The concept of risk and risk assessments has a long history, and risk continues to be of cultural significance in contemporary society in nearly all aspects of life. Should I cross the road or wait? Are our assets going to experience flooding this year? Will economic uncertainty continue, or do I need to plan for trade sanctions? While it is unlikely that anyone would dispute the importance of actively managing risks, more focus needs to be put on risk definitions.
The choice of definitions can affect more than just the layout of a risk register. It can change the outcome of policy debates, budget and resource allocation, safety strategies, and political leadership within companies and societies. Each aspect focuses on different concerns and priorities, exposing just how fragmented and diverse our understanding of risk is.
With regulators starting to ask organizations to go beyond providing a list of key risks and explain how they reached those conclusions, being ready to answer those questions is essential. That starts with revisiting your understanding and risk definitions to understand why these risks matter – or to challenge whether they really do.
To help you better understand and identify risk, we explore:
When talking about risk, does everyone share the same understanding? This can be a hidden question, or it can drive organizations to document everything. Driven by the need to ensure shared understanding, the Department of Homeland Security (DHS) created a risk definition Lexicon that sets out 746 pages of unified controlled vocabulary and framework guidance to use when communicating and sharing data between teams. [1] While this brings total clarity, keeping up to date with it would be a full-time job.
Definitions should drive value and support organizational frameworks. In our Emerging and Interconnected Risks Survey we provided the International Risk Governance Council definition of emerging risks, “a risk that is new, or a familiar risk in a new or unfamiliar context or under new context conditions (re-emerging)”, alongside definitions for the 48 survey risks that fit on two pages to provide shared understanding.
Risks and opportunities arising from changes in the global financial environment, including: insurability, economic outlook, volatility, sanctions, financial shocks and business finances
Table 1 provides a view of the six financial risks and a full view of the taxonomy risks can be found in the appendix of the report. By considering the full taxonomy you can challenge your own view of risk, especially as these risks rarely operate in isolation. Human capital risks are a good example of this, as they can fit in talent and performance, governance, business and operational, and societal.
Category | Risk | Description |
---|---|---|
Financial | Insurance gaps | Uninsurable risks or underinsurance leaving some markets, regions or socio-economic groups vulnerable. |
Financial | Economic outlook | The uncertainty or potential challenges associated with the future trajectory of the economy. Including: Inflation, recession, market crash. |
Financial | Trade sanctions | Restriction of trade activities with certain foreign targets, including: trade embargoes, tariffs, protectionism. |
Financial | Financial shock | Unexpected disturbance which originates from the financial sector and has a significant effect on an economy. Including: market crash, sovereign default, asset bubble. |
Financial | Business financial risk | Inability to finance operations due to loss of market share, M&A, costs, intangible assets. |
Financial | Volatility | Rapidly changing financial dynamics, including price of raw materials and inputs, access to and cost of capital, commodities, credit risk. |
The discussion of risk definitions for organizations often manifests itself in the risk register. This important piece of documentation has a critical role in ensuring the risk strategies and culture of the company are aligned. One aspect it seems all risk strategies can agree on is that, when it comes to the identification of risks, it is essential for organizations to determine which risks will have the most impact on their long-term strategy and overall purpose so they can prioritize accordingly when it comes time for treatment strategies.
Risk registers are often a collection of risks with varying levels of detail about the causes, the impact of consequences, risk owners, the probability of the event and the likelihood of occurrence. Risk registers can be a response to legally required mandates or risk assessments. They can also be a key part of a risk manager’s strategy.
