Risk Categories

• Financial
• IT and Systems
• Legal/Compliance
• Operational 
• Reputational
• Strategic

Risk Identification and Assessment

Risk identification is the process of determining risks that could potentially prevent the enterprise from achieving its objectives. It includes documenting and communicating the concerns in a Risk Register.  Once risks have been identified and categorized, the potential hazards are analyzed according by probability and impact which allows the identification of high risk items.

Risk Treatment

Once risks are identified and prioritized, how will we respond to them?  The risk treatment involves the strategies to address the various risks - low or high, acceptable or unacceptable. By evaluating data in the Risk Register, ERM develops a response, or risk treatment, for those risks.  For each risk, a treatment is determined from options such as:

• Avoid
• Transfer
• Mitigate 
• Accept

The method of transferring risk is exemplified when we transfer risk from one party to another through the purchase of insurance.

Examples

General Liability Insurance – broad protection from injury, property, and other liability claims

Cyber Liability Insurance – protection from data breaches, hacking attacks and computer or network related crimes against your company that compromise confidential customer or company data

Errors and Omissions Insurance – Professional Liability Insurance: liability protection for claims against your organization for negligence, errors, oversights and mistakes

Key Definitions

Risk – uncertainty about outcomes that can be either negative or positive

Risk Appetite –  amount of risk (volatility of expected results) an organization is willing to accept in pursuit of a desired financial performance (returns)

Risk Management – process of making and implementing decisions that will minimize the adverse effects of accidental losses on an organization

Risk Transfer – process to determine which risks to assume (self insure) or transfer through insurance or bonds