Risk Management

Risk Management is the process of making and implementing decisions that will minimize the negative effects of risk on an organization. Adverse effects of risk can be objective or measurable or subjective, such as insurance premiums and claims costs, and difficult to measure, such as damage to reputation or reduced productivity. By focusing on risk and committing the resources necessary to control and reduce risk, an enterprise will protect itself from uncertainty, reduce costs, and increase the likelihood of business continuity and success.

Manage your business by Prosoftly

You can use Prosoftly Business Management Software to manage your business more effectively.


This article is about Risk Management and 4 Types of Business Risk.

  1. Strategic risks 
  2. Financial risks
  3. External environmental risks
  4. Operational risks

What is Risk Management?

What is Risk?

Risk is a situation that we encounter frequently in our daily lives. Naturally, it is not only a matter of business management. Everyone, from personal to company basis, from all organizations we are into governments, lives with the risk factor. The risk is likely to arise in the future and is the name of the process where internal and external environmental factors arise that may affect our or our organization's activities. Risk is a concept of the future, not the past. It is the name given to the possibility that future events will affect our strategies, goals, and ways of doing business. When we look at it in this way, we should spend our whole life aware that we are facing risk. Because no one knows exactly what they will face, not only in business or private life but even in a minute. Therefore, it is the concept of uncertainty that creates a risk.

The extent of risk can be expressed as:

Risk = Probability x Significance

Probability is the probability of an event occurring, and severity is the extent and cost of the loss incurred.

In general, risks can be divided into two categories:

  • Pure Risk - Risks where the possible consequences are missing or not at all. Loss of fire, robbed building, an employee's involvement in a motor vehicle accident, etc. It includes things.
  • Speculative Risk - The risks where the possible outcomes are a loss, profit, or status quo. Stock market investments and new product lines, new locations, etc. It includes things such as business decisions.


"Risk is trying to control something you are powerless." 

Eric Clapton Since


We do not know what will happen in the future based on individuals, institutions, and countries, we define a concept called risk and in this way, we try to make this business manageable. This is where the concept of risk management is born. Risk management is the name given to the process of making behaviors or actions that we may encounter in the future and that have the potential to affect our lives, the functioning of our organization, and our strategies, by planning and making them manageable from today. Therefore, risk management is a very important concept. If we return to our personal lives without realizing it, we should be aware that we are doing very serious risk management. For example, we're going on a trip tomorrow, and one of the first things we do is check the weather online to see if it's rainy. This is all part of actually managing risk. Because if it is likely to be rainy, we will buy clothes accordingly, we will choose our place closed accordingly, but otherwise, we have to calculate the probability of the risk and take certain actions. 

In summary, Risk management is the process of making and implementing decisions that will minimize the negative effects of risk on an organization. Adverse effects of risk can be objective or measurable or subjective, such as insurance premiums and claims costs, and difficult to measure, such as damage to reputation or reduced productivity. By focusing on risk and committing the resources necessary to control and reduce risk, an enterprise will protect itself from uncertainty, reduce costs, and increase the likelihood of business continuity and success.

What is Enterprise Risk Management?

Enterprise Risk Management is a subtitle of the risk management concept. As the name suggests, companies, firms, etc. It is the name that organizations give to the process of managing risks that will occur within their organization. To explain this a little more; When we look at the details that incorporate risk management, each institution has an organization and this organization has different departments.

The concept of enterprise risk management is the name given to all of these different departments with a top view. As an example, the purchasing department can conduct its risk assessment, plan actions to manage risk factors, which is a very positive thing. However, while the finance department may define some financial metrics as a very serious risk, the purchasing department may not define this factor as a risk.

If we just look at the case as the purchasing department, we do not have an enterprise risk assessment because the business may have a financial dimension that the purchasing department does not dominate. Therefore, a definition of enterprise risk management has emerged to manage all these risks based on senior management, that is, in terms of the overall functioning and top view of the organization.

“There are two options before us in every moment we live; To take a step towards improvement or to step back to feel safe. ”

Abraham Maslow The


First of all, enterprise risk management is a process. It is necessary to determine this because it is not a one-off job. It is a concept that includes process steps such as different people, departments, strategies, and ways of doing business, does not have a clear schedule, continues as the company or institution continues its activities, and is subject to continuous improvement and lean thinking.

