Reviewing the Five Types of Risk  (2024)

The recent announcement of the official end of the COVID-19 pandemic makes this a good time to review the five types of risk. During COVID, business tended to focus on only two of the five risk types; however, organizations that want to prosper over the long term need to be cognizant of and plan for all five kinds of risk.

Related on MHA Consulting: The ABCs of ERM: The Rise of Enterprise Risk Management

The government recently announced the official end of the COVID pandemic. This makes this an opportune moment to remind everyone that there are five types of risk—and that the prudent organization takes all of them into account.

During COVID, business focused mainly on two types of risk: operational and financial. This made a certain amount of sense during the most acute phases of the pandemic. In many cases, operations- and finance-related risks pose the most immediate threat.

However, for long term security, businesses need to balance a concern for those areas with vigilance about the other types of risk: strategic, compliance, and reputational. Over the medium and long term, these last three risk types have the power to do grave injury to the company. The wise organization develops strategies and plans to mitigate and prepare for all five types of risk.

In one respect, COVID continues to distort people’s approach to risk. It does so because recency bias makes recent past events loom the largest in people’s expectations of the future. Today many business continuity professionals are worrying disproportionately about the possibility of another pandemic, to the exclusion of other threats. Another pandemic could occur. But it’s also possible the next threat that impacts your organization will be something totally different. Organizations need to consider all types of risks, not just focus on preventing what has happened in the past.

The Five Types of Risk

As indicated above, the five types of risk are operational, financial, strategic, compliance, and reputational. Let’s take a closer look at each type:

• Operational. The possibility that things might go wrong as the organization goes about its business. Reflects the fact that assets, processes, and people can fail, leading to consequences for the business ranging from negligible to catastrophic.
• Financial. The potential costs or loss related to threats. This is often included in other risks but should be considered separately as well. Can include lost revenue; delayed revenue; restricted cash flow; and cost increases (such as for labor or supplies).
• Strategic. The potential to limit the ability to execute strategies, achieve objectives, and make decisions. Strategic risks are those pertaining to the possibility the company is moving in the wrong overall direction. Could include changes in business demand or need; competitive changes or pressure; technological changes; senior management turnover; and stakeholder concerns or pressure.

• Compliance. The potential to fall out of compliance with the guidelines, laws, or contracts the organization is obliged to operate under. This could happen if, for example, the company becomes unable to perform a certain function or loses the ability to monitor compliance activities. Common compliance areas include: regulatory requirements; best practices (as in accounting); elective compliance with standards such as ISO or ITL; and contractual terms and conditions.
• Reputational. The potential to lose financial, market, and social standing due to damage to reputation. This damage could be either warranted or unwarranted. Reputational risks include: management gaffes; criminal proceedings against the company or its employees; technology issues; strategic decisions; issues with product or service quality; and associations with vendors or partners. In recent years, social media has added a volatile new element to reputational risk.

The company that wants to protect its future continuously assesses and mitigates its risks across all five of these areas.

Negative Repercussions of COVID

I mentioned previously that COVID has distorted some people’s assessment of likely future risks due to recency bias. That’s only one way in which our experience with the pandemic has pushed people’s planning and thinking in the wrong direction. Another repercussion of COVID is, we’ve noticed that some of our clients have concluded that the measures they took in response to the pandemic have left them fully prepared for all possible operational risks. This type of thinking has led some companies to develop a false sense of security.

In fact, at many of these organizations, long-term risks such as system outages caused by cyber events, human errors, and technological-implementation errors still have the potential to impact operational capabilities.

And last one point pertaining to the end of the pandemic: In situations where unwilling employees are required to return to the office, the potential exists for resentment, division, and damage to morale. This could potentially lead to new operational and financial risks. The prudent planner will take this possibility into account.

Managing Your Risks Across the Board

The following are some steps you could take to help your company manage its risks across the board:

• Assess your risks over all five areas and identify those that have the highest probability of occurring and those that would have the greatest impact if they did occur.

• Develop a set of actions (such as avoiding, accepting, sharing, or reducing the risk) to align the risks with the company’s risk tolerance and risk appetite.
• Establish and implement policies and procedures to help ensure that risk responses are effectively carried out.
• Identify, capture, and communicate important information in a format and timeframe that enables people to carry out their responsibilities.
• Monitor the company’s risk management process and position and modify them if necessary.
• Assess the residual risk after you have developed plans and mitigation strategies.

Managing Risk Across All Five Areas

In analyzing and managing risk, organizations must guard against letting recent past events over control their current thinking. While operational and financial risks may pose the most immediate threat, businesses must balance concern for those areas with vigilance about the other types of risk: strategic, compliance, and reputational.

Companies should assess their risks across all five areas and identify those with the highest probability of occurring and the greatest impact if they did occur. The suggestions given above point the way toward a rational, comprehensive approach to assessing and mitigating risk.

Further Reading

For more information on risk management, and other hot topics in business continuity and IT disaster recovery, check out the following recent posts from MHA Consulting:

• The Risk Management Process: Manage Uncertainty, Then Repeat
• Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask
• Don’t Just Hope: Choosing Strategies to Mitigate Risk
• Every Single Day: Make Risk Management Part of Your Company’s Culture
• The ABCs of ERM: The Rise of Enterprise Risk Management