https://doi.org/10.22267/rtend.252602.27
Research Article
Economy and Finance
Theoretical convergences in the classification of business risks and the characterization of the consequence
Convergencias teóricas en la clasificación de los riesgos empresariales y la caracterización de la consecuencia
Convergências teóricas na classificação dos riscos empresariais e na caracterização da consequência
By: Julio César González Rodríguez (1); Ramiro Díaz Carreño (2)
1 PhD in Management from EAN University. Full-time professor at Universidad Militar Nueva Granada. ORCID: 0000-0003-1280-2230. E-mail: julio.gonzalezr@unimilitar.edu.co, Bogotá – Colombia.
2 Master's degree in Strategy and Geopolitics from the War College. Professor at the Faculty of International Relations, Strategy and Security, Universidad Militar Nueva Granada. ORCID iD: 0009-0005-4857-0584. E-mail: ramiro.diaz@unimilitar.edu.co, Bogotá – Colombia.
Received: October 13, 2024 Accepted: June 20, 2025
DOI: https://doi.org/10.22267/rtend.252602.275
How to cite this article: González, J. and Díaz, R. (2025). Theoretical convergences in the classification of business risks and the characterization of the consequence. Tendencias, 26(2), 55-83. https://doi.org/10.22267/rtend.252602.275
Abstract
Introduction: Risk management in the business environment has evolved significantly, but it still faces the challenge of having a unified and coherent risk classification. This lack of homogeneity hinders the effective implementation of mitigation strategies and communication between different stakeholders. Objective: This research proposes a new way of classifying business risks, providing a novel theoretical framework for Enterprise Risk Management (ERM). Methodology: An epistemological and praxeological contrast was carried out through an exhaustive review of the academic literature and current business practices in risk management. This analysis made it possible to identify factors of conceptual convergence and to unravel inconsistencies in the existing risk taxonomies. Results: It was determined that internal risks can be grouped into three key areas: strategic, financial and operational. The consequence should not be considered a classification variable, but a construct of several variables. Conclusions: Distinguishing between the scope of a risk and its consequences allows for more precise identification, evaluation and management, and contributes to standardizing enterprise risk management. The model improves risk identification and management, reduces conceptual ambiguity, and strengthens organizational capacity to deal with uncertainty.
Keywords: classification; consequences; enterprise; Enterprise Risk Management; risk.
JEL: L29; M10; O20; P27; Q51
Over the past six decades, Enterprise Risk Management (ERM) has evolved into a discipline supported by practical models such as COSO (Committee of Sponsoring Organizations of the Treadway Commission) and ISO 31000 (2018). However, heterogeneity in the classification of risks within organizations can cause the same risk to be placed in multiple classes, which complicates the assignment of responsibilities and the understanding of its impact. For example, the risk of fraud can be classified as financial, because of its economic consequence, or as operational, because of the deficiency in audit controls. A standardized classification is essential to achieve effective intervention and a collective understanding of risks, transcending the individuality of each event.
The study of risk in ERM has been enriched both by the contributions of professional organizations and associations and by academic research. This research seeks to address the current ambiguity in business risk classifications. It is proposed that, by analyzing the intrinsic components of risk, it is possible to develop new classifications that allow a clearer and more differentiated taxonomy of each risk group. This will not only contribute to the theoretical framework of ERM, but will also promote greater awareness, more efficient management and a more precise understanding of the potential consequences of the materialization of risks.
The objective of this article is to propose a classification of risks as a theoretical contribution to the ERM. To this end, first, a review of the current classifications in terms of risk is presented and the similarities between the approaches made by various authors on the subject are identified. Subsequently, the possible elements that allow the types of risk to be segmented more clearly are determined and, finally, from the praxis, the classification and consequences of risk are differentiated.
Risk is a construct with a diversity of concepts and interpretations, most of which come from institutions or organizations specialized in its study. The technical standard ISO 31000 (International Organization for Standardization, 2018) defines it as "the effect of uncertainty on objectives", an effect that can be negative or positive. The Institute of Risk Management (IRM) defines it as the combination of the probability of an event and its consequences, which can represent opportunities to obtain benefits or, conversely, generate threats (IRM, 2002). In the same sense, COSO specifies it as a function of probability and consequence, with risk and opportunity being opposite effects (Curtis et al., 2012).
In the Risk Assessment Guide (ASIS International, 2015), developed in the USA and converging with the ISO 31000 technical standard for risk management (International Organization for Standardization, 2018), risk is defined as the effect of uncertainty on the achievement of objectives, which can be strategic, tactical or operational; while its results are understood as positive or negative. Uncertainty implies a lack of information, the impact of which falls on tangible or intangible assets, and risk is stated in terms of consequence and probability.
From an academic perspective, Lowrance (1976) considers risk a measure of the probability and severity of adverse effects (as cited in Aven, 2011). In the evolution of the concept, Kaplan and Garrick (1981) defined it as a function of three variables, s, p and c, where s is the scenario, p the probability of the scenario and c the consequence of the risk in that scenario. In the study by Reger and Huff (1993), the concepts associated with risk vary in their perception according to the processes or organizational areas; financial risks are seen as having both positive and negative effects.
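The Kaplan and Garrick definition written out as a worked equation (added here; the set-of-triplets notation is theirs, not the page's):

$$R = \{\langle s_i,\; p_i,\; c_i \rangle\}, \qquad i = 1, 2, \ldots, N$$

where $s_i$ answers "what can go wrong?", $p_i$ "how likely is it?" and $c_i$ "what are the consequences?", and the $N$ scenarios are meant to be collectively exhaustive. Risk is the whole set, not a number: a scalar summary such as $\sum_i p_i c_i$, or a single probability-times-impact cell in a risk matrix, discards the scenario $s_i$ and mixes consequences of different kinds, which is the ambiguity the later sections attribute to classifying risks by their consequence.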
Bravo and Sánchez (2012), on the other hand, define risk as the events that cause the result to fall below expectations, with consequences that vary with the situation. Norman (2016) considers risk the probability of occurrence of an unwanted event that could negatively affect the organization's mission. For Hopkin (2017), risk is an event with the capacity to impact, whether by inhibiting, enhancing or creating uncertainty in aspects such as mission, strategy, projects, routines, operations, objectives, key processes, dependencies and the distribution of stakeholder expectations.
Table 1 presents the different definitions of the concept of risk that have been presented.
Table 1
Risk definitions
Author | Definition
ISO 31000:2018 | Effect of uncertainty on objectives.
IRM (2002) | Combination of the probability of an event and its consequences, which may be opportunities for benefit or, conversely, threats.
COSO (Curtis et al., 2012) | Function of probability and consequence; risk and opportunity are treated as opposite effects.
ASIS International (2015) | Effect of uncertainty on the achievement of objectives, which can be strategic, tactical or operational.
Lowrance (1976) | A measure of the likelihood and severity of adverse effects.
Kaplan and Garrick (1981) | Function of the triplet s, p, c, where s is the scenario, p is the probability of the scenario, and c is the consequence of that scenario.
Bravo and Sánchez (2012) | That which may cause the result to fall below expectations, with consequences that vary according to the situation.
Norman (2016) | Probability of an unwanted event occurring that could negatively impact the organization's mission.
Source: Authors.
These definitions share as common factors probability, consequences, and a negative event or an opportunity. Because consequences can be negative or positive, classifying business or organizational risk can generate ambiguity; before analyzing that classification, it is therefore important to understand what risk management means in the company.
Risk management in the company has been widely characterized by methodologies that have contributed, from practice, to the reduction of uncertainty, especially when it comes to adverse risks. For this reason, the application of ERM began in the financial sector (Bromiley et al., 2014); since then, the concepts of ERM have evolved to consolidate themselves as a new discipline.
Meulbroek (2002) defined it as Integrated Risk Management: the identification and assessment of all the elements that affect the value of the firm, and the implementation of a broad range of strategies to manage that risk.
A year later, Verbrugge et al. (2003) used the acronym ERM to refer to a broad approach to the corporation, which transcends the departmentalized perspective of risks, incorporating a responsibility structure. Likewise, Sobel and Reding (2004) referred to this structure, highlighting the importance of reducing uncertainty and including all business risks through a holistic approach.
In this regard, Segal (2011) defined ERM as the process by which companies identify, measure, manage and communicate key risks, with the aim of increasing value for stakeholders.
From a holistic approach, after analyzing concepts from organizations and institutes such as BS 31100, IAA, ACT, COSO, ICAEW and HM Treasury, Hopkin (2011) identified three key activities in ERM: (i) the assessment of significant risks, (ii) the assignment of a responsible person within the process, and (iii) the monitoring or follow-up of actions. These activities are applied on the basis of the organization's risk appetite. Reducing uncertainty is essential and is achieved by obtaining information and meeting objectives; it shows up as improved business efficiency and results, value for shareholders and stronger accountability to stakeholders (Hopkin, 2017).
In a similar approach, Hampton (2009) defines ERM as the process of identifying the greatest risks faced by organizations, anticipating their impact on business processes, guiding them through a systematic and coordinated plan, and involving key people to manage critical risks.
For McShane et al. (2011), risk management has traditionally been compartmentalized, being limited to pure risks, so it is necessary to integrate it with financial, operational and strategic risks.
Finally, Bromiley et al. (2015) proposed three common elements within the ERM: (i) risk as a portfolio, i.e., all risks affect the corporation and not individual units; (ii) the importance of traditional risks, recognizing the importance of strategic risk; and (iii) the need to identify opportunities within the risk. Therefore, the risk portfolio is grouped and classified in a unified way, facilitating the taxonomy based on common elements for its identification and analysis.
The heterogeneity in the ways risks are classified in companies calls for a qualitative approach based on identifying common factors that can be differentiated from one another. Through a descriptive-conceptual study of the taxonomy of risks within organizations, an exploratory and descriptive analysis is therefore carried out, aimed at isolating the ambiguities and heterogeneities present in these classifications. Harmonizing common elements such as the source, the event and the consequence of the risk allows previous contributions to risk classification to be delimited more precisely.
The exploratory-descriptive analysis, developed under an inductive and praxeological approach within a constructivist paradigm, is framed in business dynamics in order to support an adequate construct for standardizing risk types within organizations. Based on a non-experimental, documentary design, it draws on events that have actually occurred in companies to formulate a classification that is coherent with that experience (Eckert & Gatzert, 2015).
This research aims to respond to three propositions that guide the descriptive analysis:
Classification of organizational risks
The classification of knowledge seeks to group, in different categories, common properties, understanding the similarities, characteristics, qualities or shared attributes (Ander, 1995). In this sense, classification facilitates the understanding of the generalities of each group and, in turn, the differentiation of elements with similar particularities. For Porta and Silva (2003), classification consists of the categorization and differentiation of the elements of a set based on defined criteria, which guides the formulation of strategies and controls, with two related perspectives of analysis, one academic and the other praxeological.
To raise the discussion around the different forms of risk classification, it is important to mention that its study is approached from various disciplines, among which actuarial, toxicological, epidemiological, engineering, economics, social theories of risk and cultural theories stand out (Renn, 1992).
The IRM proposes a classification of four risk groups, cutting across three types of context: external, internal and mixed. The four groups are: (1) financial risks, (2) strategic risks, (3) hazard risks, and (4) operational risks (IRM, 2002). Financial risks include interest and exchange rates, credit, liquidity and cash flow. Strategic risks include competition, changes in consumer and industry habits, customer demand, research and development, and intellectual capital. Operational risks cover accounting controls, information systems, recruitment, supply chain, regulation, culture and the composition of the management team. Finally, hazard risks include public access, employees, property, products and services, contracts, natural events, suppliers and the environment.
Ambiguity is evident in this classification: for example, an inadequate organizational culture falls under both operational risks and personnel-related hazard risks (IRM, 2012), so negligence, as a causal factor, could be placed in either category.
Another relevant classification is the one proposed by COSO-ERM, which identifies four types of risks: (1) strategic, (2) operational, (3) reporting, and (4) compliance (Hopkin, 2017). Regarding the risk of reporting, a key factor is the reliability of this function; however, it is not considered a standalone classification, as it may be present in other categories.
From an academic perspective, positions on risk show both similarities and divergences. A closely related classification is that of Van Greuning and Brajovic (2003), who identify four risk groups: (1) financial, (2) business, (3) operational, and (4) event risks. Financial risks include: balance sheet structure, income statement structure, capital adequacy, credit, liquidity and market risk. Business risks include: macro-political context, financial infrastructure, legal infrastructure, legal liability, regulatory compliance, reputational risk, fiduciary risk and country risk. Operational risks include: internal fraud, external fraud, workplace labor practices and safety, customers, business products and services, damage to physical assets, technological risks, distribution, execution and process management. Finally, event risks include: political risk, contagion, banking crisis and other exogenous risks.
The business-risk group overlaps with regulatory and legal compliance, which brings this proposal close to the classification put forward by COSO.
Mejía (2006) proposes two groups of risks according to context: those arising from the external environment and those generated in the company's internal context. Environmental risks are those associated with nature; with the country, region and city where the company is located; and with its economic sector and industry. Risks internal to the company are broader and include: non-systematic, reputational, strategic, operational, financial, market, price, liquidity, credit, technological, labor and physical risks.
Martínez (2007), in turn, classifies organizational risks into five categories: (i) social and public security, (ii) hygiene and health, (iii) internal and external environmental, (iv) social or general interest, and (v) technical and intervention.
Olson and Wu (2010), on the other hand, identify five types of risks in the company: (i) strategic, (ii) operational, (iii) legal, (iv) credit, and (v) market. Another classification is that of Segal (2011), who distinguishes three types: (i) financial, (ii) strategic and (iii) operational; however, it leaves open the possibility of a fourth category corresponding to insurable risks.
For the banking sector, the Office of the Comptroller of the Currency (OCC) lists nine risk categories: (i) compliance, (ii) credit, (iii) foreign exchange, (iv) interest rate, (v) liquidity, (vi) price, (vii) reputation, (viii) strategic, and (ix) transaction (Duckhert, 2012). Several of these share a financial nature (credit, foreign exchange, interest rate, liquidity, price and transaction risk) and can be grouped accordingly. The list omits risks related to employee misconduct or unsafe working conditions, which other classifications treat as operational risks; in effect it leaves out the risks that derive from human intent within the organization.
Finally, similar to what was proposed by the IRM (2002) and Olson and Wu (2010), Hopkin (2017) identifies four categories of risks: (i) compliance, (ii) hazard (or pure), (iii) control (or uncertainty), and (iv) opportunity (or speculative). It also maintains that there is no single correct or erroneous classification, since different authors may propose different typologies. Despite this, the risk classification mechanisms mentioned by Hopkin (2017) incorporate elements that allow other categories to be formulated, such as the source of the risk, the time scale, the nature of the impact and the magnitude of the risk.
Thus, classification by source yields (i) strategic, (ii) tactical, (iii) operational and (iv) compliance risks. Classification by impact follows the FIRM risk scorecard: (i) financial, (ii) infrastructure, (iii) reputation and (iv) market. Finally, external (environmental) risks are analyzed with the PESTLE framework across political, economic, social, technological, legal and environmental scenarios.
Table 2 presents the different risk classifications previously presented, evidencing the lack of unity of criteria in the differentiation of risk types.
Table 2
Analysis of common elements in risk classifications derived from the internal context of the company
ERM risk classification | Author
Financial, strategic, hazard and operational. | IRM (2012)
Strategic, operational, reporting and compliance. | COSO-ERM
Financial, business, operational and event. | Van Greuning and Brajovic (2003)
Reputational, strategic, operational, financial, market, price, liquidity, credit, technological, labor and physical. | Mejía (2006)
Social and public security, hygiene and health, internal and external environmental, social or general interest, technical and intervention. | Martínez (2007)
Strategic, operational, legal, credit and market. | Olson and Wu (2010)
Financial, strategic and operational; with the option of including insurable risks. | Segal (2011)
Compliance, credit, exchange, interest rate, liquidity, price, reputation, strategy and transaction. | Duckhert (2012)
Compliance, hazard, control, opportunity, strategic, tactical, operational, financial, infrastructure, reputation and market. | Hopkin (2017)
Source: Own elaboration with the sources cited.
Based on the above, the frequency with which categories recur across the classifications proposed by the nine authors or organizations in Table 2 is analyzed through a Pareto analysis. As Table 3 shows, 60% of the classification occurrences correspond to: (1) financial risks, (2) strategic risks, (3) operational risks, (4) compliance or legal risks, and (5) reputational risks. That is, roughly 20% of the categories identified account for 60% of the recurring classifications among the selected authors.
Table 3
Pareto analysis of risks commonly defined by different authors
Risk classification | Frequency | % | Cumulative %
Financial risks | 7 | 15% | 15%
Strategic risks | 7 | 15% | 30%
Operational risks | 7 | 15% | 45%
Compliance risks | 4 | 9% | 53%
Reputational risks | 3 | 6% | 60%
Hazard risks | 2 | 4% | 64%
Market risks | 2 | 4% | 68%
Reporting risk | 1 | 2% | 70%
Business risk | 1 | 2% | 72%
Event risk | 1 | 2% | 74%
Technological risk | 1 | 2% | 77%
Occupational risk | 1 | 2% | 79%
Physical risk | 1 | 2% | 81%
Social and public security risks | 1 | 2% | 83%
Hygiene and health risks | 1 | 2% | 85%
Internal and external environmental risks | 1 | 2% | 87%
Risks of social or general interest | 1 | 2% | 89%
Technical and intervention risks | 1 | 2% | 91%
Control (or uncertainty) risks | 1 | 2% | 94%
Opportunity (or speculative) risks | 1 | 2% | 96%
Tactical risks | 1 | 2% | 98%
Infrastructure risks | 1 | 2% | 100%
Total | 47 | |
Source: Authors' elaboration from different related sources.
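As an added check on the Pareto analysis above (example code written for this edit, not part of the paper), the following Python recomputes Table 3 from the frequency counts reported there and tests the 60% cut-off. The category names and counts are those of Table 3; the only assumption is that the table rounds to whole percentages.

```python
"""Pareto analysis of risk-classification frequencies.

Added example, not code from the paper: it recomputes Table 3 from the
frequency counts reported there and checks the "vital few" claim that the
five most recurrent categories cover 60% of the 47 classification
occurrences. Counts and category names are taken from Table 3.
"""
from typing import Dict, List, Tuple

Row = Tuple[str, int, float, float]  # category, frequency, % share, cumulative %

# Frequency of each category across the nine classifications (Table 3 values),
# listed in the table's own order so that ties keep that order.
TABLE3_COUNTS: Dict[str, int] = {
    "Financial": 7, "Strategic": 7, "Operational": 7, "Compliance": 4,
    "Reputational": 3, "Hazard": 2, "Market": 2, "Reporting": 1,
    "Business": 1, "Event": 1, "Technological": 1, "Occupational": 1,
    "Physical": 1, "Social and public security": 1, "Hygiene and health": 1,
    "Internal and external environmental": 1, "Social or general interest": 1,
    "Technical and intervention": 1, "Control (uncertainty)": 1,
    "Opportunity (speculative)": 1, "Tactical": 1, "Infrastructure": 1,
}


def pareto_table(counts: Dict[str, int]) -> List[Row]:
    """Rows sorted by descending frequency with exact (unrounded) shares.
    sorted() is stable, so equal counts keep the dict's insertion order."""
    total = sum(counts.values())
    rows: List[Row] = []
    running = 0
    for cat, freq in sorted(counts.items(), key=lambda kv: kv[1], reverse=True):
        running += freq
        rows.append((cat, freq, 100.0 * freq / total, 100.0 * running / total))
    return rows


def vital_few(counts: Dict[str, int], target_pct: float, rounded: bool = True) -> List[str]:
    """Leading categories needed to reach target_pct of all occurrences.
    rounded=True compares the whole-number cumulative percentage printed in
    Table 3; rounded=False uses the exact cumulative share."""
    chosen: List[str] = []
    for cat, _freq, _pct, cum in pareto_table(counts):
        chosen.append(cat)
        if (round(cum) if rounded else cum) >= target_pct:
            return chosen
    return chosen


def render(counts: Dict[str, int]) -> str:
    """Table 3 as text, rounded to whole percentages like the paper."""
    lines = [f"{'Risk classification':<38}{'Freq':>5}{'%':>6}{'Cum %':>7}"]
    for cat, freq, pct, cum in pareto_table(counts):
        lines.append(f"{cat:<38}{freq:>5}{round(pct):>6}{round(cum):>7}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(TABLE3_COUNTS))
    print("60% reached (rounded):", vital_few(TABLE3_COUNTS, 60))
    print("60% reached (exact):  ", vital_few(TABLE3_COUNTS, 60, rounded=False))
```

With exact shares the five categories reach 59.6%, so the 60% threshold is only met after rounding; a sixth category (hazard risks) is needed to cross it exactly. The substantive conclusion, that about a fifth of the categories carry three fifths of the mentions, is unaffected.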
This result entails the description of each of these risks, in order to determine if all the risks within the company are consolidated in these categories. Therefore, the different concepts of financial, strategic, operational, compliance and reputational risks are analyzed, from an epistemological and pragmatic perspective.
Financial risk: According to Gabriel and Baker (1980), this refers to the aggregate variation in the net cash flows of the owners of the capital, derived from the fixed financial obligation, associated with financing through debt or leases; however, it is also considered to encompass situations of illiquidity or cash insolvency. Among the risks implicit in this classification, Gastineau (1993) identified the following: rate, market, liquidity, credit, legal and regulatory, accounting and fiscal risks.
Philippe (2007) defined financial risks as potential losses related to financial market activities, including market risks (arising from price volatility), liquidity and credit risks. Keating et al. (2009), in their study, defined financial risk as the degree of uncertainty that the consumer is willing to accept in the face of a financial transaction, associating risks with the form of payment and the credit options offered.
A more systemic concept is defined by Kovacevic and Pflug (2015) as:
An event that triggers a loss of economic value or confidence in a substantial portion of the financial system that is severe enough to have significant adverse effects on the real economy, and consequent increases in uncertainty. Systemic risk events can be sudden and unexpected, or the likelihood of them occurring can accumulate over time in the absence of appropriate policy responses. The actual adverse economic effects of systemic problems are generally considered to arise from disruptions in the payment system, credit flows, and the destruction of asset values. (p. 2)
Strategic risks: Strategic risk is defined by Emblemsvåg and Kjølstad (2002) as those situations of extended uncertainty in the pursuit of strategic objectives in a competitive environment. According to Drew et al. (2006), a strategic risk arises when an organization's competitive position and long-term survival are threatened. Within this category, factors such as customer preferences, technological innovation, regulatory framework, political impediments, and positioning have been considered (D'Arcy and Brogan, 2001).
According to Iverson (2013), strategic risk is directly linked to the investment decisions of the board of directors, classified into four levels: strategic, investment, implementation and review. Each level entails specific types of investment and associated risks, such as governance, asset allocation, timing, structure, implementation, and monitoring. Strategic risk is also closely linked to long-term thinking and the formulation of objectives (Bula, 2014). The difficulty arises when long-term goals are not considered in a changing environment, making continuous monitoring essential to identify variations and apply corrective measures.
Operational risk: Operational risk is one of the broadest and most complex categories. The Basel Committee defines it as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events; it includes legal risk but excludes strategic and reputational risk. It is mapped onto eight business lines: (1) corporate finance, (2) trading and sales, (3) retail banking, (4) commercial banking, (5) payment and settlement, (6) agency services, (7) asset management, and (8) retail brokerage (Moscadelli, 2004). Under this approach financial risk can end up contained within operational risk, given the operational nature of the banking business model, and the Basel Committee's framework adopts and validates that view (Cornalba and Giudici, 2004; Jarrow, 2007; Sturum, 2013).
Despite an apparent consensus, operational risk has been defined heterogeneously in the literature. Moosa (2007) links it to losses generated by events such as fraud, theft, cyberattacks, flight of key personnel, litigation, information disruptions, terrorism, vandalism and natural disasters. For their part, D'Arcy and Brogan (2001) expand this scope to include aspects such as customer satisfaction, product development and failure, brand protection, corporate leadership, information technology, fraud management, and information risks.
Finally, Sahmad (2008) conceives operational risk as any loss caused by a failure in the operation, arguing that this type of risk can amplify others such as market, credit, liquidity, and underwriting, which would be less significant in the absence of operational failures.
Compliance risk: At a general level, this risk is related to the imposition of sanctions by regulatory entities for non-compliance with regulations (Adams, 1994). Rayner (2003) defines it as the contravention or omission of rules, either inadvertently or deliberately, which can generate consequences such as litigation, legal investigations, civil or criminal sanctions, public censure, loss of licenses, fines, disqualification, imprisonment, decrease in the value of shares, claims for damages and loss of business.
For Kocziszky et al. (2017), compliance risks generate losses derived from conflicts of interest related to internal and external compliance with regulatory regulations.
Reputational risks: Rayner (2003) argues that the more accurate term is "risk to reputation", since any risk, regardless of its source, has the power to damage an organization's image. In other words, reputational risk should be understood as a consequence derived from another risk, not as an event in itself. To understand this, it is necessary to take into account that reputation is a perceptual representation of a company's past actions and future prospects, reflecting its overall attractiveness to key stakeholders compared to its main competitors (Eckert & Gatzert, 2015).
The Basel Committee defines it as a risk that arises from a negative perception by stakeholders, which can affect the corporate image or new business relationships (Sturum, 2013).
Analysis: In short, according to the reviewed concepts and the most common risk classifications, there is still no clear delimitation or homogeneous grouping of each type of risk and its components. Despite this, financial, operational and strategic risks form a solid structure whose concepts, although not identical across authors, maintain a general coherence.
However, as evidenced above, certain risks such as financial fraud can also be interpreted as operational risks, depending on their cause. Likewise, compliance or legal risks and reputational risks are not easily differentiated, since compliance risk can be integrated within strategic, financial or operational risks. This confirms the P1 proposition, which states that the same risk can be classified into several categories simultaneously.
Reputational risks should be understood as a consequence that may arise from any of the three fundamental risks; for example, in the case of a surveillance services company, if there is a breach of its mission duties and it is sanctioned, the event is classified as an operational risk; however, if the breach corresponds to an internal regulation linked to the liquidity policy, it would be a financial risk. In both cases, compliance risk acts transversally and implicitly, affecting other classifications (Comité de Supervisión Bancaria de Basilea, 2016).
Reputational risk can also originate from a strategic risk; for example, if a strategic decision violates an environmental standard, its initial impact would be legal, but could generate a subsequent reputational impact. In this sense, the different risk classifications maintain their dependence and origin in three main categories, strategic, operational and financial, which validates the P2 proposition.
Finally, an additional alternative, according to Hopkin (2017), is to consider the elements that make up risk as a source of classification, which is analyzed below.
Risk components
To understand and classify risk, it is essential to analyze its components. Hopkin (2017) suggests that the source of the risk, its timescale, the nature of the impact, and the magnitude are key elements for its classification. This perspective aligns with the description of risk from the International Organization for Standardization (2018), which considers the source, event, and consequences as applied in the Bow Tie methodology, widely used for risk analysis (Lewis & Smith, 2010; Van Thienen et al., 2014).
These three elements (causes, occurrence and consequences) allow us to propose risk classifications according to their type within the organization. An analysis of global risk cases (Table 4) reveals that the source of all risks is human, whether intentional or otherwise. Sutcliffe and Rugg (1998) identify the level of competence, the interpretation of the rules and the level of knowledge as causes of error. This suggests that a classification of risk could be based on its source, or even employ designations of causes of error, such as the four categories of human error in the Human Factors Analysis and Classification System (HFACS): (i) organizational influences, (ii) unsafe supervision, (iii) preconditions for unsafe acts, and (iv) unsafe acts of the operator, together with the 19 possible factors that induce error (Shapell et al., 2007).
Table 4 analyzes the elements that make up business risk previously defined: source of risk, event (or risk) and its consequence, based on a non-probabilistic sample.
Table 4
Description of cases of risk manifestation in companies

| Situation presented | Source | Event | Consequence |
|---|---|---|---|
| Fraud case: collection diversion (Milner & Ghiardotti, 2017). | Human (intentionality) | Fraud | Economic and reputational |
| Three years in prison for stealing and revealing information from his company (Martínez, 2011). | Human (intentionality) | Information theft | Informational |
| 11 products that have been recalled (CNN, 2014). | Human (skills or interpretation) | Failure to comply with quality requirements | Human, economic and reputational |
| Case of machinery breakdown. | Human (competencies/fortuitous) | Production disruption | Economic and operational |
| Case of occupational accident (Junta de Andalucía, 2015). | Human (competencies or perceptual) | Occupational accident | Human, operational and economic |
| The case of the Anchicayá River, a transcendental ruling for the environment (Revista Semana, 2012). | Human (intentionality) | Dumping of hazardous waste | Environmental, reputational and legal |
| Loss of physical information. | Human | Loss of sensitive information | Economic and reputational |
| Measurement of the impact of time and distance on transport (Sánchez et al., 2009). | Human (competencies) | Insufficient logistical resources | Economic and reputational |
| Security employee, imprisoned for wanting to steal from his work (Diario Hoy, 2018). | Human | Employee unreliability | Economic |
| Arrests uncover case of kidnapping and extortion in La Riviera (Caracol Radio, 2017). | Human (intentionality) | Kidnapping | Human and economic |
| Heavy machine operator dies (Perzabal, 2017). | Human (competencies) | Machinery damage | Human and economic |
| Odebrecht: The construction company bribed more than 1000 people in the world (Irujo, 2017). | Human (intentionality) | Corruption | Economic, reputational and legal |
| Pony Malta, "Pony Muerto" and the power of social networks (Behar, 2015). | Human (intentionality) | Rumor | Economic and reputational |
| First case of money laundering of a Colombian company detected in the Panama Papers (RCN Radio, 2016). | Human (intentionality) | Money laundering | Economic, legal and reputational |
| Work climate (Martínez, 2009). | Human (intentionality or competencies) | Inadequate work environment | Economic and operational |
| Product with low commercial demand. | Human (competencies) | Unqualified product | Economic |

Source: Own elaboration with the cases cited.
Table 4 shows common elements across the cases, from which it can be deduced that reputational impact is a consequence and not a classification of risk. Another finding from the examples is the need to intervene in human talent, since it is the main source of risk in organizations.
Differentiation between classification and consequence of risk: a construct
With the Bow Tie methodology, the components that make up the risk timeline are identified, which differs from the classification derived from the previously proposed grouping of strategic, financial and operational risks. An important finding concerns the source, where it is evident that a wide spectrum of risks is generated by the human threat, responsibility for which falls mainly on the auditing, security and human talent management processes. Some authors define these as security risks (Talbot & Jakeman, 2009), considered capable of causing damage to the different assets or processes of the organization.
On the other hand, within the human source, decision-making errors are also identified, based on competencies and perceptual aspects, whose responsibility is distributed among all the processes of the organization. The source of the risk highlights the evidence that human resources departments or areas constitute, in essence, the first control of risk within the company, by implementing selection processes that seek not only competent, but also reliable candidates. Table 5 presents the risk classification based on the human source.
Table 5
Classification of human (anthropogenic) risks within the internal context of the organization, according to the primary source

| Risks by primary source | Explanation |
|---|---|
| Human intentionality | From deviant behavior, the aim is to affect the organization or benefit oneself, and, therefore, internal safety standards are not complied with. |
| Poor skills | Errors derived from lack of knowledge or experience in the activities carried out. |
| Perceptual errors | Actions carried out based on an incorrect perception of a condition, which is assumed to be adequate, generating undesired consequences. |
| Errors in decision-making | The decisions that are made are entirely intentional; however, they do not seek to generate damage or their own benefit. These are also called "honest mistakes." |
| Substandard mental or physical conditions | Actions derived from inadequate physical or mental conditions. |

Source: Authors' elaboration with information from Shapell et al. (2007) and Pratt and Cullen (2000).
Martínez (2007) classifies risk events into categories such as social and public security, hygiene and health, environmental (internal and external), social or general interest, and technical and intervention. However, this classification does not ensure that a risk belongs to a single category. Therefore, it is crucial to clearly differentiate and conceptualize each risk, grouping risks by common elements to achieve a classification less ambiguous than other forms, such as those based on the source of the risk. Further cases need to be investigated to expand this classification model.
Finally, in relation to the consequences, seven types were previously identified: (i) human, (ii) environmental, (iii) operational, (iv) reputational, (v) economic, (vi) legal and (vii) informational; these will be referred to hereafter by the acronym HAORELI, made up of the initials of each type of consequence. A single risk event may fall into several of these types simultaneously, that is, it may generate several types of consequences; for example, money laundering has economic, legal and reputational repercussions. This ambiguity makes the consequence difficult to use as a risk classification mechanism, as detailed in Table 6, which includes the reputational impacts of risk and allows us to accept proposition P3.
Table 6
Risk classification according to the HAORELI consequence

| Asset subject to consequence | Concept |
|---|---|
| Human (human risks) | It directly affects people's quality of life, health, tranquility or life. |
| Environmental (environmental risks) | It affects nature and the environment. |
| Operational (operational risks) | It affects an organization's operation or processes. |
| Reputational (reputational risks) | It impacts the corporate image in the eyes of public opinion. |
| Economic (economic risks) | It affects an organization's tangible assets. |
| Legal (legal risks) | It generates legal proceedings against the organization. |
| Informational (information risks) | It impacts the attributes of the physical, digital and knowledge information held by the organization's personnel. |

Source: Authors.
This segmentation of the consequences explains that risks, depending on the form of occurrence, can generate several impacts within the HAORELI variables, highlighting risk by scenarios, as proposed by Kaplan and Garrick (1981). The consequence-based approach strengthens the accuracy of the design of new analysis matrices to assess the different impacts according to human, environmental, operational, reputational, economic, legal and informational dimensions. Together, these also allow us to formulate models to calculate risk acceptability and appetite. This goes beyond what is proposed by the RAMCAP methodology (Risk Analysis and Management for Critical Asset Protection, of the American Society of Mechanical Engineers [ASME]), whose impact classification is geared toward critical infrastructure (Brashear & Jones, 2010) and is oriented to economic, human and informational impacts, without considering the environmental, operational, reputational and legal consequences.
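The scope/consequence separation and the appetite matrices described above, as an added Python example that is not part of the paper: each register entry carries one scope (strategic, financial or operational) and a HAORELI consequence vector, so that grouping by consequence places one event in several buckets while checking each dimension against a tolerated level. The 0..5 severity scale, the sample entries and the appetite values are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# The seven HAORELI consequence dimensions of Table 6, kept in the paper's order.
HAORELI = ("human", "environmental", "operational", "reputational",
           "economic", "legal", "informational")


class Scope(Enum):
    STRATEGIC = "strategic"
    FINANCIAL = "financial"
    OPERATIONAL = "operational"


@dataclass
class Risk:
    """One register entry: scope is the classification, consequence is a construct."""
    event: str
    source: str        # e.g. "human (intentionality)", as in Table 4
    scope: Scope
    consequence: dict  # HAORELI dimension -> severity on a hypothetical 0..5 scale

    def __post_init__(self):
        unknown = set(self.consequence) - set(HAORELI)
        if unknown:
            raise ValueError(f"unknown consequence dimension(s): {sorted(unknown)}")
        if any(not 0 <= v <= 5 for v in self.consequence.values()):
            raise ValueError("severity must lie within 0..5")


def affected_dimensions(risk):
    """Dimensions with non-zero severity; typically more than one per event."""
    return tuple(d for d in HAORELI if risk.consequence.get(d, 0) > 0)


def group_by_consequence(risks):
    """Bucket events by consequence type: one event lands in several buckets (P3)."""
    buckets = {d: [] for d in HAORELI}
    for r in risks:
        for d in affected_dimensions(r):
            buckets[d].append(r.event)
    return buckets


def exceeds_appetite(risk, appetite):
    """Dimensions whose severity is above the tolerated level (absent entries tolerate 5)."""
    return tuple(d for d in HAORELI if risk.consequence.get(d, 0) > appetite.get(d, 5))


# Constructed register from three Table 4 cases; the severity values are hypothetical.
SAMPLE = [
    Risk("Money laundering", "human (intentionality)", Scope.FINANCIAL,
         {"economic": 3, "legal": 4, "reputational": 4}),
    Risk("Rumor", "human (intentionality)", Scope.STRATEGIC,
         {"economic": 2, "reputational": 3}),
    Risk("Occupational accident", "human (competencies or perceptual)",
         Scope.OPERATIONAL, {"human": 4, "operational": 2, "economic": 2}),
]
APPETITE = {"human": 0, "legal": 1, "reputational": 2, "economic": 4}  # hypothetical
```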
The conceptual diversity of risk converges in the existence of three components: probability, event, and consequence. The latter, depending on the approach adopted, can involve both positive and negative events. As in ERM, the different models have provided a significant framework of reference for organizations in risk management.
The taxonomy of organizational risks lacks universal consensus, which leads to classifications that, while useful, are often empirical and ambiguous. There is a predominant tendency, both in the literature and in professional practice, towards the categorization of risk into three main dimensions: operational, financial and strategic; however, the conceptualization of risk and the delimitation of each category vary substantially between authors and frameworks. This conceptual heterogeneity generates not only interpretative divergences, but also overlaps, in which the same risk event can be properly classified into more than one category. Consequently, the proposition that business risks, due to their interconnected and multifaceted nature, transcend the limits of a single classification, manifesting themselves simultaneously in various dimensions, is validated.
By characterizing risk in its basic components, source, event, and consequences, it is concluded that the proposed classifications are mainly heterogeneous. In addition, the consequence encompasses human, environmental, operational, reputational, economic, legal and informational factors (HAORELI). This consequence classification model facilitates the development and implementation of impact analysis matrices, improving the understanding of each variable and its scale of impact within the risk appetite of each organization.
Among the most relevant findings is that the current state of the art on business risk does not present a consensus classification among academics and organizations specialized in the subject. Reputational risk has greater affinity with the consequences of risk than with traditional ERM ratings. So far, the most coherent classification, according to what has been proposed by various authors, is limited to three categories: strategic, operational and financial, and some risks, due to their similarity and nature, may belong to two or more classifications simultaneously. In this sense, classifying risk based on its consequences (HAORELI model) offers a clearer and more functional alternative.
Given the exploratory nature and qualitative approach of this research, there may be other risk classifications beyond those addressed (strategic, financial and operational). This suggests the need to analyze more information from the praxeological perspective.
It is recommended to rethink the classification of risk based on symbolic interactionism, considering its particularities and seeking its articulation with the common classifications proposed by the main authors and organizations of the ERM, especially from the perspective of the risk event.
Ethical considerations
This research did not require ethical approval, as it was based on a review of documents.
Conflict of interest
All authors made significant contributions to the paper and declare that there is no conflict of interest related to this article.
Authors' contribution statement
Julio César González: Conceptualization, Methodology, Validation, Formal analysis, Research, Resources, Data curation, Writing - Original draft.
Ramiro Díaz Carreño: Resources, Writing: review and editing, Visualization, Supervision, Project management, Acquisition of funds.
Source of financing
Article financed with the authors' own resources.
Unsafe supervision includes four errors: inadequate supervision, inadequate planning of operations, failure to correct known problems, and supervisory violations.
Preconditions for unsafe acts have three groups, each with its own subgroups: environmental factors, condition of operators and personnel factors. Environmental factors comprise the physical environment and the technological environment; the condition of operators comprises adverse mental states and physical or mental limitations; and personnel factors comprise personnel resource management and personal readiness.
Unsafe acts likewise have two classifications with their own subclassifications: errors and violations. Within errors there are three types: decision errors, skill-based errors and perceptual errors. Within violations, routine and exceptional violations are contemplated.