If we talk about enterprise risk management in more detail, we can use the enterprise risk management and internal audit in the same sentence. Because these two are complementary to each other. enterprise risk management means looking to the future, internal audit means looking to the past.

The two are standing at one point and turning your face towards the future on one side and towards the past on the other. Both have analysis, control, and audit functions. However, in an internal audit, you evaluate and analyze historical data, and then you consider whether there is a problem in the operation of the company or institution, the deficiencies, and the negativities experienced together with the past burden. Anyhow, this is not the case with enterprise risk management.

Here you focus entirely on future events. In line with the strategies and mission of a company, you analyze the internal or external environmental factors that are likely to damage, disrupt, and cause negativity in this strategy and mission in the future, plan, and reveal a prioritization by examining the effect and probability concepts of the phenomena you plan and analyze. Subsequently, according to this prioritization, you plan from today what actions you need to take in case of any situation.

When you look at today, although organizations do not call this enterprise risk management in many ways, they follow many precautionary policies for a healthier future on behalf of their companies.

When you look at it, this is the expression of the mechanism of managing risk, which includes a family and, accordingly, the institution. Because the purpose of drafting a family constitution is to anticipate future problems amongst the current family members, seek a solution, and plan them, and then the individuals define this process by signing and writing it to manage future risks.

In this way, they plan the actions to be taken in possible negative situations from today. Therefore, when you look at it, family business constitution consultancy, which is a service that most people take without realizing it, is completely a sub-service of enterprise risk management. Based on this example, enterprise risk management is a management methodology designed to prevent future adversities.


“First learn the rules like a professional. Then break them like an artist. " 

Pablo Picasso

7 Benefits of Enterprise Risk Management

1. Enterprise Risk Management provides companies with sustainability. The biggest problem of companies is actually to be a long-term company that lives for years, even generations, and it is the phenomenon of keeping this company alive. Here, there is a threat from both the internal and external environments. Enterprise risk management directly anticipates these threats, increasing the likelihood of the company's sustainability.


2. Of course, financial issues are very important in companies. When we talk about financial issues in companies, although facts such as unprofitability affect negatively, when we listen to the bankruptcy stories of companies, we can observe that there are bankruptcies due to the realization of factors beyond their control, such as cash flow problems or sudden currency shock and interest shock, and these bankruptcies are proportionally higher.

Planning this and trying to take precautions, preparing A, B, C plan extends the life of companies and ensures that they have a healthy structure in financial terms.


3. Companies are seriously intertwined with technology in today's volatile world. This called Digital Transformation. Every job is more or less about technology and the firm needs to incorporate technology. When it comes to technology, there are completely different risks for companies. Hence, companies need to manage these technological risks.

Risk management is a concept born from uncertainty, and while technology reduces internal uncertainties to a great extent, on the other hand, it brings openness to the outside world by creating serious uncertainties, being constantly connected, and integrating with the outside world with concepts such as, as internet and cloud. When you look at the result of this, many concepts and uncertainties arise, which are unknown to companies and individuals.

For example, cyber-attacks, hacking of e-mail accounts, the theoretical possibility that company data is open to external access in many applications from e-invoices, and an environment of fear and uncertainty arising from companies not knowing how this happens technologically, companies turn to the concept of risk management and enterprise risk management. leads. Thus, enterprise risk management enables technological uncertainties to be detected and removed or to take precautions.


4. Another benefit of enterprise risk management complies with regulations. Each country has its legislation, these are legislation that is passed around the world and passed across the country.

Changes in these regulations may cause companies to develop too much or, on the contrary, to almost disappear. These changes cannot be changes that are generally under the control of companies, and to comply with the legislation on this issue, we already have to brainstorm and consider where the trends in the world and the regulatory trends set by the state go in terms of risk and to take precautions by thinking "What will happen if this happens" the start of the company will provide a significant plus in terms of compliance with regulations.

For example, with the development of technology, companies switched to e-invoice solutions, cash registers, and pos devices merged in retailing, and all this happened with legislative changes. Firms that foresee this to come in advance have achieved very serious advantages in their business and services in the market, both in terms of profit, market share, and in terms of sustaining their existence.


