How to Build Risk into Your Business Model

  • Karan Girotra
  • Serguei Netessine

Smart companies design their innovations around managing risk.

Reprint: R1105G

To create value, companies typically focus on revenue, cost structure, and resource velocity. Improving those factors is the main focus of management literature. But all of them are vulnerable to sharp changes in demand and supply.

Companies can innovate their business models to reduce the impact of such swings. But they can also create value by adding some risk. For instance, more than 30 years ago Rolls-Royce identified a major pain point in the aircraft industry: maintenance of airplane engines. An engine breakdown grounds the plane while the airline pays for repair time and materials. So Rolls-Royce offered a service contract whereby the airline would pay for an engine’s flight hours rather than for time and materials. The new contract triggered a completely new value creation dynamic, because Rolls-Royce was motivated to improve its own products and maintenance processes.

Business model innovations are much cheaper than product and technology innovations, and they can be approached in a systematic way. Furthermore, nearly all the big ones have already been done—so you can simply adapt them to suit your own situation.

The Idea in Brief

Many managers find it harder to tell if changes in their business models will work out than to guess whether a new product or technology will catch on.

The secret to systematic business model innovation is to focus on identifying where the risks are in your value chain. Then determine whether you can reduce them, shift them to other people, or even assume them yourself.

If you take this approach, you won’t need extensive experimentation and prototyping to identify very powerful innovations, because many tools for managing risk are available.

In early 2008 four entrepreneurs in Paris started MyFab, an internet-based furniture retailer that is doing more to change the industry than any other company since IKEA. Instead of building large stocks of furniture, as its competitors do, MyFab provides a catalog of potential designs. Customers vote on them, and the most popular ones are put into production and shipped to buyers directly from the manufacturing sites—with no retail outlets, inventories, complicated distribution, or logistics networks.

  • Karan Girotra is the Charles H. Dyson Family Professor of Management at Cornell Tech and the Johnson College of Business at Cornell University, and a coauthor, with Serguei Netessine, of The Risk-Driven Business Model: Four Questions That Will Define Your Company (HBR Press, 2014). Follow him on Twitter: @Girotrak
  • Serguei Netessine is the vice dean for global initiatives and the Dhirubhai Ambani Professor of Innovation and Entrepreneurship at the University of Pennsylvania’s Wharton School and a coauthor, with Karan Girotra, of The Risk-Driven Business Model: Four Questions That Will Define Your Company (HBR Press, 2014). Follow him on Twitter: @snetesin

What Is Risk Management & Why Is It Important?

  • 24 Oct 2023

Businesses can’t operate without risk. Economic, technological, environmental, and competitive factors introduce obstacles that companies must not only manage but overcome.

According to PwC’s Global Risk Survey, organizations that embrace strategic risk management are five times more likely to deliver stakeholder confidence and better business outcomes and two times more likely to expect faster revenue growth.

If you want to enhance your job performance and identify and mitigate risk more effectively, here’s a breakdown of what risk management is and why it’s important.

What Is Risk Management?

Risk management is the systematic process of identifying, assessing, and mitigating threats or uncertainties that can affect your organization. It involves analyzing risks’ likelihood and impact, developing strategies to minimize harm, and monitoring measures’ effectiveness.

“Competing successfully in any industry involves some level of risk,” says Harvard Business School Professor Robert Simons, who teaches the online course Strategy Execution. “But high-performing businesses with high-pressure cultures are especially vulnerable. As a manager, you need to know how and why these risks arise and how to avoid them.”

According to Strategy Execution, strategic risk has three main causes:

  • Pressures due to growth: This is often caused by an accelerated rate of expansion that makes staffing or industry knowledge gaps more harmful to your business.
  • Pressures due to culture: While entrepreneurial risk-taking can come with rewards, executive resistance and internal competition can cause problems.
  • Pressures due to information management: Since information is key to effective leadership, gaps in performance measures can result in decentralized decision-making.

These pressures can lead to several types of risk that you must manage or mitigate to avoid reputational, financial, or strategic failures. However, risks aren’t always obvious.

“I think one of the challenges firms face is the ability to properly identify their risks,” says HBS Professor Eugene Soltes in Strategy Execution.

Therefore, it’s crucial to pinpoint unexpected events or conditions that could significantly impede your organization’s business strategy.

According to Strategy Execution, strategic risk comprises:

  • Operations risk: This occurs when internal operational errors interrupt your products or services’ flow. For example, shipping tainted products can negatively affect food distribution companies.
  • Asset impairment risk: This occurs when your company’s assets lose a significant portion of their current value because of a decreased likelihood of receiving future cash flows. For instance, a company may lose property assets, like a manufacturing plant, due to a natural disaster.
  • Competitive risk: Changes in the competitive environment can interrupt your organization’s ability to create value and differentiate its offerings—eventually leading to a significant loss in revenue.
  • Franchise risk: This occurs when your organization’s value erodes because stakeholders lose confidence in its objectives. This primarily results from failing to control any of the strategic risk sources listed above.

Understanding these risks is essential to ensuring your organization’s long-term success. Here’s a deeper dive into why risk management is important.

4 Reasons Why Risk Management Is Important

1. Protects Organization’s Reputation

In many cases, effective risk management proactively protects your organization from incidents that can affect its reputation.

“Franchise risk is a concern for all businesses,” Simons says in Strategy Execution. “However, it's especially pressing for businesses whose reputations depend on the trust of key constituents.”

For example, airlines are particularly susceptible to franchise risk because of unforeseen events, such as flight delays and cancellations caused by weather or mechanical failure. While such incidents are considered operational risks, they can be incredibly damaging.

In 2016, Delta Airlines experienced a national computer outage, resulting in over 2,000 flight cancellations. Delta not only lost an estimated $150 million but took a hit to its reputation as a reliable airline that prided itself on “canceling cancellations.”

While Delta bounced back, the incident illustrates how mitigating operational errors can make or break your organization.

2. Minimizes Losses

Most businesses create risk management teams to avoid major financial losses. Yet, various risks can still impact their bottom lines.

A Vault Platform study found that dealing with workplace misconduct cost U.S. businesses over $20 billion in 2021. In addition, Soltes says in Strategy Execution that corporate fines for misconduct have risen 40-fold in the U.S. over the last 20 years.

One way to mitigate financial losses related to employee misconduct is by implementing internal controls. According to Strategy Execution, internal controls are the policies and procedures designed to ensure reliable accounting information and safeguard company assets.

“Managers use internal controls to limit the opportunities employees have to expose the business to risk,” Simons says in the course.

One company that could have benefited from implementing internal controls is Volkswagen (VW). In 2015, VW whistle-blowers revealed that the company’s engineers deliberately manipulated diesel vehicles’ emissions data to make them appear more environmentally friendly.

This led to severe consequences, including regulatory penalties, expensive vehicle recalls, and legal settlements—all of which resulted in significant financial losses. By 2018, U.S. authorities had extracted $25 billion in fines, penalties, civil damages, and restitution from the company.

Had VW maintained more rigorous internal controls to ensure transparency, compliance, and proper oversight of its engineering practices, perhaps it could have detected—or even averted—the situation.

3. Encourages Innovation and Growth

Risk management isn’t just about avoiding negative outcomes. It can also be the catalyst that drives your organization’s innovation and growth.

“Risks may not be pleasant to think about, but they’re inevitable if you want to push your business to innovate and remain competitive,” Simons says in Strategy Execution.

According to PwC, 83 percent of companies’ business strategies focus on growth, despite risks and mixed economic signals. In Strategy Execution, Simons notes that competitive risk is a challenge you must constantly monitor and address.

“Any firm operating in a competitive market must focus its attention on changes in the external environment that could impair its ability to create value for its customers,” Simons says.

This requires incorporating boundary systems—explicit statements that define and communicate risks to avoid—to ensure internal controls don’t extinguish innovation.

“Boundary systems are essential levers in businesses to give people freedom,” Simons says. “In such circumstances, you don’t want to stifle innovation or entrepreneurial behavior by telling people how to do their jobs. And if you want to remain competitive, you’ll need to innovate and adapt.”

Netflix is an example of how risk management can inspire innovation. In the early 2000s, the company was primarily known for its DVD-by-mail rental service. With growing competition from video rental stores, Netflix went against the grain and introduced its streaming service. This changed the market, resulting in a booming industry nearly a decade later.

Netflix’s innovation didn’t stop there. Once the streaming services market became highly competitive, the company shifted once again to gain a competitive edge. It ventured into producing original content, which ultimately helped differentiate its platform and attract additional subscribers.

By offering more freedom within internal controls, you can encourage innovation and constant growth.

4. Enhances Decision-Making

Risk management also provides a structured framework for decision-making. This can be beneficial if your business is inclined toward risks that are difficult to manage.

By pulling data from existing control systems to develop hypothetical scenarios, you can discuss and debate strategies’ efficacy before executing them.

“Interactive control systems are the formal information systems managers use to personally involve themselves in the decision activities of subordinates,” Simons says in Strategy Execution. “Decision activities that relate to and impact strategic uncertainties.”

JPMorgan Chase, one of the most prominent financial institutions in the world, is particularly susceptible to cyber risks because it compiles vast amounts of sensitive customer data. According to PwC, cybersecurity is the number one business risk on managers’ minds, with 78 percent worried about more frequent or broader cyber attacks.

Using data science techniques like machine learning algorithms enables JPMorgan Chase’s leadership not only to detect and prevent cyber attacks but also to address and mitigate risk.

