Business risk
Definition
Business risk is any threat — internal or external — that can dent a company’s sales, squeeze its margins, or sink its profit altogether. It spans strategic missteps, compliance gaps, operational breakdowns, financial shocks, and cross-border exposure. Risk can’t be erased, but it can be measured, priced, and managed.
Key takeaways
- Business risk spans five working categories: strategic, compliance, operational, financial, and reputational.
- Internal sources, including people, process, and technology, cause more outages than external shocks for most mid-market firms.
- A 2024 McKinsey survey found 40% of executives said their risk function still lagged the pace of business change.
- Outsourced functions inherit the provider’s risk posture, so vendor due diligence is part of risk management, not procurement admin.
- Mature programs price risk in dollars, not colours on a heat map.
Every operating decision carries some downside. A new product can flop. A key supplier can fold. A junior accidentally emails a customer list to the wrong distribution group.
The job of a risk program isn’t to predict each event. It’s to make the company resilient when one lands.
How it works
Business risk management runs on a four-step loop: identify, assess, treat, monitor. You list the threats that could damage revenue, reputation, or compliance. You rate each one by likelihood and impact. You decide whether to accept, reduce, transfer, or avoid it, then watch the indicators and update the register as conditions shift.
Most firms anchor this work in a risk register, a single document or platform that tracks every named risk, its owner, its controls, and its residual rating. The ISO 31000 standard, refreshed in 2018, sets the global baseline for how that register should be structured and reviewed.
Treatment usually falls into one of five buckets, and the choice often comes down to how cheap the control is versus how much loss it prevents.
| Treatment | What it means | Typical example |
|---|---|---|
| Avoid | Stop the activity that creates the risk | Exiting a sanctioned market |
| Reduce | Add controls to lower likelihood or impact | Multi-factor authentication on all logins |
| Transfer | Move the financial loss to a third party | Cyber-insurance policy or hedging contract |
| Accept | Acknowledge and budget for the risk | Self-insuring small petty-cash shortfalls |
| Share | Split the exposure with a partner | Joint-venture liability clauses |
The board owns the appetite, meaning how much risk the company is willing to carry to hit its growth targets. Management owns the controls. Internal audit checks the controls actually work. When any of those three roles drift, the whole program loses teeth.
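As an added example that is not part of the original entry, the register logic described above in Python: each risk is priced as likelihood times impact in dollars, a candidate control is adopted only when the loss it removes exceeds its own cost, and whatever remains is accepted, transferred or avoided against a stated appetite. Risk names, figures and the appetite are constructed for illustration, not taken from any real firm.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    name: str
    likelihood: float                  # annual probability of the event, 0..1
    impact: float                      # loss in dollars if it happens
    control_cost: float = 0.0          # annual cost of the candidate control
    reduced_likelihood: Optional[float] = None  # likelihood once the control is in place
    reduced_impact: Optional[float] = None      # impact once the control is in place
    premium: Optional[float] = None    # annual cost to transfer it (insurance, hedge)

    def inherent_loss(self) -> float:
        """Expected annual loss with no treatment: likelihood x impact, in dollars."""
        return self.likelihood * self.impact

    def residual_loss(self) -> float:
        """Expected annual loss after the candidate control (the register's residual rating)."""
        lk = self.likelihood if self.reduced_likelihood is None else self.reduced_likelihood
        im = self.impact if self.reduced_impact is None else self.reduced_impact
        return lk * im

def recommend(risk: Risk, appetite: float):
    """Pick a treatment bucket; returns (treatment, annual cost carried in dollars)."""
    inherent = risk.inherent_loss()
    if inherent <= appetite:                       # already inside appetite: budget for it
        return "Accept", inherent
    residual = risk.residual_loss()
    worth_control = risk.control_cost > 0 and inherent - residual > risk.control_cost
    exposure = residual if worth_control else inherent
    if exposure <= appetite:                       # control pays for itself and lands in appetite
        return "Reduce", residual + risk.control_cost
    if risk.premium is not None and risk.premium < exposure:   # cheaper to move the loss
        if worth_control:
            return "Reduce + Transfer", risk.control_cost + risk.premium
        return "Transfer", risk.premium
    return "Avoid", 0.0                            # nothing cheaper than stopping the activity

def build_register(risks, appetite: float):
    """Register rows (name, inherent loss, treatment, cost) sorted by inherent loss, largest first."""
    rows = [(r.name, r.inherent_loss(), *recommend(r, appetite)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample register; every figure here is illustrative.
SAMPLE = [
    Risk("Phishing-led account takeover", 0.6, 250_000, control_cost=40_000, reduced_likelihood=0.1, premium=60_000),
    Risk("Petty-cash shortfall", 0.9, 2_000),
    Risk("Single-supplier outage", 0.2, 2_000_000, control_cost=300_000, reduced_likelihood=0.05, premium=150_000),
    Risk("Sales into a sanctioned market", 0.3, 5_000_000),
]
```

Calling `build_register(SAMPLE, appetite=50_000)` returns the four rows ranked by inherent loss, with the sanctioned-market sales marked Avoid, the supplier outage Transfer, the account takeover Reduce, and the petty-cash shortfall Accept.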
Examples
Concrete cases land the categories faster than definitions.
Strategic risk, Kodak, 2012. The film giant filed for Chapter 11 bankruptcy in January 2012 after misreading the speed of the shift to digital photography. Its bankruptcy filing listed $6.75 billion in debts against $5.1 billion in assets. The technology wasn’t a surprise. Kodak engineers built the first digital camera in 1975, but leadership underweighted the strategic threat for two decades.
Compliance risk, Wells Fargo, 2016 to 2022. The bank paid more than $3 billion across settlements and fines after staff opened millions of unauthorised accounts to hit sales quotas. The Consumer Financial Protection Bureau’s 2022 order alone required $3.7 billion in customer refunds and civil penalties.
Operational risk, CrowdStrike outage, July 2024. A faulty kernel-level update from CrowdStrike took down roughly 8.5 million Windows machines on 19 July 2024. Delta Air Lines later claimed the incident cost it more than $500 million in lost revenue and recovery spend, a textbook case of operational risk concentrating inside a single supplier.
Financial risk, Silicon Valley Bank, March 2023. SVB failed inside 48 hours after a $1.8 billion loss on its bond portfolio triggered a digital deposit run. The collapse showed how interest-rate risk, concentration risk, and liquidity risk can compound when controls miss the link between them.
For outsourcing buyers, the lesson behind each case is the same. Risk usually shows up at the seams between teams, suppliers, and tech stacks. A solid vendor management program is the place where most of those seams get stitched.
Related terms
- Risk Management: the umbrella discipline that identifies, assesses, and controls business threats across every category.
- Operational Risk: exposure from failed internal processes, people, or systems during day-to-day delivery.
- Compliance: the practice of meeting every legal, regulatory, and contractual requirement that governs the business.
- Vendor Management: the controls a buyer uses to track third-party performance, security, and continuity.
- Business Continuity Plan (BCP): the playbook that keeps critical operations running through a disruption.
- Due Diligence: the fact-finding step that surfaces hidden risks before a deal or partnership closes.
- Service Level Agreement (SLA): the contract clause that turns vendor risk into measurable, enforceable thresholds.
FAQ
What’s the difference between business risk and financial risk?
Business risk covers anything that could threaten sales, profit, or survival, including strategic, operational, compliance, or reputational threats. Financial risk is the narrower subset tied to capital structure, debt, liquidity, and market moves.
Can business risk be eliminated?
No. Every revenue-generating activity carries some downside. Mature programs cut likelihood and impact through controls, transfer residual loss through insurance, and accept what’s left inside a stated appetite.
How often should a risk register be reviewed?
Most listed companies refresh the full register quarterly and update high-severity items in real time. Smaller firms can run a lighter semi-annual cycle, but anything longer than a year tends to miss material shifts.
Does outsourcing increase or reduce business risk?
Both. A capable provider absorbs operational and talent risk you’d otherwise carry alone. A weak one concentrates supplier risk and creates new compliance exposure. The deciding factor is the due-diligence and SLA work done before signing.
Who owns business risk inside a company?
The board sets the appetite, executives own the controls, and internal audit tests them. Every employee owns the risks attached to their own role. Risk management is a culture, not a department.
If you’re scoping an outsourcing program and want help mapping the risk register against vendor SLAs, talk to the Outsource Accelerator team for a shortlist of verified BPO partners matched to your sector.