How to build a company risk profile: a methodology based upon the risks disclosed by Fortune 500 companies

C. Dumitriu
2006 WIT Transactions on Ecology and the Environment unpublished
In the volatile environment in which we are living, new risks can emerge faster than our ability to manage them. The purpose of this paper is to present a framework for identifying the total risk of a company. Our model is based upon specific criteria organized in a data collection instrument (DCI) that researchers and managers could use to gather information on potential risks, and to select relevant risks for building the enterprise risk-profile. This paper presents the structure of our DCI, including a descriptive analysis of all incorporated risk categories, followed by the global, cross-sector and inter-sector results from our DCI verification, using the risks disclosed by Fortune 500 companies (2004). Our initial DCI design was based on a review of scientific literature and various risk databases, an analysis of best practices in risk management, and personal interviews with North American managers. In order to further refine our DCI, we subsequently reviewed the annual reports filed by almost all Fortune 500
130 Risk Analysis V: Simulation and Hazard Mitigation www.witpress.com, ISSN 1743-3541 (on-line) © 2006 WIT Press WIT Transactions on Ecology and the Environment, Vol 91,
According to our definition, F_kj (%) measures the importance of a particular risk C_kj compared to the other risks included in our DCI.
C2.4 Employees: a) risk of losing key personnel; b) unrealistic pension and health care commitments or loss of control over retirement costs and pension scheme benefits; c) poor motivation and absenteeism; d) union bargaining power and strike risk; e) vandalism; f) discrimination; g) harassment.
C2.5 Civic society: a) environmental catastrophe (any environmental risk greater than the acceptable risk); b) health risks still unknown/unverified (differs from 1.3, which is a controllable risk), for instance: "the economic class syndrome" for the air transportation sector; mobile phone radiation and brain cancer; videogames and child aggressive behaviour or even epilepsy; mad cow disease; toxic building materials such as asbestos etc.; c) risk of product boycott ("hegemonic" attitude towards the local community and local businesses).
C2.6 The legal risk: in this category we include the legal risks related to the relationships mentioned in C2.1-C2.5.
C2.7 Information risk: in this category we include only the information risks related to the relationships mentioned in C2.1-C2.5, such as: loss of system and data integrity, loss of system functionality and/or availability, loss of confidentiality (improper use and disclosure of sensitive information). The other risks related to new technologies are included in category 6. We found the main sources of these risks to be: a) malicious transactions/intrusions in Database Systems and/or industrial espionage: internal intruder (risk due to inadequate control over employee access rights) or external intruder (risk due to security design and/or implementation procedures); b) errors, omissions, and mistakes in transactions; c) virus infection; d) service attacks due to weakness in security policies.
C3. Market risk: C3.1 Commodity risk; C3.2 Spot exchange rates risk; C3.3 Long-term and Short-term Interest Rate Risk.
C4. Financial & liquidity risk: C4.1 Impossibility to meet financial obligations when new projects/investments lead to important cash outflows (risk 2.3 (b), 8.2 and 8.4 being the inputs); C4.2 Operational, financial and legal risks related to the use of derivative products; C4.3 Financial fraud.
C5. Credit risk: loss due to the inability of various counterparties to make payments as required.
C6 Technological risk: including all technology related risks.
C6.1 Major industrial accidents (including oil tanker accidents, chemical industry accidents, explosions on site); main sources: a) human error; b) equipment and/or safety device failures; c) poor maintenance; d) communication failures; e) terrorism; f) organisational structure failures; g) malicious actions.
C6.2 Accidents related to the marine transportation industry, including shipping and port activities, as well as marine transportation of dangerous substances (explosives and infectious substances); main sources: a) human error; b)
doi:10.2495/risk060131 fatcat:cxchbrlzane7jjb63tl7xq6qga