Start Managing Your Organization's Risk

Risk management is essential to business. While some risk is inevitable, your ability to identify and mitigate it can benefit your organization.

But you can’t plan for everything. According to the Harvard Business Review, some risks are so remote that no one could have imagined them. Some result from a perfect storm of incidents, while others materialize rapidly and on enormous scales.

By taking an online strategy course, you can build the knowledge and skills to identify strategic risks and ensure they don’t undermine your business. For example, through an interactive learning experience, Strategy Execution enables you to draw insights from real-world business examples and better understand how to approach risk management.

Do you want to mitigate your organization’s risks? Explore Strategy Execution—one of our online strategy courses—and download our free strategy e-book to gain the insights to build a successful strategy.

Risk Modeling: What to Know About Risk Models

by Kyle Meinert

We’ve all heard it in the business industry: “no risk, no reward!” But we hear it for good reason—business efforts are never totally risk-free. Still, companies are constantly working on minimizing risk and maximizing their profit, which can really only be done through intentional, data-driven decisions. Finding new ways to predict and manage risk is a big part of an overall business strategy. 

The real question is how do business leaders and decision-makers measure, evaluate, and minimize risk? Industries like finance, transportation, manufacturing, and construction are finding more success by using a better and more reliable tool called a risk model.

A risk model is a mathematical technique, system, or method that predicts the risk elements of a business strategy. If done right, a risk model can provide functional data and quantitative estimates that help businesses make financial, strategic, and operational decisions. Some models also use qualitative elements, such as relying on subject matter experts to advise. 

Risk models can provide investment analyses, market insights, recurring patterns in your operations, and more. Simply put, a well-designed risk model allows you to input certain values, goals, or data and then makes clear and accurate predictions about your business projection.

What is Risk Modeling?

Risk modeling is the systematic and holistic approach to risk management, especially compared to more traditional methods, such as only buying insurance to protect your business. Risk modeling is about creating effective risk analyses, magnifying how efficient insurance can be, and taking a more comprehensive approach to risk research and solutions.

How Does Risk Modeling Work?

Risk management uses historical data and simulation, extreme value theory (EVT), market risk, and expert elicitation to make reliable assumptions. Alongside these assumptions, modeling also uses economic, statistical, and financial techniques to predict potential or maximum risk.

Some people like to break modeling into three main types: quantitative, qualitative, and a hybrid version. Quantitative modeling relies on statistical data and numerical evidence, while qualitative modeling relies more on expertise and potentially subjective knowledge. Most businesses will benefit from a combination of the two, which is where the hybrid model comes in.

Types of Risk

The application of risk modeling will also depend on your goals, the type of risk you're measuring, and your industry. There are several types of risk, but some common ones are strategic, operational, compliance, financial, security, credit, and reputational risk.

Some risk types have to do with the culture or procedures of a company, such as strategic risk or operational risk. Creating a culture of risk awareness and management helps minimize strategic risk. Others, such as financial risk, help measure the flow and use of money depending on market values, stocks, the history of sales or the company’s revenue, etc.

For example, let’s take the transportation industry. Even though the advancement of technology and IoT offers benefits for transportation, it also opens up more opportunities for supply chains and automation issues. A trucking company could use a risk model that analyzes the threats of their supply chain, whether that be security risk management or operational risk management. Different industries may focus on different categories depending on the risk level they face.

Sometimes, using a risk model is risky in and of itself. On the quantitative side, you never know when programming or technical malfunctions may occur. Qualitatively, risk models can always be mismanaged by human error.

Common Pitfalls You Should Know About

  • Relying solely on the past won’t predict the future. As helpful as using historical data is, there’s no guarantee that the same system will work in future scenarios.
  • Risk models don’t provide perfect insight. Risk models should be combined with other market research, benchmarks, and critical thinking that no computer or equation can manage.
  • Subjective topics aren’t as reliable. Depending on the culture of your company, the priorities, the people in charge, plus the influence of people outside of your organization, risk models can fail due to misalignment or bias.
  • Misinterpreted or insufficient data. Model implementation isn’t always easy without expertise. Even if you are able to get the right kind of information, not everyone knows how to use or interpret data, which may make the model ineffective.

De-Risk Your Business

Systems like risk models are a great way to protect your business from unnecessary or predictable pitfalls. Remember, though, that risk modeling is only one piece of the puzzle. De-risking or risk management is more than a model: it’s a mindset. There are ongoing strategies, different controllable and uncontrollable factors, and industry-specific standards that all contribute to securing your company.

HNI services specialize in de-risking businesses so that you aren’t forced to rely on insurance in order to create secure opportunities. Contact us today to figure out what you need to de-risk your strategy and reclaim control over your business.

Risk Management 101: Process, Examples, Strategies

Emily Villanueva

August 16, 2023

Effective risk management takes a proactive and preventative stance to risk, aiming to identify and then determine the appropriate response to the business and facilitate better decision-making. Many approaches to risk management focus on risk reduction, but it’s important to remember that risk management practices can also be applied to opportunities, assisting the organization with determining if that possibility is right for it.

Risk management as a discipline has evolved to the point that there are now common subsets and branches of risk management programs, from enterprise risk management (ERM), to cybersecurity risk management, to operational risk management (ORM), to supply chain risk management (SCRM). With this evolution, standards organizations around the world, like the US’s National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO), have developed and released their own best practice frameworks and guidance for businesses to apply to their risk management plan.

Companies that adopt and continuously improve their risk management programs can reap the benefits of improved decision-making, a higher probability of reaching goals and business objectives, and an augmented security posture. But, with risks proliferating and the many types of risks that face businesses today, how can an organization establish and optimize its risk management processes? This article will walk you through the fundamentals of risk management and offer some thoughts on how you can apply it to your organization.

What Are Risks?

We’ve been talking about risk management and how it has evolved, but it’s important to clearly define the concept of risk. Simply put, risks are the things that could go wrong with a given initiative, function, process, project, and so on. There are potential risks everywhere — when you get out of bed, there’s a risk that you’ll stub your toe and fall over, potentially injuring yourself (and your pride). Traveling often involves taking on some risks, like the chance that your plane will be delayed or your car runs out of gas and leaves you stranded. Nevertheless, we choose to take on those risks, and may benefit from doing so.

Companies should think about risk in a similar way, not seeking simply to avoid risks, but to integrate risk considerations into day-to-day decision-making.

  • What are the opportunities available to us?
  • What could be gained from those opportunities?
  • What is the business’s risk tolerance or risk appetite – that is, how much risk is the company willing to take on?
  • How will this relate to or affect the organization’s goals and objectives?
  • Are these opportunities aligned with business goals and objectives?

With that in mind, conversations about risks can progress by asking, “What could go wrong?” or “What if?” Within the business environment, identifying risks starts with key stakeholders and management, who first define the organization’s objectives. Then, with a risk management program in place, those objectives can be scrutinized for the risks associated with achieving them. Although many organizations focus their risk analysis around financial risks and risks that can affect a business’s bottom line, there are many types of risks that can affect an organization’s operations, reputation, or other areas.

Remember that risks are hypotheticals — they haven’t occurred or been “realized” yet. When we talk about the impact of risks, we’re always discussing the potential impact. Once a risk has been realized, it usually turns into an incident, problem, or issue that the company must address through their contingency plans and policies. Therefore, many risk management activities focus on risk avoidance, risk mitigation, or risk prevention.

What Different Types of Risks Are There?

There’s a vast landscape of potential risks that face modern organizations. Targeted risk management practices like ORM and SCRM have risen to address emerging areas of risk, with those disciplines focused on mitigating risks associated with operations and the supply chain. Specific risk management strategies designed to address new risks and existing risks have emerged from these facets of risk management, providing organizations and risk professionals with action plans and contingency plans tailored to unique problems and issues.

Common types of risks include: strategic, compliance, financial, operational, reputational, security, and quality risks.

Strategic Risk

Strategic risks are those risks that could have a potential impact on a company’s strategic objectives, business plan, and/or strategy. Adjustments to business objectives and strategy have a trickle-down effect to almost every function in the organization. Some events that could cause strategic risks to be realized are: major technological changes in the company, like switching to a new tech stack; large layoffs or reductions-in-force (RIFs); changes in leadership; competitive pressure; and legal changes.

Compliance Risk

Compliance risks materialize from regulatory and compliance requirements that businesses are subject to, like Sarbanes-Oxley for publicly-traded US companies, or GDPR for companies that handle personal information from the EU. The consequence or impact of noncompliance is generally a fine from the governing body of that regulation. These types of risks are realized when the organization does not maintain compliance with regulatory requirements, whether those requirements are environmental, financial, security-specific, or related to labor and civil laws.

Financial Risk

Financial risks are fairly self-explanatory — they have the possibility of affecting an organization’s profits. These types of risks often receive significant attention due to the potential impact on a company’s bottom line. Financial risks can be realized in many circumstances, like performing a financial transaction, compiling financial statements, developing new partnerships, or making new deals.

Operational Risk

Risks to operations, or operational risks, have the potential to disrupt daily operations involved with running a business. Needless to say, this can be a problematic scenario for organizations with employees unable to do their jobs, and with product delivery possibly delayed. Operational risks can materialize from internal or external sources — employee conduct, retention, technology failures, natural disasters, supply chain breakdowns — and many more.

