Business Ethics

Business Ethics Jonathan Poland

Business ethics refer to the principles and values that guide the behavior of individuals and organizations in the business world. These principles and values help to shape the decisions and actions of businesses, and influence the way they interact with stakeholders such as employees, customers, suppliers, and the community.

Some common principles of business ethics include honesty, fairness, responsibility, and respect for the law. These principles help to ensure that businesses operate in a way that is ethical and responsible, and that they have a positive impact on society.

There are several key issues that are often addressed in business ethics, including:

  1. Corporate social responsibility: This refers to the responsibility that businesses have to consider the impact of their actions on society and the environment. This includes issues such as sustainability, environmental protection, and philanthropy.
  2. Employee rights and treatment: This refers to the rights and treatment of employees in the workplace. This includes issues such as fair wages, working conditions, and discrimination.
  3. Consumer protection: This refers to the responsibility of businesses to protect the interests of consumers and ensure that they are treated fairly. This includes issues such as product safety, truth in advertising, and privacy.
  4. Business practices: This refers to the ethical practices of businesses, including issues such as honesty in business dealings, avoiding conflicts of interest, and avoiding unethical practices such as bribery and corruption.

Effective business ethics are important for building trust and credibility with stakeholders, and for ensuring that businesses operate in a way that is responsible and sustainable. This can lead to increased customer loyalty, employee satisfaction, and overall business success.

The following are key terms related to business ethics.

  • Accountability
  • Agency
  • Circular Economy
  • Compliance
  • Conflict Of Interest
  • Cooling Off Period
  • Cronyism
  • Cultural Appropriation
  • Dark Patterns
  • Do No Harm
  • Dual Agency
  • Environmental Issues
  • Equality
  • Ethical Climate
  • Extended Producer Responsibility
  • Fee Splitting
  • Fiduciary Duty
  • Gaming The System
  • Information Security
  • Insider Trading
  • IT Governance
  • Material Information
  • Patent Ambush
  • Precautionary Principle
  • Privacy
  • Product Transparency
  • Professional Conduct
  • Quality Of Life
  • Regulatory Risk
  • Reputational Risk
  • Resilience
  • Right To Know
  • Self Dealing
  • Sustainability
  • Technology Ethics
  • Tone At The Top
  • Transparency
  • Unintended Consequences
  • Usury
  • Values

Conflicts of Interest

Conflicts of Interest Jonathan Poland

A conflict of interest exists when an individual or organization has incentives that contradict their responsibilities. This can occur when a professional may be rewarded for subpar performance, although the existence of a conflict of interest does not necessarily mean that wrongdoing or poor performance has occurred. However, conflicts of interest can create potential problems and are generally avoided by businesses and often prohibited by laws and regulations. The following are a few examples of potential conflicts of interest.

Agents
In some cases, the agents for a buyer and seller in a transaction both work for the same firm. This can lead to the temptation to share confidential information to ensure that a deal is closed and commissions are realized. If this happens, it is typically considered a breach of fiduciary duty.

Bailouts
Government bailouts of industry represent a moral hazard and may be carefully examined for conflict of interest such as campaign contributions or public speaking fees.

Banks
Investment banks put up an information barrier known as a Chinese wall between teams that advise corporate clients on things such as mergers & acquisitions and teams that manage money or advise brokerage clients. If buy-side teams obtained confidential information about such a client, this would be a clear conflict of interest.

Compensation
Hiring salary and salary adjustments may be impacted by cronyism such as an executive who hires friends at unreasonably high salaries with inflated job titles relative to their experience and responsibilities.

Content & Sponsorship
Media organizations may erect a Chinese wall between journalists and advertising departments to prevent advertisers from influencing the news or other content. It is a widely accepted practice to clearly label any content that has been influenced by advertisers.

Discipline
Cronyism may impact employee discipline. For example, serious complaints about executives and their inside circle at a firm may be casually dismissed, potentially in violation of employment law.

Fee Splitting
The practice of referring clients from one professional to another for a fee. Considered unethical in the medical profession.

