Risk ‘to’ an area of activity and risk ‘from’ the activity

There is risk ‘to’ any given activity within an enterprise, and there is risk to the enterprise ‘from’ that same activity. The same applies to theme-based risk.

What to read first: Discrete risk management processes within an enterprise

For Everyone: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first. Stream supplements are available as drill-downs.

This article builds on the concept of discrete risk management processes within an enterprise, which was supported by some examples. It identifies two perspectives on the risk in any given area of activity, or risk theme—risk ‘to’ and risk ‘from’. This is apparently an original observation, so the argument is entirely enclosed in a blue box, and is an excellent subject for comments and queries.

This observation about ‘to’ and ‘from’ perspectives is a stepping stone to the Clear Lines on Audit and Risk recommendation for building up an enterprise view of risk from discrete and independent risk management processes within the enterprise.


If we take an area of enterprise activity as the subject for risk management, there are two valid classes of risk.

  • Risks to the activity. The activity has its own unique objectives that are affected by uncertainty.
  • Risks to wider enterprise objectives from the activity. The objectives affected by uncertainty are those of the enterprise. The uncertain outcomes of the activity may have positive or negative effects on the enterprise. It may have an intended effect, but there will be some uncertainty about the actual effects on the enterprise, whether or not the activity achieves its goals. One obvious risk is that the activity will not achieve the intended effect needed to achieve enterprise objectives.

In the case of a risk theme within an enterprise, there are also two classes of risk.

  • There are risks to the achievement of intended objectives within the theme. For example, in health and safety risk, there is an important objective to minimise death, injury and disease. This objective is regarded as important, whether or not there is any link to enterprise objectives. Achievement of these objectives may be critical to regulators or particular stakeholders, even if they are not usually front of mind for top management and the board. These factors apply to many other common risk management themes, such as information security or fraud risk.
  • There are uncertainties affecting enterprise objectives that arise from health and safety exposures. Effects on the enterprise may not be directly related to instances of death, injury, and disease as such, important as they are in themselves. Health and safety effects on the enterprise may include loss of brand value or loss of profit opportunities through regulator intervention or legal injunctions. There may be enterprise exposure to financial loss from liabilities, but health and safety risks are important even if that financial exposure is trivial after insurance and legal defences are taken into account.

The risks in the ‘to’ class and in the ‘from’ class can be very different, or at least look very different. Most often, a risk to the area of activity can look serious from the point of view of the activity itself, yet the same scenario looks fairly minor as an enterprise risk coming from the activity. The same applies to defined risk themes. At times the opposite can be true, when local managers or specialists do not appreciate the wider impacts their activities or themes might have. A common example is the risk of a total network outage resulting from a small ICT project working to a delivery deadline. ICT projects on a deadline are motivated to take risks to save time, not necessarily thinking of the dire business consequences of an unforeseen disruption to the network. Enterprise-level managers of risk need to be vigilant for that kind of case, and if necessary to educate and motivate ‘local’ managers about their broader responsibilities. In the case of an ICT project, the important change is in the priorities of the project board, the management authority that controls the pressures acting on the project team.

The ‘to’ and ‘from’ classes of risk are built into the layered model of enterprise risk management to be presented in a later topic.


