A comprehensive list of risk categories to support a definition previously provided. Categories can be downloaded via MS Excel.
(To save you some time, download PDF of Risk Categories and Internal Controls, or keep reading about the list methodology).
In a previous blog, Defining Risk Categories, I introduced the following definition of a Risk Category:
A risk category allows for the grouping of one or more risks in a manner that is meaningful to the organization and its key external-stakeholders such as investors, citizens, auditors. etc. A risk generally aligns with a single category although an organization may choose to assign a risk to two or more categories if this aids in the organization’s risk management function. In selecting its risk categories, the organization must consider, in order:
- The nature of the organization and the various risk-reporting needs throughout its hierarchy.
- The influence the organization has over the risk with the primary units of organization being:
- Internal (controllable by the organization),
- Strategic (a conscious decision by the organization to assume a risk)
- External (mostly uncontrollable), and
- Voldemort (risks that fall into the above categories but shall not be named, see my previous blog on this concept).
- Industry, legislative or other compliance requirements externally imposed or influencing the organization (e.g. security exchange risk categories required in finance reporting).
- Ongoing relevance of the above to the organization as internal and external circumstances change.
Have List, Will Categorize
Now that I have a definition, how hard can it be to identify all the possible categories? After a literature review, scanning popular books and articles on the topic and of course the internet I have come up with 190. Most of them can be readily identified as internal, external, strategic or an industry risk category with a few classified as a ‘Meta-Category’.
Category Take-Away
At 63%, most of the categories are internal. This makes sense as these are the things an organization can control. Examples include Operations, Human Resources, Processes, Investment in Plant, etc. External Risks are a distant second and are dominated by the political, social, environmental or legislative landscape. In my data sample I ran across some odd balls which are mapped to either a ‘Meta Category’ or to Industry. This leaves strategic risks which really should be called ‘Strategic Risks and Opportunities’ as they include both positive and negative events.
Why Stop There?
Some of the categories could quite rightly be called risks and there are a number of duplicates in the count (see the following table, after a while I stopped adding risk categories I already had). Please note that I have included only risk categories of interest to a general business reader.
| Risk Category | Duplicate Count (N=190) |
| Operational | 9 |
| Strategic | 8 |
| Financial | 5 |
| External | 4 |
| Political | 4 |
| Legal | 3 |
| Compliance | 3 |
| Internal | 3 |
| Reputational | 3 |
| Governance | 3 |
All of the categories collected can be downloaded via the file provided below as well as the source links. Check back as I plan to add new categories as I come across them. Nevertheless, my active search has come to an end.
<<<Download PDF of Risk Categories and Internal Controls>>>
How to Use the Categories
So what now? For myself, I plan to use the list as a starting point when an organization is trying to develop its own risk categories and sub-categories. There are about ~135 distinct values so an organization will need to select those that are most relevant to its business. As well, the list of categories may also help jog an organization’s thinking on what risks/opportunities it should be considering.
What Do you Think and a Bonus!
Feel free to download the file and select the categories that make the most sense to your organization. As a bonus, I have also included a list of internal controls from a previous blog in the same file.
As always, let me know what you think.
Organizational Biology 