Risk ‘to’ an area of activity and risk ‘from’ the activity (Everyone)

There is risk ‘to’ any given activity within an enterprise, and there is risk to the enterprise ‘from’ that same activity. The same applies to theme-based risk.

This article builds on the concept of discrete risk management processes within an enterprise, which was supported by some examples. It identifies two perspectives on the risk in any given area of activity, or risk theme—risk ‘to’ and risk ‘from’. This is apparently an original observation, so the argument is entirely enclosed in a blue box, and is an excellent subject for comments and queries.

This observation about ‘to’ and ‘from’ perspectives is a stepping stone to the Clear Lines on Audit and Risk recommendation for building up an enterprise view of risk from discrete and independent risk management processes within the enterprise.


If we take an area of enterprise activity as the subject for risk management, there are two valid classes of risk.

  • Risks to the activity. The activity has its own unique objectives that are affected by uncertainty.
  • Risks to wider enterprise objectives from the activity. The objectives affected by uncertainty are those of the enterprise. The uncertain outcomes of the activity may have positive or negative effects on the enterprise. It may have an intended effect, but there will be some uncertainty about the actual effects on the enterprise, whether or not the activity achieves its goals. One obvious risk is that the activity will not achieve the intended effect needed to achieve enterprise objectives.

In the case of a risk theme within an enterprise, there are also two classes of risk.

  • There are risks to the achievement of intended objectives within the theme. For example, in health and safety risk, there is an important objective to minimise death, injury and disease. This objective is regarded as important, whether or not there is any link to enterprise objectives. Achievement of these objectives may be critical to regulators or particular stakeholders, even if they are not usually front of mind for top management and the board. These factors apply to many other common risk management themes, such as information security or fraud risk.
  • There are some uncertainties to enterprise objectives arising from health and safety exposures. Effects on the enterprise may not be directly related to instances of death, injury, and disease as such, important as they are in themselves. Health and safety effects on the enterprise may include loss of brand value or loss of profit opportunities through regulator intervention or legal injunctions. There may be enterprise exposure to financial loss from liabilities, but health and safety risks are important even if that financial exposure is trivial after insurance and legal defences are taken into account.

The risks in the ‘to’ class and in the ‘from’ class can be very different, or at least look very different. Most often, a risk to the area of activity can look serious from the point of view of the activity itself, yet the same scenario looks fairly minor as an enterprise risk coming from the activity. The same applies to defined risk themes. At times the opposite can be true, when local managers or specialists do not appreciate the wider impacts their activities or themes might have. A common example is the risk of a total network outage resulting from a small ICT project working to a delivery deadline. ICT projects on a deadline are motivated to take risks to save time, not necessarily thinking of the dire business consequences of an unforeseen disruption to the network. Enterprise-level managers of risk need to be vigilant for that kind of case, and if necessary to educate and motivate ‘local’ managers about their broader responsibilities. In the case of an ICT project, the important change is in the priorities of the project board, the management authority that sets the pressures acting on the project team.

The ‘to’ and ‘from’ classes of risk are built into the layered model of enterprise risk management to be presented in a later topic.

Further Reading

Main articles on the topic:

  1. Discrete risk management processes within an enterprise (Everyone)
  2. Shapes for discrete risk management processes (Everyone)
  3. Examples of discrete risk management processes (Everyone)
  4. Risk ‘to’ an area of activity and risk ‘from’ the activity (Everyone)
