Defining Risk Categories

A survey of definitions for ‘risk category’ results in one that is organization focused: A risk category allows for the grouping of one or more risks in a manner that is meaningful to the organization and its key external stakeholders such as investors, citizens, auditors, etc.

In classic risk management, analyzing risks is a key step.  To do this, many organizations categorize their risks so that responses can be applied to an entire class of risk.  But what exactly is a risk category and how do you know you have a good one?  ISO 31000, Risk management – Guidelines (2009) is silent on the concept of risk categories other than the need to conduct appropriate risk analysis.  The other significant risk management framework, COSO hints at categories but likes the sounds of silence as well.  

What is a Risk Category?

Given that both ISO and COSO are silent, here are a few definitions of what a Risk Category is.  These definitions are exclusively focused on ‘Business Risks’.  Definitions for why a building falls down, an earthquake occurs or a pregnancy terminates are definitively out of scope!

From PMBOK: 

Risk categories are made up of risk causes that fall into common groups. These groups can include risks such as technical risks, internal risks, external risks, group risks, organizational risks, and/or environmental risks. Categories may be stand-alone in nature, or, when more specificity is desired, they may themselves be broken down into subcategories. [1]

PMBOK & Project Management Institute

Risk Categorization is to systematically identify risks in a consistent manner and organize them so that they can be better managed. It also helps to identify the root causes of these risks.

Risk Breakdown Structure (RBS): “A source-oriented grouping of project risks that organizes and defines the total risk exposure of the project. Each descending level represents an increasingly detailed definition of sources of risk to the project.” The RBS is therefore a hierarchical structure of potential risk sources. [2]

Government of Canada (Treasury Board)

A risk category is a type of risk that is sufficiently generic that it can be used to identify and aggregate risks from various parts of the organization. [3]

United States Government Accountability Office

Categorizing risks can help agency leaders see how risks relate and to what extent the sources of the risks are similar.

US Chief Financial Officers Council

Organizations should define risk categories in a way that supports their business processes and should use these categories consistently. Agencies may also consider developing a common risk language dictionary—a glossary of key risk terms to ensure all parties are consistent in their understanding of key concepts, words, and ideas. Categories of risk evolve over time, with new types of risk becoming salient and other risks becoming relatively less important. [5]

The Complete Idiot’s Guide To Risk Management

Risk Categories and Subcategories: The world of risk funnels down into three major categories: Strategic/business, Financial and Operational.  Each of these risk categories contains unique characteristics that require different measurement, analysis, and management techniques. Each category fans into a group of subcategories that help more specifically nail down what is happening within the business and where the true risks lie. [4]

Project Risk Coach

Risk categories allow you to group individual project risks for evaluating and responding to risks.

Investorwords.com

Organization of risks in the form of a hierarchical scale that identifies each risk and what that level of risk entails.

SAP (the software/ERP company)

Risk categories are used to provide a standard terminology to describe risks, and facilitate the understanding, communication and management of risks. The categories help to identify the distribution of risk, areas requiring special attention, recurring risk themes and risk ‘hot spots’. Risk categories also make it easier to compare risks across projects, services and business activities.

Word Clouds and Definitions

The common theme from the above definitions is that a risk category helps to identify the sources of risks, their causes and their management through classification.  Okay, nothing too earth shattering here, but are all risk categories created equal?

How BIG Is a Category?

A common theme is the deductive process; organizations should start with big trends and work their way down to individual risks.  If this is the case then there must be big categories and little categories.  The following would fall into the ‘Big Category’ camp with subordinate sub-categories.  

  • Internal versus External: Does the risk come from inside or outside of the organization?  Governments, markets or a natural disaster are clearly external.  Staff, liquidity or production equipment are internal.  There are a few fuzzy middle ones as well, such as the effectiveness of a marketing campaign. One source calls the internal variety ‘Operational Failure’ and the externals ‘Operational Strategic’. 
  • People, Process and Technology: mostly a sub-categorization of the above internal risks.  It excludes things like governance, however. 
  • COSO’s four entity Objectives: Strategic, Operations, Reporting and Compliance. These have a strong accounting and audit focus.
  • Basel II framework classifies risks broadly as credit, market, or operational.  Useful for the bank industry. 
  • Operational versus Strategic Risks: There are lots of nuances to this categorization.
    • Time difference (operational meaning now, strategic in the future),
    • Power difference (operational = shop floor, strategic = board room or ‘C-Suite’)
    • Internal/external (operational = inside, strategic = outside).
  • PESTLE: political, economic, social, technological, legal, and environmental, which is often used as a prompt list for identifying risks.
  • Levels 1-3: CPA Canada issued a framework for boards to manage their risks, noting that this differs from the role of management.  The board’s oversight role should not be passive or too reliant on management.
    • Level 1 risks include customary operational risks requiring limited board involvement,
    • Level 2 are high-impact risks that cannot be adequately mitigated or for which there is the presence of management bias. 
    • Level 3 is where management is clearly conflicted or heavily biased, and so these risks should command the highest level of board involvement.
  • Robert Kaplan: Of Balanced Scorecard fame, in a 2012 Harvard Business Review article he proposed 3 categories:
    • Category I: Preventable Risks, internal risks that are controllable.
    • Category II: Strategy Risks, voluntary risks accepted to generate higher returns.
    • Category III: External Risks, arise outside the organization and are beyond the organization’s influence or control. 
  • Industry Specific: Each industry has unique risks.  What keeps the CEO of a bank (financial, e.g. derivatives), an airline (e.g. weather) or the nuclear industry (e.g. a reactor ending civilization) up at night is sufficiently different to warrant their own ‘Big Category’.

Risking a Definition

What have we learned so far?  That a risk category helps an organization to navigate its risks and allows both decision makers and shop floor employees to take the appropriate action for the relevant risk.  Assuming this is what a successful category looks like, then my proposed definition of a Risk Category is: 

Definition: Risk Category

A risk category allows for the grouping of one or more risks in a manner that is meaningful to the organization and its key external stakeholders such as investors, citizens, auditors, etc.  A risk generally aligns with a single category, although an organization may choose to assign a risk to two or more categories if this aids the organization’s risk management function.  In selecting its risk categories, the organization must consider, in order: 

  1. The nature of the organization and the various risk-reporting needs throughout its hierarchy.
  2. The influence the organization has over the risk with the primary units of organization being: internal (controllable by the organization), external (mostly uncontrollable), strategic (a conscious decision by the organization to assume a risk) and Voldemort (risks that fall into the above categories but shall not be named).  
  3. Industry, legislative or other compliance requirements externally imposed on or influencing the organization (e.g. securities exchange risk categories required in financial reporting). 
  4. Ongoing relevance of the above to the organization as internal and external circumstances change.  

Sneaking in Multiple Categories

Eagle-eyed readers will notice that I am proposing a risk category system that allows for a risk to contribute to two or more categories.  This is a suggestion I have seen in a few sources, while others definitely prefer a more regimented approach.  

Rather than deconstructing risks so they neatly fit into a single category, I would rather have risks proportionally contribute to one or more categories.  In other words, telling the ‘risk story’ is more important than having neat buckets of risks.  
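To make the proportional-contribution idea concrete, here is an added example (my own illustration, not code from the original post or from any of the frameworks cited above). It models a small risk register in which each risk declares what share of its exposure belongs to each category, enforces the rule from the definition that a risk must be fully accounted for across its categories, and rolls the result up a risk breakdown structure so that the internal / external / strategic totals still reconcile to the register total. The category names, risks, likelihoods and impacts are all constructed for the example.

```python
"""Added example: proportional risk contributions rolled up an RBS.

Not from the original post. Categories, risks and scores are constructed
to illustrate the proposed definition, not taken from any real register.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed risk breakdown structure: child category -> parent category.
# The top level follows the post's internal / external / strategic split.
RBS_PARENT = {
    "internal.people": "internal",
    "internal.technology": "internal",
    "external.threat_actor": "external",
    "external.regulatory": "external",
    "strategic.new_product": "strategic",
}
TOP_LEVEL = ("internal", "external", "strategic")


@dataclass
class Risk:
    name: str
    likelihood: float  # probability in 0..1
    impact: float      # constructed impact score (any consistent unit)
    # category -> share of this risk attributed to it; shares must sum to 1
    contributions: dict = field(default_factory=dict)

    def exposure(self) -> float:
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    """Enforce the definition's rule: a risk may sit in one or several
    categories, but its contributions must account for exactly 100%."""
    if not risk.contributions:
        raise ValueError(f"{risk.name}: must be assigned to at least one category")
    total = sum(risk.contributions.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"{risk.name}: contributions sum to {total}, expected 1.0")
    known = set(RBS_PARENT) | set(TOP_LEVEL)
    for cat in risk.contributions:
        if cat not in known:
            raise ValueError(f"{risk.name}: unknown category {cat!r}")


def aggregate(risks: list) -> dict:
    """Sum proportional exposure per category, then roll each leaf up to
    every ancestor so the top-level totals equal the register total."""
    totals = defaultdict(float)
    for risk in risks:
        validate(risk)
        for cat, share in risk.contributions.items():
            node = cat
            while node is not None:
                totals[node] += share * risk.exposure()
                node = RBS_PARENT.get(node)  # None once we reach the top
    return dict(totals)


# Constructed register. The phishing risk is the "fuzzy middle" case from
# the post: partly an internal people failure, partly an external actor,
# so it contributes to both rather than being split into two risks.
REGISTER = [
    Risk("phishing-led credential theft", 0.5, 200.0,
         {"internal.people": 0.6, "external.threat_actor": 0.4}),
    Risk("unpatched ERP server", 0.2, 500.0, {"internal.technology": 1.0}),
    Risk("new privacy regulation", 0.8, 100.0, {"external.regulatory": 1.0}),
    Risk("launch of unproven product line", 0.3, 1000.0,
         {"strategic.new_product": 1.0}),
]


def reconciles(risks: list) -> bool:
    """True when the top-level category totals add up to the register total."""
    totals = aggregate(risks)
    top = sum(totals.get(c, 0.0) for c in TOP_LEVEL)
    return abs(top - sum(r.exposure() for r in risks)) < 1e-9


if __name__ == "__main__":
    for cat, value in sorted(aggregate(REGISTER).items()):
        print(f"{cat:24s} {value:8.1f}")
    print("reconciles:", reconciles(REGISTER))
```

The point the numbers make is the one the post argues: because each risk's shares sum to one, letting a risk sit in two categories does not double count it, and the three top-level buckets still add up to the whole register. Whether the 60/40 split is the right story for a given risk is a judgement call; the code only guarantees the arithmetic holds.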

So, what do you think, do you agree with my definition or am I missing a nuance?  Drop me a comment and let me know.  

  1. Project Management Knowledge, “Risk Category”: https://project-management-knowledge.com/definitions/r/risk-category
  2. Project Management Institute, “Use a risk breakdown structure (RBS) to understand your risks.”
  3. Treasury Board of Canada, “Guide to Risk Taxonomies.”
  4. The Complete Idiot’s Guide to Risk Management.
  5. U.S. Chief Financial Officers Council, “Playbook: Enterprise Risk Management (ERM) for the U.S. Federal Government.”