Governance vs Management
In many cases, governance is set up to direct and monitor management. As such, when governance bodies are controlled by management this can be a conflict of interest. For example, if the board of directors of a firm is controlled in some way by the firm’s management.

Grassroots vs Astroturfing
Grassroots is a term for an organization set up by people who are not members of an elite in pursuit of a common goal. Astroturfing is when an industry, firm or elite political group sets up a fake grassroots organization to pretend that there is public support for their goals.

Insider Trading
An employee of a firm who uses confidential material information for material gain.

Judiciary & Commercial Interests
A judiciary that is influenced by commercial interests such as a privatized prison that influences a judge to give tougher sentences.

Judiciary & Personal Experience
A judge that knows a defendant and similar conflicts of interest based on the personal experiences of judge and jury.

Media & Politics
A high level politician has dinner with a media executive and asks that a journalist be fired for a critical article.

Medical Marketing
When a doctor is given material incentives to recommend a treatment by the firm selling the treatment.

Procurement
Procurement of goods and services is often governed by regulations and expected due diligence to prevent bribery, small gifts, relationships or any other conflict of interest from influencing the process. In some countries, procurement fraud is a major issue that impacts economic efficiency.

Nepotism
Granting favors to family in a commercial or political setting.

Outside Employment
Holding two jobs can theoretically result in conflicts of interest. For example, you may be tempted to use the secret proprietary knowledge of one firm to complete work at the other.

Performance Management
Cronyism in performance management such as promoting friends despite low performance.

Perverse Incentives
A negative unintended consequence of a performance goal, incentive or system. For example, an executive who contractually gets a large bonus if they are fired has an incentive to fail in some circumstances.

Profit Motive & Public Services
Allowing the profit motive to corrupt institutions designed for the public good.

Regulatory Capture
A failure of government whereby commercial interests have undue influence on the agencies designed to provide oversight of an industry. In some cases, this extends to capture of the legislative process itself.

Research & Sponsorship
Research designed to satisfy a sponsor as opposed to being scientifically accurate.

Revolving Door
A system of influencing government whereby a firm’s employees are sent to work for government or government employees are offered lucrative future employment in exchange for influence.

Self Audits
An organization or department that audits its own controls may be likely to miss things.

Self Dealing
A general term for a violation of fiduciary duty in pursuit of self-interest.

Self Regulation
Industry self-regulation may risk conflict of interest as the profit motive may supplant the public interest.

Capability Analysis

Capability Analysis Jonathan Poland

Capability analysis is the process of evaluating the capabilities of an organization, system, or process in order to identify its strengths and weaknesses. This analysis helps organizations understand their current capabilities and identify areas for improvement in order to meet the needs of their customers, stakeholders, and other relevant parties.

There are several approaches to capability analysis, including SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis, gap analysis, and benchmarking. These approaches involve identifying and analyzing various factors that can impact an organization’s capabilities, such as its resources, skills, processes, and technology.

SWOT analysis involves evaluating an organization’s internal strengths and weaknesses, as well as external opportunities and threats. This can help organizations identify areas where they have a competitive advantage or disadvantage, and identify opportunities for improvement or areas of potential risk.

Gap analysis involves comparing an organization’s current capabilities to its desired state or target capabilities. This helps organizations identify the gaps between their current and desired capabilities, and develop a plan to close those gaps.

Benchmarking involves comparing an organization’s capabilities to those of its peers or competitors in order to identify areas of relative strength and weakness. This can help organizations identify best practices and areas for improvement.

Capability analysis can be a valuable tool for organizations seeking to improve their performance and achieve their goals. By understanding their current capabilities and identifying areas for improvement, organizations can develop strategies to enhance their capabilities and achieve success.