5. If we express the companies through the eyes of their owners, shareholders, or bosses, the concept of risk management provides the answers to the following questions:

  • What are the main points in my company?
  • What are the problems that may cause me in the future?
  • What would I like to know first as a company manager-boss-shareholder-board member?
  • What can I do if such a risk occurs in the future?
  • What harm or benefit will this bring to me?
  • How can I plan after determining this?

So, to put it in a little more practical language, enterprise risk management is a tool that can be given to the boss to see the future.

In other words, the concept of enterprise risk management is a management decision support mechanism specific to the boss and the board of directors to see the future and make decisions. Therefore, this is one of the most important benefits of helping the boss to make his job easier and plan his future easily.


6.Even if the data is confidential company information or even basic physical security, it is included in risk management planning and can raise awareness of how vital enterprise risk management projects are to the health of companies.


7.Risk management applications allow companies to see where projects need attention and which projects they are. Good risk management, combined perfectly with the existing Project Management Office processes it already has, can provide companies with a context for understanding the performance of a project and can contribute to any health check, peer review, or audit.

Later, senior leaders can access better quality and more useful data, both software and hardware, that enable them to make better decisions based on the reality of a project. The information it accesses is real-time risk information via a project management dashboard and means it is based on the latest data, not an outdated report.

Risk Management Organizational Structure

Risk management plays a very critical role in business management. Risk management is an important business practice that helps businesses identify, assess, monitor, and mitigate risks present in the business environment and is applied by businesses of all sizes. As businesses grow they want to maintain stability.

Managing risks affecting the business is a critical part of this stability and continuity. Not knowing the risks that may affect the business can cause serious losses for the organization. Not being aware of a competitive risk, loss of market share, unaware of a financial risk, financial losses, awareness of a security risk can cause an accident.

People working in the field of risk management monitor the institution and its environment. They look at the business processes followed within the organization and look at external factors that may somehow affect the organization.

A business that can estimate a risk will always be advantageous. A business that can forecast a financial risk will limit its investments and focus on strengthening its finances. A business that can assess the impact of a safety risk can design a safe method of working that can be a major competitive advantage.

If we think of the business world as a hippodrome, the risks are the pits that every business on the track should avoid if they want to win the race. Risk management is the process of identifying all holes, assessing their depth to understand how damaging they can be, and then drafting a strategy to prevent losses. A small pit may slow down the business, while a large pit will require the business to avoid it altogether.

Knowing the severity and probability of risk helps businesses allocate their resources effectively. If businesses understand the risks that affect them, they will know which risks require the most attention and resources and which ones the business can overlook.

Risk management allows businesses to act proactively to mitigate vulnerabilities before any major damage occurs. There are different risk management strategies and solutions for different types of risk.

So what is the question the company manager should ask himself at the point where he is? If we start answering this question, we go better because the answer to this question depends on the scale of the company. Here, a company with 10 employees, a company with 100 employees, a company with 1000 employees should not give the same answer.

The basic concepts and starting points are the same, but in today's world where fast fish swallow slow fish, companies should not be confined to the concepts of worlds where they do not belong. In this question, we can put international companies with a turnover of $ 100 Million and 500 thousand or more employees on the same level.

We can also put companies that are medium-sized with 60-70 employees, with a turnover of $ 30-40 Million to $ 200-300 Million. Also, we should consider the more developing companies, which are at the beginning of the life of the company, which are niche due to the work they do, and provide less turnover in more niche areas with smaller staff but do profitable business as the third category.

In all three, the concept of risk and enterprise risk should be in his life, but the approach of all three to this business must be different.

For example, a company with 20 employees should have a board of directors, there should be certain committees in your board, an early detection committee, an independent member, an enterprise risk department, and if you try to take action in line with these, that company will fail because that company is already. It should employ employees who are currently obliged to fulfill their basic functions and open the door to growth from them. 

"It is necessary to consider preventive and protective measures before the disaster strikes, there is no use in beating after it comes."

Mustafa Kemal Atatürk


The perception that the concept of enterprise risk should not be within these companies and their organization is wrong. Let's start as the category of small-scale or niche-scale emerging companies.

