterprise Risk Management (ERM) Manual defines the overall risk management practices for XXX. It describes the ERM practices used to monitor, control, and track the material risks to which XXX is exposed in its operations, and it sets out the individual and functional responsibilities required to achieve the business objectives of its ERM. The purpose is to ensure that enterprise-wide risks that have been identified, measured, and deemed appropriate for response are treated using the most effective and efficient methods. Further, it provides a framework for XXX to identify opportunities and to consider the implications of ignoring them. XXX managers tasked with decision-making across departments must consider the associated risks and follow XXX’s decision-making process so that risks are avoided where required. While functions within XXX may differ in risk exposure, a common and practical risk taxonomy supported by risk categories will inform the appropriate use of risk data. As XXX changes in size, nature of operations and complexity over time, the ERM Manual should evolve to ensure that all significant new, emerging and increased risks are appropriately considered and addressed as part of the ongoing review and assessment process.

2.0 References

The following International Standard has been used as a reference document for the development of Enterprise Risk Management.

Risk management — Guidelines – ISO 31000:2018

3.0 Terms & Definitions

  • Risk: Effect of uncertainty on objectives.
  • Risk Management: Coordinated activities to direct and control an organization with regard to risk (ISO 31000:2018 definition).
  • Risk Management Philosophy: An entity’s Risk Management Philosophy is a set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities.
  • Stakeholder: A person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity.
  • Event: An event is an incident or occurrence from internal or external sources that affects the achievement of objectives. It can have negative impacts, positive impacts, or both. A risk is the possibility that an event will occur that would adversely affect the achievement of objectives. An opportunity is the possibility that an event will occur and positively affect the achievement of objectives.
  • Consequence: Outcome of an event affecting objectives (ISO 31000:2018 definition).
  • Control: Measure that maintains and/or modifies risk.
  • Likelihood: Chance of something happening.
  • Risk Universe: A consolidation and segregation of the main and sub-categories of risks affecting an organization, typically segregated into Environmental, Process and Information for Decision-Making risks.
  • Risk Source: Element which alone or in combination has the potential to give rise to risk.
  • Risk Appetite: The degree of risk, on a broad-based level, that the organization is willing to accept or take in pursuit of its objectives.
  • Risk Tolerance: The level of risk that the organization is willing to accept in various risk areas. This can be measured in terms of both quantitative and qualitative dimensions.
  • Risk Mitigation: The technique to treat the risk and reduce it to an acceptable level for the organization. It involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process. It is a systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence.
  • Risk Profile: A visual representation, accompanied by explanations, either of key risks or of the entire portfolio of risks facing an organization, typically depicted in a heat map.

4.0 Principles

The Enterprise Risk Management Framework is guided by the following principles:

a) Integrated

Risk management constitutes an essential component of every organizational activity whether managed services, hard services or soft services.

b) Structured and comprehensive

An organized and thorough method towards risk management fosters uniform and comparable results.

c) Customized

Risk assessments will be conducted on all new activities and projects (as appropriate) before commencement to ensure alignment with risk appetite, and strategic and organizational objectives.

d) Inclusive

Engaging stakeholders in a suitable and timely manner allows for the incorporation of their insights, perspectives, and expertise, leading to heightened awareness and well-informed risk management practices.

e) Dynamic

As the external and internal context of an organization evolves, risks may arise, evolve, or diminish. Risk management aims to foresee, identify, acknowledge, and address these shifts and occurrences promptly and suitably.

f) Best available information

Risk management relies on past and present data, alongside future projections, while acknowledging the inherent limitations and uncertainties. It emphasizes the importance of providing timely, transparent, and accessible information to pertinent stakeholders.

g) Human and cultural factors

Human behaviour and cultural norms exert a considerable influence on every facet of risk management across all levels and phases.

h) Continual improvement

Risk management is continually improved through learning and experience.

5.0 ERM Framework

5.1 General

The objective of the risk management framework is to aid the XXX in embedding risk management within key activities and functions. The efficacy of risk management hinges on its incorporation into organizational governance, notably in decision-making processes, necessitating backing from stakeholders, especially top management. Framework development involves integrating, designing, implementing, assessing, and enhancing risk management throughout the XXX. The XXX must assess its current risk management practices and processes, identify any deficiencies, and rectify them within the framework. The components of the framework and their interactions should be tailored to suit the organization’s requirements.

XXX’s ERM Framework is customized to XXX’s operating environment and aligned with the recently published ISO 31000:2018, which contains standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2018 is to provide principles and generic guidelines on risk management. It seeks to provide a universally recognized standard for practitioners and companies employing risk management processes, replacing the myriad of existing principles, standards and methodologies that differ between and among industries.

As part of its legal and regulatory compliance requirements, XXX shall implement this ERM Framework. To ensure its effective and sustainable implementation, XXX shall ensure the alignment with each other of the following components: the ERM process; ERM objectives and Group objectives; and key risk indicators (KRIs) and key performance indicators (KPIs). Specific accountabilities and responsibilities shall be established, and the necessary resources shall be allocated to set the process in motion.

5.2 Leadership and Commitment

The Framework is anchored on the leadership and commitment of the top Management to implement the ERM Program across XXX. It is envisioned to be dynamic and shall be continuously improved to be responsive to the needs of XXX and attain their desired state. Senior management and relevant oversight bodies should ensure the integration of risk management across all organizational activities, demonstrating leadership and dedication by:

  • Customizing and implementing all elements of the framework.
  • Issuing a statement or policy that outlines a risk management approach, plan, or strategy.
  • Allocating necessary resources for risk management.
  • Designating authority, responsibility, and accountability at suitable levels within the XXX.

This will enable the XXX to:

  • Align risk management with its objectives, strategy, and culture.
  • Fulfill obligations and voluntary commitments.
  • Determine acceptable levels and types of risk through the development of risk criteria, ensuring transparent communication with the organization and stakeholders.
  • Articulate the value of risk management to both the organization and stakeholders.
  • Facilitate systematic risk monitoring.
  • Ensure ongoing appropriateness of the risk management framework to the organization’s context.

Senior management holds responsibility for risk management, while oversight bodies are tasked with supervising risk management processes. Oversight bodies typically:

  • Ensure adequate consideration of risks in setting organizational objectives.
  • Understand the risks associated with organizational objectives.
  • Verify the implementation and effectiveness of risk management systems.
  • Assess the appropriateness of risks concerning organizational objectives.
  • Ensure proper communication of information regarding risks and their management.

5.3 Integration

Everyone is a Risk Manager. This vision can only be achieved once the risk management mindset has been integrated and embedded into XXX’s organizational purpose, governance, leadership and commitment, strategy, objectives and operations. Integrating risk management in XXX is a dynamic and iterative process and is customized to address XXX’s needs and culture. The integration of risk management hinges on a thorough comprehension of organizational structures and context, which vary based on XXX’s mission, objectives, and complexity. Risk management permeates every aspect of the organizational framework, with every individual bearing responsibility for its management.

Governance steers the trajectory of the XXX encompassing its external and internal relationships, as well as the regulations, procedures, and practices necessary for fulfilling its mission. Management structures translate the directives of governance into strategies and associated objectives aimed at achieving sustainable performance and long-term viability. Establishing accountability and oversight roles for risk management within an XXX is an essential component of its governance.

The process of integrating risk management into an XXX is dynamic and iterative, requiring customization to fit the XXX’s specific needs and culture. Risk management should seamlessly integrate with the organizational purpose, governance, leadership, commitment, strategy, objectives, and operations, rather than existing as a separate entity.

5.4 Design

5.4.1 Understanding the organization and its context.

When developing the risk management framework, the Senior Manager should thoroughly analyze and comprehend both its external and internal contexts. Designing XXX’s ERM Framework requires a thorough understanding of both the internal and external environments in which it operates. The external environment includes, but is not limited to, the cultural, technological, legal, financial, and regulatory environment, its relationships with stakeholders, as well as industry and international trends. Its internal context includes company culture and values, policies and procedures, guidelines, organizational structure, and other parameters that are internally driven.

Exploring the organization’s external context may involve, among other considerations:

  • Social, cultural, political, legal, regulatory, financial, technological, economic, and environmental factors, whether at international, national, regional, or local levels.
  • Key drivers and trends impacting the XXX’s objectives.
  • Relationships with external stakeholders, encompassing their perceptions, values, needs, and expectations.
  • Contractual agreements and commitments.
  • The intricacies of networks and dependencies.

Analyzing the XXX’s internal context may encompass, but is not restricted to:

  • Vision, mission, and values.
  • Governance structures, organizational hierarchy, roles, and responsibilities.
  • Strategies, objectives, and policies.
  • Organizational culture.
  • Adopted standards, guidelines, and models.
  • Capabilities, including resources and knowledge such as capital, time, personnel, intellectual property, processes, systems, and technologies.
  • Data, information systems, and information flow.
  • Relationships with internal stakeholders, considering their perspectives and values.
  • Contractual obligations and commitments.
  • Interdependencies and interconnectedness within the XXX.

5.4.2 Articulating Risk Management Commitment

Senior management and oversight bodies, where applicable, should exemplify and articulate their ongoing dedication to risk management through a policy statement or other media that clearly convey XXX’s objectives and commitment to risk management. This commitment should encompass, but not be limited to:

  • Clarifying the XXX’s rationale for managing risk and its connections to objectives and other policies.
  • Emphasizing the importance of integrating risk management into the organizational culture.
  • Spearheading the incorporation of risk management into core business activities and decision-making processes.
  • Defining authorities, responsibilities, and accountabilities.
  • Allocating necessary resources.
  • Addressing how conflicting objectives are managed.
  • Incorporating measurement and reporting into the XXX’s performance metrics.
  • Facilitating regular review and enhancement.

The commitment to risk management should be effectively communicated internally within the XXX and, as appropriate, to stakeholders.

Oversight Structure

The ERM oversight structure of XXX is illustrated in the diagram below:

5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities

Senior management and oversight bodies, where applicable, are responsible for ensuring that the necessary authorities, responsibilities, and accountabilities for key roles in risk management are assigned and communicated across all levels of XXX. They should emphasize the fundamental nature of risk management as a responsibility and identify individuals who hold the authority and accountability as risk owners to effectively manage risk.

The following describes the key roles and responsibilities of XXX‘s ERM stakeholders.

1. Board of Directors

  • Provide effective oversight for XXX’s risk management process.
  • Understand the most significant risks affecting XXX and be informed of the mitigating actions taken by senior management for key risks.
  • Review and approve the ERM policy, risk appetite, risk infrastructure, and XXX Risk Strategy.
  • Approve XXX’s ERM manual and framework.
  • Maintain management commitment to improving ERM performance.
  • Issue directives for risk treatment to maintain risk levels within defined tolerance thresholds, and approve risk treatment expenditures.
  • Monitor priority risks of XXX through quarterly reports raised by the Risk Committee, make decisions in their regard, and provide direction to the Risk Committee on risk mitigation and response plans.

2. Risk Committee

  • Review the ERM policy, risk appetite, risk infrastructure, and risk documentation such as risk tolerances, impact and likelihood scales, and risk rating boundaries.
  • Monitor XXX’s ERM maturity position versus XXX’s ERM strategy.
  • Assume overall responsibility and accountability for ERM.
  • Endorse XXX’s ERM Manual and framework.
  • Ensure ERM objectives, plans, and procedures are developed to implement the policy.
  • Make the necessary resources available to meet ERM objectives and targets.
  • Approve XXX’s risk register.
  • Maintain an awareness and understanding of XXX’s risk appetite, the principal risks to achieving XXX’s strategic objectives, and the actions being taken to maintain overall risk levels within the stated risk appetite.
  • Recommend directives for risk treatment to maintain risk levels within defined tolerance thresholds, and approve risk treatment expenditures.

3. Risk Officer

  • Develop, implement, and administer the ERM manual.
  • Develop and maintain ERM policies, processes, procedures, standard tools, and information systems.
  • Develop and deliver ERM training.
  • Ensure that all activities are carried out consistently with the ERM Policy.
  • Ensure that appropriate processes and capabilities are in place to identify, assess, measure, manage, monitor, and report risks.
  • Assist management in bringing risks back within established risk tolerance thresholds in the event of a breach. Determine the consequences of such a breach and take corrective action.
  • Assist management with resource allocation decisions so that they are based on the best, most correct and most complete information.
  • Establish ERM communication at all levels. Gather data and develop risk reports for the Risk Committee and management as required.
  • Analyze the ERM performance report. Aggregate and prioritize risks, validate assumptions and methodologies, report risks, and ensure that information presented for decision-making and reporting is complete and correct.
  • Deploy and maintain tools that assist in estimating the likelihood and impact of risk events.
  • Facilitate the identification, measurement, monitoring, and reporting of risks through risk identification and assessment workshops.
  • Own and manage XXX’s risk register.

4. Risk Champion

  • Coordinate with the Risk Officer on periodic risk assessment, which involves identifying, analyzing, describing and estimating the impact of identified and emerging risks.
  • Plan, design, and implement an overall risk management process for the respective department, all of which is performed in conjunction with the Risk Officer.
  • Monitor controls, mitigation plans, and risk treatment plans.
  • Periodically report on risk mitigation activities for all identified risks to the Risk Management Department, ensuring accountability for risk management and providing status updates on action plans.
  • Monitor and report on the risk indicators to ensure that XXX has not exceeded the approved risk appetite.

5. Process owners

The process owner is the ultimate owner of the identified risks; thus process owners are responsible for managing risks and implementing risk mitigation plans and controls, subject to monitoring and reporting by the risk champions. The process owners are responsible for providing the risk champions with the risks identified in their respective areas.

6. Internal Audit Function

The Internal Audit function in XXX is responsible for monitoring compliance with ERM policies and procedures, evaluating the effectiveness of current ERM processes, including the effectiveness of controls and other risk treatment actions, and providing recommendations for improvement.

5.4.4 Allocating resources

Senior management and oversight bodies, when applicable, are tasked with ensuring the allocation of suitable resources for risk management, encompassing but not limited to:

  • Personnel with the requisite skills, experience, and competence.
  • Organizational processes, methodologies, and tools employed for risk management.
  • Documented processes and procedures.
  • Information and knowledge management systems.
  • Professional development and training requirements.

Senior management should assess the capabilities and limitations of current resources.

5.4.5 Establishing communication and consultation.

Senior management should devise an endorsed strategy for communication and consultation to bolster the framework and enable the efficient implementation of risk management. Communication entails disseminating information to specific audiences, while consultation entails participants offering input with the anticipation that it will influence decisions or other endeavours.

Methods and content for communication and consultation should align with stakeholders’ expectations, where applicable. Both communication and consultation should be timely, ensuring that pertinent information is gathered, organized, synthesized, and disseminated as necessary, and that feedback is received and used to make enhancements.

5.5 Implementation

Senior Management should execute the risk management framework by:

  • Formulating a suitable plan inclusive of time and resources.
  • Identifying the where, when, and how various types of decisions are made across the XXX, along with the responsible parties.
  • Adjusting relevant decision-making processes as needed.
  • Ensuring that the XXX’s risk management arrangements are comprehended and put into practice.

Successful implementation of the framework hinges on stakeholder engagement and awareness. This enables XXX to explicitly address uncertainty in decision-making, while also ensuring the incorporation of any emerging uncertainty as it arises.

When appropriately designed and implemented, the risk management framework guarantees that the risk management process is integrated into all organizational activities, including decision-making, and that changes in both external and internal contexts are adequately addressed.

The Facility Manager leads the implementation of the XXX ERM Program. Appropriate timing and strategy for implementation were determined. The Facility Manager developed the plan to ensure that risk management is applied at all levels and functions and that decision-making and target-setting are aligned with the outcomes of the risk management process.

Each line manager should ensure adherence to the following:

  • Hold line management accountable for the management of risks that are significant to the fulfilment of business objectives.
  • Set appropriate goals, objectives, targets and performance indicators for all operations to ensure that risks are effectively managed under the set ERM Framework.
  • Allocate adequate financial and human resources for risk management consistent with corporate priorities, and
  • Ensure that employees at all levels within their group have the competence and responsibility, through selection, education, and training, to carry out the ERM process.

5.6 Evaluation

The implementation of the ERM Program shall be assessed by the Internal Audit team during the internal audit. The internal audit considers certain criteria to determine the level of the organization’s maturity in implementing the ERM Program. The criteria are grouped into components which are critical in ensuring the successful implementation of the program, namely: governance and organization; risk management strategy; reporting and communication structure; tools and technology; and XXX’s culture and capability. To assess the efficacy of the risk management framework, Senior Management should regularly gauge the performance of the framework against its intended purpose, implementation strategies, indicators, and anticipated outcomes, and ascertain whether the framework continues to be appropriate in aiding the organization in accomplishing its objectives.

5.7 Improvement

5.7.1 Adapting

Senior Management should continually monitor and adapt the risk management framework to address external and internal changes so as to improve its value.

5.7.2 Continually improving.

Senior management will consistently enhance the appropriateness, sufficiency, and efficiency of the risk management framework and its integration into the risk management process. Upon identifying pertinent gaps or opportunities for improvement, senior management should devise plans and allocate responsibilities for their execution. Upon implementation, these enhancements should contribute to the improvement of risk management practices. The ERM Framework, Process and Plan shall be reviewed and improved periodically, taking into consideration internal and external environment at each period. The results of the assessment by the Internal Audit shall also be used to determine gaps between the current and desired state of ERM maturity. Decisions shall be made on how the risk management program can be improved. The Manual shall be updated to reflect enhancements that may be made to the program. Changes shall be communicated to all stakeholders concerned.

6 Process

6.1 General

The ERM Process is customized to XXX’s operating environment and is also aligned with ISO 31000:2018. The risk management process can be applied to decisions at all levels within XXX. At each stage of the risk management process, tools and techniques that are suited to XXX’s objectives, resources and capabilities shall be employed. Risk Management involves the identification and treatment of risks that impact on XXX’s strategies, regulatory objectives and operations. The risk management process ought to seamlessly intertwine with management and decision-making, integrating into the organization’s structure, operations, and processes. It is applicable across strategic, operational, programmatic, or project levels. Numerous applications of the risk management process can be tailored within an organization to meet objectives and adapt to the external and internal contexts in which they are employed. Throughout the risk management process, the dynamic and variable aspects of human behavior and culture should be considered. While the risk management process is typically depicted as sequential, it operates as an iterative cycle.

6.2 Communication and consultation

The following actions are to be considered in ensuring clear lines of communication and consultation in relation to emerging XXX risks:

  • All internal and relevant external stakeholders, relevant to the risk context, are to be consulted in the identification and assessment of XXX risks.
  • Communication protocols to ensure staff are aware of operational and strategic risks to the XXX are to be established and implemented.
  • Consultation is to be made with all relevant XXX staff in the identification of the context and risks environments, the inherent risks to the operations of the XXX, the assessment of the risk rating and the determination of risk treatments.
  • XXX strategic and operational risks are to be reviewed as part of XXX governance processes on a regular basis during relevant meetings of the risk committee.
  • Risk management reviews are to be scheduled as a regular meeting agenda item at governance meetings.

The objective of communication and consultation is to aid relevant stakeholders in comprehending risk, the rationale behind decision-making, and the necessity for specific actions. Communication endeavors to foster awareness and understanding of risk, while consultation involves soliciting feedback and information to support decision-making. Effective coordination between the two should facilitate the exchange of information that is factual, timely, relevant, accurate, and understandable, while also respecting the confidentiality, integrity of information, and privacy rights of individuals. Communication and consultation with appropriate external and internal stakeholders should occur throughout all stages of the risk management process. Their aims include:

  • Bringing together diverse areas of expertise for each phase of the risk management process.
  • Ensuring that various perspectives are appropriately considered when defining risk criteria and evaluating risks.
  • Providing adequate information to facilitate risk oversight and decision-making.
  • Fostering a sense of inclusivity and ownership among those impacted by risk.

6.3 Scope, context and criteria

6.3.1 General

Establishing the scope, context, and criteria aims to tailor the risk management process, facilitating effective risk assessment and suitable risk treatment. This involves defining the process’s scope and comprehending both external and internal contexts.

6.3.2 Defining the scope.

XXX shall define the scope of its risk management activities. The scope of risk management covers every level of management activity, and all strategic planning and decision-making processes within XXX, to support achievement of strategies and objectives. When strategizing the approach, factors to consider encompass:

  • Objectives and decisions requiring attention.
  • Anticipated outcomes resulting from the process steps.
  • Timeframes, locations, specific inclusions, and exclusions.
  • Suitable risk assessment methodologies and tools.
  • Necessary resources, delineation of responsibilities, and record-keeping.
  • Interconnections with other projects, processes, and activities.

6.3.3 External and internal context

The context of the risk management process varies according to the needs of the organization and the circumstances in which the risk management process is applied. Establishing the context may involve defining the scope and objectives of the activity, defining the relationships that will be affected, determining the liabilities and obligations connected with the activity, as well as the resources required. The context must be properly established; otherwise, the results of the assessment could be inaccurate or inadequate. XXX reviews on an annual basis the risk appetite (the amount and type of risks that it may or may not take, in relation to its objectives) that is presented during the annual strategic planning. The XXX Executive is to establish and document the various internal and external contexts and environments to ensure a broad spectrum of risk assessment and coverage over XXX operations.

External contexts include the following:

  • Legal and regulatory requirements
  • Social, cultural, political, financial, technological, and economic environments
  • Local, regional and state-wide context
  • Key business drivers and trends which may impact operations and resources
  • Relationships and perception of external partners and stakeholders, including the general public.

Internal contexts include the following:

  • Funding and resources
  • Organizational culture, structure and lines of authority
  • Internal policies and procedural requirements
  • Employee capabilities – knowledge, skills and experience
  • Information systems and decision-making processes.

6.3.4 Defining risk criteria.

The Risk committee should define the extent and nature of risk it is willing to accept in relation to its objectives and establish criteria for assessing risk significance and guiding decision-making processes. These risk criteria should be harmonized with the risk management framework and tailored to the specific purpose and scope of the activity in question. They should also reflect the organization’s values, objectives, resources, and be consistent with its risk management policies and statements. Moreover, they should consider the organization’s obligations and stakeholder perspectives. Although risk criteria should be determined at the outset of the risk assessment process, they are subject to change and should be regularly reviewed and adjusted, if necessary. When establishing risk criteria, the following factors should be considered:

  • The nature and variety of uncertainties that affect outcomes and objectives (both tangible and intangible).
  • Definition and measurement of both positive and negative consequences and likelihood.
  • Time-related considerations.
  • Consistency in measurement application.
  • Determination of risk level.
  • Incorporation of combinations and sequences of multiple risks.
  • Organizational capacity.

6.4 Risk Assessment

6.4.1 General

Risk Assessment is the overall process of risk identification, risk analysis and risk evaluation. The aim of risk treatment is to choose and execute strategies for managing risk. This process involves an iterative cycle of:

  • Developing and choosing risk treatment strategies.
  • Planning and executing risk treatment measures.
  • Evaluating the efficacy of the treatment.
  • Determining whether the residual risk is acceptable.
  • If deemed unacceptable, implementing additional treatment measures.
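The iterative treatment cycle above can be made concrete with a small risk register that scores each risk inherently (without controls) and residually (with controls), compares the residual score with a tolerance threshold, and applies further treatment only while the residual risk remains unacceptable. The following is an added worked example, not code from XXX’s ERM Manual; the 5-point likelihood and impact scales, the rating bands, the per-category tolerance thresholds, the control effect sizes and the three sample risks are all constructed assumptions for illustration (the Manual leaves these to be set by the Risk Committee).

```python
"""Worked risk-register example (added illustration, not part of XXX's ERM Manual).

All scales, thresholds and sample risks below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed 5-point scales; XXX's own scales are set by the Risk Committee.
LIKELIHOOD: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT: Dict[str, int] = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed tolerance: the highest residual score (likelihood x impact) acceptable per category.
TOLERANCE: Dict[str, int] = {"Strategic": 9, "Operations": 9, "Compliance": 6, "Financial": 9}


def rating(score: int) -> str:
    """Assumed rating bands on the 1..25 score (High / Medium / Low)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class Control:
    """A treatment measure; reductions are steps down the likelihood/impact scales (assumed)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    risk_id: str
    category: str          # one of the Manual's classes: Strategic, Operations, Compliance, Financial
    description: str
    likelihood: str        # key of LIKELIHOOD, assessed without controls
    impact: str            # key of IMPACT, assessed without controls
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Inherent risk: the rating with no controls in place."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Residual risk: the rating after every applied control, floored at 1 on each scale."""
        lik, imp = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        for c in self.controls:
            lik = max(1, lik - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
        return lik * imp

    def within_tolerance(self) -> bool:
        return self.residual_score() <= TOLERANCE[self.category]


def treat_until_acceptable(risk: Risk, candidates: List[Control]) -> Tuple[List[str], int, bool]:
    """The iterative cycle: apply the next candidate control, re-evaluate the residual risk,
    and stop as soon as it is within tolerance. Returns (controls applied, residual score, acceptable)."""
    applied: List[str] = []
    for control in candidates:
        if risk.within_tolerance():
            break
        risk.controls.append(control)
        applied.append(control.name)
    return applied, risk.residual_score(), risk.within_tolerance()


def build_register() -> List[Risk]:
    """Constructed sample register (hypothetical risks, not XXX's)."""
    return [
        Risk("R1", "Compliance", "Staff unaware of updated data-handling policy", "likely", "major"),
        Risk("R2", "Operations", "Single supplier for a key consumable", "possible", "moderate"),
        Risk("R3", "Financial", "Unhedged foreign-currency exposure on contracts", "almost certain", "severe"),
    ]


def register_report(risks: List[Risk]) -> List[dict]:
    """One row per risk: inherent vs residual score and rating, and whether it is acceptable."""
    return [{
        "id": r.risk_id, "category": r.category,
        "inherent": r.inherent_score(), "inherent_rating": rating(r.inherent_score()),
        "residual": r.residual_score(), "residual_rating": rating(r.residual_score()),
        "acceptable": r.within_tolerance(),
    } for r in risks]


def run_example() -> Tuple[List[dict], Dict[str, Tuple[List[str], int, bool]]]:
    register = build_register()
    # Assumed candidate treatments per risk, in the order the owner would try them.
    candidates = {
        "R1": [Control("Annual policy attestation", likelihood_reduction=1),
               Control("Automated compliance monitoring", likelihood_reduction=2)],
        "R2": [Control("Qualify a second supplier", likelihood_reduction=1)],
        "R3": [Control("Currency hedging programme", impact_reduction=2)],
    }
    outcomes = {r.risk_id: treat_until_acceptable(r, candidates.get(r.risk_id, [])) for r in register}
    return register_report(register), outcomes


if __name__ == "__main__":
    report, outcomes = run_example()
    for row in report:
        print(row)
    for rid, (applied, residual, ok) in outcomes.items():
        print(rid, applied, residual, "accept" if ok else "ESCALATE: further treatment required")
```

Running it shows the three outcomes the cycle can produce: R1 needs two rounds of treatment before its residual score drops within the Compliance tolerance; R2 is already within tolerance, so no treatment is applied; R3 stays above the Financial tolerance after the only candidate control, which is the case that must go back to the Risk Committee for additional treatment or a decision on acceptance. Tracking the inherent score alongside the residual score also shows how much risk reduction each control is credited with, which is what an auditor uses to decide which controls are essential.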

6.4.2 Risk identification

Risk identification is the process of finding, recognizing and describing risk. The first part of Risk Assessment is Risk Identification, which is the identification of events, consequences or changes in circumstances that could affect objectives, strategies, process or operations. This aims to generate a comprehensive list of risks that might create, enhance, prevent, degrade, accelerate, delay, or otherwise affect the achievement of objectives. It is recognized that comprehensive identification is critical because a risk that is not identified at this stage will not be included in further analysis. This step essentially aims to answer the question: What circumstances or events might affect the achievement of the objectives?

XXX adopts the ISO definition of Risk which is “the effect of uncertainty on objectives.” The effect may be positive, negative, or a deviation from the expected. Also, a risk is often described by an event, a change in circumstances or a consequence.

The organization should use risk identification techniques that are suited to its culture and capability. To facilitate enterprise risk identification, the risks are classified into the following:

  • Strategic Risks – These risks arise when there are forces in the external environment that could either put the organization out of business, or significantly change the fundamentals that drive its overall objectives and strategies.
  • Operations Risks – These risks arise when operations are inefficient and ineffective in executing the organization’s business model, satisfying customers and achieving the organization’s quality, cost and time performance objectives.
  • Compliance Risks – These risks arise when there is noncompliance with prescribed organization policies, procedures or laws and regulations that result in penalties, fines, etc.
  • Financial Risks – These risks arise when cash flows and financial risks are not managed cost effectively to maximize cash availability, reduce uncertainty of currency, interest rate, credit and other financial risks, or move cash funds quickly and without loss of value to wherever they are needed most.

Process Risk Assessment is carried out by the Risk Assessment Team at the Facility Management Division of Alghanim International, comprising the Department Head and MR, for all key processes as well as support processes.

The XXX Executive is to take the following actions to effectively identify risks associated with major projects, programs and change initiatives:

  • Consider all sources of potential risk, potential impacts and changes in the regulatory environment. The risk categories identified below are to be used to ensure that all risk areas have been considered in the risk identification process. These categories outline the sources of risk:
    • Human Resources
    • Reputation
    • Business Continuity
    • Corruption & Fraud
    • Financial
    • Data and Information Management
    • Stakeholder (Community & Political)
    • Service/Product Delivery
    • Work Health & Safety
    • Security & Property
    • Legal & Legislative
    • Environment
    • Technology
  • Determine the potential causes of risks without consideration of current controls, so as to establish the inherent risks associated with IPC functions/processes. Risk identification should include risks regardless of whether the risk source is under the control of the IPC or of external parties.
  • Consideration should be given to the cumulative effects of multiple risks on IPC functions/operations.
  • A wide range of potential consequences should be considered, recorded and assessed.
  • A broad range of employees/stakeholders are to be consulted in determining the inherent risks to the IPC.

6.4.3 Risk analysis

The Risk committee is to take the following actions in performing risk analysis associated with major projects, programs and change initiatives. Each risk identified shall be risk analyzed to ensure an in-depth understanding of the risk, including:

  • Sources and causes of the risk.
  • Positive and negative consequences of the risk occurring.
  • Likelihood of the risk occurring without controls being applied.
  • Factors that may impact, encourage, and limit the risk eventuating as described.
  • Interdependence of risks on each other, including multiplicity effects.

Process Risk Assessment is carried out by the Risk Assessment Team. Assessment is carried out for all key processes as well as support processes. The Risk Assessment Team shall carry out a Brainstorming Session to identify all risks having a negative impact on the quality of the product/service and on business reputation.
Risk Assessment is carried out based on the Matrix/guidelines given below:

Some Techniques for Risk Assessment & Management include:

  • Interviews
  • Benchmarking
  • SWOT analysis
  • Risk questionnaires and risk surveys
  • Using technology

6.4.4 Risk evaluation

The Risk committee is to take the following actions in performing risk evaluation:

  • Identify the existing practices and procedures that currently exist that minimize the risk and assess their strengths and weaknesses. A control may be a process designed to provide reasonable assurance regarding the achievement of objectives. Controls may arise as outcomes of previous risk treatment activities. Types of controls include:
    • Segregation of duties.
    • Documentation trails.
    • Physical security over assets.
    • Checks and reconciliations.
    • Authority for approvals.
  • Risk Assessment details are entered in the Process Risk Assessment Format by the Risk Team.
  • For each risk element, Severity is assigned on a scale of 1 to 5, based on the consequences identified in terms of Quality of Product/Service and Business Reputation.
  • Assign a Probability score on a scale of 1 to 5, based on the severity and consequences of the risk, as per the Risk Assessment Matrix guidelines.
  • Calculate the overall risk level, i.e. Severity multiplied by Probability, and determine whether the overall risk level is Low, Medium or High as per the Risk Matrix Guidelines.
  • Develop Mitigation Steps to reduce the probability that a risk (High, Medium or Low) will materialize.
  • Develop Contingency Plans for High Risks.
  • All mitigation steps are listed in the Process Risk Analysis Record and effectively implemented by the Department.
  • Evaluate how much the Probability and Impact have been reduced: evaluate the Contingency and Mitigation strategies and reassign effective ratings to the risks.
  • Residual Risk Analysis/monitoring of the effectiveness of mitigation steps is carried out by the Risk Assessment Team after the implementation of all mitigation steps, and the result is recorded in the Process Risk Analysis Format by the Risk Assessment Team.
  • Monitoring of the effectiveness of the implemented controls/mitigation steps is carried out by the team at least once a year, based on which the risk assessment records may be modified.
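As an added example (not part of the XXX policy document), the following Python script works through the evaluation steps above: each risk is scored as Severity multiplied by Probability on the 1 to 5 scales, classified Low/Medium/High, flagged for a contingency plan when High, and re-rated after mitigation to give the residual risk. The page does not reproduce the Risk Matrix Guidelines, so the band thresholds (1-5 Low, 6-12 Medium, 13-25 High), the `ProcessRisk` record and the sample register are constructed assumptions.

```python
"""Worked instance of the 6.4.4 risk evaluation steps (added example).

Assumption: the band boundaries below are constructed placeholders; the
organization's own Risk Matrix Guidelines define the real thresholds.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

SCALE = range(1, 6)  # Severity and Probability are each rated 1 to 5

# Constructed thresholds for Severity x Probability (max 25).
LOW_MAX = 5
MEDIUM_MAX = 12


def risk_level(severity: int, probability: int) -> tuple[int, str]:
    """Return (score, band) with score = Severity x Probability."""
    if severity not in SCALE or probability not in SCALE:
        raise ValueError("Severity and Probability must each be 1..5")
    score = severity * probability
    if score <= LOW_MAX:
        return score, "Low"
    if score <= MEDIUM_MAX:
        return score, "Medium"
    return score, "High"


@dataclass
class ProcessRisk:
    """One row of the Process Risk Assessment Format (constructed layout)."""
    process: str
    description: str
    severity: int                 # inherent rating, before controls
    probability: int              # inherent rating, before controls
    mitigation_steps: list[str] = field(default_factory=list)
    # Effective ratings reassigned after mitigation; None until re-evaluated
    residual_severity: Optional[int] = None
    residual_probability: Optional[int] = None

    def inherent(self) -> tuple[int, str]:
        return risk_level(self.severity, self.probability)

    def residual(self) -> tuple[int, str]:
        """Residual risk after mitigation; unchanged if not yet re-rated."""
        sev = self.severity if self.residual_severity is None else self.residual_severity
        prob = self.probability if self.residual_probability is None else self.residual_probability
        return risk_level(sev, prob)

    def needs_contingency_plan(self) -> bool:
        """Contingency plans are developed for High (inherent) risks."""
        return self.inherent()[1] == "High"


def evaluate_register(risks: list[ProcessRisk]) -> list[dict]:
    """Build the Process Risk Analysis Record, highest inherent score first."""
    rows = []
    for r in risks:
        inh_score, inh_band = r.inherent()
        res_score, res_band = r.residual()
        rows.append({
            "process": r.process,
            "risk": r.description,
            "inherent": inh_score, "inherent_band": inh_band,
            "residual": res_score, "residual_band": res_band,
            "reduction": inh_score - res_score,
            "contingency_plan_required": r.needs_contingency_plan(),
            "mitigation_implemented": bool(r.mitigation_steps),
        })
    rows.sort(key=lambda row: row["inherent"], reverse=True)
    return rows


def open_findings(rows: list[dict]) -> list[dict]:
    """Rows still Medium or High after mitigation; these stay under monitoring."""
    return [row for row in rows if row["residual_band"] != "Low"]


# Constructed sample register for a facility-management process.
SAMPLE_REGISTER = [
    ProcessRisk("Access control", "Visitor badges not returned, allowing re-entry", 4, 4,
                ["Badges expire at end of day", "Reception reconciles the badge log"], 4, 2),
    ProcessRisk("Data & Information Mgmt", "Backup restore never tested", 5, 3,
                ["Quarterly restore test"], 5, 1),
    ProcessRisk("Procurement", "Single supplier for critical spare parts", 3, 2),
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER):
        print(row)
```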

6.5 Risk treatment

6.5.1 General

Risk Evaluation might show that certain risks need to be modified. In such case, Risk Owners shall develop strategies and implement actions that will treat or modify these risks. The objective of risk treatment is to choose and execute strategies for managing risk. Risk treatment encompasses a cyclical procedure that includes:

  • Developing and choosing risk management strategies.
  • Planning and executing risk management strategies.
  • Evaluating the efficacy of those strategies.
  • Determining if the residual risk is tolerable.
  • If deemed unacceptable, pursuing additional risk management measures.

6.5.2 Selection of risk treatment options

Choosing the most suitable risk treatment option(s) entails weighing the potential benefits in achieving objectives against the costs, efforts, or drawbacks of implementation. Risk treatment options may not always be mutually exclusive or universally appropriate.

Options for managing risk may include one or more of the following:

  • Avoiding the risk by opting not to initiate or continue the activity associated with the risk.
  • Embracing or escalating the risk to pursue an opportunity.
  • Eliminating the source of the risk.
  • Altering the likelihood or consequences of the risk.
  • Distributing the risk through contracts or insurance.
  • Retaining the risk through informed decision-making.

The rationale for risk treatment should extend beyond purely economic factors and consider all organizational obligations, voluntary commitments, and stakeholder perspectives. Selection of risk treatment options should align with XXX’s objectives, risk criteria, and available resources. When choosing risk treatment options, XXX considers stakeholder values, perceptions, and potential involvement, as well as the most suitable methods for communication and consultation. While certain risk treatments may be equally effective, they may vary in acceptability among different stakeholders. Despite careful design and implementation, risk treatments may not always yield anticipated outcomes and could lead to unintended consequences. Therefore, monitoring and review must be integral to the implementation of risk treatment to ensure effectiveness. Additionally, risk treatment may introduce new risks that require management. If no viable treatment options are available or if existing options do not sufficiently mitigate the risk, the risk should be documented and continually reviewed. Decision-makers and stakeholders should be informed about the nature and extent of residual risk following treatment. Remaining risk should be documented and subjected to ongoing monitoring, review, and, if necessary, further treatment.

6.5.3 Preparing and implementing risk treatment plans

When determining appropriate risk treatments/mitigation actions in respect of identified risks the risk committee is to ensure a Risk Treatment Plan (typically in the form of the Strategic Plan, Business Plan and Regulatory Plan) is defined and implemented for all medium, high and extreme risks. Risk mitigation strategies may include:

  • Avoiding the risk by deciding not to commence or continue a particular activity.
  • Increasing the level of acceptable risk.
  • Removing the source of the risk.
  • Changing the likelihood through control management.
  • Changing the consequences through control management.
  • Transferring the risk (e.g. through insurance).
  • Retaining the risk by informed decision and acceptance.

Select the best option in terms of feasibility and cost-effectiveness. Risk treatment is a cyclical process and after implementation of a treatment option, it should be monitored and reviewed regularly for effectiveness and modified if necessary.

Escalate any issues or events which pose a high or extreme level of risk to the risk champions. In determining what type of issues/events need to be escalated, managers and employees should have regard to the following:

  • Incidents which have occurred, or are likely to occur very shortly, that have the potential to attract media coverage and/or adversely impact the management of XXX, for example failure to meet a statutory deadline, or a major disruption such as industrial action or a major accident/incident.
  • Failure of a stakeholder relationship which will seriously impact a major or high-profile project, for example, a lead agency withdraws or threatens to withdraw its involvement or support for the initiative.
  • Significant budget shortfall or cost blowout of a project.
  • Failure to meet critical timeframes for completion of major or sensitive projects.
  • Breaches of probity.
  • Identification of a serious breach under the Code of Conduct or significant fraud.

6.6 Monitoring and review

Risk priorities do not always stay fixed but alter with changing circumstances. Risk mitigation strategies, such as Risk Treatment Action Plans and Risk Registers, need to be regularly reviewed and maintained as new risks emerge, old ones disappear, and existing risks change. The Risk Committee is to undertake a brief review of all Risk Treatment Action Plans monthly. Any significant issues should be addressed and recorded in the minutes of the meeting. A medium-level compliance review of selected business processes, major projects and change initiatives is to be undertaken through the internal audit plan. A comprehensive review of the Risk Register is to be performed annually by the Risk Committee, and a new Risk Register or an updated version of the previous year’s Risk Register needs to be compiled and tabled at the Risk Committee. Review and monitoring must also be done at each stage of the risk management process. Responsibilities for review and monitoring, as well as their frequency and scope, should be determined. The results of review and monitoring must be recorded and reported internally and externally as appropriate. XXX has a template for risk assessment. It contains the information that is essential for monitoring and reviewing the risk. The template is scalable and can be modified to reflect the complexity of risk assessment required by the given situation.

6.7 Recording and reporting

Documentation and reporting of the risk management process and its results should be conducted through suitable channels. Recording and reporting serve the following purposes:

  • Disseminating risk management activities and outcomes throughout the organization.
  • Offering information to aid decision-making.
  • Enhancing risk management endeavours.
  • Facilitating engagement with stakeholders, including those responsible and accountable for risk management activities.

Decisions regarding the creation, retention, and management of documented information should consider, among other factors, their intended use, sensitivity, and the external and internal context. Reporting plays a crucial role in the organization’s governance, aiming to enrich dialogue with stakeholders and aid top management and oversight bodies in fulfilling their duties. Considerations for reporting encompass, but are not restricted to:

  • Identifying diverse stakeholders and their unique information needs and preferences.
  • Evaluating the cost, frequency, and timeliness of reporting.
  • Selecting appropriate reporting methods.
  • Assessing the relevance of information to organizational objectives and decision-making processes.

ISO 25102:2020 Clause 4.2.3 Customer and supplier perspective

Projects can be undertaken from two perspectives:
a) customer or sponsoring organization: the organization owns the requirements and can either undertake the work or contract some or all the work to a supplier organization;
b) supplier or contractor organization: the organization provides, as a core basis or part of the business, a service or product to other organizations.

EXAMPLE 1 Examples of a service or product delivered by a supplier or contractor, as a project for revenue, can include the construction of roads, airports, railways and information technology systems.
In most cases, the supplier’s project scope is a portion of the customer’s project scope. Each party to a contract should look after its organizational interests in the project and have its justification for undertaking the project. The customer–supplier relationship can be confusing as, for some projects, this relationship can be both inter-organizational and intra-organizational. In such cases, the supplier’s role is carried out in part by an outside contractor or supplier for a customer that is from another department or section within the same organization.

EXAMPLE 2 An organization’s information technology department can undertake a software upgrade using contracted resources or partners for the manufacturing department. In these situations, supplier–customer roles can be multidimensional.
The parties to the contract should determine:

  • how project governance should operate on both sides of, and across, a contractual boundary.
  • the structure of the organization’s project management team.
  • the appropriate people to be involved in the project.
  • working practices to be adopted in relation to the project life cycle, as necessary for delivery.

The customer perspective and supplier perspective refer to how the project is viewed and managed from the standpoint of the customer/client and the supplier/contractor, respectively. Understanding both perspectives is crucial for successful project execution and delivery. Here’s an overview of each:

  1. Customer Perspective:
    • Initiation and Requirements:
      • Initiation: From the customer’s perspective, a project begins with the identification of a need or opportunity. The customer initiates the project to address a specific goal or problem.
      • Requirements: Customers define the project requirements, specifying what they expect to be delivered by the end of the project. Clear communication and understanding of these requirements are essential.
    • Expectations and Quality:
      • Expectations: Customers have expectations regarding the project outcomes, timeline, and budget. Managing and aligning these expectations with the project plan is crucial for customer satisfaction.
      • Quality: Customers often have quality standards that the project deliverables must meet. Ensuring that the final product or service aligns with these standards is a key customer-centric consideration.
    • Communication and Feedback:
      • Communication: Regular and effective communication is important to keep the customer informed about project progress, issues, and changes.
      • Feedback: Customers provide feedback throughout the project life cycle, especially during key milestones or reviews. Addressing feedback helps ensure that the project aligns with their expectations.
    • Acceptance and Closure:
      • Acceptance: The customer plays a crucial role in accepting or approving project deliverables. This is often done through formal acceptance processes or sign-offs.
      • Closure: From the customer perspective, project closure involves confirming that the project objectives have been met and that the deliverables align with the initial requirements.
  2. Supplier Perspective:
    • Bid and Contract:
      • Bid: Suppliers engage in bidding processes to win projects. This involves submitting proposals, cost estimates, and demonstrating their capability to meet the customer’s requirements.
      • Contract: Once awarded the project, the supplier and customer enter into a contract that outlines the terms, conditions, scope, and expectations.
    • Execution and Delivery:
      • Execution: Suppliers are responsible for executing the project according to the agreed-upon plan. This includes managing resources, schedules, and budgets.
      • Delivery: Suppliers must deliver the agreed-upon products or services on time and within the specified quality standards.
    • Risk Management and Issue Resolution:
      • Risk Management: Suppliers identify and manage risks that may impact project delivery, including factors that may arise from their own operations.
      • Issue Resolution: Suppliers address issues promptly, keeping the customer informed about challenges and proposing solutions.
    • Invoicing and Payment:
      • Invoicing: Suppliers submit invoices based on the agreed-upon payment milestones outlined in the contract.
      • Payment: Customers make payments to suppliers based on the terms specified in the contract, often tied to project milestones.

Understanding and effectively managing both perspectives are essential for project success. A well-balanced relationship between the customer and supplier contributes to successful project outcomes and positive long-term partnerships. Effective communication, collaboration, and mutual understanding of each other’s expectations are key elements in managing these perspectives.

Projects can be undertaken from two perspectives: customer or sponsoring organization; and supplier or contractor organization.

Projects typically involve two main perspectives: the customer (or sponsoring organization) and the supplier (or contractor) organization. Both perspectives are essential and play distinct roles in the successful execution of a project. In practice, the success of a project often depends on how well these two perspectives are integrated and managed. Projects benefit from a balanced and mutually beneficial relationship between the customer and the supplier. Each perspective brings unique strengths to the table, and their effective collaboration is what ultimately leads to project success. The effectiveness of a project depends on the collaboration, communication, and alignment of interests between the customer and the supplier.

  • Customer Perspective Importance:
    • Initiation and Funding: The customer is crucial for initiating the project by identifying needs and providing financial resources.
    • Oversight and Control: The customer’s oversight ensures the project aligns with organizational objectives, and their control helps in decision-making.
    • Acceptance and Benefits Realization: Customers ensure the project meets expectations and works toward realizing the anticipated benefits.
  • Supplier Perspective Importance:
    • Proposal and Execution: Suppliers bring expertise and resources to execute the project according to the customer’s requirements.
    • Risk Management and Issue Resolution: Suppliers manage risks associated with project execution and promptly address issues to keep the project on track.
    • Delivery and Invoicing: Suppliers are responsible for delivering the agreed-upon products or services and submitting invoices for payment.

Key Considerations:

  1. Collaboration: Effective collaboration between the customer and the supplier is critical. Clear communication, mutual understanding, and a collaborative mindset contribute to project success.
  2. Alignment of Objectives: Both parties must align their objectives to ensure that the project meets the customer’s needs and expectations while allowing the supplier to deliver value.
  3. Communication: Open and transparent communication is key. Regular updates, feedback, and discussions between the customer and supplier help in addressing issues promptly.
  4. Contractual Agreements: Well-defined contracts that outline roles, responsibilities, expectations, and deliverables contribute to a smoother project execution.

The customer or sponsoring organization is the organization that owns the requirements and can either undertake the work or contract some or all of the work to a supplier organization.

The customer or sponsoring organization is the entity that initiates the project, owns the requirements, and has the authority to undertake the work internally or choose to contract it out to a supplier organization. Let’s break down the key points:

  1. Initiation and Ownership: The customer or sponsoring organization identifies a need, opportunity, or goal that necessitates a project. They own the project requirements and define the scope, objectives, and desired outcomes.
  2. Decision to Undertake or Outsource: The customer organization has the option to undertake the project work using its internal resources or to contract some or all of the work to external supplier organizations. This decision is often influenced by factors such as expertise, resource availability, cost considerations, and the complexity of the project.
  3. Contracting Work to Supplier Organizations: If the decision is made to contract out the work, the customer organization engages with supplier organizations through a bidding or proposal process. Contracts are established to formalize the relationship, outlining the terms, conditions, deliverables, and other relevant details.
  4. Oversight and Control: The customer organization provides oversight to ensure that the project aligns with organizational goals and objectives. They retain control over major decisions, scope changes, and project direction.
  5. Acceptance and Benefits Realization: The customer organization is responsible for accepting the final deliverables and ensuring that they meet the specified requirements. The organization aims to realize the anticipated benefits outlined in the project’s business case or objectives.

This dynamic illustrates the customer’s central role in shaping the project and deciding how the work will be executed. The flexibility to choose between undertaking the work internally and contracting it out provides the customer organization with strategic options to best achieve its goals. Effective collaboration and communication between the customer organization and the selected supplier organizations are crucial for project success.

The supplier or contractor organization is the organization that provides, as a core basis or part of its business, a service or product to other organizations.

A supplier or contractor organization is an entity that operates by providing services or products as a core part of its business to other organizations. Let’s break down the key points:

  1. Core Business Offering: A supplier or contractor organization’s primary business model revolves around offering specific services or products to meet the needs of other organizations.
  2. Service or Product Provision: The organization specializes in delivering a particular service or product, and this offering is typically designed to cater to the requirements of its clients or customers.
  3. External Engagement: Supplier organizations engage externally with various entities, such as businesses, government agencies, or non-profit organizations, to provide their specialized services or products.
  4. Contracts and Agreements: Supplier organizations enter into contracts or agreements with their clients, specifying the terms, conditions, deliverables, and other relevant details of the services or products to be provided.
  5. Operational Expertise: These organizations often possess expertise in their domain, leveraging their skills, knowledge, and resources to deliver high-quality services or products to their clients.
  6. Client Satisfaction: The success of a supplier organization is often measured by client satisfaction, the ability to meet contractual obligations, and the delivery of value to the clients.
  7. Diversified Client Base: Supplier organizations may serve a diverse client base across different industries or sectors, depending on the nature of their offerings.
  8. Risk Management and Issue Resolution: Supplier organizations are responsible for managing risks associated with service or product delivery and addressing issues that may arise during the course of a project or engagement.

A supplier or contractor organization plays a pivotal role in the broader business ecosystem by providing specialized services or products to meet the needs of its clients. The relationship between the customer organization (that initiates a project) and the supplier organization is crucial for successful project outcomes, and effective communication and collaboration are key elements in this dynamic.

In most cases, the supplier’s project scope is a portion of the customer’s project scope.

That’s a common scenario in many projects, especially when a customer engages a supplier or contractor to provide specific goods or services. The supplier’s project scope is often a defined portion of the overall project scope outlined by the customer. This approach allows organizations to leverage external expertise or resources for specific aspects of a project while maintaining control and oversight over the entire project. It also facilitates a more efficient and cost-effective execution of projects by allocating tasks to specialized suppliers who can deliver specific components with expertise and efficiency. Here are some key points to understand this relationship:

  1. Customer’s Overall Project Scope: The customer, as the initiator of the project, outlines the overall project scope, including the goals, objectives, and the complete set of deliverables they aim to achieve.
  2. Segmentation of Work: Within the customer’s project scope, specific tasks, activities, or components may be identified as suitable for outsourcing or contracting to a supplier. This segmentation is based on factors such as expertise, resource availability, or specialized capabilities.
  3. Supplier’s Project Scope: The supplier’s project scope is defined within the parameters set by the customer. It includes the specific tasks or deliverables that the supplier is responsible for, often outlined in a contractual agreement or statement of work.
  4. Collaboration and Integration: The supplier’s work is integrated into the broader project, and there is a need for close collaboration between the customer and the supplier to ensure alignment and consistency with the overall project objectives.
  5. Clear Communication: Clear communication is crucial to delineate the boundaries of the supplier’s scope and to establish how it aligns with the customer’s larger project. This includes defining interfaces and dependencies between the different scopes.
  6. Project Management Coordination: Project managers on both sides, i.e., the customer and the supplier, work together to coordinate and manage the interfaces, dependencies, and timelines associated with the supplier’s scope within the larger project.
  7. Deliverable Integration: The supplier’s deliverables are integrated into the overall project, ensuring that they contribute effectively to achieving the customer’s project objectives.
  8. Quality Assurance: The customer often maintains quality control and assurance over the entire project, including the work delivered by the supplier. This ensures that all components meet the necessary standards.

Each party to a contract should look after its organizational interests in the project and have its justification for undertaking the project.

When entering into a contract, each party—whether it’s the customer or the supplier/contractor—has a responsibility to protect and advance its organizational interests. A well-structured contract and a collaborative approach, where each party looks after its organizational interests, contribute to the success of the project. This involves a balance between protecting one’s interests and fostering a positive and mutually beneficial working relationship throughout the project lifecycle. Here’s an elaboration on this idea:

  1. Customer’s Organizational Interests:
    • Justification for the Project: The customer initiates a project to address a specific need, capitalize on an opportunity, or achieve strategic objectives. The project aligns with the customer’s overall organizational goals and mission.
    • Return on Investment (ROI): The customer seeks a positive return on investment, expecting that the benefits derived from the project will outweigh the costs incurred.
    • Organizational Growth: Projects are often undertaken to facilitate organizational growth, improve efficiency, enhance competitiveness, or enter new markets.
  2. Supplier/Contractor’s Organizational Interests:
    • Business Opportunities: Suppliers or contractors see projects as business opportunities that align with their expertise, capabilities, and core offerings. Winning and successfully completing projects contribute to their business growth.
    • Financial Considerations: Suppliers aim for financial viability and profitability in delivering contracted services or products. Contractual terms, pricing, and payment schedules are crucial aspects.
    • Reputation and Client Relationships: Successfully delivering projects enhances the reputation of the supplier. Building strong client relationships fosters repeat business and positive word-of-mouth referrals.
  3. Mitigating Risks: Both parties have a vested interest in identifying and mitigating risks that could impact the successful completion of the project. This includes financial risks, timeline risks, and risks related to quality and scope.
  4. Clear Agreements: The contract serves as a legal document that outlines the terms, conditions, responsibilities, and deliverables. Both parties should ensure that the contract is clear and comprehensive, protecting their respective interests.
  5. Collaboration and Transparency: Open and effective communication between the customer and the supplier is crucial. Transparency about expectations, challenges, and changes ensures that both parties are well-informed and can address issues promptly.
  6. Measuring Success: The success of the project is measured against predefined metrics and objectives. Both parties should be aligned on how success will be evaluated and what constitutes a satisfactory outcome.
  7. Adapting to Changes: Organizational interests may evolve during the course of the project. Both parties should be flexible and willing to adapt to changes, with due consideration for the impact on the overall project goals.

The customer–supplier relationship can be confusing as, for some projects, this relationship can be both inter-organizational and intra-organizational.

The customer–supplier relationship can manifest in both inter-organizational and intra-organizational contexts. Understanding these dynamics helps organizations navigate the complexities of customer–supplier relationships, whether they occur between separate entities or between different departments within the same organization. Effective management of these relationships is crucial for achieving project success and organizational goals. Let’s explore each of these dimensions:

  1. Inter-organizational Customer–Supplier Relationship:
    • Definition: In an inter-organizational context, the customer and the supplier are separate, distinct entities or organizations. They may have independent structures, goals, and operations.
    • Examples: This could involve a company (customer) contracting services or products from an external vendor or supplier. For instance, a manufacturing company might engage a logistics firm for transportation services.
  2. Intra-organizational Customer–Supplier Relationship:
    • Definition: In an intra-organizational context, the customer and the supplier roles are maintained, but both entities exist within the same overarching organization. This could occur in large enterprises with diverse business units or departments.
    • Examples: Consider a scenario where the marketing department (customer) requests graphic design services from the in-house design team (supplier) within the same company. Here, the roles are still customer and supplier, but they operate within the same organization.

Key Considerations:

  • Interdependence: In both scenarios, there is a level of interdependence. The success of the customer’s goals is linked to the supplier’s ability to deliver quality products or services, regardless of whether they are separate organizations or different units within the same organization.
  • Contractual Relationships: Both inter-organizational and intra-organizational customer–supplier relationships often involve the establishment of contracts or agreements that define expectations, deliverables, timelines, and other terms.
  • Communication and Collaboration: Effective communication and collaboration are essential in ensuring that the customer’s needs are met by the supplier. This is true whether they are distinct organizations or units within the same organization.
  • Resource Allocation: The allocation of resources, whether financial, human, or other, is a consideration in both types of relationships. This includes considerations about budgeting, staffing, and other resources required to fulfill the customer’s requirements.
  • Performance Measurement: Measuring the performance of the supplier in meeting customer expectations is a common factor in both scenarios. Metrics and key performance indicators may be established to assess the success of the relationship.
  • Organizational Alignment: In both cases, there is a need for alignment between the customer’s objectives and the supplier’s capabilities. Understanding organizational goals and ensuring that they are complementary contributes to a successful relationship.

The customer–supplier relationship can indeed be complex and, at times, challenging to navigate. Several factors contribute to the potential confusion in such relationships. Here are some reasons why this dynamic can be intricate:

  1. Customer Goals vs. Supplier Goals: The customer and the supplier may have different overarching objectives. While the customer aims to meet specific project goals or organizational needs, the supplier may be focused on delivering services or products profitably.
  2. Communication Gaps: Miscommunication or lack of clear communication can lead to misaligned expectations between the customer and the supplier. Different interpretations of project requirements or deliverables can create confusion.
  3. Changing Requirements: As project dynamics evolve, the customer’s requirements may change. The supplier might find it challenging to adapt to these changes, leading to confusion about scope, timelines, and resource allocations.
  4. Unclear Contracts: If the contractual agreement lacks clarity, ambiguity can arise regarding roles, responsibilities, deliverables, and other terms. This can lead to disputes or misunderstandings during the project.
  5. Language and Cultural Differences: In international business relationships, language barriers and cultural differences can complicate communication and lead to misunderstandings.
  6. Power Imbalances: Depending on the nature of the customer–supplier relationship, power imbalances can occur. A dominant customer or supplier might impose terms that the other party finds challenging.
  7. Turnover: Changes in leadership or key personnel on either side can disrupt established communication channels and working relationships, causing confusion.
  8. Budget Constraints: Customers might have tight budgets, leading to pressure on suppliers to cut costs. This can affect the quality of deliverables and strain the relationship.
  9. External Market Conditions: Economic uncertainties, market fluctuations, or unforeseen external factors can impact the financial stability and operational capacity of both customers and suppliers.
  10. Hidden Agendas: If there’s a lack of transparency between the customer and the supplier, suspicions about hidden agendas or motives can contribute to confusion.

Mitigating Confusion:

  1. Clear Communication: Establish open channels of communication, clarify expectations, and ensure that both parties understand the project’s goals and requirements.
  2. Comprehensive Contracts: Draft contracts with clear and comprehensive terms, including detailed specifications, timelines, and deliverables. Regularly review and update contracts as needed.
  3. Collaborative Project Management: Foster a collaborative project management approach where both parties work together to address challenges, changes, and uncertainties.
  4. Regular Review Meetings: Schedule regular review meetings to discuss project progress, address concerns, and ensure alignment between the customer’s expectations and the supplier’s capabilities.
  5. Risk Management: Implement a robust risk management plan to identify, assess, and mitigate potential risks that could lead to confusion or project disruptions.

By addressing these factors and implementing effective communication and management strategies, organizations can navigate the complexities of customer–supplier relationships more successfully, minimizing confusion and fostering positive collaborations.

In such cases, the supplier’s role is carried out in part by an outside contractor or supplier for a customer that is from another department or section within the same organization.

In situations where the supplier’s role is partially fulfilled by an outside contractor or supplier for a customer from another department or section within the same organization, this scenario represents an intra-organizational customer–supplier relationship. Here are some key aspects of such a setup:

  1. Internal Customer and Supplier Roles: The customer and supplier roles are maintained, even though they exist within the same organization. For example, one department (acting as a customer) seeks services or products from another department or an external contractor (acting as a supplier).
  2. Project or Service Requests: The internal customer department initiates a project or service request, outlining its specific needs, requirements, and objectives. This request is directed toward an internal or external supplier.
  3. Contractual Arrangements: There may be formal contractual arrangements or agreements, similar to those in external customer–supplier relationships. These agreements define the terms, conditions, deliverables, and expectations between the internal customer and supplier.
  4. Resource Allocation and Billing: Resource allocations, including budgeting and staffing, are considerations in this relationship. Billing or cost allocation mechanisms may be established to ensure proper financial accounting for services or products rendered.
  5. Communication and Collaboration: Effective communication and collaboration are crucial. Clear channels of communication help ensure that the internal customer’s needs are understood, and the internal or external supplier can deliver the required services or products.
  6. Quality Assurance: Quality assurance and performance measurement are maintained. The internal customer department expects the same level of quality and adherence to standards from the internal or external supplier as it would from an external contractor.
  7. Project Management Coordination: Project managers from both the customer and supplier sides collaborate to coordinate activities, manage timelines, and ensure that the internal project or service request is delivered successfully.
  8. Budgeting and Financial Considerations: Both the customer and supplier departments need to manage their budgets effectively. Financial considerations, including cost estimates, billing, and financial reporting, may be integral to the relationship.
  9. Flexibility and Adaptability: As with external customer–supplier relationships, internal relationships should be adaptable to changes in project scope, requirements, or organizational priorities.
  10. Conflict Resolution: Mechanisms for resolving conflicts or disputes should be in place. Clear escalation paths and dispute resolution procedures can help address issues that may arise during the course of the internal project.

This intra-organizational customer–supplier relationship allows different sections or departments within the same organization to leverage each other’s expertise and resources efficiently. Effective management of these relationships is essential for promoting collaboration, ensuring project success, and maximizing the organization’s overall efficiency and effectiveness.

In these situations, supplier–customer roles can be multidimensional.

In intra-organizational scenarios where the supplier–customer roles are fulfilled within the same organization, the roles can indeed be multidimensional. This complexity arises from the interplay of various factors within the organizational structure. Understanding and effectively managing these multidimensional supplier–customer relationships within an organization require a strategic approach, effective communication, and a culture that encourages collaboration across departments. Clear governance structures, defined processes, and a focus on overall organizational success are essential components in navigating the complexities of these roles. Here’s a breakdown of how supplier–customer roles can be multidimensional in such situations:

  1. Internal Supplier and Customer Relationships: Within a single organization, different departments or units often play both supplier and customer roles simultaneously. For instance, a marketing department might act as a customer when seeking services from the IT department (internal supplier), and vice versa.
  2. Cross-Functional Collaboration: Multidimensional roles involve cross-functional collaboration. Departments with different specialties or functions collaborate to meet the needs of one another, creating a network of internal customer–supplier relationships.
  3. Project-Based Relationships: Supplier–customer roles can shift based on project requirements. A department may act as a supplier for one project, providing expertise or resources, and as a customer in another project, seeking support or services from a different department.
  4. Resource Sharing: Departments may share resources, skills, or knowledge across the organization. For instance, a research and development department might act as a supplier of innovative ideas to various customer departments seeking new concepts for products or services.
  5. Service Centers and Shared Services: Organizations may establish internal service centers or shared services that act as suppliers to various internal customers. These service centers provide centralized support such as human resources, finance, or IT services to other departments.
  6. Cost Allocation and Internal Billing: Multidimensional roles often involve internal cost allocation and billing mechanisms. Departments may allocate costs for shared resources or services, and internal billing may occur to track and manage these financial transactions.
  7. Matrix Organizational Structures: Organizations with matrix structures amplify the multidimensional nature of supplier–customer roles. Employees may report both to functional managers (specialist roles) and project managers (project-based roles), leading to complex relationships.
  8. Knowledge Transfer and Learning: Multidimensional roles provide opportunities for knowledge transfer. Supplier departments share expertise with customer departments, fostering a culture of learning and collaboration within the organization.
  9. Strategic Alignment: The multidimensional nature of roles requires strategic alignment across departments. Clear communication and understanding of organizational goals ensure that supplier–customer relationships contribute to broader organizational objectives.
  10. Performance Metrics: Departments involved in multidimensional roles may be evaluated based on performance metrics as both suppliers and customers. Metrics may include project delivery timelines, resource utilization, customer satisfaction, and more.

The parties to the contract should determine how project governance should operate on both sides of, and across, a contractual boundary.

Defining how project governance should operate is a crucial aspect of contract management, especially when there is a contractual boundary between parties. Project governance outlines the structure, processes, and decision-making mechanisms that guide how a project is managed and controlled. When parties to a contract collaborate on project governance, it helps ensure that both sides have a shared understanding of expectations, responsibilities, and the overall management framework. By jointly determining how project governance should operate, parties can foster a collaborative and effective working relationship. This proactive approach helps prevent misunderstandings, promotes accountability, and contributes to the overall success of the project. It also sets the foundation for a positive long-term partnership between the contracting parties. Here are key considerations in determining how project governance should operate across a contractual boundary:

  1. Governance Structure: Clearly define the governance structure, including roles and responsibilities on both sides of the contractual boundary. Specify key decision-makers, project managers, and any relevant committees or boards.
  2. Communication Protocols: Establish effective communication protocols. Define how information will be shared, the frequency of updates, and the channels through which communication will take place. Ensure transparency to foster a collaborative environment.
  3. Project Reporting: Determine the reporting mechanisms for project progress, issues, and risks. Specify the format and frequency of project reports. This helps in keeping both parties well-informed and aligned on project status.
  4. Decision-Making Processes: Clearly articulate decision-making processes. Define which decisions require joint approval, which can be made independently by each party, and how disputes or disagreements will be resolved.
  5. Change Management: Establish a change management process. Outline how changes to the project scope, schedule, or other elements will be proposed, evaluated, and approved. Include mechanisms for addressing changes in contractual terms.
  6. Risk Management: Define the approach to risk management. Identify how risks will be assessed, monitored, and mitigated. Clearly state each party’s responsibilities in managing and responding to project risks.
  7. Performance Metrics: Determine key performance indicators (KPIs) and metrics that will be used to assess project success. Align these metrics with the overall objectives outlined in the contract. Regularly review and evaluate performance against these metrics.
  8. Contractual Compliance: Ensure that project governance aligns with the contractual terms and conditions. This includes compliance with contractual milestones, deliverables, and any specific requirements outlined in the agreement.
  9. Issue Resolution Mechanism: Establish a clear mechanism for issue resolution. Define how issues and disputes will be escalated, addressed, and resolved. This helps prevent minor disagreements from escalating into major conflicts.
  10. Contract Management: Develop robust contract management processes. Outline how changes to the contract, renewals, or extensions will be managed. Clearly define the responsibilities of each party in maintaining the contractual relationship.
  11. Continuous Improvement: Foster a culture of continuous improvement. Encourage feedback and lessons learned from both parties. Use this information to refine project governance processes for future collaborations.

The parties to the contract should determine the structure of the organization’s project management team.

Determining the structure of the organization’s project management team is a critical aspect of project governance, especially when parties are engaged in a contractual relationship. The project management team structure defines the roles, responsibilities, and reporting lines within the team. Collaboratively establishing this structure ensures that both parties are aligned on how the project will be managed. By collaboratively determining the structure of the project management team, the parties to the contract can promote effective communication, streamline decision-making processes, and enhance the overall management and coordination of the project. This proactive approach contributes to the success of the project and the maintenance of a positive working relationship between the contracting parties. Here are key considerations when determining the structure of the project management team:

  1. Roles and Responsibilities: Clearly define the roles and responsibilities of each team member. This includes project managers, team leads, subject matter experts, and any other key positions. Ensure that responsibilities align with the project objectives and contractual requirements.
  2. Reporting Lines: Establish reporting lines within the project management team. Determine who reports to whom, both within each organization and across the contractual boundary. This clarity helps streamline communication and decision-making.
  3. Project Manager Selection: Decide how the project manager will be selected. In some cases, each party may have its own project manager responsible for internal coordination. Alternatively, a joint project manager may be appointed to represent both parties.
  4. Collaborative Decision-Making: Specify how decision-making will be handled within the project management team. Determine whether decisions require consensus, joint approval, or if there’s a designated decision-maker for specific aspects of the project.
  5. Cross-Functional Teams: Consider the need for cross-functional teams that involve members with diverse skills and expertise. This is particularly relevant if the project requires input from various disciplines or departments.
  6. Communication Protocols: Establish communication protocols within the project management team. Define how information will be shared, the frequency of updates, and the preferred channels of communication.
  7. Integration with Organizational Structures: Align the project management team structure with the organizational structures of both parties. Ensure that the team’s composition complements the strengths and capabilities of each organization.
  8. Resource Allocation: Determine how resources will be allocated within the project management team. This includes human resources, budgetary considerations, and access to any shared resources.
  9. Project Governance Team: Consider the establishment of a project governance team that includes key stakeholders from both parties. This team may have a strategic oversight role and be responsible for addressing high-level project issues.
  10. Change Management Team: If changes to the project scope or requirements are anticipated, establish a change management team with representation from both parties. This team can assess proposed changes and recommend adjustments as needed.
  11. Knowledge Transfer: If applicable, include mechanisms for knowledge transfer within the team. This is important for ensuring that expertise and insights are shared across team members from different organizational backgrounds.
  12. Conflict Resolution Mechanism: Clearly define a mechanism for resolving conflicts within the project management team. Establish procedures for escalating issues and resolving disputes in a timely and effective manner.

The parties to the contract should determine the appropriate people to be involved in the project.

Determining the appropriate people to be involved in the project is a crucial step in project governance, particularly in a contractual relationship. Identifying the right individuals and stakeholders ensures that the project benefits from diverse skills, expertise, and perspectives. By collaboratively determining the appropriate people to be involved in the project, the parties can establish a well-rounded and capable team. This proactive approach contributes to effective communication, enhances decision-making processes, and supports the successful execution of the project. Here are key considerations when determining the people to be involved in the project:

  1. Stakeholder Identification: Collaboratively identify all relevant stakeholders from both parties involved in the contract. This includes individuals directly involved in project execution, decision-makers, and those affected by the project outcomes.
  2. Project Sponsorship: Determine who will serve as the project sponsor(s) from both the customer and supplier sides. Project sponsors play a crucial role in providing high-level support, advocating for the project, and ensuring alignment with organizational goals.
  3. Project Management Team: Define the composition of the project management team. Identify project managers, team leads, subject matter experts, and any other key roles. Ensure that the team structure facilitates effective collaboration between the customer and supplier.
  4. Cross-Functional Representation: Ensure cross-functional representation within the project team. Include individuals with diverse skills and expertise relevant to the project’s scope. This may involve members from different departments or disciplines within each organization.
  5. Decision-Makers: Clearly identify decision-makers on both sides of the contractual boundary. Specify who has the authority to make decisions related to project scope, changes, and other critical aspects. Establish decision-making protocols.
  6. Communication Liaisons: Appoint communication liaisons or coordinators responsible for facilitating communication between the customer and supplier. This helps in maintaining clear and open lines of communication throughout the project.
  7. Subject Matter Experts: Identify and involve subject matter experts (SMEs) who possess specialized knowledge relevant to the project. SMEs contribute insights, guidance, and technical expertise to ensure the project’s success.
  8. Change Management Team: If changes to the project scope are anticipated, establish a change management team with representatives from both parties. This team can assess proposed changes and evaluate their impact on project objectives.
  9. Quality Assurance and Testing: Determine the individuals responsible for quality assurance and testing. This includes roles related to ensuring the quality and functionality of deliverables, as well as compliance with contractual requirements.
  10. User Representatives: If the project involves the development of products or services for end-users, include user representatives who can provide insights into user needs and expectations.
  11. Legal and Contractual Experts: Engage legal and contractual experts who can provide guidance on legal aspects, contractual obligations, and compliance issues. These individuals play a critical role in ensuring that the project aligns with legal requirements.
  12. Project Governance Team: Establish a project governance team consisting of representatives from both parties. This team may have oversight responsibilities, monitor project progress, and address high-level issues.
  13. Knowledge Transfer Facilitators: If applicable, designate individuals responsible for facilitating knowledge transfer within the project team. This helps ensure that expertise and insights are effectively shared across team members.
  14. Risk Management Team: Form a risk management team with representatives from both parties. This team assesses, monitors, and mitigates risks throughout the project lifecycle.
  15. Training and Onboarding Coordinators: If the project involves new technologies or processes, designate individuals responsible for training and onboarding team members. This ensures that the team is equipped to work effectively.

The parties to the contract should determine working practices to be adopted in relation to the project life cycle, as necessary for delivery.

Determining the working practices for the project life cycle is a critical aspect of project governance in a contractual relationship. The working practices define how the project will be executed, monitored, and controlled throughout its life cycle. By collaboratively determining working practices for the project life cycle, the parties involved can ensure a common understanding of how the project will be executed and controlled. This proactive approach supports effective collaboration, minimizes misunderstandings, and contributes to the overall success of the project. Here are key considerations when determining working practices for the project life cycle:

  1. Project Initiation: Clearly define the processes and activities for project initiation. This includes the identification of project objectives, scope, stakeholders, and the establishment of project governance structures.
  2. Project Planning: Specify the approach to project planning. Determine how the project scope will be defined, how tasks will be scheduled, and how resources will be allocated. Define the planning methodologies and tools to be used.
  3. Roles and Responsibilities: Clearly outline the roles and responsibilities of team members, stakeholders, and decision-makers at each stage of the project life cycle. Define who is accountable for what and establish reporting lines.
  4. Communication Protocols: Establish communication protocols for the entire project life cycle. Define how information will be shared, the frequency of updates, and the preferred channels of communication. Ensure transparency and accessibility.
  5. Risk Management: Define the approach to risk management. Specify how risks will be identified, assessed, monitored, and mitigated throughout the project. Establish a risk management plan that guides decision-making.
  6. Change Management: Determine how changes to the project scope, requirements, or other aspects will be managed. Establish a change management process that includes the identification, evaluation, and approval of changes.
  7. Project Execution: Clearly outline the processes and practices for project execution. This includes how tasks will be performed, how progress will be monitored, and how issues will be addressed in real-time.
  8. Quality Assurance: Establish quality assurance practices. Define how the quality of deliverables will be ensured, including processes for testing, validation, and adherence to quality standards.
  9. Monitoring and Reporting: Specify the mechanisms for monitoring project progress and generating reports. Define the key performance indicators (KPIs) that will be tracked and establish the frequency and format of project reports.
  10. Decision-Making Processes: Clearly articulate decision-making processes. Define which decisions require approval from specific stakeholders, the criteria for decision-making, and the escalation path for unresolved issues.
  11. Project Reviews and Audits: Determine the frequency and process for project reviews and audits. Establish when and how project performance, deliverables, and processes will be reviewed to ensure alignment with project objectives.
  12. Closure and Handover: Define the processes for project closure and handover. Specify how project completion will be verified, how documentation will be archived, and how knowledge transfer will occur.
  13. Collaboration Tools and Technologies: Identify the collaboration tools and technologies to be used throughout the project life cycle. This may include project management software, communication platforms, and other collaborative tools.
  14. Performance Metrics: Establish performance metrics to measure the success of the project. Define the criteria for success and ensure that metrics align with the overall objectives outlined in the contract.
  15. Continuous Improvement: Foster a culture of continuous improvement. Encourage feedback from team members and stakeholders, and use lessons learned to refine working practices for future projects.