Here are some examples of capability analysis:

  1. A company conducts a capability analysis to identify its core competencies and determine how they align with its business strategy. For example, a manufacturing company may identify its capability in producing high-quality products as a key strength.
  2. A team within an organization conducts a capability analysis to identify the skills and expertise of its members and determine how they can be leveraged to support the team’s goals. For example, a marketing team may conduct a capability analysis to identify which team members have expertise in social media marketing and how that expertise can be used to support the team’s marketing efforts.
  3. An individual conducts a capability analysis to identify their own strengths and weaknesses and determine how they can develop their skills to support their career goals. For example, a salesperson may conduct a capability analysis to identify areas where they need to improve their skills, such as negotiating or closing deals, in order to advance in their career.
  4. An organization conducts a capability analysis to identify potential areas for expansion or growth. For example, a software development company may conduct a capability analysis to identify the technologies and platforms it has expertise in and determine if there are opportunities to expand into new markets.

Critical Mass

Critical Mass Jonathan Poland

In economics, critical mass refers to the minimum size a company needs to be in order to effectively compete in a particular market. The size required for critical mass can vary greatly depending on the industry and the company’s approach to the market. For instance, industries like the automotive industry often require a company to be quite large in order to be competitive, while smaller companies may be able to succeed in industries such as restaurants.

Critical mass can also apply to individual products. For example, a new and innovative product may need to attract a certain number of initial customers in order to generate buzz and become successful. In this case, the product’s critical mass would be the number of customers it needs to reach in order to achieve widespread adoption. Overall, achieving critical mass is an important consideration for businesses as they strive to succeed in a competitive market.

Here are a few examples of critical mass in different industries and contexts:

  1. Manufacturing: A manufacturing company may need to achieve a certain level of production volume in order to reach economies of scale and become competitive in the market.
  2. Service businesses: A service business, such as a consulting firm, may need to reach a certain number of clients in order to cover its overhead costs and be profitable.
  3. Online marketplaces: An online marketplace, such as a platform for buying and selling goods or services, may need to reach a critical mass of users in order to attract sellers and buyers and create a viable market.
  4. Innovative products: An innovative new product may need to attract a certain number of initial customers in order to generate buzz and become successful.
  5. Social networks: A social networking platform may need to reach a critical mass of users in order to become attractive to new users and maintain its user base.

Barriers to Entry

Barriers to Entry Jonathan Poland

Barriers to entry refer to factors that make it difficult for new companies to enter a particular market. These barriers can take many forms, including technological know-how, government regulations, reputation, location, and the need for large investments or specialized assets. When barriers to entry are high, it can allow existing firms in the industry to maintain a strong market position and charge higher prices due to their market power. In extreme cases, high barriers to entry can lead to the formation of a monopoly, where a single firm controls the entire market and can charge high prices without fear of competition.

Examples of barriers to entry:

  1. Intellectual property: Patents, trademarks, and copyrights can be used to protect intellectual property, making it difficult for new competitors to enter the market.
  2. Economies of scale: Companies that have already achieved a large scale of production may have cost advantages over smaller competitors, making it difficult for them to enter the market.
  3. Network effects: When a product or service becomes more valuable as more people use it, new competitors may find it difficult to enter the market because they cannot attract enough users to generate the same value as the existing players.
  4. Government regulation: Regulations and licensing requirements can create barriers to entry, particularly in industries that are heavily regulated, such as healthcare and financial services.
  5. Access to distribution channels: Established firms may have established relationships with distributors and retailers, making it difficult for new competitors to gain access to these channels.
  6. Customer loyalty: If customers are highly loyal to a particular brand, it can be difficult for new competitors to attract these customers and gain a foothold in the market.
  7. Supplier relationships: Established firms may have longstanding relationships with suppliers, making it difficult for new competitors to secure the necessary raw materials or components.
  8. High startup costs: Industries that require large investments in equipment, research and development, or marketing may have high barriers to entry for new competitors.
  9. Legal barriers: Legal contracts, such as exclusive agreements or non-compete clauses, can create barriers to entry by preventing new competitors from entering the market.
  10. Industry consolidation: When a few large firms dominate an industry, it can be difficult for new competitors to enter and compete effectively.
  11. Reputation: Established firms may have a strong reputation in the market, which can make it difficult for new competitors to gain credibility and attract customers.
  12. Customer acquisition costs: Industries that require significant marketing and sales efforts to attract customers may have high barriers to entry for new competitors due to the costs associated with acquiring new customers.

