Defining the terms of risk management
09/26/2024
In business, potential risk lurks everywhere, and procurement professionals need to be aware of what is out there. However, even a dip into the risks procurement professionals face can leave readers drowning in a sea of terms, definitions and acronyms. To help those still orienting themselves to the landscape of risk, we’ve broken down the main terms used to describe the various aspects of managing risk.
What is a risk?
A risk is a potential future event that could cause harm or loss. It is an uncertain situation with a possibility of negative consequences, and it is probabilistic: several outcomes are possible, each with some likelihood. The conditions that give rise to risk are often summarized by the acronym VUCA: volatility, uncertainty, complexity (of interconnected systems) and ambiguity.
Risks are identified, assessed and prioritized based on their likelihood and potential impact. The assessment helps organizations develop strategies to manage or mitigate these risks.
You can break these risks into two types: inherent risks and residual risks. Inherent risk refers to the base level of risk associated with an activity or situation before any controls are implemented. It represents the natural risk level due to the nature of the business or the environment in which it operates. Residual risk is the level of risk that remains after the implementation of controls or mitigating actions.
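The inherent/residual distinction above, together with the likelihood-and-impact prioritization, is easiest to see in a small risk register. The following is an added example and not code from the original article; the 1-to-5 likelihood and impact scales, the product as the score, the risk appetite threshold and the sample supplier risks are all assumptions made for illustration.

```python
"""Added example: a minimal risk register that scores inherent and residual
risk and ranks entries against a risk appetite. Not from the original
article; the 1..5 scales, the product scoring and the sample risks are
assumptions."""
from dataclasses import dataclass, field


@dataclass
class Control:
    """A mitigating action; each reduction is in points on the 1..5 scale."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    impact: int                      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be in 1..5")

    def inherent_score(self) -> int:
        """Risk level before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk level after controls; neither factor drops below 1,
        so controls can reduce but never 'eliminate' a risk."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def prioritize(register, appetite):
    """Rank risks by residual score (highest first, inherent score as
    tie-breaker) and flag those whose residual score exceeds the
    organization's stated risk appetite."""
    ranked = sorted(register,
                    key=lambda r: (r.residual_score(), r.inherent_score()),
                    reverse=True)
    return [(r.risk_id, r.inherent_score(), r.residual_score(),
             r.residual_score() > appetite) for r in ranked]


# Constructed sample register (hypothetical supplier and third-party risks).
SAMPLE_REGISTER = [
    Risk("R1", "Sole-source supplier becomes insolvent", likelihood=3, impact=5,
         controls=[Control("Qualified second source", impact_reduction=3),
                   Control("Quarterly financial-health review", likelihood_reduction=1)]),
    Risk("R2", "IT contractor mishandles customer data", likelihood=4, impact=4,
         controls=[Control("Contractual data-handling clauses plus audit right",
                           likelihood_reduction=1)]),
    Risk("R3", "Port closure delays inbound shipments", likelihood=2, impact=3),
]

RISK_APPETITE = 8  # assumed threshold: residual scores above this need treatment or sign-off

if __name__ == "__main__":
    for risk_id, inherent, residual, over in prioritize(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"{risk_id}: inherent={inherent} residual={residual} over_appetite={over}")
```

Note that the ranking is driven by residual, not inherent, score: R1 has the second-highest inherent score but drops to the bottom once its controls are counted, while R2 stays above appetite because its single control only lowers likelihood by one point. That is the practical reason the two figures are tracked separately.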
It must be stressed that a risk is different from an incident. A risk is a possibility; an incident is an actual event that has already happened and has caused, or may still cause, harm or loss. An incident is, in other words, the materialization of a risk.
Incident management involves responding to, resolving and recovering from these events. It often includes investigating the cause, mitigating immediate impacts and implementing measures to prevent recurrence.
ERM vs GRC
Two key frameworks for managing risk are Enterprise Risk Management (ERM) and Governance, Risk and Compliance (GRC). ERM is a comprehensive approach to identifying, assessing and managing risks across all functions of an organization; GRC is the framework through which governance, risk management and compliance obligations are organized and operated. GRC can be compared to a control center that translates the risk information from ERM into actionable plans.
More specifically, ERM ensures that organizations are prepared for potential risks that could impact their goals and overall performance. Essentially, it’s about understanding and addressing uncertainties that could affect the organization’s success. It involves executives and the board, ensuring a high-level view of risks that could impact the organization’s objectives.
GRC ensures that operations align with objectives, risks are managed effectively and compliance with laws and regulations is maintained. It focuses on three key areas:
- Governance (G) to establish structures, processes and practices that guide the organization towards its goals. This includes setting clear policies, defining roles and responsibilities and ensuring accountability.
- Risk management (R) to identify, assess and mitigate risks that could hinder the organization’s ability to achieve its objectives. This involves understanding both internal and external risks, such as financial or operational threats.
- Compliance (C) to ensure adherence to laws, regulations and internal policies. This requires staying up-to-date with changing requirements and implementing processes to guarantee ongoing compliance.
ERM and GRC: How they fit together
ERM and GRC have similar objectives and both deal with risk management, but they operate at different levels and differ in scope and approach. ERM takes a broader view that encompasses all risks, while GRC focuses more on governance, compliance and specific risk management initiatives.
ERM aims to understand and manage risks holistically, involving executives and the board; GRC emphasizes ensuring adherence to regulations and standards. In simpler terms, ERM identifies the risks, and GRC develops a plan to manage them. GRC provides the framework for communicating around governance and compliance issues while ERM is about measuring and quantifying risks and establishing ownership over them. Together, they form crucial pillars in safeguarding organizations against potential threats and ensuring their sustainable growth and success.
In practice, ERM and GRC provide the ‘backplane’ that supply risk management should plug into. For example, managing risk for IT suppliers must take into account IT risk management requirements from ERM and GRC. The same goes for supply chain risk management docking into business continuity planning. Supplier compliance should dock explicitly into corporate compliance within ERM and GRC, e.g., regulatory compliance for sustainability.
ESG vs CSR
Environmental, social and governance (ESG) and corporate social responsibility (CSR) are the second pair of terms that are frequently confused. ESG focuses on reaching defined performance metrics, setting measurable goals and conducting audits, whereas CSR is a qualitative, self-regulating business model that aims to improve society and the environment.
For ESG, there are explicit standards, and ESG performance now serves as a sustainability credit rating for companies and their investors. In the context of procurement and supply chain, there are laws and public scrutiny that increasingly focus on ESG concerns. Companies are often held responsible for not only their own compliance but that of suppliers as well. What falls under ‘ESG’ can be broad, ranging from climate change to striking workers.
ESG and CSR: How they fit together
ESG is mostly externally driven by regulations and implemented through measurable goals and audits. It has a more direct relation to business valuation than CSR, which is voluntary and implemented through corporate culture, values and brand management.
The connection with Procurement
Supply risk management
Supply risk management deals with identifying and mitigating risks that could disrupt the flow of goods or services within the supply chain. This encompasses factors such as demand variability, supplier reliability, natural disasters, geopolitical instability and regulatory changes. The primary goals are to enhance the resilience of the supply chain and minimize the impact of disruptions on operations.
Supplier risk management
Supplier risk management specifically focuses on assessing and mitigating risks associated with external suppliers throughout the procurement lifecycle. It involves evaluating factors such as financial stability, quality assurance, geopolitical exposure and compliance with regulations to ensure a reliable and resilient supply chain. Essentially, it is about ensuring that organizations work with trustworthy and responsible suppliers to minimize potential disruptions.
Third-party risk management
Third-party risk management (TPRM) is a broader concept that encompasses both supplier risk management and the risks associated with any third-party vendors or partners, such as IT contractors, logistics partners or even customers. It’s about ensuring that organizations have effective processes in place to identify and mitigate risks across their extended enterprise network.
The goal of TPRM is to ensure the security, reliability and ethical conduct of all external relationships.
Supply chain risk management
Supply chain risk management (SCRM) specifically focuses on identifying, evaluating and mitigating risks within the supply chain itself.
This includes risks related to supplier reliability, geopolitical factors, natural disasters or changes in demand. SCRM aims to proactively manage disruptions and maintain continuity in operations by addressing risks at various levels of the supply chain. It is concerned with ensuring that the entire supply chain network is resilient and capable of responding to challenges effectively.
How they relate to each other
Supply risk management and supplier risk management are closely related. Supplier risk management is a subset of supply risk management that focuses on risks associated with external suppliers, while supply risk management encompasses a broader range of risks within the supply chain.
TPRM is a superset of supplier risk management that covers both risks associated with suppliers and those associated with other third-party entities with which organizations engage.
SCRM intersects with both supplier risk management and TPRM. It focuses on identifying and mitigating risks within the supply chain, including those related to supplier reliability and other external factors.
These definitions show just how wide and complex the risk management concept can be. But to add to that complexity, the type of ‘risk,’ ‘shock’ or ‘event’ and its source also comes in many flavors – as we shall see. Look out for our next post on types of risk.