In these structures, we can only envision them as structures that carry out the operation that earns money and are the basic building blocks of this operation, which are sub-building blocks, and where departments such as accounting, such as sales, or persons are the most. The person who will manage the risk is necessarily the company owner and the boss, and we should turn directly to the bosses about what should be done in the organization. The smartest solution here would be a move towards analyzing risk.

First of all, as you know, there is a concept that you cannot manage what you cannot measure. In other words, it is out of the question for you to manage a phenomenon that you do not know, measure, or define. Therefore, the bosses, shareholders, owners of this firm are obliged to analyze the risk first. In this regard, it may not be very likely for companies to establish a department in the organization because they are small in terms of structure, and it is a rational solution to take this as an external service.

Analyzing here at the first stage, discussing certain measures according to the analysis should be a move that the shareholder or the boss will make. At this point, the person who is interested in this business to complete the organization by outsourcing, on behalf of the company, to have it would be a smart solution for the risk inventory and risk analysis study. 

When it comes to medium-sized companies, the situation is beginning to change here because medium-sized companies have now settled their business and have reached the level of earning money and have taken on a serious organizational structure. Accordingly, these companies now have opportunities and possibilities to make certain breakthroughs, to incorporate new management methodologies, and to research them.

Inevitably, we can say that they have to do these things because if they do not do them after a certain period, there is a risk of falling from the middle size or falling into the trap called the middle-income trap and continuing to stand still. Thus, what these companies need to do is perhaps a risk analysis and risk roadmap study, and once they have done it using outsourcing, provided that the solution projects are prioritized against the risk perception that may arise there, perhaps by using external services, perhaps by using internal resources, We can say that we create a management department. 

Many answers can be given to the question of what the enterprise risk management department does, but the following answer may be the smartest, especially for medium-sized companies; If a job is not owned, it would be wrong to wait for a successful result. Therefore, there is a need for someone or someone to embrace the concept of enterprise risk, and the point of emergence of the most basic need is under the umbrella of enterprise risk in these medium-sized companies.

Although not a very crowded department, structures init is the organization that is directly affiliated to the board of directors (if any) and where there is no board of directors is not ideal structures, but in the worst case, there should be an enterprise risk management department directly attached to the general manager. Medium-sized companies should implement this in their organizations. This is also wrong; Provided that such a department is created, let's link it to administrative affairs, human resources, or financial affairs.

Financial affairs, in particular, are a common mistake. Because enterprise risk is thought to arise only from financial risk, but this is a wrong perception. Sometimes organizational structures named as corporate management departments and experts attached to directorates such as production or factory directors are established. This would be a wrong move because in such cases, we can talk about risk being focused on quality, system, and production operation. To manage enterprise risk properly, it is necessary to create a structure that can be defined as the supervisor of all departments and directly accountable to the board of directors. 

Another issue is that we can define as upper-scale companies; International companies, holdings are structures that have reached a serious number of employees and turnover and have reached a serious organization size. In some of these structures, there are already structures in which enterprise risk management becomes mandatory within the concepts of enterprise risk and corporate governance.

For example, companies that are open to the public and subject to NGO legislation have such obligations, but if we put them aside, enterprise risk management without being subject to such obligations a responsibility that these companies should do.

The first of these, of course, is to establish the enterprise risk management department sustainably. However, the next step is to do this; These structures must necessarily have a functioning board of directors and executive boards, and committees must be established and functioning within the board structures. It should be noted that the most important committee regarding the risk issue here is the early detection and prevention of the risk committee.

In companies with this structure, the concept of job blindness sometimes occurs to determine the risk. If you have been working in a company for many years Even if you have worked in different departments, you may inevitably become familiar with some risks, not understand their importance, and risk not evaluating them correctly. Therefore, the most rational solution to eliminate this risk in yourself is to commit the independent board membership system to the company.

In other words, it is the most recommended that the boards of directors are to be converted as independent board members as their professional employees or those who have certain expertise outside the sector or outside the sector and that these members must be included in the early detection and prevention of risk committee, and even be the chairman if possible. one of the solutions. Of course, organizational risk will be in the sub-departments that will concern these large companies.

One of them is the internal audit department and it should be necessary because, in the internal audit report published by the internal audit department, it is possible to detect mistakes made in the past and to write the risk of this in the future as a suggestion.