Problem Management

Problem Management Jonathan Poland

Problem management is an important aspect of IT service management that involves identifying, analyzing, and resolving problems that can impact the performance or availability of an IT service. A problem is a root cause of one or more incidents, which are negative events that cause a loss of service or quality.

Problem management is a proactive process that focuses on identifying and resolving problems before they cause significant disruptions to business operations. This involves a number of different activities, including problem identification, problem analysis, and problem resolution.

One of the key goals of problem management is to prevent incidents from occurring in the first place. This can be achieved through a number of different techniques, such as identifying and addressing potential problem areas, implementing preventative measures, and monitoring the IT environment to detect potential problems before they cause incidents.

When an incident does occur, problem management is responsible for identifying and analyzing the underlying problem, and developing a plan to resolve it. This often involves working closely with other teams, such as the incident management team, to ensure that the problem is resolved as quickly and effectively as possible.

Problem management is a critical part of ensuring the availability and performance of IT services. By proactively identifying and resolving problems, businesses can minimize the impact of incidents and maintain a high level of service quality for their customers. Here are some illustrative examples.

Incident Management

Incident management is the process of detecting and handling negative events. The goal here is to find a quick resolution or workaround that reduces losses. This can be contrasted with problem management, which solves the root cause of the incident to prevent recurring issues. For example, if a system is down, incident response teams may reboot a machine to resolve the incident. The incident is closed when service is restored. Problem management would then investigate why the machine was malfunctioning to determine if further corrective action is required. The problem is closed when the root cause of the incident is addressed.

Root Cause Analysis

When an incident occurs there are often several layers of cause. Root cause analysis tends to be a complex and open-ended exercise such that any two teams that look at the same problem are likely to reach different conclusions. As a rule of thumb, the goal is to find the cause with the greatest explanatory power that is within your ability to fix. For example, the cause “the sensor wasn’t tested at last maintenance” is likely to be selected as it can be addressed by the airline to prevent future incidents.

Corrective Action

Corrective action is an action that solves a current problem. For example, replacing a faulty sensor on an aircraft.

Preventative Action

Preventative action is an action that prevents future incidents. For example, testing sensors on a monthly basis to prevent safety issues and flight delays.

Design Thinking

Problems can often be solved with design practices such as reliability engineering. For example, redesigning a user interface to prevent latent human error.

Resilience

Resilience is an approach to solving problems by designing your society, city, organization, processes and practices in a fundamentally sound way. For example, a city that uses land in a high risk tsunami zone as a park that is easily evacuated as compared to a city that builds hospitals, schools, houses, nuclear power facilities and other vulnerable structures on the same land.

Continuous Improvement

In many cases, a problem isn’t resolved with a single action but requires an ongoing and sustained program of improvement. For example, a series of pervasive customer service incidents that require training and improvements to your customer service culture that may take years to fully achieve.

Knowledge Management

Problem management tends to generate a great deal of knowledge. For example, you may identify process gaps that aren’t prioritized to be fixed. This knowledge can be captured, shared and communicated.

Known Problem Management

The process of monitoring for incidents related to a known problem to apply a standard workaround or fix. For example, a manual workaround that a team can use to complete their work when a system is experiencing availability issues.

Problem Review

The process of reviewing each problem to identify organizational weakness that can be improved.

Problem Communication

Problems tend to capture the attention of stakeholders such as executive management, business units and customers. As such, communicating the status of problems and managing relationships with stakeholders is a key element of problem management. For example, managing communication with a customer who has reported a problem.

Risk Management

Risk management is the process of identifying potential incidents and treating them before they occur. This can be integrated with problem management as problem management teams can contribute to the identification and reduction of risk.

Quality Assurance

Quality assurance is the practice of addressing the root cause of quality failures. This is essentially problem management under a different name or vice versa.

Factor Market

Factor Market Jonathan Poland

The factor market, also known as the input market, is the market where the factors of production are bought and sold. The factors of production are the resources used to produce goods and services, including land, labor, and capital. In the factor market, these resources can be rented, leased, or purchased by businesses and organizations. The factor market is an essential component of the economy, as it allows businesses to access the resources they need to produce goods and services. This market is often studied in the field of economics, and plays a key role in the allocation of resources and the determination of prices.

