Risk determination with risk typology

Author: Manu Steens

Determining the risks is one of the important steps in risk management; its intermediate result is a risk register with accompanying action plans.

In this respect, according to the principle of subsidiarity, the lowest-ranking person who can sensibly determine the risks is the right person to list them. This applies to risks at all levels in the organization.

The first step therefore consists of determining the target group of the brainstorming session for the risks. For operational risks these can be process or project managers, but also newcomers who do not yet have much of a view on risks: they constantly come into contact with unforeseen issues, and taking part in the risk analysis raises their awareness and alertness. For tactical and strategic risks these can be board members. The target group for reporting the risks must also be determined. For the normal risks these can be the managers; large risks and strategic risks must be reported to the top management / management board.

Once the target groups for determining and reporting the risks have been determined, the risks themselves must be assessed. This can be done with a risk typology, of which there are several possibilities. These always depend on the organization itself, which must therefore be well known by those who choose or design the appropriate risk typology. Below we present a number of examples of risk typologies (not exhaustive).

A first possible division is as follows:

  • Financial risks
  • Legal requirements
  • Legal compliance
  • Reputation
  • Specific to the industry
  • Data integrity and reliability
  • Confidentiality of the data
  • Security of your own data
  • Disaster recovery and continuity planning
  • Operational risks

A second possible division is as follows:

  • External risks
    • Nature
    • Politics / law and regulations
    • Social / societal
    • Economy / market, fairs, …
  • Internal risks
    • Strategy
    • Legal / financial consequences of the legal form
    • Continuity
    • Quality
    • Fraud / Compliance …
    • Material risks (loss or damage)
    • Safety of people / resources
    • Financial risks
    • Critical knowledge
    • Capacity …
A third possible division is as follows:

  • Operational risks:
    (Willem De Ridder, ‘Risicobeheersing met toegevoegde waarde’): “The risk of loss as a result of inadequate or failing processes, people and systems or as a result of external events.”
  • Strategic risks:
    (Lizanne Vroom, ‘Risicomanagement vanuit het Dynamisch Business Model’): “The danger of (capital) loss and / or the survival of the organization as a result of changes in the organization’s environment, the lack of response or an incorrect response. Changes in the environment of the organization, business adverse decisions or incorrect implementation of the chosen strategy.”

A useful way to work with this risk typology is to brainstorm with a SWOT method. Note that making this SWOT does distinguish between internal matters (strengths and weaknesses) and external issues (opportunities and threats), but is not yet a risk analysis in itself. It can be used to formulate the risk statements on the basis of each item in the risk typology, in relation to the operational projects, processes, objectives or strategic objectives; in other words, to do the risk identification. The risk typology used can also depend on this. In addition, the SWOT method with its confrontation matrix is suitable for formulating measures.

A brainstorming session works best with a group of about 4 people and a coach. The latter must always challenge the group to formulate the risk statements properly and also, according to the principle of a Bow-Tie, to formulate the causes and consequences, the causes of causes and the consequences of consequences, etc. The 5x ‘why’ and 5x ‘what then’ question method applies here. In this way the participants in the brainstorm eventually formulate the risk statements in the form ‘The organization / the process / project … has problem / opportunity … with the cause(s) … and effect(s) …’.

One can choose to split the causes and consequences of the problem over several risk statements, or to group the causes and group the consequences. These are then challenged with preventive and reactive measures respectively. The Bow-Tie method is then very suitable for checking whether all the stated causes and consequences are being addressed with measures.
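As an added illustration (not part of the original article), the Bow-Tie risk statement above modelled as a small data structure: it renders the statement in the brainstorm's template, splits it into one statement per cause/consequence pair, and reports causes without a preventive measure and consequences without a reactive one. The payroll scenario and all measure names are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import product

# Constructed model of a Bow-Tie risk statement (assumption: one central problem,
# preventive measures address causes, reactive measures address consequences).
@dataclass
class BowTie:
    subject: str                        # 'The organization / the process / project ...'
    problem: str                        # the central problem or opportunity
    causes: list[str]
    consequences: list[str]
    preventive: dict[str, list[str]] = field(default_factory=dict)  # measure -> causes
    reactive: dict[str, list[str]] = field(default_factory=dict)    # measure -> consequences

    def statement(self) -> str:
        """Render the risk statement in the form used in the brainstorm."""
        return (f"{self.subject} has problem {self.problem} with the cause(s) "
                f"{'; '.join(self.causes)} and effect(s) {'; '.join(self.consequences)}")

    def split(self) -> list["BowTie"]:
        """One risk statement per (cause, consequence) pair, measures filtered to match."""
        return [BowTie(self.subject, self.problem, [c], [e],
                       {m: [c] for m, cs in self.preventive.items() if c in cs},
                       {m: [e] for m, es in self.reactive.items() if e in es})
                for c, e in product(self.causes, self.consequences)]

    def uncovered(self) -> tuple[list[str], list[str]]:
        """Causes without a preventive measure and consequences without a reactive one."""
        covered_causes = {c for cs in self.preventive.values() for c in cs}
        covered_effects = {e for es in self.reactive.values() for e in es}
        return ([c for c in self.causes if c not in covered_causes],
                [e for e in self.consequences if e not in covered_effects])

    def dangling(self) -> list[str]:
        """Measures that point at a cause or consequence not in the statement (register drift)."""
        known = set(self.causes) | set(self.consequences)
        return [m for m, targets in {**self.preventive, **self.reactive}.items()
                if any(t not in known for t in targets)]

# Constructed sample risk, not taken from the article
PAYROLL = BowTie(
    subject="The payroll process", problem="salaries are paid late",
    causes=["bank file rejected", "approver absent", "payroll system outage"],
    consequences=["staff complaints", "late-payment penalties"],
    preventive={"validate bank file before submission": ["bank file rejected"],
                "appoint a deputy approver": ["approver absent"]},
    reactive={"manual emergency payment procedure": ["staff complaints", "late-payment penalties"]},
)

if __name__ == "__main__":
    print(PAYROLL.statement())
    print("uncovered:", PAYROLL.uncovered())   # the outage cause has no preventive measure yet
```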

A Risk identification method

Author: Manu Steens

This method is in line with the COSO-ERM approach when it comes to setting the objectives of the company and identifying both static and dynamic risks throughout the entity.

The structure is a matrix shaped, on the one hand, by the objectives (strategic and operational objectives) and, on the other hand, by possible internal and external factors: the quick scan.

This matrix approach promotes the completeness of the risk identification and provides a structure for the organization of the risks.

More specifically, this ‘risk matrix’ looks like the one shown below:

nr | Aspects                                   | Quick Scan findings | Risks: mention the incidents, their probability, cause and consequence
   |                                           |                     | Strategic goals:   SG1            | SG2
   |                                           |                     | Operational goals: OG1-1 | OG1-2  | OG2-1 | OG2-2
 1 | Process management                        |                     |
 2 | Stakeholder management                    |                     |
 3 | Monitoring                                |                     |
 4 | Organization structure                    |                     |
 5 | Human resources management                |                     |
 6 | Organization culture                      |                     |
 7 | Information and communication             |                     |
 8 | Financial management                      |                     |
 9 | Facility management                       |                     |
10 | Information and communication technology  |                     |
11 | External factors                          |                     |

By filling in this matrix, the CRO (chief risk officer) answers three essential questions:

  1. Which objectives of the entity are subject to research?
  2. Which parts / aspects of the organization are the subject of research?
  3. In which risks is further insight required?

In a first step, the potential risks to which the entity is exposed are examined on the basis of a quick scan.

As a second step, the CRO will have to check systematically with the business which of the risk problem fields identified in the quick scan occur in the company and which require further investigation. For this he must question the internal and external experts and the management team concerned.

The quick scan can usually be developed by surveying the experts on which risks they generally consider realistic in relation to the aspects listed in the matrix. This can be supplemented with desk research using annual reports, audit reports, risk inventories for occupational safety, fire prevention plans, continuity plans, incident registrations and damage history, including the registration of near misses.

Afterwards the matrix is “weighted” against the quick scan in step 2, whereby it must be clearly decided which risks affect which strategic and operational objectives. In periodic interviews with the management team, the company then asks which risks they see, how these risks affect the organization and what is done to control them. An overview of existing control measures can already be included in the quick scan.