Risk - Identification
Learn to identify key risks for your organisation.
Organisations have always faced risks: Your clients don’t like your product, a new competitor does it better or cheaper, the regulation changes, etc. But entrepreneurs and investors continue to push through because of the opportunities: Fame and fortune, pride in creating something new, moving society forward and more.
What are my risks?
Understanding the risk an organisation is facing helps inform its priorities.
Risk management is a balancing act: Too much risk could bankrupt the organisation. Not enough can bankrupt the organisation.
Communicating these risks to employees will help them make better decisions and make the organisation more successful.
But what are these risks? This depends on each business, but at a high level, most organisations face the same types of risks (in no particular order):
Reputational risks arise from the organisation’s failure to maintain its reputation. These risks could be caused by customer dissatisfaction due to poor support, brand damage caused by product recall or a data breach that exposed customer details. They will make it more difficult for us to acquire new customers or raise money.
Operational risks are caused by a failure to manage day-to-day operations effectively. Operational risks come from situations such as service disruption due to an electrical fault, employee turnover caused by poor culture, or productivity loss following a ransomware attack. They make running the organisation in the short or long term more difficult.
Financial risks arise from the organisation’s failure to manage its finances effectively. Examples include market risk, credit risk, liquidity risk, loss of revenue after the appearance of a new competitor, increased costs due to severe inflation or decreased shareholder value after a privacy breach, which will likely require an expensive settlement. This can result in the organisation being unable to pay its employees, creditors or providers.
Legal and regulatory risks are related to a lack of compliance with legal, regulatory and contractual obligations. Examples include non-compliance with data protection laws, anti-bribery laws or environmental regulations, a breach of contract with a client, or litigation with customers. Non-compliance can result in legal penalties, fines, and reputational damage.
Strategic risks relate to the organisation’s strategic decisions and can impact its long-term success. Examples include entering new markets, mergers and acquisitions, and leadership changes. Strategic mistakes can cost a lot for the organisation by creating more risks in other risk dimensions.
Information security and privacy risks come from a failure to protect sensitive information, such as the personal data of customers or employees, from unauthorised access, theft or modifications (read Confidentiality, Integrity, and Availability for more details). These risks can result in significant financial losses due to legal penalties or reputational damage.
Cybersecurity risks arise from the organisation’s failure to protect its information systems and data from unauthorised access, theft, or damage. Cybersecurity risks can result in data breaches, operational impact, financial losses, and reputational damage.
Environmental risks are related to the organisation’s environmental impact. Examples include pollution, climate change, and natural disasters. Failure to manage these correctly could
Supply chain risks are tied to the reliance on third-party vendors for goods and services. Supply chain risks can result in disruptions to operations, financial losses, and reputational damage.
And more.
Note: As discussed in Information Security vs. Cyber Security vs. Privacy, I separate Infosec and Cybersec risks into two different categories, as from experience, the causes and mitigation of these risks are often distinct.
For some organisations, the only thing that will matter is monetary, so for them, all risks will be measured in terms of their eventual financial impact and the risk they represent for the company.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/4c7a43d7-68d2-4697-b10c-9f4159074925/image.png)
If the only success factor is profit, everything relates to financial risks.
But in most cases, risk will have dependencies. For example, the risk of facing a compliance breach with a regulation could lead to an operational impact because we can’t sell our product in a given market, which also means a financial impact for the same reason. And things end up looking more like this:
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/765570b7-c8ed-46a9-aed4-d2cf40ece161/image.png)
Organisations usually care about and track more than just one risk.
Deciding on the top risks
So, how do you decide which risks you should track closely for your organisation? Those risks associated with a possible significant impact that is above a particular risk appetite should be considered.
You also need to look at what matters: Your values. For example, environmental risks might not threaten your business, but they are part of your core values.
Some examples could be:
You might run a small not-for-profit, and supply chain risks aren’t a concern for you.
You might run a wood-cutting factory, and health risks are paramount for you.
You might run an international business in a highly regulated area, and regulatory risks will be essential for you.
There is rarely just one.
I would usually use the categories above to kickstart a whiteboard conversation with the relevant stakeholders and determine which risks they have in mind for their organisation, throwing in a few ideas as necessary. This workshop must happen with the right stakeholders. There is limited value in identifying risk for the whole organisation with just the IT team, for example.
The result of this workshop is a list of high-level risks which we can start tracking in the risk register.
The steps following this initial risk identification are discussed at a high level in Threats, Risks and Co. Spoiler alert: We will do a more thorough risk assessment to confirm what we believe our risk levels are.
But before you go there, let’s talk ice cream.
How risky is it to sell ice cream?
Let’s take our Ice Cream Truck example. Jessie is passionate about their small business and doesn’t want to become a billionaire. But they care about the people they serve and the environment.
Looking at these categories above, we could say:
Reputational risks: The taste and quality of the ice cream make Jessie’s customers return for more. But Jessie has this under control.
Operational risks: The truck breaking down would be a problem, but Jessie could work from a fixed location while the truck gets repaired. Hygiene needs to be excellent to avoid any food poisoning.
Financial risks: Cash flow is always challenging for small businesses, but Jessie has paid off the truck.
Legal and regulatory risks: This is all about the food license.
Strategic risks: Not much here.
Information security and privacy risks: Jessie holds customers’ emails and phone numbers. They provide those when registering to receive a notification to know where the truck will be.
Cybersecurity risks: The screen showing the day's flavours and other messages isn’t essential. The risks are related to the payment system as well as the business email account that controls the bank account.
Environmental risks: Jessie cares about the environment and the impact the business could have. But it is not a top risk.
Supply chain risks: Jessie has enough stock to last a week (milk, etc.) and works with several trusted partners, so this is not a top risk.
Here, I have gone beyond a simple risk identification. I have also conducted a very basic risk assessment to help us determine which risk will likely require a better assessment.
Based on the pre-assessment above, if we wanted to limit ourselves to tracking the key current risks, I would say:
Key risks
Operational: A contamination event prevents Jessie from trading for weeks.
Financial: A cybersecurity incident in which the bank account is drained.
Worth keeping an eye on
Reputational/Operational: A cybersecurity incident during which an attacker sends people to the wrong location and asks for a ransom.
Regulatory: Food inspection that goes wrong and sees the license suspended.
Do you agree? What other risk do you think Jessie should track closely?
Key Takeaways
There can be many risks to consider, but only those associated with a possible significant impact on the organisation that is above a particular risk appetite should be considered.
Identifying key risks is a brainstorming exercise with the relevant stakeholders.
This step helps ensure the leadership team has a common view of the risk the business is facing.
Next Steps
Organise a team. Do you have a leadership team or a group that is suited to talk about this? Who are they? When do they meet?
Understand your risks. Have you identified the critical risks for your organisation?