The factor market is a concept that is often associated with simplistic and outdated economic models that view the economy as consisting of producers who buy unfinished inputs and consumers who buy finished goods. This narrow focus on the manufacturing sector ignores the complexity and diversity of modern economies. For example, the knowledge economy may require very few factors of production beyond labor, and the service economy often relies on the purchase of finished goods. Additionally, it is increasingly common for consumers to participate in production and for firms to purchase consumer goods. These developments highlight the limitations of the factor market model and the need for more nuanced and comprehensive approaches to understanding economic systems.

The following are common elements of the factor market.

  • Buildings
  • Business Services
  • Components
  • Electricity
  • Equipment
  • Information Technology Services
  • Infrastructure
  • Inventory
  • Labor
  • Land
  • Machines
  • Materials
  • Natural Resources (e.g. water)
  • Outsourcing
  • Parts
  • Vehicles

External Risk

External Risk Jonathan Poland

An external risk is a type of risk that is outside of your control and cannot be influenced or managed by you or your organization. These risks may be caused by external factors such as natural disasters, market fluctuations, or changes in government regulations. Because external risks are beyond your control, they can often be difficult to predict or mitigate. As a result, it is important for organizations to have contingency plans in place to help them respond to and manage external risks effectively.

Disaster Risk
The insurance industry defines external risk as the risk of disasters that are beyond the control of a policy holder such as earthquakes, wildfires, floods and pandemics.

Act of God
Another term for disasters of a non-human cause such as a volcanic eruption.

Force Majeure
Force majeure is a major adverse event such as a disaster. This potentially includes human caused disasters such as a war but definitions vary by jurisdiction.

Environmental Hazards
The potential for an environmental disaster such as very low air quality that threatens the health and safety of large populations.

Infrastructure Risk
The potential for major infrastructure disruptions beyond your control such as an event that causes large scale internet outages.

Political Risk
The potential for political disruptions such as a revolution, strike or protest.

Economic Risk
Large economic risks such as the potential for a recession or depression. Predictable economic risks such as exchange rate fluctuations aren’t considered external as these can be mitigated.

Project Risk
Projects often define external risks as anything beyond the capacity of the project to mitigate. For example, a merger or acquisition might derail a project but be well beyond the control of the project.

External Factors
External factors are elements outside of an organization that can impact its strategy and decision making. These factors can include competition, markets, customers, technological change, economic conditions, politics, regulations, and social and cultural change. Organizations often use frameworks like SWOT analysis to identify and categorize external factors as threats and opportunities. This can help organizations understand the impact of these external factors on their operations and make informed decisions. By considering external factors, organizations can develop strategies that anticipate and adapt to changes in their environment.

  • Attitudes
  • Barriers to Entry (new competition)
  • Business Models
  • Business Risks
  • Capital (e.g. new machines)
  • Consumer Devices
  • Consumer Trends
  • Costs
  • Customer Experience
  • Customer Needs
  • Customer Perceptions
  • Demand
  • Demographics
  • Design Practices
  • Direct Competition
  • Disasters
  • Distribution (e.g. ecommerce)
  • Economic Problems
  • Efficiency (e.g. energy efficiency of new vehicles)
  • Elections
  • Environment (e.g. air quality)
  • Environmental Regulations
  • Exchange Rates
  • Factor Markets (input supply)
  • Financial Conditions
  • Fiscal Policy (government spending)
  • Government Policy
  • Growth Rates (industry or economy)
  • Indirect Competition
  • Information Security (threats and vulnerabilities)
  • Infrastructure
  • Interest Rates
  • Interests
  • Know-how (of competition)
  • Labor Regulations
  • Lifestyles
  • Market Structure
  • New Materials
  • Operating Models
  • Opinions
  • Political Stability
  • Practices
  • Price Competition
  • Productivity Rates
  • Protests
  • Psychographics
  • Research & Development
  • Revenue Models
  • Social Structure
  • Strike Actions
  • Styles
  • Subcultures
  • Subsidies
  • Supply Chain Disruptions
  • Taxes
  • Technology Culture
  • Technology Platforms
  • Trade Barriers
  • Trade Wars
  • Values

Risk Management

Risk Management Jonathan Poland

Risk management is the process of identifying, assessing, and prioritizing risks in order to minimize their potential impact on an organization. It is an essential element of effective business planning and decision making, as it helps organizations to identify and mitigate potential negative consequences that could arise from their operations or activities.

