When identifying and evaluating the various types of risks that can threaten a business, enterprises sometimes combine these risks into buckets that are specific to an area of concern, such as enterprise risks, operational risks, financial risks, reputational risks, competitive risks, economic risks and compliance risks.
To manage and mitigate these risks as part of an enterprise risk management (ERM) plan, companies need to focus on four fundamental elements upon which most organizations are built -- people, processes, technologies and facilities -- and how they can cascade into other types of business risks.
1. People risks
People are almost always an underlying factor in positive or negative outcomes for an enterprise. Risks to people can affect -- or create -- virtually any other risk.
Market risks can evolve from someone making a poor decision on how to approach the development and release of a new product, resulting in a product that doesn't sell, is inappropriate for the market, is released too early or too late, is priced too high, is poorly designed or doesn't perform as advertised. Competitive risks could be exacerbated if another firm makes better decisions and achieves a market "win" over its competitors.
Compliance risks evolve when someone within an organization accidentally or deliberately doesn't adhere to specific regulations, standards or other benchmarks, potentially resulting in legal risks, litigation, costly penalties and bad publicity that could morph into reputational risks.
Without enough people, a business would have difficulty functioning and could even cease to exist. The COVID-19 pandemic has shown the types of business risks that people can bring to an organization. Remote work, for example, evolved practically overnight as a principal strategy to address the risks of losing employees during the pandemic. Media stories of businesses suffering and teetering on the edge of failure probably numbered in the tens of thousands.
2. Process risks
From assembly lines to supply chains to digital workflows, failure to execute important business processes properly can become a strategic risk to an organization and create downstream risks to other parts of an enterprise, especially if a process malfunction disrupts strategic planning efforts.
Numerous business risks can ensue if an incident disrupts a manufacturer's ability to produce a product, a weak link in the supply chain slows scheduled deliveries or unlocked siloed data results in unfulfilled customer engagements.
As demonstrated by the pandemic, businesses faced a serious downturn or failure without the necessary people and technologies to perform the required tasks.
3. Technology risks
Considering how much businesses depend on access to the internet, wireless communications, highly sophisticated business systems and applications, laptop computers and smartphones, any kind of power loss or technical failure can devastate an organization's ability to function. Even with the advent of cloud-based services that speed business operations, provide alternate processing and data backup systems, and support disaster recovery, technology risks persist.
From an ERM perspective, cybersecurity is among the top corporate concerns. The growing number of cyber attacks involving phishing, distributed denial-of-service and ransomware creates an enormous amount of risk to a business. A ransomware attack, for example, that should have been identified and prevented can devastate a company, especially if the bad news reaches the media news cycle.
4. Facility risks
The effects of the pandemic made remote work a necessity, while advances in technology are making hybrid workforces a reality.
In many cases, the need for excessive floor space in high-rise office buildings as well as office spaces in large industrial complexes has been minimized. Companies can save the costs associated with leasing space and managing building campuses on acres of land. Yet there's the question of how long a majority of employees can work remotely without the face-to-face collaboration and sociability that come with an office environment. This brings us back to people risks.
As businesses slowly return to office environments, new questions, business models and risks emerge: What if employees don't want to return to the office? What if they want to continue working remotely? Could a hybrid arrangement be amenable to employees and management?
Aside from COVID-19, a number of facility risks can impact virtually any aspect of an organization, such as a total power outage at a manufacturing plant or office complex. As changes occur in the climate, business facilities may be at increased risk of disruptions from severe storms, hurricanes, tornadoes, mudslides, wildfires, earthquakes and tsunamis. The downstream effect on other risk factors can be enormous.
Implementing enterprise risk management practices
Small and medium-sized companies are no less at risk than multibillion-dollar global enterprises. Businesses making risk assessments and investing in ERM need to focus on the four primary risk elements: people, process, technology and facility.
By identifying the threats and vulnerabilities that influence these four underlying factors, enterprises can effectively manage and mitigate the negative effects on other types of business risks, resulting in positive business outcomes.