Organizations are exposed to business risks in varying degrees. These
risks can be categorized as:
  • Operational / strategic risk, which includes anything that could impede
    the organization’s performance due to
    • external events (e.g. pandemics, natural catastrophes, climate change)
    • internal events (e.g. labor issues, strikes)
    • technology problems (e.g. increasing technical debt)
    • vendor choice / turnover
    • security issues (e.g. cybersecurity incidents such as breaches or outages)
  • Reputational risk, which summarizes potential harm to the organization’s
    • internal perception by its employees and shareholders
    • external perception by customers and the general public
  • Compliance risk, which relates to the organization’s responsibilities
    under applicable laws and regulations
  • Environmental, Social and Governance (ESG) risk, which relates to the
    organization’s business ethics and practices (e.g. environmental
    management, respect for human rights, anti-bribery/-corruption, financial
    reporting)
Since risks often affect multiple business units or the whole organization,
it is important to centralize risk management, i.e. the responsibility for
identifying, assessing and mitigating threats that may significantly impair
the organization’s ability to conduct its current and future business.
Particular attention needs to be paid to cumulative risks, i.e. the
organization’s total exposure that arises from several parallel but
independent risk factors with the same impact (e.g. several vendors that
process personal data on behalf of a certain organization could each
independently suffer a data breach). Because such factors are independent,
mitigating one does not reduce the others, and the likelihood that the shared
impact materializes at least once grows with their number.
 
Risk management is typically headed by a corporate executive, the Chief Risk
Officer (CRO). Small and medium-sized organizations may not establish a
separate position for risk management, but assign the related responsibility
to another executive (for the sake of simplicity, hereinafter also called
“CRO”). The CRO should ideally report to the CEO or the Board. As most risks
have a financial impact, the CRO may instead report to the Chief Financial
Officer (CFO).
 
Like other executives with a horizontal responsibility that cuts across
business units (such as the CFO, the Chief Human Resources Officer (CHRO), or
the Chief Data Officer (CDO)), the CRO needs to be an excellent communicator
and influencer.
 
The CRO’s responsibility includes the following tasks of risk management:
  • Document process maps with a focus on risk to both information and
    material, both in transit and at rest
  • Analyze the organization’s risk profile in terms of potential
    operational, strategic, reputational, compliance and ESG risks
  • Identify risk factors that could have the same impact (cumulative risks)
  • Determine and quantify the organization’s risk appetite
  • Develop action plans to mitigate risks to the organization, both
    strategic and tactical
  • Seek insurance coverage for remaining risks
  • Integrate risk management priorities into the organization’s overall
    strategy
  • Plan and oversee the budget for risk management and related projects
  • Monitor the progress of risk mitigation efforts
  • Communicate risk analysis and mitigation progress to the organization’s
    executives, board members and heads of business units