Hence, in large companies, it is necessary to see that the internal audit and enterprise risk management departments work together in the organization and directly report to the board of directors and make sure that they are implemented in this way.

Types of Business Risk

Businesses face all kinds of risks, some of which could result in a serious loss of profits or even bankruptcy. But while all large companies have extensive "risk management" departments, small businesses tend not to look at the issue in such a systematic way.

When we look at it, the concept of enterprise risk is a phenomenon that affects the whole life of companies and confronts them with every step they take. Since it exists everywhere, it is useful to take it in a more structured way to understand and internalize it. To examine under 4 titles;

  1. Strategic risks 
  2. Financial risks
  3. External environmental risks
  4. Operational risks

Strategic Risk

Where everything starts in companies is strategy. Everyone knows that a company that wants to be successful needs a comprehensive, well-thought-out business plan. But it is also a fact of life that things are changing, and your best-laid plans can sometimes seem very outdated very quickly. This is a strategic risk. This is the risk that your company's strategy will become less effective and, as a result, have difficulty achieving your company's goals.

This could be due to technological changes, a strong new competitor entering the market, changes in customer demand, increases in raw material costs, or other large-scale changes.


Whether or not companies name them, they are born with a strategy, a vision, and a mission to realize this vision. When a business is established, it is established with a dream and a goal about where it wants to reach in the future. It is born with the first-period theories about what to do to reach this goal, that is, its mission. Therefore, a company born with this is faced with a huge risk in this strategy journey that it updates along the way.

These strategies involve many risks; the probability of the targets not being realized, the possibility of realization more or less, the wrong set of targets related to these targets, and the risks of dragging the company in a completely different direction. When we look at it, all these are actually in the concept of risk.

At this point, it is not the risks that concern the strategy and only the targets. Strategy means a process in which the founders, owners, shareholders, or senior management of the company determine the place and route they want to go, and it is a continuously active period.


"Measure is always the tool of wisdom."

Patrick Rothfuss


Strategies are constantly changing in today's world. For example, this year we are in the year of the virus, and in December, we should look at the strategies that companies talked about and stated for 2020, what were the works done, and talked about after 3-4 months. So the strategies are really risky, and these strategies don't just include certain words on a written basis.

The strategies in practice, that is, the strategies of the way companies do business, their financial strategies, sales or customer-oriented strategies, and more, fall under this concept. Therefore, when you look at it, it can pose very serious risks in matters that are under internal control, that is, the things that the company determines within itself, and these things are at risk of changing with internal or external factors.

This factor must be considered as strategic risks. As a footnote; As required by the definition of the strategy, we can assume that strategic risks (measured by the impact and probability of a risk make), as if the impact coefficient starts over a certain number. In other words, the risks that are most likely to affect the boss's life are included in this group.

Financial Risks

The concept of financial risk is a topic that comes closer to companies than the other 3 main risk headings because it requires dealing with finance, that is, dealing with the money issue that keeps the company alive, and when you look at it today, even the grocery store on the corner is doing financial risk management. How does he do it? Does it use the software? No. Did he set up a department? No. Got an independent board member? No. The simplest thing he does is; He buys cheese and determines the payment term of the cheese he will buy, the price he will sell to the customer, and he sees the good or bad mismatch between them and puts a profit margin to compensate it according to the situation, or he buys the cheese from the supplier who sells this maturity. There is financial risk management here. If we give an example on the institutionalized company scale, there are currency issues that are hot on the agenda in many companies in developing countries and companies inevitably do business with foreign exchange. There are various reasons for this. Or as an importer company sells products in developing countries and doing import and sell foreign currency directly, but at the end of the day as own currency. In another version, the company is a manufacturer and sells mainly abroad, but let's say some of its products are imported or imported in dollars. European countries buy the product it sells in the euro and therefore there is a foreign exchange difference. Today, developing countries are now both in private, both in the world and pruning increases the risk of high waves move in a very general concept that we in the exchange. Therefore, companies that especially after the crisis in Turkey in 2001, he lived very intense exchange focused on financial risks that companies have become a bit more familiar with the concept and began managing it. At first, it started to be managed within the financial departments. They started only as foreign exchange risk, but enterprise risk management is not just about this concept.


