Organizations are exposed to business
risks in varying degrees.
These risks can be categorized
as:
- Operational / strategic risk, which includes anything that could impede the
organization’s performance due to
  - external events (e.g. pandemics, natural catastrophes, climate change)
  - internal events (e.g. labor issues, strikes)
  - technology problems (e.g. increasing technical debt)
  - vendor choice / turnover
  - security issues (e.g. cybersecurity incidents)
- Reputational risk, which summarizes potential harm to the organization’s
  - internal perception by its employees and shareholders
  - external perception by customers and the general public
- Compliance risk, which relates to the organization’s responsibilities under
applicable laws and regulations
- Environmental, Social and Governance (ESG) risk, which relates to the
organization’s business ethics and practices (e.g. environmental management,
respect for human rights, anti-bribery/-corruption, financial reporting)
Since risks often affect multiple business units or the whole organization, it
is important to centralize risk management, i.e. the responsibility for
identifying, assessing and mitigating threats that may significantly impair the
organization’s ability to conduct its current and future business. Particular
attention needs to be paid to cumulative risks, i.e. the organization’s total
exposure arising from several parallel but independent risk factors with the
same impact (e.g. several vendors that process personal data on behalf of the
organization could each independently suffer a data breach, and the combined
likelihood of at least one breach grows with every vendor added).
Risk management is typically headed by a corporate executive, the Chief Risk
Officer (CRO). Small and medium-sized organizations may not establish a separate
position for risk management, but instead assign the related responsibility to
another executive (for the sake of simplicity, hereinafter also called “CRO”).
The CRO should ideally report to the CEO or the Board. Because most risks have a
financial impact, the CRO may instead report to the Chief Financial Officer
(CFO).
Like other executives with a horizontal responsibility that cuts across business
units (such as the CFO, the Chief Human Resources Officer (CHRO), or the Chief
Data Officer (CDO)), the CRO needs to be an excellent communicator and
influencer.
The CRO’s
responsibility includes the following tasks of risk
management:
- Document process maps with a focus on risk to both information and material,
both in transit and at rest
- Analyze the organization’s risk profile in terms of potential operational,
strategic, reputational, compliance and ESG risks
- Identify independent risk factors that could have the same impact (cumulative
risk)
- Determine and quantify the organization’s risk appetite
- Develop action plans to mitigate risks to the organization, both strategic and
tactical
- Seek insurance coverage for the residual risks that remain after mitigation
- Integrate risk management priorities into the organization’s overall strategy
- Plan and oversee the budget for risk management and related projects
- Monitor the progress of risk mitigation efforts
- Communicate risk analysis and mitigation progress to the organization’s
executives, board members and heads of business units