There are several key steps involved in the risk management process:

  1. Identifying risks: The first step in risk management is to identify potential risks that could affect the organization. This involves looking at a wide range of factors, including the organization’s operations, the industry in which it operates, and the external environment.
  2. Assessing risks: Once risks have been identified, they need to be assessed in terms of their likelihood and potential impact. This involves evaluating the likelihood of a risk occurring, as well as the potential consequences of the risk if it does occur.
  3. Prioritizing risks: After risks have been identified and assessed, they need to be prioritized based on their likelihood and potential impact. This helps the organization to focus its efforts on the most critical risks and allocate resources accordingly.
  4. Developing risk management strategies: After risks have been prioritized, the organization needs to develop strategies to mitigate or minimize them. This may involve implementing new processes or procedures, introducing new technology, or other measures.
  5. Implementing risk management strategies: The final step in the risk management process is to implement the strategies that have been developed to mitigate or minimize risks. This involves putting the necessary measures in place and ensuring that they are effectively implemented and followed.

Effective risk management is essential for the success and sustainability of any organization. It helps organizations to identify and mitigate potential risks that could affect their operations, and enables them to make informed decisions that support their long-term goals.

Risk Management Plan

A risk management plan is a plan that outlines the steps to take to identify, assess, and mitigate identified risks. It is a proactive approach to addressing potential issues and is typically developed as the output of risk identification and analysis activities. The goal of a risk management plan is to minimize the impact of risks on an organization and its stakeholders. This is often done through the implementation of controls and other measures that reduce the likelihood of risks occurring or their potential impact.

Basic
The basic elements of a risk management plan are a description of each risk, an estimate of their impact and probability and an overview of the steps that are taken to treat each risk.

Risk Exposure
Risk exposure is a numerical estimate of the probable cost of a risk. This is calculated as impact × probability. For example, if there is a 10% chance that a million dollar house will burn down, your risk exposure is $1,000,000 × 0.1 = $100,000. A more sophisticated analysis will also include the risk of partial losses such as a fire that only damages your kitchen.

Residual Risk
Residual risk is the risk that remains after risk treatment. This implies that you have accepted a certain amount of risk as part of risk management. In practice, most risks can’t be reduced to zero and this would seldom be desirable as you tend to get decreasing returns if you over manage risk.

Secondary Risk
A secondary risk is a risk that is created by risk treatments themselves. Risk management can go too far and cause more problems than it prevents. As such, measuring and communicating secondary risk has value in preventing overzealous risk management steps.

Risk Assessment

Risk assessment is the process of identifying and evaluating potential risks in a systematic and structured manner. It involves identifying the sources of potential risks, analyzing the likelihood and potential impact of these risks, and determining the appropriate course of action to mitigate or manage them. In risk assessment, probability refers to the likelihood that a particular risk will occur. Impact, on the other hand, refers to the potential consequences of a risk when it does occur. Probability and impact can be assessed using a variety of methods, including single estimates or probability distributions.

Project Management
A project team brainstorms risks with the input of the entire team and required subject matter experts such as an information security professional. They estimate probability and impact for each risk in a probability/impact matrix.

Program Management
An IT program composed of dozens of projects models the risk of projects being late or over budget using reference class forecasting, a method of comparing projects to historical projects with similar scope and risk profiles.

Equity Analyst
An equity analyst develops in-depth knowledge about a company and its industry in order to evaluate risks and rewards associated with a stock. If they downgrade a stock, they may provide a list of high-level risks associated with the firm in a note to investors.

