Managing Multiple Facets of Risk

Posted by: ehtisham.syed


I often see interesting discussions among industry professionals about the types of risk, or risk taxonomy (the science and technique of classification). The question is whether there is a best practice. The short answer is no. Risk is categorized in different ways by different BoKs: Basel II's top-level categories are credit, market and operational, while COSO's are operational, financial reporting and compliance.

Before delving any further into the subject matter, let's set the context. Every business operates within an external and an internal environment. The external environment encompasses everything from supply and demand conditions to economic and non-economic influences to industry forces such as competition, customers, suppliers and products. This is ground zero for strategy formulation.

 

The internal environment defines the business model of a firm, i.e. how the business will create value for the customer and for other stakeholders. This includes goal setting and the supporting financial and operational processes, assets, products and services for value creation.

These goals, or highest-level objectives, set the context for the risk assessment process. Goal setting is itself a decision-making risk and is therefore also subject to risk assessment (risk identification, analysis and evaluation), since risk management is part of the decision-making process.

So far, then, external and internal evaluation (situation analysis) is a precondition for goal setting (the highest-level objectives), which in turn is a precondition for risk assessment of all activities, from strategy (re)formulation to execution to monitoring and review (including the risk assessment process and internal controls/treatment plans).

Keeping this in mind, in the Global SPR Framework I have come up with the following top-level risk classification schema, along with potential sub-categories, which covers every aspect of a business model plus external factors outside the control of a business.

Strategic Risk: Risk during the strategic planning process. It is akin to decision risk with respect to the customer value proposition, and deals with the non-economic influences in the business environment, such as customer needs and wants, market segmentation, targeting and positioning, competition, brand, packaging, pricing, distribution channels, mergers and acquisitions, partnerships and alliances, stakeholder expectations, political and regulatory environments, social and demographic factors, technological changes, environmental factors (the famous PESTEL), business model, investment valuation, purpose, values and vision, strategic options, organizational structure, and goal setting.


Operational Risk: These are the risks that arise in strategy execution. In other words, this is “Conduct Risk”, referring to the business practices developed and adopted by a firm to implement its competitive strategy to create a competitive advantage in the marketplace. There is also an established industry definition from Basel II, which defines operational risk as “the risk of loss resulting from inadequate or failed processes, people and systems or from external events.” These external events are the same non-economic environmental influences that are part of strategic risk, and thus provide a linkage between strategic and operational risks, in the sense that once strategy is executed it becomes part of routine operations or operating strategy. However, unlike Basel, I would also include reputational risk in this category, along with legal, governance, compliance and organizational culture risks that may cause the strategy or the entire enterprise to fail if they were to occur. Business continuity and disaster recovery planning are also part of the operational risk category, to cope in the event of control failures.

Financial Risk: The exposure of earnings or net worth to economic influences in the business environment, such as interest rates, currency and commodity prices, financial instruments, liquidity and cash flow, and credit/default risk, is what I will refer to as financial risk.

Project Risk: These are the risks associated with the execution of capital projects and other initiatives in pursuit of strategy. PMI’s PMBOK 4th edition defines project risk management as the processes involved with identifying, analyzing, and controlling risks for the project.

Black Swans: Though a subset of the operational risk category, Nassim Taleb's black swan events have a very low likelihood but catastrophic consequences should they occur. Dr. Kaplan and Anette Mikes, in their HBR article “Managing Multiple Dimensions of Risk”, termed these events “Unknown Unknowns” that are not only external and uncontrollable but also outside the realm of known experience.

In one of his articles, “Learning to Love Volatility”, Nassim Taleb writes,

 

“To deal with black swans, we instead need things that gain from volatility, variability, stress and disorder. My (admittedly inelegant) term for this crucial quality is “anti-fragile.” In short, in a world that constantly throws big, unexpected events our way, we must learn to benefit from disorder. We should try to create institutions that won’t fall apart when we encounter black swans—or that might even gain from these unexpected events.”

Risk is the likelihood of an event occurring. This (risk) event has both causes and potential consequences, such as financial, customer, legal, etc. Every cause is associated with a source. For example, fraud is a (risk) event, the cause of which could be an IT malfunction, and the associated source is IT/systems, which is one of the elements of operational risk as defined above. So it seems that the best sub-categorization is not by cause or consequence but by source, such as people, process, systems, customer, governments, economic and environmental forces, and so forth.

 

*The author’s views and opinions are entirely his or her own and may not reflect the views and opinions of 360factors.