There are recommendations for risk register content such as ISO 31000 and COSO’s guidelines, but experience with companies of all sizes and sectors reveals little in the way of consistency for risk naming within companies, let alone between different companies. In today’s risk environment, while research is scarce, those companies which engage with their risks and embrace strategic risk management are performing ahead of their peers. In a study of Taiwan’s financial industry, enterprise risk management (ERM) adoption was found to significantly help organizations improve revenue (9.22%) and cost efficiencies (16.34%). [2]
Risk identification is not enough to manage risk on its own, but it is the first step in informing the design and management of effective risk control interventions. Thus, companies attempting to mature in their risk strategies move from strategies founded on inexperience or a strategy of avoidance to those which enable them to actively engage with risks – moving towards taking advantage and finding opportunities from risk rather than being victims of it. For example, empirical evidence shows that U.S. bank holding companies that had active risk management strategies, with balance sheets displaying higher risk taking, were less likely to become insolvent during the 2007-2009 financial crisis. [3]
Risk registers and risk descriptions can tell you a lot about the risk maturity of an organization. As an organization matures and with the passing of time, risks can and should change as understanding builds on how they may represent risks or opportunities, and awareness increases internally on the impacts across risk and strategy. If this information is not created in a collaborative fashion, this may lead departments to work off different data. Inevitably these disparities can lead to some or all departments having incomplete or inaccurate data, which, according to IBM estimates, costs the US alone $3 trillion per year. [4]
Risk maturity | Environmental | Geopolitics | Technology |
---|---|---|---|
Low risk maturity | Climate change | Geopolitics | Disruptive technologies |
High risk maturity | Increased hurricane activity and tornado alley moving east, causing workforce and production disruption | Geopolitical tensions and uncertainty leading to supply-side shocks such as inflation and economic downturn | Adoption of new digital technologies requiring new skills, and the ability to access a labour pool with those skills |
The choice of definition can affect more than just the layout of a risk register. It can change the outcome of policy debates, budget and resource allocation, safety strategies, and political leadership within companies and societies. Each aspect focuses on different concerns and priorities, exposing just how fragmented and diverse our understanding of risk is.
When challenging your risk definitions, it is essential to seek viewpoints beyond just your own. 40% of the wider employees who responded to our Emerging and Interconnected Risks survey feel they’ve never been consulted on their organization’s emerging risks. Are views from across the business being fed into your organizational view on an ongoing basis? If not, you have an opportunity to decide what to prioritize and build that from the ground up.
By having internal stakeholders throughout the company provide insights and challenges for your risk definitions and registers, you can combat the inaccuracies of data found in siloed companies and equip your company with a wider, more complete view, for a more effectual knowledge base.
Connecting to your employee engagement survey is a way to harness pre-existing resources and diverse perspectives from colleagues at the frontlines of risk. This is particularly the case for large and complex organizations, where this type of analysis can identify interconnected risks that have the potential to impact strategic objectives.
Organizations need an approach that supports value rather than one that just gives stakeholders comfort, through annual reporting, that they are secure. To effectively manage emerging risks, it is crucial to go beyond merely identifying them and to thoroughly analyze their causes and consequences.
By integrating your risk management strategy with your strategic planning and business goals, you get more than just a safety net—you get a powerful tool for uncovering opportunities in the face of uncertainty. Design a framework with built-in repeatability and continuous review as new risks and interdependencies emerge.
A robust risk framework is the foundation of a company’s approach to identifying, assessing and preparing your priority enterprise risks to align with your strategic objectives and improve long-term profitability. It promotes a systematic, unified approach to risk management, crucial to avoiding fragmented or inconsistent responses to threats. Understanding where your organization is on its maturity journey, and how you benchmark against industry standards and peers can support decision making across the various elements of an ERM approach:
For instance, in risk identification and assessment, an undeveloped framework lacks a formal process, relying on siloed or ad hoc approaches. On the other hand, an embedded framework features a robust, cross-functional risk identification process with scaled prioritization criteria consistently applied at both Group and business unit levels, where significant risks are quantified by frequency and severity.
A strong risk strategy must do more than equip organizations with consistent resiliency to the everyday risks of business operations. The frequency of crises is on the rise, with “black swan” events occurring so often that shocks now overlap. To thrive in this environment, business leaders need to have access to risk assessments to understand what, when and where organizations could be impacted. A cohesive view on which aspects of a risk are of highest importance, i.e. the causes, the event itself or the consequences, will foster more consistent additions to the risk register in terms of risks and causal factors. This, in turn, will lead to a stronger tool for decision making.
Periodically assessing your risk registers for concentrations is a good exercise in determining risks of highest concern. In this exercise, it is important to challenge why risk concentrations occur.
Note that these options are not mutually exclusive. These questions can give insight into whether more controls are needed in these areas. Similarly, assessing your risk registers for gaps allows a risk register to adapt to changing circumstances and identify areas for improvement.
We’ve seen how transparency around the process and the methodology and a common language are essential to ensure your risk management strategy is aligned with your organization's overall objectives.
By looking at your organization’s risks collectively, risk management can break down silos and foster collaboration and, with this, drive a risk management approach that’s aligned with, and is crucial to, delivering better financial performance.