We all deal with risk on a regular basis; otherwise, we wouldn't be able to cross a busy street safely.

"No one knows what tomorrow will bring," as the saying goes. As a result, risk management is merely a formalization of an informal habit. Rather than reacting to hazards as they arise, risk management requires us to anticipate risk detection, classification, and action prior to the occurrence of the risk.

Risk management requires us to anticipate risk identification, classify them, and take mitigation activities before the risk occurs in order to minimize any loss threats and maximize any gain.

Some risks can be spotted before they happen. Contrary to popular opinion, this includes COVID 19, for which there were ample warning signs for a distracted world, including an explicit warning by Bill Gates in 2015. Germany's Wire Card business scandal of 2020 also falls in that bracket. Other risks come out of the blue Japan prepared for a Tsunami or an earthquake but did not imagine a combined Tsunami AND earthquake as struck in 2011. Risks can also be opportunities which can be optimized by forward-looking management as demonstrated by Nigeria's paystack which was acquired in October 2020 by America's stripe payments system in a deal valued at over $200m.

This framework begins your risk management journey by taking into account these intricacies.

It categorizes each risk occurrence into three categories for your beginning register: Type, Incidence, and Impact. Because Risk Incidence contains two sub-components, these classifications will require four columns in a basic risk register, i.e., Type, Incidence-Likelihood, Incidence-Scope, and Impact are all factors to consider.

Risk ID
Description
Type
Incidence like hood
Incidence Scope
Impact ID

Type of Risk
Risk Type - Once a risk has been identified, it is assigned a reference number (“Risk ID”), a brief description of its nature (“Description”), and one label (“Type”) that best describes the risk's potential impact on the organization's goals. Below are five sample "labels" from which you can select the one that best fits the risk.

(a) Strategic — [/b]This category denotes behaviors, events, policies, or processes that may have a substantial impact on your entity's long-term goals.

[b](b) Operational – This label groups behaviors, events, policies, or processes that have an immediate impact on your entity's short-term prospects and can't be categorized better using (c) to (e) below.

(c) Asset safeguarding - [/b]This label categorizes risks that may impair your entity's ability to safeguard its assets and, as a result, avoid loss, theft, management overriding of established controls, waste of organization resources, inefficient asset use, and bad decision making.

[b](d) Reporting – [/b]This category includes risks that affect the accuracy of internal and external reporting, which provides data for decision-making, control, and evaluation of management's resource stewardship.

[b](e) Compliance – [/b]This category covers risks that affect your capacity to comply with applicable (internal and external) agreements, regulations, covenants, laws, policies, and procedures that are designed to improve your organization's economy, efficiency, effectiveness, and long-term viability.

[b]Risk Incidence
Risk Incidence – [/b]There are two components to consider: Likelihood and Scope.

Give your opinion on how likely it is that this risk will occur.

[b](a) Low - expected to happen more than 3 years after you identify the risk.

(b) Moderate – [/b]between one and three years after identification.

[b](c) High - this risk is expected to occur within a year of your identification.

Scope

Provide your best estimate of how much of your entity would be affected (example below).

(a) Unit - [/b]restricted to a single entity department with no major impact outside of that component).

[b](b) Organization - you believe it affects more than one component, if not the entire organization, but is manageable within.

(c) External - affects the entire organization, is unlikely to be confined internally, and is likely to have an impact on external stakeholders' interests.

Impact of Risk Risk Impact
This is where you come to a decision on the seriousness of the negative risk or favorable opportunity for your company. The classifications below can be used to estimate risk impact (adapted from Edward de Bono's "5 Day Course in Thinking".

The first two should be utilized for negative risks, the third for neutral risks, and the last two for positive risks. Color coding (see picture in pdf) can be used to make it easier to recognize the impact class in a risk register and to easily create risk heat maps that graphically depict the content of the register:

A Risk Impacts Starter Kit

(a) Fatal (F) you conclude that the identified negative risk poses a substantial threat to the entity's legitimacy and existence. It necessitates immediate action.

(b) Weak (W) [/b]You believe that this negative risk is not fatal, but that it could evolve into a fatal threat if not addressed promptly. It necessitates prompt defensive action on the part of the organization.
It is significant in the natural world.

[b](c) You define dangers or opportunities that do not currently pose a major risk to an entity's goals and operations as neutral (N). They can, however, mutate into serious negative or positive dangers, therefore they must be closely watched.

(d) Challenge (C) – you identify positive risks or possibilities that are expected to produce a rise in demand for the entity's services and/or goods, but that will necessitate more organizational performance to capitalize on the potential. There is a good possibility that the opportunity will be missed. The organization is not yet strong enough to fully exploit the opportunity, and if nothing is done, it will be lost. It's very important.

(e) Strong (S) – [/b]you identify favorable risks or opportunities that are expected to cause an increase in demand for the entity's services and/or goods, either directly or indirectly.

[b]Also Read:
Top 6 cybersecurity certifications
RISK MANAGEMENT IN CYBERSECURITY