THE QHSE GROUP


Risk management involves understanding, analysing and addressing risk to make sure organisations achieve their objectives, so it must be proportionate to the complexity and type of organisation involved. Enterprise Risk Management (ERM) is an integrated, joined-up approach to managing risk across an organisation and its extended networks.


Business risk is a broad category. It applies to any event or circumstance that has the potential to prevent you from achieving your business goals or objectives. Business risk can be internal (such as your strategy) or external (such as the global economy).

Different types of risk should be managed and treated differently.

You should understand exactly what type of risk you are facing before you consider how to deal with it.

The four main types of risk are:

Strategic risk – eg a competitor coming on to the market
Compliance and regulatory risk – eg introduction of new rules or legislation
Financial risk – eg interest rate rise on your business loan or a non-paying customer
Operational risk – eg the breakdown or theft of key equipment

These categories of risks are not rigid and some parts of your business may fall into more than one category. The risks attached to data protection, for example, could be considered when reviewing both your operations and your business’ compliance.


Strategic Risks
These are risks that arise from an organization’s business strategy and objectives. For example, entering a new market or launching a new product may have strategic risks associated with them.

Operational Risks
These are risks that arise from an organization’s day-to-day activities and processes. Examples include technology failures, employee errors or supply chain disruptions.

Financial Risks
These are risks that arise from an organization’s financial operations and management. Examples include credit risk, market risk and liquidity risk.

Legal/Compliance Risks
These are risks that arise from an organization’s failure to comply with laws, regulations or industry standards. Examples include contract disputes, intellectual property disputes, employment law violations, data privacy violations or noncompliance with environmental regulations.

Reputational Risks
These are risks that arise from damage to an organization’s reputation, image or brand. Examples include product recalls, lawsuits or negative media coverage.


Strategic
Reduction in business vitality due to competition, healthcare reforms and increasing pricing pressures
Loss of intellectual property and trade secrets
Increasing geopolitical barriers to trade in the form of protectionism and nationalism
Barriers to affordable quality care, including suboptimal healthcare systems that limit access to medicines or products
Negative impact to reputation/loss of public trust

Operational
Breakdown in movement of goods and information within the organization and/or with suppliers and consumers
Loss of business continuity or resilience
Procurement and supplier risks, including those related to human rights
Availability of key materials and/or labor
Inefficient use of resources/increased product cost

Compliance
Increasing regulatory changes and enforcement in areas such as:
Clinical trial subject/patient safety
Protection and handling of personal information in accordance with data protection/data privacy requirements
Employee health and safety
Selling and promotion of products, including healthcare compliance, Foreign Corrupt Practices Act/global anti-corruption laws, U.S. government contracts/programs
Product quality, safety and effectiveness concerns
Significant legal proceedings, including product liability

Financial
Poor financial results or economic performance
Changes in tax laws or exposures to additional tax liabilities
Fluctuating currency exchange rates; inflation and currency devaluation
Financial misstatement
Credit risks

Environmental
Increased severe-weather events such as storms and flooding
Increased pollution due to inadequate waste management
Use of unsustainable materials in the product lifecycle

Social
Human capital development risks, including leadership sustainability, management succession and capability, employee engagement and accountability
Unfair labor practices, including collective bargaining, freedom of association and grievance processes

Cybersecurity
Data breach or fraud
Impact to availability of critical information systems
Security incident at critical third party affecting business operations

Health and safety risk
General health and safety risks can be presented in a variety of forms, regardless of whether the workplace is an office or construction site. The key is identifying the types of hazards that could occur, such as physical, ergonomic, chemical and biological, assessing the risks and putting the appropriate control measures in place to make sure that your employees feel safe and taken care of, physically and mentally. The best workplace health and safety measures offer the greatest amount of protection and the most reliability.

Reputational risk
All businesses have a reputation to maintain with their stakeholders, including investors, employees and, of course, customers. Decisions made by organisations, as well as incidents where they are liable, can create negative press and significantly affect brand perception. Reputational risk has become an even greater concern for organisations in recent years, due in large part to the rise of social media, which allows for almost immediate global communications that make it more challenging for companies to control how they are perceived. Understanding threats to your reputation and how to manage those situations is a must.

Operational risk
Although day-to-day operations are often tried and tested to minimise dangers, incidents or unexpected circumstances could still take place, as the last several months have made blatantly clear. Operational risk refers to the risk of loss resulting from failed internal processes, people or systems or external events. Examples include global crises, IT systems failure, data breaches, fraud, loss of people and litigation, among others. Organisations, therefore, must know the daily functions, processes and systems that are critical to their business operating normally and have plans and procedures in place to manage those risks and ensure ‘business as usual’.

Strategic risk
While the day-to-day operations of your organisation are important, managing your organisation’s strategic goals is just as fundamental to future success. Strategic risk refers to external causes or circumstances that, if they were to occur, would be serious enough to alter the strategic direction of your business, impacting its future success or failure. All organisations are open in varying degrees to strategic opportunities and threats. Exploring how such changes might affect your organisation will help mitigate the issues that might be created.

Compliance risk
Government bodies have in place an array of industry laws, regulations, policies and best practices to ensure ethical business practices. Not complying with these obligations can have great financial and legal implications for organisations, posing risks to achieving business objectives and operating in general. That said, in today’s globally interconnected and fast-paced world, rules and regulations can change quickly and the legal frameworks can be difficult to navigate. This is why compliance management should be prioritised.

Financial risk
Most types of risk have financial consequences, like extra costs or lost revenue. Financial risk, though, specifically refers to money flowing in and out of your business and the chance for sudden financial loss. For example, if your company expands internationally, fluctuating exchange rates impose a financial risk you should take into account, because they will affect the dollar amount your company receives. Ultimately, the goals of any organisation cannot be achieved without sound financial management and it is crucial to anticipate financial risks, assess the impact of those risks and be prepared to react to or avoid adverse events.