Reputational Risk

Reputational risks are an interesting category. These risks look at a company’s standing in the public and in the media and identify what could impact its reputation. The advent of social media changed the reputation game quite a bit, giving consumers direct access to brands and businesses. Consumers and investors too are becoming more conscious about the companies they do business with and their impact on the environment, society, and civil rights. Reputational risks are realized when a company receives bad press or experiences a successful cyber attack or security breach; or any situation that causes the public to lose trust in an organization.

Security Risk

Security risks have to do with possible threats to your organization’s physical premises, as well as information systems security. Security breaches, data leaks, and other successful types of cyber attacks threaten the majority of businesses operating today. Security risks have become an area of risk that companies can’t ignore, and must safeguard against.

Quality Risk

Quality risks are specifically associated with the products or services that a company provides. Producing low-quality goods or services can cause an organization to lose customers, ultimately affecting revenue. These risks are realized when product quality drops for any reason — whether that’s technology changes, outages, employee errors, or supply chain disruptions.

Steps in the Risk Management Process

The six risk management process steps that we’ve outlined below will give you and your organization a starting point to implement or improve your risk management practices. In order, the risk management steps are: 

  • Risk identification
  • Risk analysis or assessment
  • Controls implementation
  • Resource and budget allocation
  • Risk mitigation
  • Risk monitoring, reviewing, and reporting

If this is your organization’s first time setting up a risk management program, consider having a formal risk assessment completed by an experienced third party, with the goal of producing a risk register and prioritized recommendations on what activities to focus on first. Annual (or more frequent) risk assessments are usually required when pursuing compliance and security certifications, making them a valuable investment.

Step 1: Risk Identification

The first step in the risk management process is risk identification. This step takes into account the organization’s overarching goals and objectives, ideally through conversations with management and leadership. Identifying risks to company goals involves asking, “What could go wrong?” with the plans and activities aimed at meeting those goals. As an organization moves from macro-level risks to more specific function and process-related risks, risk teams should collaborate with critical stakeholders and process owners, gaining their insight into the risks that they foresee.

As risks are identified, they should be captured in formal documentation — most organizations do this through a risk register, which is a database of risks, risk owners, mitigation plans, and risk scores.

Step 2: Risk Analysis or Assessment

Analyzing risks, or assessing risks, involves looking at the likelihood that a risk will be realized, and the potential impact that risk would have on the organization if that risk were realized. By quantifying these on a three- or five-point scale, risk prioritization becomes simpler. Multiplying the risk’s likelihood score with the risk’s impact score generates the risk’s overall risk score. This value can then be compared to other risks for prioritization purposes.

The likelihood that a risk will be realized asks the risk assessor to consider how probable it would be for a risk to actually occur. Lower scores indicate a lower chance that the risk will materialize. Higher scores indicate a greater chance that the risk will occur.

Likelihood, on a 5×5 risk matrix, is broken out into:

  • Highly Unlikely
  • Highly Likely

The potential impact of a risk, should it be realized, asks the risk assessor to consider how the business would be affected if that risk occurred. Lower scores signal less impact to the organization, while higher scores indicate more significant impacts to the company.

Impact, on a 5×5 risk matrix, is broken out into:

  • Negligible Impact
  • Moderate Impact
  • High Impact
  • Catastrophic Impact

Risk assessment matrices help visualize the relationship between likelihood and impact, serving as a valuable tool in risk professionals’ arsenals.

Organizations can choose whether to employ a 5×5 risk matrix, as shown above, or a 3×3 risk matrix, which breaks likelihood, impact, and aggregate risk scores into low, moderate, and high categories.

Step 3: Controls Assessment and Implementation

Once risks have been identified and analyzed, controls that address or partially address those risks should be mapped. Any risks that don’t have associated controls, or that have controls that are inadequate to mitigate the risk, should have controls designed and implemented to do so.

Step 4: Resource and Budget Allocation

This step, the resource and budget allocation step, doesn’t get included in a lot of content about risk management. However, many businesses find themselves in a position where they have limited resources and funds to dedicate to risk management and remediation. Developing and implementing new controls and control processes is time-consuming and costly; there’s usually a learning curve for employees to get used to changes in their workflow.

Using the risk register and corresponding risk scores, management can more easily allocate resources and budget to priority areas, with cost-effectiveness in mind. Each year, leadership should re-evaluate their resource allocation as part of annual risk lifecycle practices.

Step 5: Risk Mitigation

The risk mitigation step of risk management involves both coming up with the action plan for handling open risks, and then executing on that action plan. Mitigating risks successfully takes buy-in from various stakeholders. Due to the various types of risks that exist, each action plan may look vastly different between risks. 

For example, vulnerabilities present in information systems pose a risk to data security and could result in a data breach. The action plan for mitigating this risk might involve automatically installing security patches for IT systems as soon as they are released and approved by the IT infrastructure manager. Another identified risk could be the possibility of cyber attacks resulting in data exfiltration or a security breach. The organization might decide that establishing security controls is not enough to mitigate that threat, and thus contract with an insurance company to cover cyber incidents. Two related security risks; two very different mitigation strategies.

One more note on risk mitigation — there are four generally accepted “treatment” strategies for risks. These four treatments are:

  • Risk Acceptance: Risk thresholds are within acceptable tolerance, and the organization chooses to accept this risk.
  • Risk Transfer: The organization chooses to transfer the risk or part of the risk to a third party provider or insurance company.
  • Risk Avoidance: The organization chooses not to move forward with that risk and avoids incurring it.
  • Risk Mitigation: The organization establishes an action plan for reducing or limiting risk to acceptable levels.

If an organization is not opting to mitigate a risk, and instead chooses to accept, transfer, or avoid the risk, these details should still be captured in the risk register, as they may need to be revisited in future risk management cycles.

Step 6: Risk Monitoring, Reviewing, and Reporting

The last step in the risk management lifecycle is monitoring risks, reviewing the organization’s risk posture, and reporting on risk management activities. Risks should be monitored on a regular basis to detect any changes to risk scoring, mitigation plans, or owners. Regular risk assessments can help organizations continue to monitor their risk posture. Having a risk committee or similar committee meet on a regular basis, such as quarterly, integrates risk management activities into scheduled operations, and ensures that risks undergo continuous monitoring. These committee meetings also provide a mechanism for reporting risk management matters to senior management and the board, as well as affected stakeholders.

As an organization reviews and monitors its risks and mitigation efforts, it should apply any lessons learned and use past experiences to improve future risk management plans.

Examples of Risk Management Strategies

Depending on your company’s industry, the types of risks it faces, and its objectives, you may need to employ many different risk management strategies to adequately handle the possibilities that your organization encounters. 

Some examples of risk management strategies include leveraging existing frameworks and best practices, minimum viable product (MVP) development, contingency planning, root cause analysis and lessons learned, built-in buffers, risk-reward analysis, and third-party risk assessments.

Leverage Existing Frameworks and Best Practices

Risk management professionals need not go it alone. There are several standards organizations and committees that have developed risk management frameworks, guidance, and approaches that business teams can leverage and adapt for their own company. 

Some of the more popular risk management frameworks out there include:

  • ISO 31000 Family: The International Standards Organization’s guidance on risk management.
  • NIST Risk Management Framework (RMF): The National Institute of Standards and Technology has released risk management guidance compatible with their Cybersecurity Framework (CSF).
  • COSO Enterprise Risk Management (ERM): The Committee of Sponsoring Organizations’ enterprise risk management guidance.

Minimum Viable Product (MVP) Development

This approach to product development involves developing core features and delivering those to the customer, then assessing response and adjusting development accordingly. Taking an MVP path reduces the likelihood of financial and project risks, like excessive spend or project delays, by simplifying the product and decreasing development time.

Contingency Planning

Developing contingency plans for significant incidents and disaster events is a great way for businesses to prepare for worst-case scenarios. These plans should account for response and recovery. Contingency plans specific to physical sites or systems help mitigate the risk of employee injury and outages.

Root Cause Analysis and Lessons Learned

Sometimes, experience is the best teacher. When an incident occurs or a risk is realized, risk management processes should include some kind of root cause analysis that provides insights into what can be done better next time. These lessons learned, integrated with risk management practices, can streamline and optimize response to similar risks or incidents.

Built-In Buffers

Applicable to discrete projects, building in buffers in the form of time, resources, and funds can be another viable strategy to mitigate risks. As you may know, projects can get derailed very easily, going out of scope, over budget, or past the timeline. Whether a project team can successfully navigate project risks spells the success or failure of the project. By building in some buffers, project teams can set expectations appropriately and account for the possibility that project risks may come to fruition.

Risk-Reward Analysis

In a risk-reward analysis, companies and project teams weigh the possibility of something going wrong with the potential benefits of an opportunity or initiative. This analysis can be done by looking at historical data, doing research about the opportunity, and drawing on lessons learned. Sometimes the risk of an initiative outweighs the reward; sometimes the potential reward outweighs the risk. At other times, it’s unclear whether the risk is worth the potential reward or not. Still, a simple risk-reward analysis can keep organizations from bad investments and bad deals.

Third-Party Risk Assessments

Another strategy teams can employ as part of their risk management plan is to conduct periodic third-party risk assessments. In this method, a company would contract with a third party experienced in conducting risk assessments, and have them perform one (or more) for the organization. Third-party risk assessments can be immensely helpful for the new risk management team or for a mature risk management team that wants a new perspective on their program. 

