Defining & Categorising Risk

Reading Time: 2 minutes

There are a large number of risks facing organisations today, so to better enable our understanding it helps to group together the main categories of risks, below are some of the salient ones;


  • Reputational Risk
  • Strategic Risk
  • Disruptor & Competitor Risk
  • External Environment Risk


  • Regulatory Risk
  • Legal & Compliance Risk
  • People Risk
  • Project Risk
  • Business Process Risk

Information Technology

  • Cyber Security Risk
  • Service Continuity / Availability Risk
  • Infrastructure Risk
  • Architecture Risk
  • Artificial Intelligence risk


  • Credit Risk
  • Interest Rate Risk
  • Insurance
  • Market Risk

As an organisation a good start is to search your current risk register as a baseline and update accordingly or begin from scratch and compare afterwards to ensure completeness.

At any rate, it is key to define and explain all of the risks your organisation is facing and a good way to identify risks is by using “The Bow Tie” technique.


Risk Bow Tie

Wherein the objective is to;

  1. Identify and categorise the risks
  2. Reduce the likelihood or impact of an event by understanding the root causes
  3. Understand the potential impacts and their likelihood
  4. Identify new controls needed and enhance any weaknesses or gaps in current controls as required.

Once you have your list of risks it is imperative to have an objective and comparative rating of risks so the use of a “Heat map” or “Matrix” is prudent. It considers the likelihood and corresponding impact of each risk and this should be done for both inherent and residual risk to understand the benefit (if any) of controls in place.


Risk Heat Map

Risk Heat Map


It is also recommended a clearly defined rubric is used which is specific, measurable and supports both likelihood and impact for each risk to make comparison clear.

For example, when rating financial risk impact it may be something like;

  1. Insignificant is <$5,000 loss
  2. Minor is $5,000 - $10,000 loss
  3. Moderate is $10,000 - $50,000 loss
  4. Major is $50,000 - $250,000 loss
  5. Critical is >$250,000 loss


Finally, with this done you can create a “Risk Appetite Statement” for your organisation which clearly defines the level of risk you are willing to take or accept during the course of business across all your risks and categories.

Read our previous blog on - What is risk