What are the concepts that accompany enterprise risk management? A subtitle of the concept of financial risk is to be able to manage foreign currency risk. Another topic is to be able to manage net working capital. In other words, it is the analysis of whether the person can spend the money he has as working capital while doing his job or not. Because networking capital is the size of the material value of the money that stands in that safe in our office and is used for the concepts of bought-sold and produced-sold to manage the daily operation if we have a safe to turn any business. In other words, it is the money that should be in the cash register on any given day for that business to work.

How can we manage this correctly and what are the risks? Let's think of it like this; A new business center was built opposite the grocery store and 5,000 people came to the business center and started working. The grocery store saw the opportunity and started making sandwiches to sell these to 5,000 employees during lunch breaks, but 1,000 of the 5,000 people arrived at noon.

The working capital that 1000 people will spend on their sandwich, that is, the money they should have, is perhaps more than his turnover in one month or the previous months. He does not have such a safe because he uses the money he already earns to support his house. Therefore, he will prepare sandwiches for 10-20 people at once, but he will not be able to do it even though he sees the demands of 30 people. Here it is necessary to foresee this. When we return to the companies, a new customer has been sought, but perhaps when some customers arrive, it may require such large working capital and this can even ruin the company if not managed properly. We can often come across examples.

One of the most important examples; Although it is thought that a company that has recently provided office rental services in the international sense is doing very well, it has not been able to manage its working capital properly due to the obligation to open new offices and cannot manage the risk of going bankrupt within 5-6 months by entering into serious debts. is one.

When looking at another financial risk concept, it can be said that there are risks related to the company-related budget concept. In other words, companies must make a budget at every scale. Some actions will be taken according to the budget here. However, in the probability of these actions and budget estimates to be realized incompletely, it can be thought that a B plan or the positive or negative effect it will create is a subject that concerns both financial risks and is a subject within the concept of strategic risk in terms of its connection with main strategies.

Today, with these financial risks to manage the foreign exchange side, especially in companies in developing countries some concepts become a little more familiar. One of them is the Hadge concept. For example, if we consider that risk goes hand in hand with uncertainty, the US dollar poses a risk to developing economies' companies because we don't know what the dollar rate will be in the future. It can be import or export, or many things are the basis we eat and drink from fuel today.

Many things up to buy products are determined by foreign currency. Therefore, the change in foreign currency creates serious uncertainty. To manage this, financial instruments have been created in the financial world.

One of them is the Hedge concept. To define this concept, it is to keep the loss that may be faced with the increase or decrease of the dollar in a future day at a minimum level by fixing the currency with the company that the business is doing. When that day comes, the dollar rate may be slightly lower or higher, but at least the company has fixed it from today, removing the uncertainty about the sixth month ahead.

In this direction, if the company develops a strategy accordingly and fixes its 6-month accounts to the dollar exchange rate here, it can make a profit from profit, it can turn its loss into profit, but in both cases the company becomes manageable. Thus, the Hatch concept is one of the concepts that arise very seriously in terms of enterprise risk management. Firms should be careful about financial instruments.


External Environmental Risks

External environmental risks are risks that are outside of individuals, institutions, and originate from outside, and do not have a personal or corporate control-intervention chance. As an example of these risks;

  • legal matters,
  • legislative issues,
  • political-political issues,
  • Natural disasters and disaster issues can be given.


Legal Issues

Companies may be carrying serious legal risks due to new legislation in the law or an issue that companies are not aware of in the current legislation. For example, there is legal legislation regarding products produced in the food sector and the company has skipped this detail. It can harm a person by unwittingly containing the substance that should not be contained in the food product, and this creates a legal risk, even the state may be involved in this and the company issued. Later, high compensation may be faced against this lawsuit. Again, there are standards set by the state to do certain works, and if these legal standards are exceeded, legal sanctions will be faced.

There may be issues set by the state itself or regulated by an agreement between states. For example, it may be subject to agreements such as natural gas pipelines or international energy deals.

As can be seen in our country, the fact that large investment projects, such as bridge hospital projects, are carried out by the private sector in partnership with abroad creates topics that may be subject to international arbitration. Thus, suddenly the company starts to take the risks of international law.


