The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and vulnerability or likelihood.
The combination of the probability of an event and its consequence. Source: COBIT 5.
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of:
- the adverse impacts that would arise if the circumstance or event occurs; and
- the likelihood of occurrence. Source: NIST.
- Governance Risks –
Risks related to the structure, policies, procedures, and authorities in which the key directions and decisions of the company are overseen.
For example, independence and oversight; ethics; corporate social responsibility; delegation of authority; shareholder relations; stakeholder activism; corporate policy.
- Strategy and Execution Risks –
Risks associated with the ability to formulate and/or execute a successful business strategy. They relate largely to the company’s future initiatives, such as plans to enter new markets, launch new products, or form new alliances.
For example, acquisitions and divestitures; succession planning; capital planning/allocation; research and development; brand and marketing; pricing; customer demands; customer concentration; product; and technology.
- Economic Risks –
Risks resulting from the capital markets.
For example, credit risks; treasury risks; liquidity risks.
- Operational risks –
Risks affecting controls and the controls infrastructure relating to the protection and utilization of existing assets and operations including how they may be leveraged for future growth.
For example, sourcing; manufacturing; distribution and logistics; sales; franchises and licenses; privacy; quality; information technology; and security. Operational risks also flow from all of the preceding situations where the entity relies on another party in a business relationship.
- Infrastructure Risks –
Risks relating to the performance of people, processes, and systems that support the company’s operations.
For example, legal/intellectual property/litigation; tax; finance and accounting; reporting; treasury; compliance; human resources/culture; change management; personal safety and physical security; insurance/business continuity; environmental; and facilities management.
- External Risks –
Risks associated with the environment in which the company operates or external factors beyond the company’s control.
For example, competition; legal and regulatory; stakeholder relations; geo-political; climatic; economic conditions/industry trends; hazards; terrorism, war, and civil unrest.