Creating a Risk Profile

When creating a Risk Profile of an organization (I will focus on a software development company), you need to carry out the following activities:

  1. Establish the organization’s risk appetite and risk tolerance.
  2. Identify potential risks in the categories vital for the organization (see below).
  3. Rank, or prioritize, the risks based on the impact they might have on the organization, including the likelihood that each one will occur.
  4. Consider further prioritization within the relevant subcategories you have defined.
  5. Present the risk profile in a readable way, e.g. through a color-coded heat map.

If you wonder how to distinguish risk appetite from risk tolerance, here is my understanding:

  • Risk Appetite: How much risk you want to take.
  • Risk Tolerance: How much risk you can handle without too much stress.

I hope it helps.

Now about those categories. In software development I usually go with the following ones:

  • Operational Risks – project management failures, technical failures, resource allocation
  • Financial Risks
  • Market Risks
  • Technological Risks – including cyber security threats
  • Regulatory and Compliance Risks
  • Human Resources Risks
  • Strategic Risks
  • Reputation Risks

Remember that a Risk Profile changes over time! It needs to be regularly monitored and reviewed!