Organizations are exposed to business risks in varying degrees. These risks can be categorized as:
- Operational / strategic risk, which includes anything that could impede the organization's performance due to
  - external events (e.g. pandemics, natural catastrophes, climate change)
  - internal events (e.g. labor issues, strikes)
  - technology problems (e.g. increasing technical debt)
  - vendor choice / turnover
  - security issues (e.g. cybersecurity incidents)
- Reputational risk, which summarizes potential harm to the organization's
  - internal perception by its employees and shareholders
  - external perception by customers and the general public
- Compliance risk, which is related to the organization's responsibilities under applicable laws and regulations
- Environmental, Social and Governance (ESG) risk, which pertains to the organization's business ethics and practices (e.g. environmental management, respect for human rights, anti-bribery/-corruption, financial reporting)
Since risks often affect multiple business units or the whole organization, it is important to centralize risk management, i.e. the responsibility for identifying, assessing and mitigating threats that may significantly impair the organization's ability to conduct its current and future business. Particular attention needs to be paid to cumulative risks, i.e. the organization's total exposure arising from several parallel but independent risk factors with the same impact (e.g. each of several vendors that process personal data on behalf of the organization could independently suffer a data breach, so the likelihood that at least one breach occurs is higher than for any single vendor).
Risk management is typically headed by a corporate executive, the Chief Risk Officer (CRO). Small and medium-sized organizations may not establish a separate position for risk management but instead assign the responsibility to another executive (for the sake of simplicity, hereinafter also called "CRO"). The CRO should ideally report to the CEO or the Board. Since most risks have a financial impact, the CRO may instead report to the Chief Financial Officer (CFO).
Like other executives with a horizontal, cross-functional responsibility (such as the CFO, the Chief Human Resources Officer (CHRO), or the Chief Data Officer (CDO)), the CRO needs to be an excellent communicator and influencer, since most mitigation measures are implemented by business units outside the CRO's direct control.
The CRO's responsibility includes the following risk management tasks:
- Document process maps with a focus on risks to both information and material, both in transit and at rest
- Analyze the organization’s risk profile in terms of potential operational, strategic, reputational, compliance and ESG risks
- Identify independent risk factors that could have the same impact and therefore accumulate into a larger total exposure
- Determine and quantify the organization's risk appetite
- Develop action plans to mitigate risks to the organization – both strategic and tactical
- Seek insurance coverage for residual risks, i.e. risks that remain after mitigation
- Integrate risk management priorities into the organization's overall strategy
- Plan and oversee budget for risk management and related projects
- Monitor the progress of risk mitigation efforts
- Communicate risk analysis and mitigation progress to the organization’s executives, board members and heads of business units