When I wrote How to be a Chief Risk Officer, I found it helpful to organise risks into this pyramid. It doesn’t mean that the risks at the bottom are less important than the ones at the top. And not all of these apply in all situations. However, I feel it’s a logical progression and an aide-memoire as I think through the risks in an organisation.
Starting at the top, if your Strategy is poorly defined or not being properly executed, all your other efforts are for nought. Start here.
Then I looked at People Risk. There are a ton of risks to manage through the whole employee lifecycle. In addition, you have Conduct Risk, which is the risk that the actions of your people cause detriment to others.
After that, Technology is so pervasive, I put it next. This is where you consider Information Security Risk, Cyber Risk and Data Privacy Risk.
Next came Financial Risk. These are some of the most visible and well-understood risks. You have to consider solvency, liquidity, market risk (e.g. the risk of interest rate and currency changes) and the sometimes overlooked Financial Reporting risk – everything to do with the preparation of your financial statements.
Finally, there are the Operational Risks. Here I capture ten of the most-common risks facing organisations today, from physical security to transaction processing.
How does this resonate with you? What risks do you put at the top of your list? What have I missed?