Natural Disasters and Disaster Issues

Another subtitle, natural disasters, and disasters are the sub-break where we can give an example of the covid disease we are experiencing. The virus is an epidemic disease all over the world in a way that it is not created by human beings itself, and in a way that human beings are not directly involved, and it is not possible to destroy it in advance because you cannot destroy what you do not know, so the concept of natural disaster is faced.

Of course, it can be tried to be taken under control, measures can be planned and the companies should work, plan and foresee “what we can do if such a scenario occurs” in advance, and it is required to create A, B, C plans under the heading of enterprise risk management concept in case of possible disasters.

Regulatory Issues

Legislative issues are regulated under the auspices of the state since the forest laws will be valid if the rule of other business is not determined, humanity has been publishing certain laws, regulations, and issues since the Sumerians and trying to reveal the main sectoral parts of how certain works can be done and the regular progress of the works. Of course, these regulations inevitably reflect on the business of companies. How is it reflected?

For example, in the past, the cash register where the receipt was cut was a separate pos device. Then, some tax losses could arise before the state. With the credit card, the relevant seller could not cut a receipt and not show such a seller officially, although it was illegal. Hence, he did not pay the tax for that job.

Later, the state-issued legislation and produced a new cash register POS device where these two devices are combined and the receipt and the credit card slip are issued together. the appendix stated that they will now be used.

In this way, tax evasion has been prevented. However, what has this brought to businesses? Old appliances all went to waste. Because the state made the old devices non-functional by requiring these new cash register POS devices in each branch of the companies selling goods. Thus, when looked at, legislation introduced by the state directly affected individuals and companies in a way that they did not have.

Political-Political Issues

Countries have both domestic and foreign policies. Both of them inevitably affect companies and carry risks. These; the country entering into an economic crisis, entering into a certain political crisis, the political gaps emerging with the politicians who govern the countries drifting into chaos in various ways, the countries being politically threatening to each other and the political relations becoming tense.

Operational Risks

Operational risk summarizes the uncertainties and dangers a company faces when trying to do its day-to-day business activities in a particular area or industry. Some form of business risk can arise from breakdowns in internal procedures, people, and systems. Although risks arising from external events are often more likely, companies are also a source of risk for themselves.

Operational risk means an unexpected failure in the daily operations of companies. It could be a technical malfunction, such as server downtime, due to employees or processes.

Operational risk can be summed up as a human risk, as it reflects man-made procedures and thinking processes; It is the risk of business operations that fail due to human error. It varies from industry to industry and is an important consideration when looking at potential investment decisions. Sectors with less human interaction are likely to have lower operational risk. For example, an employee of a company may write the wrong amount on a check by paying $ 100,000 instead of $ 10,000 to a customer account.

This is a "human" failure, but also a "process" failure. Having a more secure payment process could have been prevented, for example, by using a second staff member to authorize each major payment or by using an electronic system to flag unusual amounts for review.

In some cases, operational risk can also be caused by events beyond your control, such as a natural disaster or a power outage, or a problem with your website's server. Anything that disrupts your company's core operations falls into the operational risk category.

While the events may seem quite small compared to the big strategic risks we mentioned earlier, operational risks still have a huge impact on your company. Not only the cost of resolving the problem but also operational issues can prevent the delivery of customer orders or make it impossible to contact the company, resulting in lost revenue and damage to the company's reputation.

Difference Between Operational Risk and Financial Risk

In a corporate context, financial risk refers to the possibility that a company's cash flow will be insufficient to cover its obligations, namely loan repayments and other debts. This inadequacy is related to the performance of company products as well as decisions made by management (especially company finance professionals), and financial risk is considered to be different from operational risk, although it may result from them.

Often, operational risk and financial risk are separated as it relates to the company's use of financial leverage and debt financing rather than daily efforts to make the company a profitable business.

Ways to Identify Risks in Your Organization

Effective enterprise risk management is becoming increasingly important in today's regulatory environment. Regulators and rating agencies expect companies to have a good understanding of their risk profile and to implement an appropriate management structure to reduce their risk.

Conducting an enterprise risk assessment can allow an organization to gain a holistic view of the risks faced by it, and management to identify those risks and take advantage of opportunities.

