Risk Management

Risk Management is understood to mean “a set of coordinated activities to direct and control an organisation with regard to risks”.


The environment in which companies operate, and the processes within them, entail constantly evolving risks that can compromise the accomplishment of the objectives set at a strategic level, the achievement of company profitability and the creation of shareholder value.


The goal of Risk Management is to safeguard the company's resources and its economic and financial solidity. The objective is the pursuit of value maximization, the basic tenet of any business enterprise.

By identifying, assessing and treating risk, a Risk Management Process has the task of making the related risk profile compatible with the economic feasibility of the company.


However, it is only through collaboration, communication and integration between the various company functions that a true culture of risk can be instilled at all levels of the organization. This culture is based on awareness of the role that individual behaviour plays in exposure to risk and in attaining common corporate purposes.



The Risk Management process has evolved rapidly in recent years, which have seen the development, definition and formalisation of its main activities.


The formalisation of the process and its contents, and the definition of the roles of the players involved, have led to the creation of some benchmarks. The most common are listed below:


    • COSO 2017 - Enterprise Risk Management – Integrating with Strategy and Performance, published by the Committee of Sponsoring Organizations of the Treadway Commission (a U.S. private organization overseeing internal controls and corporate governance); it describes the most important principles, components and concepts related to corporate risks, with specific focus on the roles and tasks of the various functions within the sphere of Corporate Governance.
    • AS/NZS ISO 31000:2018, the evolution of the former Australian standard, known and adopted in Europe as ISO, subsequently adopted in Australia/New Zealand.


Fundamental Principles

The Risk Management Process basically aims at the Creation and Protection of Corporate Value.

The Creation and Protection of Value:


It is integrated into all of the organisation's processes

Risk management is not an independent sphere, separate from the organisation’s main activities and processes. It falls under the responsibilities of management, and is an integral part of all company processes, including strategic planning and all project and change management processes.

It is structured, global and dynamic

A systematic, timely, structured and dynamic approach to risk management contributes towards efficiency as well as consistent, comparable and reliable results, also in relation to the company's evolving context.

It is customised

Risk management must be fully in line with both the internal and external context, and reflect the risk profile of each enterprise.

It is inclusive

The appropriate and timely involvement of all the stakeholders, and particularly of the decision makers at all levels of the organization, ensures that risk management remains alive and up to date. It also allows the stakeholders to be duly represented, and their points of view heard, when the risk benchmarks are defined.

It is based on the best available information

Inputs to the risk management process are based on information sources such as historical data, experience, feedback from stakeholders, observations, forecasts and expert opinion. However, decision makers must inform themselves about, and take into account, any limitations of the data or of the analysis models used, and any divergence of opinion among specialists.

It considers human and cultural factors

Risk management must factor in elements such as the skills, perceptions and expectations of people inside and outside the organization, which can facilitate or hinder the accomplishment of objectives.

It is dynamic

Risk management must continuously respond to change. When external or internal events occur and the reference context changes, the risk identification, assessment and treatment stages must be repeated.

It strives for continuous enhancement

Businesses must devise and implement strategies to optimise their risk management plans.




The Risk Management Process

The implementation of a proper Risk Management Process cannot be separated from the concrete and tangible involvement of top management, whose task is necessarily to encourage the development of an adequate environment for the process to flourish. Therefore, not only is the framework design important, but so is the company's willingness to foster adequate risk awareness at all company levels.

Strictly speaking, the Risk Management Process unfolds in several individually distinct stages:


  • Definition of the application field of the corporate process, context and benchmarks

  • Risk assessment, through:
    • Identification
    • Analysis
    • Ponderation
  • Risk treatment, through:
    • Reduction
    • Prevention
    • Financing
  • Reporting

  • Monitoring and review

  • Internal and external communication and consulting