The capability to see or hear of a risk (i.e., risk identification and awareness) is critical to begin the process of managing the risk. At RISK TRANSPARENCY we refer to this "voice capture" as an initial stage in the transparency process.


Upon identifying the risk, an entity can advance to the level of considering how to manage the risk. The majority of the RISK TRANSPARENCY website provides materials supporting how various entities, industries, and functional areas can leverage increased awareness to strengthen risk management processes across their respective enterprises and functional units.

Active risk management consists of establishing processes, accountability, controls, metrics, and reporting to ensure the risk is addressed in accordance with the organizational risk appetite and risk tolerance levels.


For example, in the banking industry, credit risks are managed by ensuring each third-party credit-related transaction is approved in accordance with predetermined credit risk appetite and tolerance financial levels. Each incremental credit transaction is then evaluated based upon accumulated credit exposures and concentrations, again in accordance with predefined risk appetite and tolerance levels. Exceptions are reviewed, evaluated, and approved or rejected. Credit exposures (i.e., risks) that may exceed the risk appetite and tolerance levels will either be rejected (i.e., risk not accepted) or potentially managed via a risk transfer mechanism instrument.


The process of determining how to treat each risk should consider the:


  • Costs and benefits of internally managing the risk

  • Capabilities of the organization to manage the risk

  • Potential benefits of transferring the risk to a third party

The process of risk transfer enables the organization to strike the proper economic and financial balance between the need to manage the risk to the organizational risk appetite and tolerance levels and the many other competing and complementary organizational strategic and operational objectives.


For example, a manufacturing company with a factory may implement fire protection systems to prevent, detect, and minimize the risk of a fire. The organization may also establish a business continuity management plan to provide alternative production in the event of a fire. Many organizations also transfer an element of the risk by purchasing Commercial Property Insurance to protect against the financial exposure (i.e., both risk of financial loss to rebuild the factory and potential lost sales) in the event of a fire. An alternative would be to have duplicate factory capabilities, but in most scenarios this is not considered a cost-beneficial alternative.



Whether a risk is managed internally or transferred to a third party via some type of financial instrument or insurance, a base level of risk management will always be required.

For example, if a risk is managed internally, the risk management processes will both drive and determine the level of confidence and assurance organizational leadership will have in the successful outcome of the respective process. Refer to each functional area for risk considerations for key sub-categories and processes which form the drivers of risk and process assurance.


On the other hand, if the risk is transferred via insurance, the insurance broker and insurance company will both require a base level of understanding regarding the underlying risk management processes and their effectiveness (i.e., risk drivers and process assurance). This underwriting evaluation then forms the basis for the pricing of the insurance policy based upon the likelihood and impact of an event occurring (e.g., fire at factory).