The last thing anybody wants is to double-handle information. However, we are all human and see risks from our own perspective. There is a danger that different departments within an organisation will each group the same risk from their own perspective. For example, the engineers may see a contractual issue as a legal issue, while the lawyers may see the same issue as a normal engineering deliverable. Both may be correct, but as a starting point a single risk has to be parked somewhere, preferably by a neutral risk manager.

An excellent starting point for a preliminary risk grouping is to work down from the highest level of reporting, i.e. the risks to be posted in the company’s annual reports. Tagging all risks as soon as we encounter them, and giving each one a logical owner, keeps the register alive.

  • Operational risk
  • Strategic risk
  • Financial risk
  • Regulatory risk

Of course, these categories aren’t set in stone. Risks can fall into more than one category, or change categories over time. We generally place a risk in the group where it has the most impact right now.