These 8 Risk Domains Are the Meat and Potatoes of Risk Management

As a practical activity, enterprise risk management (ERM) centers on eight distinct risk domains, some strategic and some operational. In today’s post, we’ll lay out what these domains are, reveal which ones tend to get overlooked, and explain how knowing about the domains can help business continuity professionals reduce their organizations’ risks and bolster their resilience.
Related on MHA Consulting: The ABCs of ERM: The Rise of Enterprise Risk Management
Overview of Risk Management
In Strong Language, MHA’s glossary of essential business continuity terms (free for download with registration), we define risk management as “The process of assessing and mitigating the danger to which an organization is exposed as it carries out its activities.” With respect to this process, the total landscape of risk that is assessed and mitigated can be divided into eight risk domains. Exactly what those domains are will be detailed in a moment.
Before detailing them, three points are worth mentioning to put this subject in context. First, risk management is not about being Chicken Little worrying that the sky is falling; it’s about being mature, practical, and proactive in actively managing down risk to make the organization and its stakeholders more secure.
Second, we do not assess the risks to an organization with the expectation that every risk identified can or should be eliminated. (Sometimes the potential consequences of a given risk are too small to worry about.) Rather, we do it as a starting point for conducting a cost/benefit analysis of each risk and ultimately applying one of the four main risk mitigation strategies: risk acceptance, risk avoidance, risk limitation, or risk transfer.
Finally, everyone involved in assessing and mitigating risk at an organization needs to make sure their work is custom-tailored to that company’s industry and culture. Risk management is not one-size-fits-all.
When you get right down to it, everything we do in business continuity is about reducing risk. Organizationally, risk management tends to take place a level above the nuts-and-bolts work of business continuity management (BCM), but the goals of the two activities dovetail, and as will be explained below, the BC professional has the opportunity to make a solid contribution toward helping the organization do better at managing risk.
The Eight Risk Domains
The eight risk domains that make up the meat and potatoes of enterprise risk management are:
- Operational: Focuses on identifying and managing risks related to day-to-day business processes, systems, and resources (internal, external, technology, equipment, and people) to ensure smooth operations and service delivery.
- Health and Safety: Addresses risks associated with the well-being and security of employees, customers, and visitors, safeguarding against accidents and health-related incidents.
- Strategic: Involves assessing risks that may impact the achievement of long-term organizational objectives, guiding decision-making and strategic planning.
- Financial: Deals with risks related to financial stability, including market fluctuations, credit risks, and cash flow management, to protect the company’s financial health.
- Human Resources: Manages risks linked to the workforce, such as availability, single points of knowledge or skill, talent acquisition, retention, training, and employee satisfaction, fostering a productive and engaged workforce.
- Legal and Regulatory: Focuses on compliance with laws, regulations, and industry standards, mitigating potential legal liabilities and ensuring ethical practices.
- Technological: Addresses risks concerning technology infrastructure, data security, cyber threats, and information breaches, safeguarding against technological disruptions.
- Environmental and Infrastructure Hazards: Involves assessing risks associated with natural disasters, physical infrastructure failures, and environmental impacts, ensuring resilience against potential hazards.
When BC consultants and risk management professionals discuss the need to assess and mitigate the risks to an organization, it’s these eight areas that we are talking about.
Operational Risks Are Often Overlooked
As mentioned previously, some of the risk domains named above tend to get short shrift when organizations actually roll their sleeves up and get to work identifying and assessing the risks they face.
The strategic domain and its close relations (legal and regulatory, financial) usually get a lot of attention because it’s the higher-level people who usually take the lead on risk management, and those people tend to think strategically.
In contrast, the operational side and the other tactical-level concerns tend to be overlooked. This is unfortunate because the operational piece is key from a business continuity and viability perspective.
Ignoring granular, front-line risks and only concentrating on strategic matters is akin to sailing a boat by looking at the stars while ignoring the water rising around your feet from a leak in the bottom. That approach is unwise both from a sailing perspective and an organizational one.
Anyone involved in risk assessment and mitigation should make a special push to gather information about operational and tactical risks from the people who know them best: front-line, lower-level workers.
MHA’s experience in this area suggests that superficial questions will yield superficial results. What’s needed are probing, informed questions by people who respect the experience of the front-line workers and are determined to get to a true picture of the vulnerabilities they alone can identify. (For good examples of this type of operational vulnerability, see “Single Points of Failure: Protecting Yourself from Hanging by a Thread.”)
The Role of the BC Practitioner
The previous paragraph points toward the topic with which this blog will conclude: the role of the BCM professional in ensuring that the organization looks at all eight domains in assessing and mitigating risk.
BC practitioners tend to have little to do with assessing strategic risks; however, they are well-positioned to play a role in engaging with front-line workers to elicit substantive information on critical operational risks, as well as risks to health and safety, technology, and other tactical areas. The BC pros should also devise recommendations to mitigate the risks they identify.
Finally, their findings and recommendations should be rolled up into the all-inclusive risk assessment package (strategic and operational) given to the senior leadership to enable them to make informed decisions about what the organization should do to manage down its risks, decisions which tend to require either procedural changes or operational outlays.
This activity, by the way, is not a one-and-done project but an ongoing process.
Playing a Pivotal Role in Mitigating Risk
Enterprise risk management (ERM) revolves around eight distinct risk domains, combining both strategic and operational aspects. These domains play a pivotal role in assessing and mitigating risks, ensuring smooth operations, and safeguarding the organization’s well-being.
Business continuity professionals have an important role to play in actively engaging with front-line workers to gather critical information about operational risks, an area that is often overlooked. The vulnerabilities they identify, and the solutions they propose, can then be provided to senior leadership, enabling them to make informed decisions about mitigation strategies as the organization engages in the ongoing process that is contemporary risk management.
Further Reading
For more information on risk management, and other hot topics in business continuity and IT disaster recovery, check out the following recent posts from MHA Consulting:
- Rinse and Repeat: Using the Risk Management Process to Manage Uncertainty
- Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask
- Don’t Just Hope: Choosing Strategies to Mitigate Risk
- Every Single Day: Make Risk Management Part of Your Company’s Culture
- The ABCs of ERM: The Rise of Enterprise Risk Management
- What is Risk Mitigation? The Four Types and How to Apply Them
- How to Offload Your Risk to a Third Party