Risk classification.
To manage risk effectively we first need to develop a common approach to risk management and a shared understanding of key terminology. This starts with how we classify risk. At the macro level that might involve organizing enterprise risk into broad categories, for example: Financial Risk, Non-Financial Risk and External Risk. Each of these categories will then have its own sub-categories. Let's look at how this might work using Non-Financial Risks, because these tend to be the most common risks we face.
There are no set rules or categories when it comes to the classification of Non-Financial Risk; the aim is simply to organize risks into manageable lots for treatment and oversight purposes. In this case we've chosen seven sub-categories: People, Business Interruption, Legal, Information Security, Product, Sales and Growth, and finally Innovation. Let's examine each of these categories in more detail.
Firstly, People Risk refers to Talent Risk, or the challenges associated with attracting and retaining key personnel; Conduct Risk, where people intentionally or unintentionally fail to follow the organization's rules or procedures, resulting in damage to the organization's performance or reputation; and lastly Health, Safety and Environmental (HSE) Risk, which refers to the possibility of harm arising from a workplace hazard.
The second category, Business Interruption (BI), refers to the risks associated with operational downtime, lost revenue and other operational interdependencies. Common BI risks include Technology Risk, such as hardware, software or network failures; damage to key assets arising from an accident or natural disaster; and Supply Chain Risk, where the inbound or outbound flow of goods is disrupted.
Third, Legal Risk usually relates to a lack of awareness of, misunderstanding of, ambiguity about, or reckless indifference to the way laws and regulations apply to the business. This could involve litigation arising from product liability issues, regulatory or compliance failure, or more general litigation arising from contractual disputes or occupational health and safety claims.
Next, Information Security Risk refers to the threats and vulnerabilities associated with the operation and use of information systems and the environments in which those systems operate, the most prevalent of which is Cyber Risk.
Then we have Product Risk, which refers to all risks related to the product lifecycle that might impact quality or customer satisfaction or, in the worst case, lead to product failure. This is followed by Sales and Growth Risk, which refers to any specific risks that might impact the organization's overall sales and growth strategy, and finally Innovation Risk, which refers to risks related to research and development, competitor innovation and the organization's ability to keep pace with market developments in order to meet its customers' needs and sustain growth.
Developing a shared understanding of key terminology and a common approach to risk classification is both a foundation and a prerequisite for effective risk management. In a future post we'll examine some of the practical tools we can use to manage risk.
Stay safe.