Risk “categorization”

Before you “spot your risks” in different areas of business areas or operations, you need to structure your thoughts so that you may identify different risk categories that are relevant, important and critical for your tracking.

You might wonder why categorization? – Can I just not go about having a list of top 10 or 20 risks and go on building from there as and when I identify them?

The reason for categorization is simple-

1. You systematize the approach to the risk planning process. This requires putting your top executives’ ‘heads’ through a collaborative approach and get to know what are all the perceived top threats and slot them into appropriate categories such as accounting, treasury, procurement, supply chain, human capital management, information technology, etc.

2. Organize workshops / brainstorming sessions with focus groups to identify top areas of concern. This will subsequently culminate in identifying individual risks that need to be assessed and monitored.

3. Categories help you to allocate responsibility to concerned operational heads or departments so they can focus on the relevant risks in their areas of operation.

4. Helps in defining in ball-park risk appetites – both quantitative and qualitative. (i.e what is the maximum exposure they can take as an organization/ department.)

5. Categories also help in protecting some sensitive business risks becoming public knowledge to all operations – for example – if top management is keen to track risks on certain markets or assess competition or evaluate merger / acquisition possibilities, then these categories can be off-limits or restricted for access to other operations.

6. Reporting and discussions can be prioritized based on high-risk areas of operation enabling quicker resolution or risk treatment plans.

So – what are the general risk categories that companies may want to focus on?

1. Depends on which country / countries the business operations are spanning. Each country may have specific requirements that a business must meet and non-compliance risks need to be spotted on an on-going basis. Example – Companies Act 2013 in India (and similar laws in several other countries).

2. Depends on which industry you are operating.

3. Many businesses are highly regulated by statute –

• the risks related to non-compliance are very high and can have grave significance such as fines, penalties, imprisonment and even closure notices. Example -oil and gas, utilities, mining, pharmaceutical and chemicals, etc.

• Banking and insurance and financial services – prescriptions given by several country-specific central banks as well as world bodies such as Basel or Insurance regulatory bodies.

4. Depends on the size of the business – are they small/ mid-size or large or a conglomerate?

5. There are some generic categories that are common to all businesses. Let us look at some examples below

• General Accounting

• Procurement

• Sales and Distribution

• Human Capital Management

• Information Systems

• Inventory

• Manufacturing

• Logistics

• Mergers and Acquisitions

• Bid and Tender Management