Risks affect a company's ability to survive, compete successfully within the industry, and maintain its financial strength and positive public image, as well as the overall quality of its products, services, and employees.

Company owners, managers, etc. should consider the risks from their perspective within the company, taking into account their goals and objectives. They should consider everything from insurance risks such as “Catastrophe Risk” to operational risks such as “Outsourcing and Service Provider Risk”.


There are many different types of risks - legal risks, environmental risks, market risks, regulatory risks, and much more. It is important to identify as many of these risk factors as possible. At this point, of course, the concept of risk management starts with analyzing the risk. Risk analysis is also carried out with certain methodologies.

The first method to be said is the SWOT Analysis method. We did not work to identify the strengths, weaknesses, opportunities, and threats of the company and it is a step to be taken when determining strategies. The risk should be included in the planning of the strategy of the companies because this is the only way to achieve homogeneous planning. Therefore, planning the risk involves determining the strategy according to this risk.


It is useful to underline a changing concept in our day. The concept of risk has always been called a negative thing in both companies and literature from the past until today or it has been taken in that direction. The future adversities and the way the company does business are examined. However, it should be noted that today this concept has started to change and it emerges from the necessity of thinking outside the box.

Seeing the concept of risk as equivalent to an opportunity rather than negativity and threat, and internalizing the concept of equating with this opportunity has now become a much more effective method. Because the risks make companies think about future threats, as well as open the door for you to see an opportunity.

For example, let's say there was a serious economic crisis, companies shut down, people's income fell, so they cannot shop, etc. Accordingly, if the company wants to sell a product through its merchandising channel, this can be looked at as follows:

When a crisis comes out (we assume that the company has made a risk plan before the crisis), yes, people's income will decrease, but people will continue to eat and the company wants to take part in shopping malls at these times, but both rents are high and there are no shops. However, in times of crisis, since the shops are closed one after the other, the shopping mall management will also lower the rents and make the payment plan easier. Therefore, when the company sees an opportunity here and analyzes this risk, a threat-opportunity situation arises. Yes, it is a risk, what is the threat this risk poses to the company?

What is the opportunity it creates for the company? With the answers to the questions, road maps can be determined very clearly, and the company can make a profit based on the turnover during a crisis. Therefore, the investor accumulates his cash on the sidelines in a good time and does not invest now (if he sees the future of the crisis for a certain short or medium-term), and the new business plan coincides with the crisis period and continues with much cheaper rents and then with cheap rents. can build a business model. In this way, the concept of risk perceived as negativity and threat by everyone is turned into an advantage. Therefore, the introduction of the opportunity-risk matrix as a method is a new phenomenon within the concept of enterprise risk.

Another issue is the risk inventory study. It emerges as the main name in the analysis study. Under the heading of strategic, financial, external environment, and operational risks, which we mentioned before, companies need to overhaul and analyze all their internal processes. While doing this analysis, companies should ask themselves the following questions;

  • What phenomenon is likely to affect my future job?
  • What is the probability of this phenomenon happening?
  • If this phenomenon happens, what effect will it have on me?
  • What is the order of importance?
  • If this happens, what are the actions I should or can take?
  • If this risk occurs, what are the projects that I can implement?


Creating a risk inventory that includes all of these is emerging as one of the main methods. Certain tools can be used to do this. While analyzing, there may be one-to-one interviews, survey methods, but these questionnaires had to be seriously considered on the question sets. Certain workshops can be organized throughout the company to search for risks, which can then be referred to as search conferences, together with small group and large group workshops.


In another topic, certain software or hardware tools can be used in the context of technical risks to identify risks with some online tools and outsourcing. No matter how harmonious and healthy communication between departments can be, any negativity that may arise due to the communication force can be detected early and put into effect by taking necessary measures.

The lack of communication between departments, which is one of the biggest problems for companies, is eliminated with these software and hardware solutions, and the risks that the company may or may encounter are determined beforehand.


The risk assessment process is ongoing and should be revised over time. It can be repeated several times before the company has seen a complete picture of the risks and understand the controls and processes that reduce them. The outcome of the process allows management and employees to better understand the company risk profile and the importance of the control environment in reducing risk.