Hazard, control and opportunity risks
We have already seen in Chapter 1 that risks can be divided into three categories: Definitions of these three types of risk are also given in Appendix A. They are:
• hazard risks;
• control risks;
• opportunity risks.
A common language of risk is required throughout the organization if the contribution of risk management is to be maximized. The use of a common language will also enable the organization to develop an agreed perception of risk. Part of developing this common language and perception of risk is to agree a risk classification system or series of such systems.
For example, consider people reviewing their financial position and the risks they currently face regarding finances. It may be that the key financial dependencies relate to achieving adequate income and managing expenditure. The review should include an analysis of the risks to job security and pension arrangements, as well as property ownership and other investments.
This part of the analysis will provide information on the risks to income and the nature of those risks (opportunity risks).
Regarding expenditure, the review will consider spending pattern to determine whether cost cutting is necessary (hazard risks). It will also consider leisure time activities, including holiday arrangements and hobbies, and there will be some uncertainties regarding expenditure and the costs of these activities (control risks).
Hazard risks are the risks that can only inhibit achievement of the corporate mission. Typically, these are insurable type risks or perils, and will include fire, storm, flood, injury and so on. The discipline of risk management has strong origins in the management and control of hazard risks. Normal efficient operations may be disrupted by loss, damage, breakdown, theft and other threats associated with a wide range of dependencies, as shown, and these may include (for example):
• people;
• premises;
• assets;
• suppliers;
• information technology (IT);
• communications.
Control risks are risks that cause doubt about the ability to achieve the mission of the organization. Internal financial control protocols are a good example of a response to a control risk. If the control protocols are removed, there is no way of being certain about what will happen. Control risks are the most difficult type of risk to describe, but later Parts of this book will assist with understanding.
Control risks are associated with uncertainty, and examples include the potential for legal non-compliance and losses caused by fraud. They are usually dependent on the successful management of people and successful implementation of control protocols. Although most organizations ensure that control risks are carefully managed, they may, nevertheless, remain potentially significant.
Opportunity risks are the risks that are (usually) deliberately sought by the organization. These risks arise because the organization is seeking to enhance the achievement of the mission, although they might inhibit the organization if the outcome is adverse. This is the most important type of risk for the future long-term success of any organization.
Many organizations are willing to invest in high-risk business strategies in anticipation of a high profit or return. These organizations may be considered to have a large appetite for opportunity investment. Often, the same organization will have the opposite approach to hazard risks and have a small hazard tolerance. This may be appropriate, because the attitude of the organization may be that it does not want hazard-related risks consuming corporate resources, when it is putting so much value at risk investing in opportunities.