Generally, third-party risk assessments result in a report of risks, findings, and recommendations. In some cases, a third-party provider may also be able to help draft or provide input into your risk register. As external resources, third-party risk assessors can bring their experience and opinions to your organization, leading to insights and discoveries that may not have been found without an independent set of eyes.

Components of an Effective Risk Management Plan

An effective risk management plan has buy-in from leadership and key stakeholders; applies the risk management steps; has good documentation; and is actionable. Buy-in from management often determines whether a risk management function is successful or not, since risk management requires resources to conduct risk assessments, risk identification, risk mitigation, and so on. Without leadership buy-in, risk management teams may end up just going through the motions without the ability to make an impact. Risk management plans should be integrated into organizational strategy, and without stakeholder buy-in, that typically does not happen. 

Applying the risk management methodology is another key component of an effective plan. That means the six steps outlined above should be incorporated into a company’s risk management lifecycle. Identifying and analyzing risks, establishing controls, allocating resources, conducting mitigation, and monitoring and reporting on findings form the foundations of good risk management.

Good documentation is another cornerstone of effective risk management. Without a risk register recording all of a company’s identified risks and accompanying scores and mitigation strategies, there would be little for a risk team to act on. Maintaining and updating the risk register should be a priority for the risk team — risk management software can help here, providing users with a dashboard and collaboration mechanism.

Last but not least, an effective risk management plan needs to be actionable. Any activities that need to be completed for mitigating risks or establishing controls should be feasible for the organization and allocated resources. An organization can come up with the best possible, best practice risk management plan, but find it completely unactionable because they don’t have the capabilities, technology, funds, and/or personnel to do so. It’s all well and good to recommend that cybersecurity risks be mitigated by setting up a 24/7 continuous monitoring Security Operations Center (SOC), but if your company only has one IT person on staff, that may not be a feasible action plan.

Executing on an effective risk management plan necessitates having the right people, processes, and technology in place. Sometimes the challenges involved with running a good risk management program are mundane — such as disconnects in communication, poor version control, and multiple risk registers floating around. Risk management software can provide your organization with a unified view of the company’s risks, a repository for storing and updating key documentation like a risk register, and a space to collaborate virtually with colleagues to check on risk mitigation efforts or coordinate on risk assessments.

Emily Villanueva, MBA, is a Senior Manager of Product Solutions at AuditBoard. Emily joined AuditBoard from Grant Thornton, where she provided consulting services specializing in SOX compliance, internal audit, and risk management. She also spent 5 years in the insurance industry specializing in SOX/ICFR, internal audits, and operational compliance.

Model Risk: Definition, Management, and Examples

Gordon Scott has been an active investor and technical analyst for 20+ years. He is a Chartered Market Technician (CMT).

What Is Model Risk?

Model risk is a type of risk that occurs when a financial model is used to measure quantitative information such as a firm's market risks or value transactions, and the model fails or performs inadequately and leads to adverse outcomes for the firm.

A model is a system, quantitative method, or approach that relies on assumptions and economic, statistical, mathematical, or financial theories and techniques. The model processes data inputs into a quantitative-estimate type of output.

Financial institutions and investors use models to identify the theoretical value of stock prices and to pinpoint trading opportunities. While models can be useful tools in investment analysis, they can also be prone to various risks that can occur from the usage of inaccurate data, programming errors, technical errors, and misinterpretation of the model's outputs.

Key Takeaways

  • In finance, models are used extensively to identify potential future stock values, pinpoint trading opportunities, and help company managers make business decisions.
  • Model risk is present whenever an insufficiently accurate model is used to make decisions.
  • Model risk can stem from using a model with bad specifications, programming or technical errors, or data or calibration errors.
  • Model risk can be reduced with model management such as testing, governance policies, and independent review.

Understanding Model Risk

Model risk is considered a subset of operational risk, as model risk mostly affects the firm that creates and uses the model. Traders or other investors who use a given model may not completely understand its assumptions and limitations, which limits the usefulness and application of the model itself.

In financial companies, model risk can affect the outcome of financial securities valuations, but it's also a factor in other industries. A model can incorrectly predict the probability of an airline passenger being a terrorist or the probability of a fraudulent credit card transaction. This can be due to incorrect assumptions, programming or technical errors, and other factors that increase the risk of a poor outcome.

What Does the Concept of Model Risk Tell You?

Any model is a simplified version of reality, and with any simplification, there is the risk that something will fail to be accounted for. Assumptions made to develop a model and inputs into the model can vary widely. The use of financial models has become very prevalent in the past decades, in step with advances in computing power, software applications, and new types of financial securities. Before developing a financial model, companies will often conduct a financial forecast, which is the process by which they determine the expectations of future results.

Some companies, such as banks, employ a model risk officer to establish a financial model risk management program aimed at reducing the likelihood of the bank suffering financial losses due to model risk issues. Components of the program include establishing model governance and policies. It also involves assigning roles and responsibilities to individuals who will develop, test, implement, and manage the financial models on an ongoing basis.

Real World Examples of Model Risk

Long-Term Capital Management

The Long-Term Capital Management (LTCM) debacle in 1998 was attributed to model risk. In this case, a small error in the firm's computer models was made larger by several orders of magnitude because of the highly leveraged trading strategy LTCM employed.  

At its height, the hedge fund managed over $100 billion in assets and reported annual returns of over 40%. LTCM famously had two Nobel Prize winners in economics as principal shareholders, but the firm imploded due to its financial model that failed in that particular market environment.

JPMorgan Chase

Almost 15 years later, JPMorgan Chase (JPM) suffered massive trading losses from a value at risk (VaR) model that contained formula and operational errors. Risk managers use VaR models to estimate the future losses a portfolio could potentially incur. In 2012, CEO Jamie Dimon's proclaimed "tempest in a teapot" turned out to be a $6.2 billion loss resulting from trades gone wrong in its synthetic credit portfolio (SCP).  

A trader had established large derivative positions that were flagged by the VaR model that existed at the time. In response, the bank's chief investment officer made adjustments to the VaR model, but due to a spreadsheet error in the model, trading losses were allowed to pile up without warning signals from the model.

This was not the first time that VaR models have failed. In 2007 and 2008, VaR models were criticized for failing to predict the extensive losses many banks suffered during the global financial crisis.

What is Enterprise Risk Management (ERM)?

Leaders of organizations must manage risks in order for the entity to stay in business. In fact, most would say that managing risks is just a normal part of running a business. So, if risk management is already occurring in these organizations, what’s the point of “enterprise risk management” (also known as “ERM”)?

Let’s Start by Looking at Traditional Risk Management

Business leaders manage risks as part of their day-to-day tasks as they have done for decades. Calls for entities to embrace enterprise risk management aren’t suggesting that organizations haven’t been managing risks. Instead, proponents of ERM are suggesting that there may be benefits from thinking differently about how the enterprise manages risks affecting the business.

Traditionally, organizations manage risks by placing responsibilities on business unit leaders to manage risks within their areas of responsibility. For example, the Chief Technology Officer (CTO) is responsible for managing risks related to the organization’s information technology (IT) operations, the Treasurer is responsible for managing risks related to financing and cash flow, the Chief Operating Officer is responsible for managing production and distribution, and the Chief Marketing Officer is responsible for sales and customer relationships, and so on. Each of these functional leaders is charged with managing risks related to their key areas of responsibility. This traditional approach to risk management is often referred to as silo or stove-pipe risk management whereby each silo leader is responsible for managing risks within their silo as shown in Figure 1 below.

Figure 1 – Traditional Approach to Risk Management 

Limitations with Traditional Approaches to Risk Management

While assigning functional subject matter experts responsibility for managing risks related to their business unit makes good sense, this traditional approach to risk management has limitations, which may mean there are significant risks on the horizon that may go undetected by management and that might affect the organization. Let’s explore a few of those limitations.

Limitation #1: There may be risks that “fall between the silos” that none of the silo leaders can see. Risks don’t follow management’s organizational chart and, as a result, they can emerge anywhere in the business. Consequently, a risk may be on the horizon that does not capture the attention of any of the silo leaders, causing that risk to go unnoticed until it triggers a catastrophic risk event. For example, none of the silo leaders may be paying attention to demographic shifts occurring in the marketplace whereby population shifts towards large urban areas are happening at a faster pace than anticipated. Unfortunately, this oversight may drastically impact the strategy of a retail organization that continues to look for real estate locations in outlying suburbs or more rural areas surrounding smaller cities.

Limitation #2: Some risks affect multiple silos in different ways. So, while a silo leader might recognize a potential risk, he or she may not realize the significance of that risk to other aspects of the business. A risk that seems relatively innocuous for one business unit might actually have a significant cumulative effect on the organization if it were to occur and impact several business functions simultaneously. For example, the head of compliance may be aware of new proposed regulations that will apply to businesses operating in Brazil. Unfortunately, the head of compliance discounts these potential regulatory changes given the fact that the company currently only does business in North America and Europe. What the head of compliance doesn’t understand is that a key element of the strategic plan involves entering into joint venture partnerships with entities doing business in Brazil and Argentina, and the heads of strategic planning and operations are not aware of these proposed compliance regulations.

Limitation #3: In a traditional approach to risk management, individual silo owners may not understand how an individual response to a particular risk might impact other aspects of a business. In that situation, a silo owner might rationally make a decision to respond in a particular manner to a certain risk affecting his or her silo, but in doing so that response may trigger a significant risk in another part of the business. For example, in response to growing concerns about cyber risks, the IT function may tighten IT security protocols, but in doing so, employees and customers may find the new protocols confusing and frustrating, which may lead to costly “work-arounds” or even the loss of business.

