Risk categorisation

An example of categorisation

The categorisation of risk is more complex than it might initially look. Setting the right categories for your organisation is an essential part of any risk management framework. There are many models to choose from, but the best approach is to take bits from each to suit your needs.

Some examples of categories along with a brief description are shown below. And remember, once you have them you can use them to help you report on your risks or even start your own Assurance Map.

Strategic Risks

Organisations generally have forward-looking business plans and strategies. Risks that impact on these are strategic risks: they make your strategy less effective or even completely ruin the ability to achieve your goals.

For example, Kodak had such a dominant position in the film photography market that when one of its own engineers invented a digital camera in 1975, it saw the innovation as a threat to its core business model and failed to develop it.

If Kodak had analysed the strategic risk more carefully, it would have concluded that someone else would start producing digital cameras eventually, so it was better for Kodak to cannibalise its own business than for another company to do it. Failure to adapt to a strategic risk led to bankruptcy for Kodak.

Operational Risks

Operational risk refers to an unexpected failure in the organisation's day-to-day operations. It could be a technical failure, like a server outage, or it could be caused by people or processes. In some cases, operational risks can also stem from events outside your control, such as a natural disaster, a power cut, or a problem with a website host. Anything that interrupts your core operations comes under the category of operational risk.

Compliance Risks

Are you complying with all the necessary laws, regulations and policies that apply to what you are doing? Laws change all the time, and there’s always a chance that you will face additional regulations in the future. As the organisation evolves what it does, you might find yourself needing to comply with new rules that didn’t apply to you before.

Financial Risk

Most categories of risk have a financial impact in terms of extra costs or lost revenue. But the category of Financial Risk refers specifically to the money flowing in and out of the organisation, and the possibility of a sudden financial loss.

For example, the desire to maximise available funds has in the past led a lot of organisations to invest in products offered by Icelandic banks, which were themselves driving their growth through easy access to credit in international financial markets. When the banks' ability to obtain funds was reduced, they were unable to meet the demands placed on them by investors, ultimately leading to their collapse and, in turn, to investors being unable to retrieve the full value of their deposits.

Change Risks 

These are risks which are created by decisions to pursue new endeavours beyond current capability. They can be driven by the implementation of new targets, a desire to provide new services or redesign existing ones, or perhaps the application of new policies.

Not all change risks are managed under the banner of a formal project; lots are managed as part of the normal business-as-usual activities.

Environmental Risks

Environmental risks can be described as the actual or potential threat of adverse effects on living organisms and the environment. This can be caused by emissions, waste, resource depletion, pollution, climate change and so on.

The cause of these types of risks may not be directly attributable to a single activity or organisation. They can be difficult to mitigate in isolation and any actions to address them are likely to be costly.