Organizations commonly develop and rely on rules as a primary tool for managing risk, equating compliance with overall effective risk management. While complying with rules may be adequate to manage certain types of risks, history has demonstrated that not all types of risk can be effectively dealt with through compliance-focused risk management. This article presents a new framework for defining and addressing an organization’s risks that expands beyond rules-based models.

Central to this framework is the idea that an organization’s risks can be broken down into the following three categories:

  • Internal risks, relative to an organization, that can be controlled (e.g. the risk of employee misconduct)
  • Strategic risks taken on by an organization in the pursuit of value (e.g. the risk associated with an investment in developing a new product line)
  • External risks, relative to an organization, that are largely beyond control (e.g. the risk of impact from a natural disaster, like an earthquake)

For each risk category, the authors of this Harvard Business Review article discuss risk management mechanisms that have actually been put to effective use in the field by various organizations. Below is a summary of the risk management techniques discussed in the article for each category of risk.

Internal Risks

The internal risks category is the one area where a rules-based approach to risk management may be sufficient to mitigate or eliminate risk. For example, in dealing with the risk of employee misconduct, an employee code of conduct may steer employees away from behavior deemed unacceptable by the organization. In this situation, a risk can be effectively managed through compliance with established rules or policies.

Strategic Risks

In the category of strategic risks, the article discusses three risk management structures that place a person or group of people in a position designed to challenge decisions made about risk within an organization, and to facilitate the circulation of risk information across the enterprise. The three risk management structures for addressing strategic risks are:

  • An external risk-advisory board,
  • An internal, centralized risk management group, potentially involving senior management, or
  • An internal network of risk managers disbursed throughout the organization

This article provides real-world examples illustrating how each structure operates in-practice.

External Risks

External risks, unlike internal or strategic risks, are largely out of the control of an organization. Despite the lack of control over external risks, this article points out that organizations can still manage external risks by generating ideas about the type and magnitude of external events that could happen, and by developing a plan for mitigating the negative impact if such an event actually occurs in the future. The authors discuss three analytical tools that organizations can use to evaluate external risks, including:

  • stress testing,
  • scenario analysis, and
  • “war-gaming,” which is a tool for predicting the impact of aggressive changes in competitors’ strategies

Click below to register and download article.