Limitation #4: So often traditional risk management applies an internal lens to identifying and responding to risks. That is, management focuses on risks related to internal operations inside the walls of the organization with minimal focus on risks that might emerge externally from outside the business. For example, an entity may not be monitoring a competitor’s move to develop a new technology that has the potential to significantly disrupt how products are used by consumers.

Limitation #5: Despite the fact that most business leaders understand the fundamental connection of “risk and return”, business leaders sometimes struggle to connect their efforts in risk management to strategic planning. For example, the development and execution of the entity’s strategic plan may not give adequate consideration to risks because the leaders of traditional risk management functions within the organization have not been involved in the strategic planning process. New strategies may lead to new risks not considered by traditional silos of risk management.

What’s the impact of these limitations? There can be a wide array of risks on the horizon that management’s traditional approach to risk management fails to see, as illustrated by Figure 2. Unfortunately, some organizations fail to recognize these limitations in their approach to risk management before it is too late.

Figure 2 – Currently Unknown, But Knowable Risks Overlooked by Traditional Risk Management

Effective Enterprise Risk Management (ERM) Should be a Valued Strategic Tool

Over the last decade or so, a number of business leaders have recognized these potential risk management shortcomings and have begun to embrace the concept of enterprise risk management as a way to strengthen their organization’s risk oversight. They have realized that waiting until the risk event occurs is too late for effectively addressing significant risks and they have proactively embraced ERM as a business process to enhance how they manage risks to the enterprise.

The objective of enterprise risk management is to develop a holistic, portfolio view of the most significant risks to the achievement of the entity’s most important objectives. The “e” in ERM signals that ERM seeks to create a top-down, enterprise view of all the significant risks that might impact the strategic objectives of the business. In other words, ERM attempts to create a basket of all types of risks that might have an impact – both positively and negatively – on the viability of the business.

An effective ERM process should be an important strategic tool for leaders of the business. Insights about risks emerging from the ERM process should be an important input to the organization’s strategic plan. As management and the board become more knowledgeable about potential risks on the horizon, they can use that intelligence to design strategies to nimbly navigate risks that might emerge and derail their strategic success. Proactively thinking about risks should provide competitive advantage by reducing the likelihood that risks may emerge that might derail important strategic initiatives for the business. That kind of proactive thinking about risks should also increase the odds that the entity is better prepared to minimize the impact of a risk event should it occur.

As illustrated by Figure 3, the ERM process should inform management about risks on the horizon that might impact the success of core business drivers and new strategic initiatives.

Figure 3 – ERM Should Inform Strategy of the Business

Elements of an ERM Process

Because risks constantly emerge and evolve, it is important to understand that ERM is an ongoing process. Unfortunately, some view ERM as a project that has a beginning and an end. While the initial launch of an ERM process might require aspects of project management, the benefits of ERM are only realized when management thinks of ERM as a process that must be active and alive, with ongoing updates and improvements.

The diagram in Figure 4 illustrates the core elements of an ERM process. Before looking at the details, it is important to focus on the oval shape to the figure and the arrows that connect the individual components that comprise ERM. The circular, clockwise flow of the diagram reinforces the ongoing nature of ERM. Once management begins ERM, they are on a constant journey to regularly identify, assess, respond to, and monitor risks related to the organization’s core business model.

Figure 4 – Elements of an ERM Process

ERM Starts with What Drives Value for the Entity

Because ERM seeks to provide information about risks affecting the organization’s achievement of its core objectives, it is important to apply a strategic lens to the identification, assessment, and management of risks on the horizon. An effective starting point of an ERM process begins with gaining an understanding of what currently drives value for the business and what’s in the strategic plan that represents new value drivers for the business. To ensure that the ERM process is helping management keep an eye on internal or external events that might trigger risk opportunities or threats to the business, a strategically integrated ERM process begins with a rich understanding of what’s most important for the business’ short-term and long-term success.

Let’s consider a publicly traded company. A primary objective for most publicly traded companies is to grow shareholder value. In that context, ERM should begin by considering what currently drives shareholder value for the business (e.g., what are the entity’s key products, what gives the entity a competitive advantage, what are the unique operations that allow the entity to deliver products and services, etc.). These core value drivers might be thought of as the entity’s current “crown jewels”. In addition to thinking about the entity’s crown jewels, ERM also begins with an understanding of the organization’s plans for growing value through new strategic initiatives outlined in the strategic plan (e.g., launch of a new product, pursuit of the acquisition of a competitor, or expansion of online offerings, etc.). You might find our thought paper, Integration of ERM with Strategy, helpful given it contains three case study illustrations of how organizations have successfully integrated their ERM efforts with their value creating initiatives.

With this rich understanding of the current and future drivers of value for the enterprise, management is now in a position to move through the ERM process, focusing next on identifying risks that might impact the continued success of each of the key value drivers. How might risks emerge that impact a “crown jewel” or how might risks emerge that impede the successful launch of a new strategic initiative? Using this strategic lens as the foundation for identifying risks helps keep management’s ERM focus on risks that are most important to the short-term and long-term viability of the enterprise. This is illustrated by Figure 5.

Figure 5 – Apply Strategic Lens to Identify Risks

The Focus is on All Types of Risks

Sometimes the emphasis on identifying risks to the core value drivers and new strategic initiatives causes some to erroneously conclude that ERM is only focused on “strategic risks” and not concerned with operational, compliance, or reporting risks. That’s not the case. Rather, when deploying a strategic lens as the point of focus to identify risks, the goal is to think about any kind of risk – strategic, operational, compliance, reporting, or whatever kind of risk – that might impact the strategic success of the enterprise. As a result, when ERM is focused on identifying, assessing, managing, and monitoring risks to the viability of the enterprise, the ERM process is positioned to be an important strategic tool where risk management and strategy leadership are integrated. It also helps remove management’s “silo-blinders” from the risk management process by encouraging management to individually and collectively think of any and all types of risks that might impact the entity’s strategic success.

Output of an ERM Process

The goal of an ERM process is to generate an understanding of the top risks that management collectively believes are currently the most critical risks to the strategic success of the enterprise. Most organizations prioritize what management believes to be the top 10 (or so) risks to the enterprise (see our thought paper, Survey of Risk Assessment Practices, which highlights a number of different approaches organizations take to prioritize their most important risks on the horizon). Generally, the presentation of the top 10 risks to the board focuses on key risk themes, with more granular details monitored by management. For example, a key risk theme for a business might be the attraction and retention of key employees. That risk issue may be discussed by the board of directors at a high level, while management focuses on the unique challenges of attracting and retaining talent in specific areas of the organization (e.g., IT, sales, operations, etc.).

With knowledge of the most significant risks on the horizon for the entity, management then seeks to evaluate whether the current manner in which the entity is managing those risks is sufficient and effective. In some cases, management may determine that they and the board are willing to accept a risk while for other risks they seek to respond in ways to reduce or avoid the potential risk exposure. When thinking about responses to risks, it is important to think about both responses to prevent a risk from occurring and responses to minimize the impact should the risk event occur. An effective tool for helping frame thinking about responses to a risk is known as a “Bow-Tie Analysis”, which is illustrated by Figure 6. The left side of the “knot” (which is the risk event) helps management think about actions management might take to lower the probability of a risk occurring. The right side of the “knot” helps management think about actions that could be taken to lower the impact of a risk event should it not be prevented (take a look at our article, The Bow-Tie Analysis: A Multipurpose ERM Tool).

Figure 6 – Bow-Tie Tool for Developing Responses to Risks

Monitoring and Communicating Top Risks with Key Risk Indicators (KRIs)

While the core output of an ERM process is the prioritization of an entity’s most important risks and how the entity is managing those risks, an ERM process also emphasizes the importance of keeping a close eye on those risks through the use of key risk indicators (KRIs). Organizations are increasingly enhancing their management dashboard systems through the inclusion of KRIs linked to each of the entity’s top risks identified through an ERM process. These KRI metrics help management and the board keep an eye on risk trends over time. Check out our thought paper, Developing Key Risk Indicators to Strengthen Enterprise Risk Management, issued in partnership with COSO, for techniques to develop effective KRIs.

Leadership of ERM

Given the goal of ERM is to create a top-down, enterprise view of risks to the entity, responsibility for setting the tone and leadership for ERM resides with executive management and the board of directors. They are the ones who have the enterprise view of the organization and they are viewed as being ultimately responsible for understanding, managing, and monitoring the most significant risks affecting the enterprise.

Top management is responsible for designing and implementing the enterprise risk management process for the organization. They are the ones to determine what process should be in place and how it should function, and they are the ones tasked with keeping the process active and alive. The board of directors’ role is to provide risk oversight by (1) understanding and approving management’s ERM process and (2) overseeing the risks identified by the ERM process to ensure management’s risk-taking actions are within the stakeholders’ appetite for risk taking. (Check out our thought paper, Strengthening Enterprise Risk Management for Strategic Advantage, issued in partnership with COSO, that focuses on areas where the board of directors and management can work together to improve the board’s risk oversight responsibilities and ultimately enhance the entity’s strategic value).