Risk Analyst
A risk analyst may use statistical analysis to evaluate the risks associated with a particular investment or class of investments. They may use a large number of variables to estimate the probability of losses as a probability distribution. For example, the probability of a 10% loss on a particular investment might be 3% and the probability of a 100% loss might be 0.3%.

Small Business
A small business lists out risks associated with a strategy to open a new retail location. They evaluate probabilities on a scale of 1-4 labeled as “very likely”, “likely”, “possible”, “remotely possible”. They evaluate impact on a scale of 1-4 labeled as “disaster”, “high”, “medium”, “low.” The business then uses the evaluations to prioritize efforts to avoid, transfer, reduce or accept each risk.

Risk 101

Risk 101 Jonathan Poland

Risk evaluation is a crucial component of the risk management process. It involves assessing the potential impact and likelihood of identified risks to determine their significance. This evaluation helps organizations prioritize risks and allocate resources effectively to manage them. Let’s delve deeper into the topic:

Purpose of Risk Evaluation:

  • Prioritization: By evaluating risks, organizations can prioritize them based on their potential impact and likelihood. This ensures that the most significant risks are addressed first.
  • Resource Allocation: Once risks are prioritized, organizations can allocate resources (like time, money, and personnel) more effectively to manage these risks.
  • Informed Decision Making: Risk evaluation provides decision-makers with a clearer picture of the potential threats and opportunities, allowing them to make informed decisions.

Steps in Risk Evaluation:

  • Risk Identification: Before you can evaluate risks, you need to identify them. This involves recognizing potential threats and opportunities that could affect the achievement of objectives.
  • Risk Assessment: This step involves determining the likelihood and potential impact of the identified risks. It’s often done using qualitative or quantitative methods.
  • Risk Ranking: Based on the assessment, risks are ranked. This helps in understanding which risks need immediate attention.
  • Determine Risk Tolerance: Organizations need to determine their risk tolerance, which is the amount of risk they are willing to accept. Any risk that exceeds this tolerance level needs to be addressed.

Methods of Risk Evaluation:

  • Qualitative Analysis: This method involves describing risks in terms of their potential severity and likelihood using descriptive terms like “high,” “medium,” or “low.”
  • Quantitative Analysis: This method uses numerical values to represent risk. It might involve statistical data, financial values, or other measurable metrics.

Outcome of Risk Evaluation:

Once risks are evaluated, organizations can decide on the appropriate risk response strategies, such as:

  • Avoidance: Eliminating the risk by discontinuing the associated activity.
  • Mitigation: Reducing the impact or likelihood of the risk.
  • Transfer: Shifting the risk to another party, like through insurance.
  • Acceptance: Acknowledging the risk and preparing to deal with its consequences.

Review and Monitoring:

Risk landscapes are dynamic, and new risks can emerge while existing ones can change in their significance. Hence, continuous monitoring and periodic reviews of the risk evaluation are essential. Risk evaluation is a foundational step in the risk management process. It ensures that organizations are aware of their risk landscape and can take appropriate actions to manage those risks effectively.

Risk Management

Risk management strategies are formulated based on the outcomes of risk evaluations. The goal is to address the identified risks in a manner that aligns with the organization’s objectives, risk appetite, and available resources. Here’s a step-by-step breakdown of how risk management strategies are formed using risk evaluations:

Understand the Risk Context:

Before forming strategies, it’s essential to understand the broader context in which the organization operates. This includes its objectives, stakeholders, regulatory environment, and other relevant factors.

Use the Risk Evaluation Outcomes:

The results from the risk evaluation (i.e., the ranking and assessment of risks based on their likelihood and impact) provide a foundation for strategy formulation.

Determine the Organization’s Risk Appetite:

Risk appetite is the level of risk an organization is willing to accept in pursuit of its objectives. It acts as a guidepost for strategy formulation. Risks that exceed the organization’s risk appetite will need more aggressive management strategies.

