Educational Resources

Risk Management Knowledge Base

Comprehensive, standards-aligned educational content covering every dimension of risk management — from foundational concepts to advanced specialist topics.

Informational Purpose: All content on this page is provided for educational purposes only. Nothing contained herein constitutes professional risk, legal, financial, or regulatory advice. Organizations should consult qualified professionals when making risk management decisions. RisksEdu does not offer paid advisory, consulting, or certification services.

Core Concepts

Foundations of Risk Management

Understanding the building blocks before exploring specialist areas.

ISO 31000
2018 Edition

What Is Risk Management?

Risk management is the coordinated set of activities and methods used to direct and control an organization with regard to risk. In its modern form, risk management is not solely about avoiding negative outcomes — it equally encompasses the identification and exploitation of opportunities.

The internationally recognized definition (ISO 31000:2018) defines risk as the "effect of uncertainty on objectives." This framing captures both upside and downside uncertainty, shifting risk management from a defensive function to a strategic enabler.

Effective risk management provides organizations with a structured, consistent approach to identifying what could affect the achievement of objectives, assessing significance, and deciding on appropriate responses.

  • Protects and creates value
  • Is an integral part of decision-making
  • Addresses uncertainty explicitly
  • Is systematic, structured, and timely
  • Is based on the best available information

The risk management process, as defined in ISO 31000:2018, comprises a series of logical steps that together form a systematic approach to managing risk:

  • Communication and Consultation: Ongoing dialogue with stakeholders throughout the entire process, ensuring that those affected by risks are informed and their perspectives are considered.
  • Scope, Context and Criteria: Defining the internal and external environment in which the organization operates, and establishing the criteria against which risk significance will be evaluated.
  • Risk Assessment: The combined process of risk identification, risk analysis, and risk evaluation.
  • Risk Treatment: Selecting and implementing options to modify risk — which may include avoiding, taking, removing the source of, changing the likelihood or consequences of, sharing, or retaining risk.
  • Monitoring and Review: Ongoing surveillance to ensure controls remain effective, the risk profile is current, and lessons learned are captured.
  • Recording and Reporting: Documenting outcomes and communicating risk information to relevant stakeholders.

Understanding core terminology is essential for effective communication within risk management:

  • Probability (Likelihood): The chance that a risk event will occur, expressed as a frequency, probability value, or qualitative rating (e.g., rare, unlikely, possible, likely, almost certain).
  • Impact (Consequence): The effect on objectives should the risk event occur — measured across dimensions such as financial, reputational, operational, regulatory, or health and safety.
  • Risk Exposure: A function of probability and impact, representing the overall significance of a risk. Typically presented on a risk matrix or heat map.
  • Inherent Risk: The level of risk before any controls or treatments are applied.
  • Residual Risk: The risk remaining after controls and treatments have been implemented.
  • Risk Appetite: The amount and type of risk an organization is willing to pursue or accept in order to achieve its objectives.
  • Risk Tolerance: The acceptable variation in outcomes relative to risk appetite — defining the boundaries of acceptable risk-taking.

Risk appetite and tolerance are strategic concepts that set the parameters within which an organization makes risk-taking decisions.

Risk appetite is a high-level statement that articulates the types and level of risk an organization is prepared to accept in pursuit of its strategic objectives. It is typically established by the board of directors and reflected in policies, procedures, and key risk indicators.

Risk tolerance is more specific — it defines the acceptable range of variability in outcomes around a given risk appetite statement. Where appetite says "we accept moderate market risk," tolerance specifies the precise thresholds (e.g., a maximum value-at-risk limit) beyond which escalation is required.

Effective articulation of both concepts enables consistent decision-making across an organization, provides clarity to management about boundaries, and facilitates meaningful board oversight of risk-taking activities.

Major Frameworks

International Risk Management Standards

ISO 31000:2018

The primary international standard for risk management, providing principles, a framework, and a process applicable to any organization regardless of type, size, or sector. Updated in 2018 to place greater emphasis on leadership commitment and integration into organizational strategy.

International Standard

COSO ERM Framework

The Committee of Sponsoring Organizations (COSO) Enterprise Risk Management framework, updated in 2017, integrates ERM with strategy and performance. It is widely adopted in North America and increasingly globally, particularly in listed companies and regulated industries.

Enterprise Risk

Basel III / CRR III

The Basel Accord series sets international regulatory standards for bank capital adequacy, stress testing, and market liquidity risk. Basel III reforms, further refined by CRR III (effective 2025), significantly reshape how banks measure and manage credit, market, and operational risk.

Financial Risk

NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) CSF 2.0, released in February 2024, provides a voluntary framework of standards, guidelines, and practices for managing cybersecurity risk. Its Identify, Protect, Detect, Respond, and Recover functions are now supplemented by a Govern function.

Cyber Risk

TCFD Recommendations

The Task Force on Climate-related Financial Disclosures (TCFD) framework provides guidance for organizations to disclose climate-related financial risks and opportunities. Now incorporated into regulatory disclosure regimes in the UK, EU, and increasingly globally through ISSB standards.

Climate & ESG Risk

AI Risk Governance

Emerging frameworks addressing the governance and risk management of artificial intelligence systems, including the EU AI Act (2024), NIST AI RMF, and ISO/IEC 42001:2023. AI risk management is rapidly becoming an integral component of enterprise risk programs.

Emerging Risk

Specialist Areas

Deep Dives by Risk Category

Enterprise Risk Management represents a holistic, organization-wide approach to identifying, assessing, and managing all categories of risk in an integrated manner. Unlike siloed, departmental risk management, ERM creates a unified view of risk across the entire organization.

Core components of a mature ERM program include:

  • A board-endorsed risk appetite statement linked to strategic objectives
  • An enterprise risk register capturing identified risks, owners, controls, and residual ratings
  • Risk governance structures including a Chief Risk Officer (CRO) and Risk Committee
  • Defined Three Lines of Defence model allocating risk ownership across functions
  • Key Risk Indicators (KRIs) providing early warning signals
  • Regular risk reporting to board, audit committee, and senior management
  • Integration of risk assessment into strategic planning and capital allocation

Research consistently demonstrates that organizations with mature ERM programs achieve lower earnings volatility, better credit ratings, and stronger risk-adjusted financial performance.

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, systems, or external events. First formally categorized under Basel II for banks, operational risk management principles now extend across sectors and are central to most enterprise risk frameworks.

Key operational risk categories include:

  • Process risk: Failures in business processes — errors, inefficiencies, or breakdowns in controls
  • People risk: Human error, misconduct, key person dependency, and inadequate skills
  • Systems risk: Technology failures, system outages, and data integrity issues
  • External events: Natural disasters, pandemics, regulatory changes, and third-party failures
  • Legal and compliance risk: Regulatory breaches, contract failures, and litigation

Measurement approaches range from qualitative scenario analysis and risk and control self-assessments (RCSAs) to quantitative Loss Distribution Approach (LDA) modelling used by banks under Basel operational risk capital rules.

Financial risk encompasses the risks arising from financial transactions, market exposures, and the management of capital and liquidity.

Credit Risk: The risk that a counterparty fails to meet its contractual obligations, resulting in financial loss. Measured through Probability of Default (PD), Loss Given Default (LGD), and Exposure at Default (EAD). Banks hold regulatory capital against credit risk under Basel frameworks.

Market Risk: The risk of losses from movements in market variables — interest rates, foreign exchange rates, equity prices, and commodity prices. Key measures include Value-at-Risk (VaR), Expected Shortfall (ES), and sensitivity measures (Greeks in options).

Liquidity Risk: The risk that an organization cannot meet its financial obligations as they fall due without incurring unacceptable losses. Divided into funding liquidity risk (inability to raise funding) and market liquidity risk (inability to liquidate assets quickly at fair value).

Interest Rate Risk: The exposure of an organization's financial position to adverse movements in interest rates — particularly relevant for banks' banking book exposures, governed by IRRBB standards.

Cyber risk refers to the potential for loss or harm related to technical infrastructure, technology usage, or the reputation of an organization resulting from a failure of its information technology systems. It is now consistently ranked among the top global risks in annual surveys including the World Economic Forum's Global Risks Report.

From a risk governance perspective, cyber risk management involves:

  • Board and senior management oversight of cybersecurity strategy
  • Integration of cyber risk into enterprise risk appetite and reporting
  • Application of frameworks such as NIST CSF 2.0, ISO/IEC 27001, and CIS Controls
  • Scenario analysis of material cyber threats (ransomware, data breach, supply chain attack)
  • Third-party and vendor cyber risk assessment programmes
  • Cyber risk quantification methodologies (e.g., FAIR model)
  • Incident response planning and business continuity integration

Regulatory expectations for cyber risk governance have increased significantly in recent years, with frameworks such as DORA (Digital Operational Resilience Act, effective January 2025 in the EU) setting prescriptive requirements for financial sector entities.

Environmental, Social, and Governance (ESG) risk has become one of the most significant areas of evolution in risk management practice over the past decade. Driven by regulatory requirements, investor expectations, and the material financial implications of climate change, ESG risk is now integrated into mainstream risk frameworks.

Climate Risk Classification (TCFD):

  • Physical risks: Acute risks (extreme weather events) and chronic risks (long-term changes in climate patterns) that damage assets, disrupt operations, or affect supply chains
  • Transition risks: Risks arising from the shift to a lower-carbon economy — including policy changes (carbon pricing), technology changes (stranded assets), and market and reputational shifts

Social Risk encompasses human rights risks across supply chains, labour practices, community relations, and product safety. The EU Corporate Sustainability Due Diligence Directive (CS3D) introduces mandatory human rights and environmental due diligence requirements.

Governance Risk relates to board composition, executive remuneration structures, anti-corruption policies, and shareholder rights — areas that materially affect organizational resilience and reputation.

Disclosure frameworks including ISSB standards (IFRS S1 and IFRS S2), the EU CSRD/ESRS, and the SEC's climate disclosure rules are driving convergence toward standardized, comparable ESG risk reporting.

Strategic risks arise from fundamental decisions about an organization's direction — including mergers, market entry, business model choices, and responses to competitive disruption. Unlike operational risks, strategic risks often have long time horizons and uncertain probability-impact profiles.

Emerging risks are risks that are new, not yet fully understood, or evolving rapidly, making traditional assessment approaches difficult to apply. Current examples include:

  • AI and automation risk: Model risk, algorithmic bias, AI-enabled fraud, and workforce displacement
  • Geopolitical risk: Supply chain fragmentation, sanctions regimes, and cross-border regulatory divergence
  • Pandemic and biological risk: Lessons from COVID-19 applied to resilience planning and scenario analysis
  • Nature and biodiversity loss: Physical and transition risks from ecosystem degradation — addressed by the TNFD (Taskforce on Nature-related Financial Disclosures) framework
  • Concentration and systemic risk: Interconnectedness creating cascading failure scenarios across sectors

Horizon scanning, scenario planning, and stress testing are the primary tools for identifying and assessing emerging risks before they crystallize into material events.

Risk Assessment Tools

Practical Methods and Techniques

Risk management requires not just frameworks but practical analytical tools. Below are the most widely used assessment and measurement techniques in professional practice.

Risk Matrix / Heat Map

A visual tool mapping risks by probability and impact — the most widely used qualitative risk assessment method in practice.

Bow-Tie Analysis

A diagram linking causes (threats) through an event to consequences, with barriers and controls mapped at each stage — widely used in operational risk.

Monte Carlo Simulation

A computational technique using random sampling to model the probability distribution of outcomes — enables quantitative risk analysis under uncertainty.

Scenario Analysis

The development and analysis of plausible future states — essential for stress testing, strategic risk, and climate risk assessment.
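The following Python example is an added illustration, not code from this page or from any standard it cites. It applies Monte Carlo simulation in the Loss Distribution Approach style mentioned under operational risk (event frequency modelled as Poisson, loss severity as lognormal) to a single cyber risk scenario, and derives the measures named on this page (expected loss, Value-at-Risk, Expected Shortfall) and a risk tolerance check. All scenario parameters (0.4 events per year, median loss 250,000, tolerance limit) are constructed for illustration.

```python
import math
import random
import statistics


def simulate_annual_losses(freq_per_year, sev_median, sev_sigma, trials=20000, seed=7):
    """Monte Carlo sample of total annual loss for one risk scenario.

    Events per year ~ Poisson(freq_per_year); each event's loss ~ LogNormal with
    the given median and log-standard-deviation. A fixed seed makes runs repeatable.
    """
    rng = random.Random(seed)
    mu = math.log(sev_median)           # lognormal median = exp(mu)
    threshold = math.exp(-freq_per_year)
    losses = []
    for _ in range(trials):
        # Poisson event count by Knuth's multiplication method (fine for small rates).
        count, p = 0, 1.0
        while True:
            p *= rng.random()
            if p <= threshold:
                break
            count += 1
        losses.append(sum(rng.lognormvariate(mu, sev_sigma) for _ in range(count)))
    return losses


def loss_metrics(losses, confidence=0.95):
    """Expected loss, Value-at-Risk and Expected Shortfall at the given confidence level."""
    ordered = sorted(losses)
    idx = int(confidence * len(ordered))
    tail = ordered[idx:]                # worst (1 - confidence) share of simulated years
    return {
        "expected_loss": statistics.fmean(ordered),
        "var": ordered[idx],
        "expected_shortfall": statistics.fmean(tail),
    }


def tolerance_check(metrics, var_limit):
    """True when simulated VaR exceeds the tolerance threshold, i.e. escalation is required."""
    return metrics["var"] > var_limit


if __name__ == "__main__":
    # Constructed scenario: ransomware at 0.4 events/year, median loss 250k, sigma 1.0
    sample = simulate_annual_losses(0.4, 250_000, 1.0)
    m = loss_metrics(sample)
    print(f"Expected annual loss: {m['expected_loss']:,.0f}")
    print(f"95% VaR: {m['var']:,.0f}   95% ES: {m['expected_shortfall']:,.0f}")
    print("Escalate against 1,000,000 VaR limit:", tolerance_check(m, 1_000_000))
```

Because most simulated years contain no event, the expected loss sits well below the 95% VaR; the gap between VaR and Expected Shortfall shows how much of the exposure lives in the tail that a heat map rating cannot express.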

Risk Governance

Structures, Roles, and Responsibilities

The Three Lines of Defence Model

The Three Lines of Defence (or Three Lines Model, as updated by the Institute of Internal Auditors in 2020) is the most widely adopted model for allocating risk ownership and oversight responsibilities within organizations.

Under this model:

  • First Line: Operational management and business functions own and manage risks directly — they apply controls and are accountable for day-to-day risk management.
  • Second Line: Risk and compliance functions provide oversight, frameworks, and challenge — setting standards, monitoring adherence, and advising the first line.
  • Third Line: Internal audit provides independent, objective assurance to the board and senior management on the effectiveness of governance, risk management, and controls.

The 2020 IIA update to the model emphasizes collaboration, alignment with organizational purpose, and the importance of governing body oversight as a fourth, overarching element.