Given the speed of change in the global business environment, the volume and complexity of risks affecting an enterprise are increasing at a rapid pace. At the same time, expectations for more effective risk oversight by boards of directors and senior executives are growing. Together these suggest that organizations may need to take a serious look at whether the risk management approach being used is capable of proactively versus reactively managing the risks affecting their overall strategic success. Enterprise risk management (ERM) is becoming a widely embraced business paradigm for accomplishing more effective risk oversight.

Interested in Learning More About ERM?

As business leaders realize the objectives of ERM and seek to enhance their risk management processes to achieve these objectives, they often are seeking additional information about tactical approaches for effectively doing so in a cost-effective manner. The ERM Initiative in the Poole College of Management at North Carolina State University may be a helpful resource through the articles, thought papers, and other resources archived on its website or through its ERM Roundtable and Executive Education offerings. Each year, we survey organizations about the current state of their ERM-related practices. Check out our most recent report, The State of Risk Oversight Report: An Overview of Enterprise Risk Management Practices.

Original Article Source: “What is Enterprise Risk Management?”

A strategic vision for model risk management

In the economic environment created by the COVID-19 pandemic, many models on which financial institutions rely for their business decisions became inadequate. The extraordinary economic conditions exacerbated preexisting stresses in model risk management (MRM). Facing a critical challenge, a few leading institutions, with others following suit, have begun to rethink their model landscapes and the model life cycle. As we discussed recently, their considerations have revealed a new S-curve in model risk management.

In the past year, McKinsey provided a number of forums for model risk managers from financial institutions around the world. These professionals shared their views on challenges and emerging themes at roundtables and in our global MRM survey. More than 150 model risk managers from nearly 100 institutions participated in the survey. The results showed three areas of focus: the impact of COVID-19 on MRM, the evolutionary changes in MRM, and the challenges posed by models using artificial intelligence (AI) and machine learning (ML).

The impact of the COVID-19 pandemic on model risk management

The COVID-19 pandemic has affected the performance of models globally, including traditional financial-risk models, such as those for credit risk, as well as models for nonfinancial risk, such as fraud management. Banks necessarily responded with short-term measures. The responses included more frequent monitoring to identify models at risk, compensating controls such as model overlays, and substitutions using alternative existing models. Some of these short-term measures (such as overlays) lacked adequate controls, so appropriate governance had to be developed.

Leading institutions are also undertaking longer-term solutions, upgrading their MRM functions to adapt to the new conditions. Their objective is to move MRM to a new level, defined by a meaningful collaboration between the first and second lines of defense. For that to happen, institutions will have to embed MRM culture throughout the model life cycle. That means changing not only processes and procedures but also the ways individuals involved in the model life cycle think and act.

Heightened model risk and emerging solutions

For financial institutions, the pandemic’s effects increased model risk in a wide range of use cases. Models that rely on macroeconomic variables or customer behavior were heavily affected. Specifically, models for predicting creditworthiness, as well as for stress-testing and provisioning, were all severely tested by the pandemic-triggered economic fallout.

In terms of model impact, our survey revealed that for most banks (more than 80 percent), the most heavily affected models were those for credit risk and stress-testing. These models rely on static historical data, and the pandemic created discontinuities and problems of data reliability. To address the challenges, institutions in different regions are taking different approaches. In Asian countries, especially China, banks are already recalibrating or redeveloping their models. In North America and Europe, model remediation is taking the form of interim overlays (such as expert judgment) as the search for more systematic approaches proceeds apace.

From expert discussions on the challenges created by quick remediation, some best-practice solutions emerged. The MRM function must establish governance of overlays covering business-as-usual models and regulatory models. Transparency of all overlays is vital, as banks explore more systematic and responsive approaches to address overlays in every segment (consumer, small and medium-size enterprise, corporate). That is needed as the COVID-19 pandemic and its effects are stretching across a longer time horizon than was initially anticipated.

Findings from the McKinsey survey of leading institutions on model risk management, 2020

of banks globally reported that credit-risk models were the most affected by the COVID-19 business environment.

of banks used overlays to mitigate model-performance issues due to the COVID-19 crisis.

of banks expect their model risk-management (MRM) functions to grow in the next two years.

of banks believe that automation will be the top solution in enhancing MRM efficiency.

of banks will develop more artificial-intelligence (AI) and machine-learning (ML) models in the next 12 months.

of banks cite as a top challenge the lack of specific validation standards for AI and ML models; 67 percent similarly cite a lack of talent with AI or ML knowledge.

Overlays cannot always meet the challenges effectively. Institutions should consider prioritizing models for redevelopment, where feasible and effective. The first and second lines of defense must collaborate closely to identify the affected models and guide redevelopment or recalibration.

Participants in our MRM discussions noted that a “crisis tool kit” could help institutions that are relying on second-line controls and model monitoring. These crisis procedures and protocols would incorporate lessons from the present crisis in order to provide a contingency plan to deal with the next one. Some of the signal findings from our MRM survey are listed in the sidebar.

The evolution of model risk management

The crisis has highlighted the value of MRM and raised the function’s significance as a strategic-risk partner. MRM maturity varies by region, in part due to different regulatory guidelines. Nonetheless, improving validation effectiveness and operational efficiency are universal priorities. Our survey revealed that the number of models requiring validation and risk reviews is growing, and the scope of MRM is also rapidly expanding—into models for automatic decision making, for example.

Within financial institutions in every region, MRM functions are evolving faster than ever, primarily because models are proliferating in number and scope. The survey revealed that most institutions are enhancing their MRM frameworks as a priority. Respondents agree that this is most critical in regions where regulatory pressure is higher.

Banks face cost and capacity pressures as they strengthen frameworks and expand model inventories. Validation backlogs and delays mount as existing validation capacity fails to cover expanding demand. Inventory is increasing as new models are developed outside traditional areas of financial risk. The rapid development of AI is increasing model complexity and adding to the backlog.

The quality of validation can consequently suffer unless the bank brings in external support. To manage the model-validation budget, leading banks have industrialized validation, using lean fundamentals and automated processes. Models are prioritized for validation based on key factors such as their importance in business decisions and materiality of the model exposure. Validation intensity is customized by model tiers to improve speed and efficiency. Likewise, model tiers are used to define the resource strategy and governance approach.

The use of model tiers to improve efficiency varies by region. In Asia and Latin America, where MRM functions are still maturing, about half our surveyed banks report using tiers in their model inventory. In Europe, tiering is prevalent, but most banks do not use it to its full effect, deploying it to determine validation frequency but not the depth of validation. In the United States, most large banks refined their framework by including a fourth tier in their model classification. The additional tier is essential for the impact of tiering to be effective, since the number of models is steadily increasing.

The next level of maturity in the MRM journey is defined by more advanced MRM capabilities, which go beyond the validation-centered approach. The emphasis shifts from a technical model review to a risk manager’s view that assesses the risks beyond model methodology. The entire portfolio of models is managed, including extended inventories beyond credit- and market-risk models, encompassing also nonfinancial-risk and business models. Reporting thereby becomes meaningful, as senior managers get an exhaustive view on model risk beyond the technicalities—one with a real risk perspective.

Institutions can take targeted actions to realize their MRM objectives. The MRM function should define priority actions to improve governance, frameworks, model scope, and standards for model development and validation as a foundational phase for an efficient operating model. Improved validation is an obvious top priority, especially in North America and Europe, where MRM is more mature. More than half the survey participants identified automation as the most important approach for improving validation efficiency given the current requirements and scope in these regions. Validation remains a priority, since it ensures that models are of high quality and do not generate undue risk. The key challenge is to balance quality and efficiency in model validation, in recognition of current cost pressures.

Efficiency can be further improved by a review of the model landscape. Where banks can simplify the overall landscape, they will also ease the validation workload. The number of models and their use cases are rising rapidly, including use cases outside areas of risk. Nearly half of North American and European survey participants reported that a better understanding of model interdependence is an important precondition for prioritizing models and streamlining MRM activities.

Artificial-intelligence and machine-learning challenges

Institutions are increasingly using models based on artificial intelligence and machine learning. AI and ML models amplify model risk because of their complexity and comparative lack of transparency. Complicating issues include designer bias, which, given the nature of these models, is difficult to detect; interpretability, meaning the ease or difficulty of predicting what a model will do; and explainability, defined as the degree to which the workings of an AI or ML system can be understood in nontechnical terms.

Talent is lacking

To keep pace with these AI and ML developments, MRM must shape standards and perform end-to-end management for the new models. Most MRM functions do not have comprehensive standards tailored for AI and ML. These are needed to address specific challenges, including bias detection, ethical questions, and explainability. Further vulnerabilities are caused by a lack of appropriate AI and ML tools and infrastructure. The steepest challenge, however, is in the area of knowledge. Most MRM functions are short of AI and ML talent. Model submissions are often incomplete, furthermore, as many owners of the new models neither adequately understand the responsibilities of a model owner nor have a sufficient grasp of model risk. Early signs are that institutions will face increased regulatory scrutiny of AI and ML models as they adopt use cases at scale.

Our survey revealed that validation of AI and ML models is in a very early stage in all regions, though Asian institutions are more advanced in model development. Among Asian banks surveyed, 90 percent plan to develop more AI and ML models over the next two years. In addition, the accelerating pace of digital transformations, partly brought on by the economic crisis caused by the pandemic, is causing demand for these models to increase. Yet less than 20 percent of surveyed banks said that they were ready for this demand. Many cited a lack of AI–ML talent as their most glaring shortcoming in this regard.

