top of page
  • Rory Roberts

What are the different types of risk?

Internal Risks

One of the most important questions you can ask in Risk Identification is how much exposure to we have to a particular risk. It is important as a starting point to analyses the exposures of the company toward the taxonomy of risks of the company. A company might for example have a very light exposure to interest rates for example, but a very heavy exposure to energy consumption. Then should there be the same number of Risks Identified in Interest rates as there are in energy exposure? Or would it make more sense to concentrate the search for risks toward the area of energy. In such a case it would be expected that if the company has a high exposure to energy costs, that many of the business areas are dealing with energy costs, and as such a broad search should elucidate more risks in energy costs than interests’ rates. This may not always be the case however there may be a very high concentrations of risk to energy costs in just one part of the company.

It makes sense therefore to have a broad understanding of the companies’ exposures before beginning the risk identification process, so that the intensity of the search may be focused toward the areas where there are concentrations of exposure.

So, what does the term “Internal Risk” mean, when we classify a risk as an internal risk it is because the source of the risk can be identified and quantified internally, so to clarify of energy cost go up because of a geopolitical crisis, then the energy price increase is a external risk. However, the internal risk is our company’s exposure to the growth in energy price costs, or how our company is affected by the rise in energy costs.

Our internal risks can be thought of as our companies’ sensitivities to external risks, or risks that stem from the company itself. Such as knowledge concentration risk, or strategy risk, or internal fraud.

External Risks

So you might have guessed external risks are risk from outside the company, we are only interested in external risks that we are exposed to as a company. Examples of external risks are as follows:

- Inflation or inflation volatility

- Interest Rate rises or interest rate volatility

- Energy price rises or energy price volatility

- Currency Risk or Currency Risk volatility

- Pandemic

- Geopolitical Crisis

- Supply chain risks

- Political Risk

- Regulatory Risk

External Risks can often cause Cascade risks, ie inflation causes less discretionary spending, results in lower sales. For this reason, is a good idea to capture external risks first before running the internal risk identification process. The external risks can then be used to promote thought around the affects that the occurrence of such risks will have on the company’s exposures. External risks can be gathered in a Top-down manner, it is the job of Senior management to be aware of external threats or opportunities to the business, although they may not be aware of all the cascade effects of these threats or opportunities within the business.

External Risks can be circulated to the stakeholders or subject matter experts within the company for them to consider, how these risks might cascade against known exposures in their business area.

This is also a useful motivating factor for the SME’s who may be exasperated by having to contribute to the process. When they see that Senior Management have already given some thought to external threats, they will be more inclined to engage with the process.

This does not mean that only external threats are captured from Senior management, however passing Senior a senior management view of internal threats to the SME’s is likely to influence their objectiveness’ on the internal threats that the perceive. So it is recommended that only the external threats are passed to the SME’s for consideration. In order to keep an audit trail it is important that any internal threat that is seen as a cascading risk from an external threat is tagged to that external threat.

Emerging Risks

Emerging Risks can be internal or external, they are generally risks that are on the horizon but have not become material as of the time of reporting. An emerging risk should therefore have the ability to accelerate in itself or cascade into a broader risk. Emerging risks should also be gathered before the main risk identification process and fed through to that process for consideration, they are usually trigger events that can cause a cascade of possibly internal risks. In order for an emerging risk to be considered it must be considered to be both sufficiently likely and sufficiently impactful to be considered in this way.

Concentration Risks

Concentration risks are usually to be found where there is a concentration of exposure, as in concentration of exposure to a counterparty, line of business, or other underlying driver.

When building out the taxonomy of risks it is important to identify concentrations of exposure, and then to consider the ensuing concentration of possible risks that could cascade from these concentrations of exposures. Counterparty risk is a very common concentration risk, where there is a concentration of risk around one counterparty, different scenarios should be considered to understand potential cascading effects.

Cascade Risks

Risks do not usually occur in isolation, we can consider the Cascade element of risk to be the counterparty of concentration risk, just as a lack of diversification can heighten exposure to concentration risk, cascading risks happen when there is a lack of controls on residual risks. One risk triggers another risk resulting in a domino or cascade effect.

It is important to tag how risks can cascade one from the other, this will also help in the use of the Risk identification process for stress testing and scenario analysis.

Event Risks

Event driven risks can be a sudden an unexpected occurrence, the Event can be internal or external but again must have a significant likelihood and impact to be considered as an input into the risk identification process.

Core or Material Risks

The Risk inventory will need to be prioritised in order to focus resources on mitigating the most important risks. A final inventory of Core risks, that have a high severity should be the output of the Risk identification process. These should be limited in number, and should be presented too and considered by the most senior management in the firm.

0 views0 comments

Recent Posts

See All

How to Measure the Impact of a Risk

Loss View A simple worst case loss view can be taken per risk in cash amount, usually defined as the worst case loss from the Risk Manifesting at its highest severity. Severity is generally viewed as

How to measure the probability of a Risk

There are several probability measures that an organization might use in a risk identification process, including: I. Qualitative probability: Qualitative probability involves using subject

Embedding Risk Identification into your Company

To embed a risk identification process into a company: I. Run the risk identification process periodically, updating the risk register and taking action on the material risks, it is importa


bottom of page