Select Appropriate Risk Response Strategies:

Based on the risk evaluation and the organization’s risk appetite, one or more of the following risk response strategies can be chosen:

  • Avoidance: This strategy involves not taking or discontinuing an action to avoid the risk altogether. For instance, if a business venture is deemed too risky, the organization might decide not to pursue it.
  • Mitigation: This involves taking steps to reduce the likelihood or impact of a risk. For example, implementing safety protocols can mitigate the risk of workplace accidents.
  • Transfer: Some risks are best managed by transferring them to another party. This is commonly done through insurance or contractual agreements. For instance, a company might take out insurance against natural disasters.
  • Acceptance: If a risk is deemed acceptable based on its likelihood and impact (and considering the organization’s risk appetite), it might be accepted without any specific action. However, contingency plans might be put in place to address the consequences if the risk materializes.
  • Exploitation: In cases where the risk presents an opportunity, strategies might be formulated to exploit the situation. For instance, if there’s a potential market disruption, a company might strategize to capitalize on it.

Develop and Implement Action Plans:

Once the appropriate strategies are selected, specific action plans are developed. These plans detail the steps to be taken, resources required, responsibilities, timelines, and monitoring mechanisms.

Continuous Monitoring and Review:

The risk environment is dynamic. As such, it’s essential to continuously monitor the identified risks and the effectiveness of the management strategies. Adjustments to the strategies might be needed based on changing circumstances.

Communication and Reporting:

Effective communication is crucial. Stakeholders, including employees, management, and external parties, should be informed about the risks and the strategies in place. Regular reporting ensures transparency and accountability.

Forming risk management strategies is a systematic process that leverages the insights gained from risk evaluations. The strategies are designed to align with the organization’s objectives and risk appetite, ensuring that risks are managed in a way that supports the organization’s goals.

Monitoring & Review

The monitoring and review phase is a continuous and integral part of the risk management process. It ensures that the risk management strategies remain effective and relevant in the face of changing circumstances. Here’s a detailed look at this phase:

Purpose of Monitoring and Review:

  • Ensure Effectiveness: To confirm that the risk management strategies and actions are working as intended.
  • Detect Changes: To identify new risks or changes in existing risks due to shifts in the internal or external environment.
  • Continuous Improvement: To refine and enhance the risk management process based on feedback and lessons learned.

Key Activities in the Monitoring and Review Phase:

  • Regular Check-ins: Scheduled reviews of the risk management plan to ensure its relevance and effectiveness. This could be monthly, quarterly, or annually, depending on the nature of the risks and the organization’s context.
  • Performance Indicators: Using Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) to measure and track the effectiveness of risk responses and the status of risks.
  • Audit and Assurance: Internal or external audits can provide an independent assessment of the risk management process, ensuring that it aligns with best practices and regulatory requirements.
  • Stakeholder Feedback: Engaging with stakeholders, including employees, customers, and partners, to gather feedback on the perceived effectiveness of risk management activities.
  • Incident Reporting: Establishing a system for reporting and analyzing incidents related to risks. This helps in understanding the root causes and can lead to refining risk management strategies.

Adjusting Strategies:

  • Refinement: Based on the insights from monitoring and review, risk management strategies might need adjustments. This could involve strengthening certain controls, introducing new measures, or even relaxing controls if a risk level decreases.
  • Re-evaluation: If significant changes are detected in the risk landscape, it might be necessary to revisit the risk evaluation phase to reassess the impact and likelihood of risks.

Documentation and Reporting:

  • Maintain Records: Keeping detailed records of monitoring and review activities, findings, and actions taken. This provides an audit trail and can be valuable for future risk assessments.
  • Report Findings: Regularly reporting the outcomes of monitoring and review activities to relevant stakeholders, including senior management and the board. This ensures transparency and keeps decision-makers informed.

Continuous Learning:

  • Lessons Learned: Capturing and analyzing lessons from both successful risk management and instances where risks weren’t managed effectively. This contributes to the organization’s knowledge base and helps in refining future strategies.
  • Training and Development: Based on the findings from the monitoring and review phase, there might be a need for additional training or development programs to enhance the organization’s risk management capabilities.

The monitoring and review phase is not a one-off activity but a continuous loop. It ensures that the risk management process remains dynamic, responsive, and effective in managing risks in a changing environment. It’s the mechanism that ensures the organization’s risk management approach remains proactive rather than reactive.