Recruiting expertise and building capabilities

To help their institutions adjust to this fast-changing environment, MRM functions must lead the campaign to attract sufficient expertise in advanced analytics. Once the needed talent is in place, MRM functions can keep pace with AI–ML development—establishing needed training programs, selecting the right tools and infrastructure, and developing appropriate standards. These capabilities are urgently needed to support use cases for AI–ML models, which are quickly shifting from experimental pilots to extension at scale. Surveyed banks noted that the first line is incorporating techniques that may be insufficiently rigorous for these more complex models. Active management by the MRM function of the tiering approach to model development and validation is thus clearly needed.

Regulators are now giving attention to MRM and model governance in the application of analytics to digital- and internet-lending use cases. In January 2020, for example, the European Banking Authority issued guidance for banks on improving controls in their implementation of advanced analytics. China’s Banking and Insurance Regulatory Commission introduced specific requirements in July 2020 to expedite governance for AI–ML models. AI has also increased the importance of data management for MRM frameworks. AI–ML data requirements are significant: compared with traditional models, AI–ML models consume far greater volumes of data, including from third-party sources. The complexity of the data and the number and variety of use cases are also greater. Institutions need to be able to apply rigorous data-management frameworks and MRM, with clearly defined model-related data-governance and ownership structures.

In this next-generation MRM environment, the MRM function must apply its robust risk-management practices across the model life cycle. By ensuring that effective oversight is built into processes, the MRM function also fosters closer collaboration with the first line in managing model risk. The result is a sustainable operating model.

The importance of MRM was already growing before the COVID-19 crisis. In response to rising levels of risk and the need for more sophisticated modeling, financial institutions began to develop AI–ML models for financial and nonfinancial risks alike. The crisis has accelerated digital transformations in the financial sector, which has been an important driver of the new generation of models.

This, then, is the right moment to transform MRM. The function’s strategic importance has increased. Across the organization, the scope of models is expanding; many of the new models are designed around advanced analytics. The level of MRM work is rising commensurately, calling for greater MRM efficiency. Financial institutions need a less validation-centric function, one that can strategically prioritize the redevelopment and adjustment of models. A more comprehensive MRM approach, beyond validation, will help ensure a model life cycle better suited to AI and ML models.

Marie-Paule Laurent is a partner in McKinsey’s Brussels office; Andreas Raggl is an associate partner in the Zürich office; Christophe Rougeaux is an expert in the Waltham, Massachusetts, office; and Maribel Tejada is a senior expert in the Paris office.

The authors wish to thank Noé Berger, Rohit Luhadia, and Lavanya Pant for their contributions to this article.

This article was edited by Richard Bucci, a senior editor in the New York office.

skillfine

7 Risk Management Models To Consider Before You Start Your Business

  • March 3, 2023

Risk management models are a core component of running any kind of business. You can’t run your business if you don’t know how much money you can afford to lose and what risk factors could affect that figure. If you’re just starting out, it might be tempting to avoid thinking about risk management because it can feel like an intimidating topic.

However, as your business grows and you expand your operations, it becomes even more important to track your risk exposure so that you know what factors need to be monitored to keep your company operating safely and efficiently. In this article, we’ll introduce you to the different kinds of risk management models that are available in the market and outline why they are useful for identifying and mitigating risks in your business.

What is Risk Management?

Risk management is the process of identifying, measuring, and controlling the risk factors that could negatively impact your company. It is the act of considering those risks and deciding how best to mitigate them.

Risk factors include things like competition, the strength of your product/service, your ability to execute on your strategy, and many more. When you’re starting out, you don’t have the resources to monitor every single risk factor that could impact your business. You need to prioritize the most significant risks, and then start building a strategy around mitigating them. If you’re just getting started, you don’t have enough information to evaluate risk factors and make strategic decisions about how to mitigate those risks. You need to first identify the significant risks and then set up programs to mitigate them.

Asset Register or Inventory

Before you start managing risk, you need to know the current state of your assets and how much the company owns. This is called an “asset register/inventory.” You can do this by conducting an inventory of your company’s current assets, and then organizing them on a spreadsheet or database so that you can see their current values. You can also use an online inventory tool like Business Management Software.

This inventory is important because it identifies what your company owns right now. Once you have this information, you can start managing risk by looking at the risks associated with each asset. For example, in your start-up phase, it is fine to make decisions that increase your overall asset value because you have a small business that doesn’t have a lot of assets to begin with. But as your company expands and you begin managing larger risks, you need to know what your assets are worth so that you can make more informed decisions.

How do you take your business to the next level?

When you’re starting out, the most important thing that you can do to manage risk is to understand the risks that your business faces. Once you have identified these risks, you can put together a risk management program to mitigate them.

To take your business to the next level, you need to understand these three key areas of risk.

– External Risks: External risks are the risks that your company faces from outside factors, like the strength of your competition, the performance of your customers, and many more. External risks are different from internal risks because they are not something that your company does. You can’t control external factors, so you need to focus on managing them.

– Asset Risks: Asset risks are the risks associated with each asset in your company. For example, an asset might be your intellectual property, the technology you are using to run your business, or the equipment that you use to produce your product/service.

– Operational Risks: Operational risks are the risks that occur during daily business operations. For example, an operational risk might be poor inventory management or a breakdown in your supply chain that causes your product to be delayed in arriving at the customer.

Why is it important to know the different kinds of risk management models?

As you grow your business, you will encounter new types of risks that you haven’t encountered before. You can’t deal with new risks if you don’t know what they are! By identifying different kinds of risk management models, you can prepare for any new risks that you may encounter in the future. Different risk management models are suitable for different types of businesses.

For example, asset management is more useful for companies that sell physical assets like a manufacturing facility or retail store. However, a digital business may not be as affected by asset management risks like having too much inventory or having too much money tied up in assets like equipment.

Types of Risk Management Models

There are different types of risk management models that can help you identify and mitigate risk. One of the most popular risk management models is the Five-Factor Model, and it is one that you should consider when you’re starting out. The Five-Factor Model was developed by Harvard Business School professor Dr. Henry Mintzberg.

This model identifies five key factors that determine the overall risk of your company. If any three of these factors are high, then it is likely that your overall risk is high, too. If any one of these factors is low, then it has a small impact on the overall risk of your company. If all three factors are high, though, then it has a significant impact on your overall risk.

Capital Requirement or Buffer Account

If you already have an established business, the next step is to start managing risk associated with existing assets. The most common way to do this is to create a “buffer account.” A buffer account is a reserve fund that you set aside from your operating revenue to cover any unexpected but likely expenses that could arise.

For example, if you have a product that is selling for $100, and you expect to operate at a loss of $100 for the month, that’s an expense that isn’t unusual for your business. However, it is an expense that could significantly affect your overall risk if it happens too often. That’s why you need to have a buffer account set aside to cover these types of expenses. The buffer account can be thought of as a cash reserve that you keep separate from your operating revenue.

Probabilistic Risk Management

The Five-Factor Model is a deterministic model that assumes that risks are evenly distributed across the factors. Therefore, if any one factor is low, then the overall risk is not significantly affected. However, businesses often don’t operate in a vacuum – they also have human beings working for them, and human beings are not always as rational as we would like to think. Therefore, in the real world, some factors will be higher than others. In those cases, you need a probabilistic model that takes into account the likelihood of each factor occurring.

Financial Risk Analysis

At the end of the day, financial risk analysis is about trying to identify the factors that have the highest probability of causing your company to go bankrupt or miss payroll. Therefore, the goal of this analysis is to identify the factors that have the highest chance of negatively affecting your company. You can do or learn about this by looking at the courses on financial analysis that give a brief of your company to see if any factors are significantly low. If any factors are significantly low, you need to investigate why that is happening so that you can find a way to fix it.

So now you know what risk management is, what different models are available, and how to identify the most significant risks facing your business. These are important topics to understand before you start managing risk in your company because it can be difficult to do if you don’t know what you’re getting yourself into.

Technology Strategy

Get the flexibility and value you need from technology

Why technology strategy matters.

the revenue growth when leaders double down on investments in technology and innovation

of CIO/CTOs are primarily focusing investment on revenue growth as opposed to cutting costs

of CIOs are focusing on an overall business transformation, versus a single function, in 2024

of enterprise transformation projects fail to meet expectations

Start with technology, then reinvent

Use everything technology offers to build a better business.

What you need to do

Get out of tech debt and into tech value.

Curb your tech debt and focus your tech spending on the activities that will power your business growth. Give your management team a shared understanding of how tech can deliver more value.

Design an enterprise architecture that allows your business to soar

Make the most of digital core technologies and techniques to improve business continuity and reduce your risk. Reinvent every aspect of your IT using generative AI.

Build an operating model that’s as innovative as your team

Respond to changing market demands by being nimbler. Design and implement an intelligent operating model built for business agility, resiliency and growth.

Have a clear vision for your tech transformation

Prioritize what you want to achieve, set the success criteria, and establish a transformation office to deliver it.

What you’ll achieve

Cloud innovation

A tech strategy everyone supports

Create a coalition for change with a plan that also fires up your business, tech and finance teams.

Finance

Total transparency on where your tech spend is going

With a clear view, you can decide where to reduce, redistribute and expand your tech investments.

Cloud infrastructure

A vision for your future architecture

Get the outcomes your business needs while continuously transforming your organization at scale.

Cloud technology

An operating model that is your competitive edge

Get an intelligent operating model that moves at the same pace as your customers.

