4C Insights

What is Risk Management?


Risk is inherent in any business and is constantly changing, shaped by micro and macro factors. Understanding the risks your organisation is exposed to, the level of control you have over those risks, and the actions needed to handle them is central to effective risk management. The main risk categories can be listed as follows:

  • operational risks
  • strategic risks
  • financial risks
  • reputational risks
  • compliance risks

ISO 31000:2018 Risk management and its implementation

The second edition of the risk management standard states that “Managing risk is iterative and assists organisations in setting strategy, achieving objectives and making informed decisions.” It then goes on to say that in order to implement a risk management framework, an organisation should:

  • develop an appropriate plan including time and resources
  • identify where, when and how different types of decisions are made across the organisation, and by whom
  • modify the applicable decision-making processes where necessary
  • ensure that the organisation’s arrangements for managing risk are clearly understood and practiced.

Developing the ISO Standards in Sweden

  • Risk management process

    The risk management process follows a well-proven framework that covers the key steps laid out in the ISO 31000 standard. These form part of a continual process of review and reform, carried out both for each individual risk and from a holistic perspective.

The traditional risk model

Risk is an inherent part of all operations, and so is risk appetite: the level of risk an organisation is willing to accept within its operations. In the traditional model used by many organisations today, once critical risks have been identified, the likelihood of each occurring is plotted against its potential impact on the organisation. Based on this information, a strategy is defined to move risks from high impact and/or high likelihood towards low-to-medium impact and low likelihood, in line with risk appetite.

However, for an organisation that operates multiple business models, and therefore fundamentally different levels of risk appetite, the model simply doesn’t suffice. Furthermore, it was developed before businesses and society became reliant on IT and global supply chains, and before non-compliance was a high-risk strategy for an organisation. Today, organisations face a more fragmented and uncertain picture of their current risk exposure. The risk landscape has changed and risk management, its models and the tools used to manage it, must move forward.

“Essentially, with the help of 4C’s Exonaut, we can identify the right balance between risk and reward. And, we have a structured record of all the data so we can analyse our performance in actual risk mitigation over time and learn from it.”
Filip Rönning, SBAB Risk Analyst and Exonaut System Manager

Bringing control to risk management models

New models introduce a new key component into risk management that enables organisations to embrace risks rather than simply mitigate them: control. The 4C Relative Risk Control Model, for instance, shifts the focus to the level of control exerted over a risk. The ultimate goal of risk management in this sense is no longer achieving the lowest possible risk exposure but achieving adequate control of the risk landscape. An adequate control level means managing the risk in line with the organisation’s risk appetite. This concept even allows risks with high exposure to the organisation to be deemed acceptable, which would not be the case with the traditional risk model. In the model, risks are transitioned from inadequate control to adequate control over time, no matter the impact they may have on the organisation. This strengthens the mandate of risk owners and fosters a clear common view on risk and risk appetite over time. The model therefore supports diverging risk appetites between departments and business units, i.e., it enables a company to embrace a risk in one part of the business and mitigate it in other areas.
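The following is an added, simplified illustration of the two ways of rating a risk described above: likelihood times impact in the traditional model, versus whether the level of control meets the owning unit's risk appetite in a control-based model. It is not 4C's own Relative Risk Control Model or Exonaut code; the scales, thresholds, unit appetites and the register entries are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    unit: str         # business unit that owns the risk
    likelihood: int   # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int       # 1 (negligible) .. 5 (severe), constructed scale
    control: int      # 1 (no control) .. 5 (fully controlled), constructed scale

# Assumed per-unit risk appetite, expressed as the minimum control level a unit
# requires before it is willing to carry a risk. Trading tolerates more than
# Compliance, which is the "diverging appetites" situation the text describes.
APPETITE_MIN_CONTROL = {"trading": 3, "compliance": 5, "it": 4}

def traditional_rating(risk, threshold=12):
    """Traditional model: score = likelihood x impact. At or above the
    threshold the risk must be pushed towards low likelihood / low impact."""
    score = risk.likelihood * risk.impact
    return score, ("mitigate" if score >= threshold else "acceptable")

def control_rating(risk, appetite=APPETITE_MIN_CONTROL):
    """Control model: the risk is acceptable when the level of control meets
    the owning unit's appetite, whatever its exposure."""
    required = appetite[risk.unit]
    return required, ("adequate" if risk.control >= required else "inadequate")

def control_gap(risk, appetite=APPETITE_MIN_CONTROL):
    """How many control levels the owner still has to add to reach adequacy;
    this is the quantity to track as risks transition over time."""
    return max(0, appetite[risk.unit] - risk.control)

def assess(register):
    """Rate every risk under both models so the divergence is visible."""
    return [{"risk": r.name, "unit": r.unit,
             "traditional": traditional_rating(r)[1],
             "control": control_rating(r)[1],
             "gap": control_gap(r)} for r in register]

REGISTER = [  # constructed sample register
    Risk("FX position loss", "trading", likelihood=4, impact=4, control=4),
    Risk("Sanctions breach", "compliance", likelihood=2, impact=5, control=4),
    Risk("Ransomware outage", "it", likelihood=3, impact=5, control=2),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
```

The first entry is rated "mitigate" by the traditional model but "adequate" by the control model, while the second flips the other way: a low-scoring risk that the owning unit has not brought under the control its appetite demands.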

  • Risk response

    Responding to risk is often broken down into four stages. The level of response chosen will depend on a department's or organisation’s risk appetite and risk control. With each successive stage in the response matrix, perceived risk is lowered, but so too are the potential rewards from taking that risk. If you operate in the financial sector, for instance, avoiding financial risks will not be very profitable; avoiding certain operational risks where possible, however, makes much more sense.

Risk management software

Due to the complexity of today’s risk landscape, traditional risk management tools no longer suffice. Spreadsheets are useful for basic risk operations, but if you want to work with risk systematically, according to ISO 31000 and based on a common understanding of risks, modern risk management software is becoming a necessity.

"Extensive projects need to be carried out and we need to start now, because it will not be possible to implement all the necessary measures at once. Resilience is the ultimate aim: whatever hits the city, we need to be able to deal with it."
Lena Maria Fritzberg, Safety Strategist at the City of Stockholm, discusses the collaborative climate risk project with 4C Strategies

The 4C Exonaut® software was included in Gartner’s 2020 Hype Cycle for Risk Management report. The end-to-end solution delivers a structured and integrated approach to project-based and enterprise-wide risks. With a common risk register, risk aggregation and dashboard visualisation, Exonaut provides a comprehensive overview of risk exposure across all organisational levels and business areas. For example, Exonaut enables you to map, visualise and share complex risk scenarios and their many dependencies in a similar way to the bowtie method, but on a far greater scale.

Discover how the government-owned bank, SBAB, uses Exonaut as part of its three-dimensional approach to risk management.

“Using Exonaut, we are able to analyse and identify distinguishing features of the company's risk exposure within different operational areas – and track our progress. This information feeds into the overall strategy of the company as it enables senior management to take better, more risk-informed decisions.”
Filip Rönning, SBAB Risk Analyst and Exonaut System Manager

Risk and organisational resilience

As one of the three key elements of organisational resilience, your risk strategy should be closely integrated with your Business Continuity and Incident Management strategies.

An integrated operational strategy will also enable you to pinpoint where, for instance, business continuity capabilities should be increased so that a controllable, high-return risk can be exploited in accordance with risk appetite, as opposed to simply looking to transition it to low risk.

Our approach is driven by a shift from an operational silo mindset to an organisational resilience mindset. This involves the strategic integration of risk, business continuity and crisis management and continuous capability development through training and exercises.

Risk Management – developing your strategy

At 4C Strategies, we can help you develop a risk management strategy that meets your organisation's needs and risk appetite. Our expert consultants have extensive experience in supporting global enterprises with the planning and delivery of risk strategies that support better business decision-making. Using the latest risk models and our advanced risk management software, we work with your risk teams and senior management to define the optimal roadmap for a healthy risk environment that supports business goals.

More about the 4C Relative Risk Control Model

  • In many of our dealings with enterprises we have encountered frustration among senior management with traditional risk management models and tools. Planning how to ensure that strategic, operational, financial or compliance risks are minimised and unlikely to occur can often hinder business and growth. In fact, if this is company policy, departments that depend on taking greater risks to compete and grow their markets can go rogue.

    Looking at risk differently by using the Relative Risk Control Model allows better prioritisation of risks and lets business units operate to specifically agreed risk appetites with full transparency for senior management.

    Read more about the 4C Risk Management model.