Cloud transformation

A transformation that meets expectations

Track and communicate the value of your enterprise transformation and get insights to help you make better decisions.

What’s trending in technology strategy

This is a singular moment for CIOs: here is how they can take advantage to unlock true business value across their enterprise.

How do you simplify a complex enterprise transformation? Accenture’s Jason Sain recommends starting with a clear vision and value creation story.

By focusing on new opportunities provided by cloud, data and AI, CSPs can accelerate their legacy technology transformation to resolve tech debt and position themselves for new product and service growth. 

CIOs can bring the greatest value to transformation. Accenture’s Greg Douglass explains how CIOs address new challenges in today’s business.

If Agile is challenging, meet multi-speed: a model combining the best of both worlds to gain agility.

Accenture’s Kit Friend explains what’s at risk when CIOs mistake a hybrid solution for Agile, and why multi-speed isn’t always the answer.

Five imperatives the C-suite must address to reinvent in the age of generative AI.

Greg Douglass from Accenture advises on how to boost a tech-savvy board, as embracing digital transformation requires tech expertise across enterprises.

Accelerate your journey

myDiagnostic

Assess your business, talent, and IT maturity to understand your strengths and gaps. Unlock opportunities over a data-driven path to hastened growth and value.

Accenture Momentum

Orchestrate large-scale business transformations from start to finish, focusing on vision, value, speed, talent and technology.

Partners in change

Apptio

Our leaders

Koenraad Schelfaut

Lead – Technology Strategy & Advisory

Keith Boone

Lead – Technology Strategy & Advisory, North America

Frédéric Brunier

Lead – Technology Strategy & Advisory, EMEA

Tejas R. Patel

Lead – Technology Strategy & Advisory, Growth Markets

IMAGES

  1. 5 Top Tips To Make the Risk Management Process More Efficient

  2. Risk Management Framework And Why It Matters In Business

  3. The Three Steps Of Risk Management

  4. How To Create A Risk Management Plan + Template & Examples

  5. Strategic Risk Assessment Template, Examples, & Checklist for 2022

  6. 5 Effective Ways To Implement Risk Management In Your Business

VIDEO

  1. The Institutes Designations Executive Education Program

  2. Risk Analysis In Business Analysis || Facebook Replay

  3. Workplace Rules: Crafting Your Essential Employee Manual

  4. Strategic Solutions for Navigating Business and Personal Risks

  5. Risk Analysis In Business Analysis|| Project Management #shorts

  6. What is Risk Management? #short

COMMENTS

  1. How to Build Risk into Your Business Model

    Summary. To create value, companies typically focus on revenue, cost structure, and resource velocity. Improving those factors is the main focus of management literature. But all of them are ...

  2. PDF Risk management and the business model

    3 Risk management and the business model | Risk Snapshot Contents 1. Introduction to the 'business model' 2. Review of FRC report on business model reporting 3. Components of the business model 4. Extracts from published company reports 5. Brexit, strategy and the future business model 6. Commentary and lessons for risk professionals ...

  3. A holistic approach to risk management

    To change this picture, leadership must commit to building robust, effective risk management. The project is three-dimensional: 1) the risk operating model, consisting of the main risk management processes; 2) a governance and accountability structure around these processes, leading from the business up to the board level; and 3) best-practice crisis preparedness, including a well-articulated ...

  4. What is business risk?

    Cyber risk is a form of business risk. More specifically, it's the potential for business losses of all kinds in the digital domain—financial, reputational, operational, productivity related, and regulatory related. While cyber risk originates from threats in the digital realm, it can also cause losses in the physical world, such as damage ...

  5. The evolution of model risk management

    The path to sophisticated model risk management is evolutionary—it can be usefully discussed as having three stages: building the elements of the foundation, implementing a robust MRM program, and capturing the value from it (Exhibit 1).

  6. What Is Risk Management & Why Is It Important?

    4 Reasons Why Risk Management Is Important. 1. Protects Organization's Reputation. In many cases, effective risk management proactively protects your organization from incidents that can affect its reputation. "Franchise risk is a concern for all businesses," Simons says in Strategy Execution. "However, it's especially pressing for ...

  7. Risk Management Models: A Quick Guide

    A risk management model, or model risk management, refers to a systematic approach to manage the potential risks associated with the use of models and, more specifically, quantitative models built on data. Since models are based on a wide range of assumptions and predictions, it's essential to recognize the possibility of errors and ...

  8. What does an optimal risk management operating model look like?

    With the global financial crisis in the past, institutions can now reflect on what an optimal risk management operating model may look like—and on finding synergies in the existing capabilities of operational risk and compliance. Keys to success include communicating a clear, well-articulated vision combined with an appropriate tone from the top.

  9. Model risk management

    A strong risk culture: It is crucial for senior management to instill a strong risk culture supported by a sound model risk management framework. The "three lines of defense" framework—which comprises ownership, controls, and compliance—helps ensure that risk management is part of the overall process and work culture, rather than just ...

  10. Business model risk is a key part of your risk management strategy

    Management consultants Amit Sen and John Vaughan discuss business model risk, a way to apply risk management policies to new or changed business processes. Published: 17 Jun 2009. Business model risk probably is not always the first application of risk management that C-level officers or IT administrators think of, as they are usually more ...

  11. Risk Modeling: What to Know About Risk Models

    A risk model is a mathematical technique, system, or method that predicts the risk elements of a business strategy. If done right, a risk model can provide functional data and quantitative estimates that help businesses make financial, strategic, and operational decisions. Some models also use qualitative elements, such as relying on subject ...

  12. PDF KPMG Whitepaper Model Risk Management

    Model risk management. 1. Background and Motivation. The global financial crisis showed that controls and governance frameworks associated with valuation, risk and other operating models can be fragmented, incomplete or unreliable. Therefore, regulators have increased scrutiny to ensure that financial institutions maintain effective and ...

  13. Risk modeling

    In risk management, simulation can be used to measure risks, to guide decisions and sensible actions in light of those risks, to take steps to reduce risks, and to monitor risks over time. Together, modeling and simulation help reduce the complexity and alleviate the unease of making pivotal business decisions or investments in two ways.

  14. PDF Model Risk Management

    the same quantification of model risk is difficult both for individual models and portfolios. This intractability can limit how compelling model risk management seems in the context of bank-wide risk management. 2. Quantification and reporting of model risk continue to be a challenge 8 Model Risk Management Global Update 2019

  15. Risk Management 101: Process, Examples, Strategies

    The six risk management process steps that we've outlined below will give you and your organization a starting point to implement or improve your risk management practices. In order, the risk management steps are: Risk identification. Risk analysis or assessment. Controls implementation.

  16. PDF Model Risk Management toolkit

    model risk considerations into their organizations from the board of directors to the business units. Model risk management toolkit KPMG member firms have developed an MRM toolkit which is designed to provide guidance on implementing an effective Model Risk Management function and framework within a financial entity.

  17. Model Risk: Definition, Management, and Examples

    Model risk is a type of risk that occurs when a financial model used to measure a firm's market risks or value transactions fails or performs inadequately.

  18. Risk prediction models: How they work and their benefits

    Risk prediction models use statistical analysis techniques and machine learning algorithms to find patterns in data sets that relate to different types of business risks. In doing so, they enable data-based decisions optimized for particular risks and business opportunities as part of risk management initiatives.

  19. What is Enterprise Risk Management (ERM)?

    The objective of enterprise risk management is to develop a holistic, portfolio view of the most significant risks to the achievement of the entity's most important objectives. The "e" in ERM signals that ERM seeks to create a top-down, enterprise view of all the significant risks that might impact the strategic objectives of the business.

  20. A strategic vision for model risk management

    In the economic environment created by the COVID-19 pandemic, many models on which financial institutions rely for their business decisions became inadequate. The extraordinary economic conditions exacerbated preexisting stresses in model risk management (MRM). Facing a critical challenge, a few leading institutions, with others following suit, have begun to rethink their model landscapes and ...

  21. Explaining risk maturity models and how they work

    A risk maturity model (RMM) is an assessment tool for evaluating an organization's progress toward its enterprise risk management program goals. For risk and corporate governance professionals, they can be useful resources when planning, implementing and maturing ERM strategy as well as improving communication about the strategy more broadly ...

  22. 7 Risk Management Models To Consider Before You Start Your Business

    The Five-Factor Model was developed by Harvard Business School professor Dr. Henry Mintzberg. This model identifies five key factors that determine the overall risk of your company. If any three of these factors are high, then it is likely that your overall risk is high, too. If any one of these factors is low, then it has a small impact on the ...

  23. Model Risk

    Model risk emerges when a financial model with fundamental inaccuracy is applied or incorrect use of a model for business or strategic decision-making happens. The main types are specification risk, implementation risk, and model application risk. Model Risk Management (MRM) controls risks indicated by the possible adverse effects of choices ...

  24. Technology Strategy and Consulting

    Give your management team a shared understanding of how tech can deliver more value. Design an enterprise architecture that allows your business to soar Make the most of digital core technologies and techniques to improve business continuity and reduce your risk.

  25. Cyber security and your business

    What to do if you're a victim of cybercrime or scam. If your business is a victim of a cybercrime, you can use the ACSC resources to help you report and recover: call the Australian Cyber Security Centre 24/7 Hotline: 1300 CYBER1 (1300 292 371). You will need to report a scam to the National Anti-Scam Centre. If there is an immediate threat ...