Risk modeling

Risk angles.

Risk modeling has been prevalent for years in certain industries in which taking calculated risk is integral to the business, such as financial services and energy. 

More recently, organizations throughout the public and private sectors have begun to adopt a wide array of risk models and simulations to start addressing strategic, operational, compliance, geopolitical, and other types of risk. Wider availability of data and sophisticated analysis capabilities is making modeling more practical; at the same time, the need to cope with an increasingly risky environment is making it more valued.

Dr. Patchin Curtis, director, Deloitte & Touche LLP in the United States, and leader of Deloitte’s Center for Risk Modeling and Simulation, discusses the whys and hows of making risk modeling an integral part of enterprise risk management.


Q.   What’s giving rise to the use of risk modeling?

A.   The rise of Big Data and the introduction of dynamic data visualization tools have spurred an increased appetite for using data analytics to address risk. However, data analytics has its limitations, and one of them is that the historical data used is inherently backward looking. So, you’re seeing how a system has behaved in the past, and you can look for correlations, which can give you some indication of causation. But if you want to be predictive, you can’t extrapolate those results into the future assuming that the system will behave in the future as it has in the past. Circumstances and variables are always changing, and the past may not be a good predictor of the future. That’s where modeling comes in—as an adjunct to data analytics and other statistical techniques and a powerful decision-making tool in its own right.

A risk model is a mathematical representation of a system, commonly incorporating probability distributions. Models use relevant historical data as well as “expert elicitation” from people versed in the topic at hand to understand the probability of a risk event occurring and its potential severity. Gathering the right data is one of the two greatest challenges of risk modeling; the second is getting decision makers comfortable enough with the models and their underlying assumptions to use them when making meaningful decisions.


Q.   How are organizations using risk models?

A.   Risk models are applicable in assessing many types of risk. You might want to understand the risk to achieving broad strategic objectives or answer very specific questions. Perhaps you want to understand threats to your supply chain, or evaluate the geopolitical risks of entering an emerging market, or how an adaptive adversary (such as a hacker or terrorist) might attack you. Once risk models are developed, they can be used to evaluate not only how a system behaves under normal operating conditions but also under hypothetical “what if” scenarios. This helps organizations determine their level of risk tolerance and evaluate how to build resiliency into systems to be able to withstand various impacts.

It’s a common misconception that risk models are inherently very expensive and require many months or even years to develop. There are many new tools available and accelerators that help in creating even fairly complex models relatively quickly—in a time frame measured in weeks to a few months.


Q.   Where does risk modeling fit into an organization’s enterprise risk management (ERM) strategy?

A.   Risk models tend to be sprinkled throughout an organization, so companies with a mature ERM program will have identified risk owners for their key risks and a governance structure. Governance is important to monitor and oversee the quality of the assumptions used in the various models, and to intervene if competing models are presenting divergent outputs and causing confusion.

Any company employing risk models needs to understand how those models fit into the bigger picture of how it gathers and uses information about risks to make decisions. An emerging tactic is for organizations to move toward what we’re calling a Risk Analytics Sharing Center—a hub where risk information is stored. This hub is tied to primary data sets and other types of business intelligence to give a dynamic view of risks and how they're changing. Risk models are used to present this view, alongside other dynamic forms of risk sensing and data analytics. Really mature organizations are going one step farther and integrating risk intelligence with business intelligence.


The role of simulation in modeling

Eelco Schnezler and Michiel Lodewijk, Deloitte Netherlands directors, focus on model simulation to power enhanced decision making.

A model can be used to represent a system such as a business or production process, or even a balance sheet. Simulation is the exercise of looking at how that model behaves under certain conditions or assumptions. The results of such simulations can be used to help guide decision making or to gain insights into the underlying system or process so that it can be made more efficient, stable, resilient, secure—whatever quality is desired. In turn, the model itself can be adjusted and strengthened based on the outcomes of the simulation or as the underlying conditions or assumptions change.

In risk management, simulation can be used to measure risks, to guide decisions and sensible actions in light of those risks, to take steps to reduce risks, and to monitor risks over time. Together, modeling and simulation help reduce the complexity and alleviate the unease of making pivotal business decisions or investments in two ways. First, the act of creating a model inherently involves stripping away extraneous information so that only the essential elements remain, thus reducing a multidimensional problem to a more manageable form. Second, using simulation to see how the underlying system behaves under certain conditions or scenarios helps avoid surprises, lending a measure of comfort in making decisions. Simulation also lends a measure of control in guiding the outcomes of those decisions, in that you can make adjustments to the system or process to suit.

What models and simulations should not be used for, however, is to replace business acumen and common sense. Modeling and simulation by their nature look primarily at “known unknowns” and present results in terms of the probability of an outcome occurring—there is always some uncertainty. One of the fallouts we’ve seen from various crises, whether financial or geopolitical or natural disasters, is that certain long-held, widespread assumptions are simply not relevant anymore. A simulation can be a very powerful tool to test assumptions, realistic or far-fetched, to see the impact on the model and, in turn, understand how assumptions impact decisions about how you run your business. Think of models and simulations as a compass to guide decision making, rather than an autopilot that makes decisions for you.



Managing Risks: A New Framework


Risk management is too-often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. But rules-based risk management will not diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did not prevent the failure of many financial institutions during the 2007–2008 credit crisis.

In this article, Robert S. Kaplan and Anette Mikes present a categorization of risk that allows executives to understand the qualitative distinctions between the types of risks that organizations face. Preventable risks, arising from within the organization, are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, unethical, or inappropriate actions and the risks from breakdowns in routine operational processes. Strategy risks are those a company voluntarily assumes in order to generate superior returns from its strategy. External risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. Risk events from any category can be fatal to a company’s strategy and even to its survival.

Companies should tailor their risk management processes to these different risk categories. A rules-based approach is effective for managing preventable risks, whereas strategy risks require a fundamentally different approach based on open and explicit risk discussions. To anticipate and mitigate the impact of major external risks, companies can call on tools such as war-gaming and scenario analysis.

Smart companies match their approach to the nature of the threats they face.

Editors’ note: Since this issue of HBR went to press, JP Morgan, whose risk management practices are highlighted in this article, revealed significant trading losses at one of its units. The authors provide their commentary on this turn of events in their contribution to HBR’s Insight Center on Managing Risky Behavior.

When Tony Hayward became CEO of BP, in 2007, he vowed to make safety his top priority. Among the new rules he instituted were the requirements that all employees use lids on coffee cups while walking and refrain from texting while driving. Three years later, on Hayward’s watch, the Deepwater Horizon oil rig exploded in the Gulf of Mexico, causing one of the worst man-made disasters in history. A U.S. investigation commission attributed the disaster to management failures that crippled “the ability of individuals involved to identify the risks they faced and to properly evaluate, communicate, and address them.” Hayward’s story reflects a common problem. Despite all the rhetoric and money invested in it, risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. But rules-based risk management will not diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did not prevent the failure of many financial institutions during the 2007–2008 credit crisis.

In this article, we present a new categorization of risk that allows executives to tell which risks can be managed through a rules-based model and which require alternative approaches. We examine the individual and organizational challenges inherent in generating open, constructive discussions about managing the risks related to strategic choices and argue that companies need to anchor these discussions in their strategy formulation and implementation processes. We conclude by looking at how organizations can identify and prepare for nonpreventable risks that arise externally to their strategy and operations.

Managing Risk: Rules or Dialogue?

The first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organizations face. Our field research shows that risks fall into one of three categories. Risk events from any category can be fatal to a company’s strategy and even to its survival.

Category I: Preventable risks.

These are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes. To be sure, companies should have a zone of tolerance for defects or errors that would not cause severe damage to the enterprise and for which achieving complete avoidance would be too costly. But in general, companies should seek to eliminate these risks since they get no strategic benefits from taking them on. A rogue trader or an employee bribing a local official may produce some short-term profits for the firm, but over time such actions will diminish the company’s value.

Identifying and Managing Preventable Risks

Companies cannot anticipate every circumstance or conflict of interest that an employee might encounter. Thus, the first line of defense against preventable risk events is to provide guidelines clarifying the company’s goals and values.

The Mission

A well-crafted mission statement articulates the organization’s fundamental purpose, serving as a “true north” for all employees to follow. The first sentence of Johnson & Johnson’s renowned credo, for instance, states, “We believe our first responsibility is to the doctors, nurses and patients, to mothers and fathers, and all others who use our products and services,” making clear to all employees whose interests should take precedence in any situation. Mission statements should be communicated to and understood by all employees.

Companies should articulate the values that guide employee behavior toward principal stakeholders, including customers, suppliers, fellow employees, communities, and shareholders. Clear value statements help employees avoid violating the company’s standards and putting its reputation and assets at risk.

The Boundaries

A strong corporate culture clarifies what is not allowed. An explicit definition of boundaries is an effective way to control actions. Consider that nine of the Ten Commandments and nine of the first 10 amendments to the U.S. Constitution (commonly known as the Bill of Rights) are written in negative terms. Companies need corporate codes of business conduct that prescribe behaviors relating to conflicts of interest, antitrust issues, trade secrets and confidential information, bribery, discrimination, and harassment.

Of course, clearly articulated statements of mission, values, and boundaries don’t in themselves ensure good behavior. To counter the day-to-day pressures of organizational life, top managers must serve as role models and demonstrate that they mean what they say. Companies must institute strong internal control systems, such as the segregation of duties and an active whistle-blowing program, to reduce not only misbehavior but also temptation. A capable and independent internal audit department tasked with continually checking employees’ compliance with internal controls and standard operating processes also will deter employees from violating company procedures and policies and can detect violations when they do occur.

See also Robert Simons’s article on managing preventable risks, “How Risky Is Your Company?” (HBR May 1999), and his book Levers of Control (Harvard Business School Press, 1995).

This risk category is best managed through active prevention: monitoring operational processes and guiding people’s behaviors and decisions toward desired norms. Since considerable literature already exists on the rules-based compliance approach, we refer interested readers to the sidebar “Identifying and Managing Preventable Risks” in lieu of a full discussion of best practices here.

Category II: Strategy risks.

A company voluntarily accepts some risk in order to generate superior returns from its strategy. A bank assumes credit risk, for example, when it lends money; many companies take on risks through their research and development activities.

Strategy risks are quite different from preventable risks because they are not inherently undesirable. A strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential gains. BP accepted the high risks of drilling several miles below the surface of the Gulf of Mexico because of the high value of the oil and gas it hoped to extract.

Strategy risks cannot be managed through a rules-based control model. Instead, you need a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur. Such a system would not stop companies from undertaking risky ventures; to the contrary, it would enable companies to take on higher-risk, higher-reward ventures than could competitors with less effective risk management.

Category III: External risks.

Some risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. External risks require yet another approach. Because companies cannot prevent such events from occurring, their management must focus on identification (they tend to be obvious in hindsight) and mitigation of their impact.

Understanding the Three Categories of Risk

The risks that companies face fall into three categories, each of which requires a different risk-management approach. Preventable risks, arising from within an organization, are monitored and controlled through rules, values, and standard compliance tools. In contrast, strategy risks and external risks require distinct processes that encourage managers to openly discuss risks and find cost-effective ways to reduce the likelihood of risk events or mitigate their consequences.

Companies should tailor their risk-management processes to these different categories. While a compliance-based approach is effective for managing preventable risks, it is wholly inadequate for strategy risks or external risks, which require a fundamentally different approach based on open and explicit risk discussions. That, however, is easier said than done; extensive behavioral and organizational research has shown that individuals have strong cognitive biases that discourage them from thinking about and discussing risk until it’s too late.

Why Risk Is Hard to Talk About

Multiple studies have found that people overestimate their ability to influence events that, in fact, are heavily determined by chance. We tend to be overconfident about the accuracy of our forecasts and risk assessments and far too narrow in our assessment of the range of outcomes that may occur.

We also anchor our estimates to readily available evidence despite the known danger of making linear extrapolations from recent history to a highly uncertain and variable future. We often compound this problem with a confirmation bias, which drives us to favor information that supports our positions (typically successes) and suppress information that contradicts them (typically failures). When events depart from our expectations, we tend to escalate commitment, irrationally directing even more resources to our failed course of action—throwing good money after bad.

Organizational biases also inhibit our ability to discuss risk and failure. In particular, teams facing uncertain conditions often engage in groupthink: Once a course of action has gathered support within a group, those not yet on board tend to suppress their objections—however valid—and fall in line. Groupthink is especially likely if the team is led by an overbearing or overconfident manager who wants to minimize conflict, delay, and challenges to his or her authority.

Collectively, these individual and organizational biases explain why so many companies overlook or misread ambiguous threats. Rather than mitigating risk, firms actually incubate risk through the normalization of deviance, as they learn to tolerate apparently minor failures and defects and treat early warning signals as false alarms rather than alerts to imminent danger.

Effective risk-management processes must counteract those biases. “Risk mitigation is painful, not a natural act for humans to perform,” says Gentry Lee, the chief systems engineer at Jet Propulsion Laboratory (JPL), a division of the U.S. National Aeronautics and Space Administration. The rocket scientists on JPL project teams are top graduates from elite universities, many of whom have never experienced failure at school or work. Lee’s biggest challenge in establishing a new risk culture at JPL was to get project teams to feel comfortable thinking and talking about what could go wrong with their excellent designs.

Rules about what to do and what not to do won’t help here. In fact, they usually have the opposite effect, encouraging a checklist mentality that inhibits challenge and discussion. Managing strategy risks and external risks requires very different approaches. We start by examining how to identify and mitigate strategy risks.

Managing Strategy Risks

Over the past 10 years of study, we’ve come across three distinct approaches to managing strategy risks. Which model is appropriate for a given firm depends largely on the context in which an organization operates. Each approach requires quite different structures and roles for a risk-management function, but all three encourage employees to challenge existing assumptions and debate risk information. Our finding that “one size does not fit all” runs counter to the efforts of regulatory authorities and professional associations to standardize the function.

Independent experts.

Some organizations—particularly those like JPL that push the envelope of technological innovation—face high intrinsic risk as they pursue long, complex, and expensive product-development projects. But since much of the risk arises from coping with known laws of nature, the risk changes slowly over time. For these organizations, risk management can be handled at the project level.

JPL, for example, has established a risk review board made up of independent technical experts whose role is to challenge project engineers’ design, risk-assessment, and risk-mitigation decisions. The experts ensure that evaluations of risk take place periodically throughout the product-development cycle. Because the risks are relatively unchanging, the review board needs to meet only once or twice a year, with the project leader and the head of the review board meeting quarterly.

The risk review board meetings are intense, creating what Gentry Lee calls “a culture of intellectual confrontation.” As board member Chris Lewicki says, “We tear each other apart, throwing stones and giving very critical commentary about everything that’s going on.” In the process, project engineers see their work from another perspective. “It lifts their noses away from the grindstone,” Lewicki adds.

The meetings, both constructive and confrontational, are not intended to inhibit the project team from pursuing highly ambitious missions and designs. But they force engineers to think in advance about how they will describe and defend their design decisions and whether they have sufficiently considered likely failures and defects. The board members, acting as devil’s advocates, counterbalance the engineers’ natural overconfidence, helping to avoid escalation of commitment to projects with unacceptable levels of risk.


At JPL, the risk review board not only promotes vigorous debate about project risks but also has authority over budgets. The board establishes cost and time reserves to be set aside for each project component according to its degree of innovativeness. A simple extension from a prior mission would require a 10% to 20% financial reserve, for instance, whereas an entirely new component that had yet to work on Earth—much less on an unexplored planet—could require a 50% to 75% contingency. The reserves ensure that when problems inevitably arise, the project team has access to the money and time needed to resolve them without jeopardizing the launch date. JPL takes the estimates seriously; projects have been deferred or canceled if funds were insufficient to cover recommended reserves.


Many organizations, such as traditional energy and water utilities, operate in stable technological and market environments, with relatively predictable customer demand. In these situations risks stem largely from seemingly unrelated operational choices across a complex organization that accumulate gradually and can remain hidden for a long time.

Since no single staff group has the knowledge to perform operational-level risk management across diverse functions, firms may deploy a relatively small central risk-management group that collects information from operating managers. This increases managers’ awareness of the risks that have been taken on across the organization and provides decision makers with a full picture of the company’s risk profile.


We observed this model in action at Hydro One, the Canadian electricity company. Chief risk officer John Fraser, with the explicit backing of the CEO, runs dozens of workshops each year at which employees from all levels and functions identify and rank the principal risks they see to the company’s strategic objectives. Employees use an anonymous voting technology to rate each risk, on a scale of 1 to 5, in terms of its impact, the likelihood of occurrence, and the strength of existing controls. The rankings are discussed in the workshops, and employees are empowered to voice and debate their risk perceptions. The group ultimately develops a consensus view that gets recorded on a visual risk map, recommends action plans, and designates an “owner” for each major risk.

Hydro One strengthens accountability by linking capital allocation and budgeting decisions to identified risks. The corporate-level capital-planning process allocates hundreds of millions of dollars, principally to projects that reduce risk effectively and efficiently. The risk group draws upon technical experts to challenge line engineers’ investment plans and risk assessments and to provide independent expert oversight to the resource allocation process. At the annual capital allocation meeting, line managers have to defend their proposals in front of their peers and top executives. Managers want their projects to attract funding in the risk-based capital planning process, so they learn to overcome their bias to hide or minimize the risks in their areas of accountability.

Embedded experts.

The financial services industry poses a unique challenge because of the volatile dynamics of asset markets and the potential impact of decisions made by decentralized traders and investment managers. An investment bank’s risk profile can change dramatically with a single deal or major market movement. For such companies, risk management requires embedded experts within the organization to continuously monitor and influence the business’s risk profile, working side by side with the line managers whose activities are generating new ideas, innovation, and risks—and, if all goes well, profits.


JP Morgan Private Bank adopted this model in 2007, at the onset of the global financial crisis. Risk managers, embedded within the line organization, report to both line executives and a centralized, independent risk-management function. The face-to-face contact with line managers enables the market-savvy risk managers to continually ask “what if” questions, challenging the assumptions of portfolio managers and forcing them to look at different scenarios. Risk managers assess how proposed trades affect the risk of the entire investment portfolio, not only under normal circumstances but also under times of extreme stress, when the correlations of returns across different asset classes escalate. “Portfolio managers come to me with three trades, and the [risk] model may say that all three are adding to the same type of risk,” explains Gregoriy Zhikarev, a risk manager at JP Morgan. “Nine times out of 10 a manager will say, ‘No, that’s not what I want to do.’ Then we can sit down and redesign the trades.”

The chief danger from embedding risk managers within the line organization is that they “go native,” aligning themselves with the inner circle of the business unit’s leadership team—becoming deal makers rather than deal questioners. Preventing this is the responsibility of the company’s senior risk officer and—ultimately—the CEO, who sets the tone for a company’s risk culture.

Avoiding the Function Trap

Even if managers have a system that promotes rich discussions about risk, a second cognitive-behavioral trap awaits them. Because many strategy risks (and some external risks) are quite predictable—even familiar—companies tend to label and compartmentalize them, especially along business function lines. Banks often manage what they label “credit risk,” “market risk,” and “operational risk” in separate groups. Other companies compartmentalize the management of “brand risk,” “reputation risk,” “supply chain risk,” “human resources risk,” “IT risk,” and “financial risk.”

Such organizational silos disperse both information and responsibility for effective risk management. They inhibit discussion of how different risks interact. Good risk discussions must be not only confrontational but also integrative. Businesses can be derailed by a combination of small events that reinforce one another in unanticipated ways.

Managers can develop a companywide risk perspective by anchoring their discussions in strategic planning, the one integrative process that most well-run companies already have. For example, Infosys, the Indian IT services company, generates risk discussions from the Balanced Scorecard, its management tool for strategy measurement and communication. “As we asked ourselves about what risks we should be looking at,” says M.D. Ranganath, the chief risk officer, “we gradually zeroed in on risks to business objectives specified in our corporate scorecard.”

In building its Balanced Scorecard, Infosys had identified “growing client relationships” as a key objective and selected metrics for measuring progress, such as the number of global clients with annual billings in excess of $50 million and the annual percentage increases in revenues from large clients. In looking at the goal and the performance metrics together, management realized that its strategy had introduced a new risk factor: client default. When Infosys’s business was based on numerous small clients, a single client default would not jeopardize the company’s strategy. But a default by a $50 million client would present a major setback. Infosys began to monitor the credit default swap rate of every large client as a leading indicator of the likelihood of default. When a client’s rate increased, Infosys would accelerate collection of receivables or request progress payments to reduce the likelihood or impact of default.

To take another example, consider Volkswagen do Brasil (subsequently abbreviated as VW), the Brazilian subsidiary of the German carmaker. VW’s risk-management unit uses the company’s strategy map as a starting point for its dialogues about risk. For each objective on the map, the group identifies the risk events that could cause VW to fall short of that objective. The team then generates a Risk Event Card for each risk on the map, listing the practical effects of the event on operations, the probability of occurrence, leading indicators, and potential actions for mitigation. It also identifies who has primary accountability for managing the risk.

The Risk Event Card. VW do Brasil uses risk event cards to assess its strategy risks. First, managers document the risks associated with achieving each of the company’s strategic objectives. For each identified risk, managers create a risk card that lists the practical effects of the event’s occurrence on operations. This sample card looks at the effects of an interruption in deliveries, which could jeopardize VW’s strategic objective of achieving a smoothly functioning supply chain. The card clearly describes each aspect of the risk event, beginning with the strategic objective, which is to guarantee reliable and competitive supplier-to-manufacturer processes. The risk event is interruption of deliveries. Outcomes could be overtime, emergency freight, quality problems, and production losses. Risk indicators include a critical items report, late deliveries, incoming defects, and incorrect component shipments. The likelihood of the risk event happening is 12. This number is a heat map score between 1 and 25, obtained by multiplying a likelihood rating by a magnitude rating. A score of 15 or higher represents a risk event that is most likely to occur and most consequential. Management controls include holding daily supply chain meetings with logistics, purchasing, and QA; monitoring suppliers’ tooling to detect deterioration; and risk-mitigation initiatives to upgrade suppliers’ tooling and to identify the key supply chain executive at each critical supplier. The accountable manager is Mister Oh Manuel, director of manufacturing logistics.


The risk team then presents a high-level summary of results to senior management.

The Risk Report Card. VW do Brasil summarizes its strategy risks on a Risk Report Card organized by strategic objectives. Managers can see at a glance how many of the identified risks for each objective are critical and require attention or mitigation. Managers can also monitor progress on risk management across the company. In this table, strategic objectives are listed in the first column. The second column lists the number of assessed risks for each objective, and the third column specifies how many of those risks are deemed critical. The final column indicates whether the trend is improving, worsening, or staying the same, compared with the previous quarter. For instance, VW identified 11 risks associated with achieving the goal “Satisfy the customer’s expectations.” Four of the risks were critical, but that was an improvement over the previous quarter’s assessment. As another example, for the goal “Guarantee customer-oriented innovations management,” VW identified 5 risks, of which 2 were critical, which was worse than the previous quarter’s assessment.
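The two VW artifacts described above (a Risk Event Card scored on a 1-to-25 heat map with a critical threshold of 15, and a Risk Report Card that counts risks and critical risks per objective and compares the critical count with the previous quarter) can be modelled as a small data structure plus one aggregation. The code below is an added example, not VW’s or HBR’s own material; the 1-to-5 likelihood and magnitude scales, the field names, and the sample cards are assumptions constructed for illustration. It shows how a heat map score is derived, how the threshold turns it into a critical flag, and how the trend column is computed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed scales: likelihood and magnitude are each rated 1..5, so the
# product lands on the 1..25 heat map the article describes.
RATING_MIN, RATING_MAX = 1, 5
CRITICAL_THRESHOLD = 15  # from the article: a score of 15 or higher is critical


@dataclass
class RiskEventCard:
    """One row of a Risk Event Card: objective, event, ratings, indicators, owner."""
    objective: str
    event: str
    likelihood: int
    magnitude: int
    indicators: List[str] = field(default_factory=list)
    owner: str = ""

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot silently produce
        # an impossible heat map score.
        for name, value in (("likelihood", self.likelihood), ("magnitude", self.magnitude)):
            if not RATING_MIN <= value <= RATING_MAX:
                raise ValueError(f"{name} must be in {RATING_MIN}..{RATING_MAX}, got {value}")

    @property
    def score(self) -> int:
        """Heat map score: likelihood rating times magnitude rating (1..25)."""
        return self.likelihood * self.magnitude

    @property
    def critical(self) -> bool:
        return self.score >= CRITICAL_THRESHOLD


def report_card(cards: List[RiskEventCard],
                previous_critical: Dict[str, int]) -> Dict[str, dict]:
    """Build the Risk Report Card: per objective, number of risks, number of
    critical risks, and the trend of the critical count versus last quarter."""
    rows: Dict[str, dict] = {}
    for card in cards:
        row = rows.setdefault(card.objective, {"risks": 0, "critical": 0})
        row["risks"] += 1
        row["critical"] += int(card.critical)
    for objective, row in rows.items():
        prev = previous_critical.get(objective)
        if prev is None:
            row["trend"] = "new"          # objective was not assessed last quarter
        elif row["critical"] < prev:
            row["trend"] = "improving"
        elif row["critical"] > prev:
            row["trend"] = "worsening"
        else:
            row["trend"] = "unchanged"
    return rows


# Constructed sample cards (not VW data). The delivery-interruption card is
# rated 3 x 4 so that it reproduces the score of 12 quoted in the article.
SAMPLE_CARDS = [
    RiskEventCard("Guarantee reliable supplier processes", "Interruption of deliveries",
                  likelihood=3, magnitude=4,
                  indicators=["critical items report", "late deliveries"],
                  owner="director of manufacturing logistics"),
    RiskEventCard("Guarantee reliable supplier processes", "Single-source tooling failure",
                  likelihood=4, magnitude=4),
    RiskEventCard("Satisfy the customer's expectations", "Warranty claim surge",
                  likelihood=2, magnitude=5),
    RiskEventCard("Satisfy the customer's expectations", "Dealer stock-out",
                  likelihood=5, magnitude=3),
]

# Constructed previous-quarter critical counts.
PREVIOUS_QUARTER = {
    "Guarantee reliable supplier processes": 1,
    "Satisfy the customer's expectations": 2,
}

if __name__ == "__main__":
    for objective, row in report_card(SAMPLE_CARDS, PREVIOUS_QUARTER).items():
        print(f"{objective}: {row['risks']} risks, {row['critical']} critical, {row['trend']}")
```

The threshold is applied at scoring time rather than in the summary, so the report card and the individual cards can never disagree about which risks are critical.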

Beyond introducing a systematic process for identifying and mitigating strategy risks, companies also need a risk oversight structure. Infosys uses a dual structure: a central risk team that identifies general strategy risks and establishes central policy, and specialized functional teams that design and monitor policies and controls in consultation with local business teams. The decentralized teams have the authority and expertise to help the business lines respond to threats and changes in their risk profiles, escalating only the exceptions to the central risk team for review. For example, if a client relationship manager wants to give a longer credit period to a company whose credit risk parameters are high, the functional risk manager can send the case to the central team for review.

These examples show that the size and scope of the risk function are not dictated by the size of the organization. Hydro One, a large company, has a relatively small risk group to generate risk awareness and communication throughout the firm and to advise the executive team on risk-based resource allocations. By contrast, relatively small companies or units, such as JPL or JP Morgan Private Bank, need multiple project-level review boards or teams of embedded risk managers to apply domain expertise to assess the risk of business decisions. And Infosys, a large company with broad operational and strategic scope, requires a strong centralized risk-management function as well as dispersed risk managers who support local business decisions and facilitate the exchange of information with the centralized risk group.

Managing the Uncontrollable

External risks, the third category of risk, cannot typically be reduced or avoided through the approaches used for managing preventable and strategy risks. External risks lie largely outside the company’s control; companies should focus on identifying them, assessing their potential impact, and figuring out how best to mitigate their effects should they occur.

Some external risk events are sufficiently imminent that managers can manage them as they do their strategy risks. For example, during the economic slowdown after the global financial crisis, Infosys identified a new risk related to its objective of developing a global workforce: an upsurge in protectionism, which could lead to tight restrictions on work visas and permits for foreign nationals in several OECD countries where Infosys had large client engagements. Although protectionist legislation is technically an external risk since it’s beyond the company’s control, Infosys treated it as a strategy risk and created a Risk Event Card for it, which included a new risk indicator: the number and percentage of its employees with dual citizenships or existing work permits outside India. If this number were to fall owing to staff turnover, Infosys’s global strategy might be jeopardized. Infosys therefore put in place recruiting and retention policies that mitigate the consequences of this external risk event.

Most external risk events, however, require a different analytic approach either because their probability of occurrence is very low or because managers find it difficult to envision them during their normal strategy processes. We have identified several different sources of external risks:

Companies use different analytic approaches for each of the sources of external risk.

Tail-risk stress tests.

Stress-testing helps companies assess major changes in one or two specific variables whose effects would be major and immediate, although the exact timing is not forecastable. Financial services firms use stress tests to assess, for example, how an event such as the tripling of oil prices, a large swing in exchange or interest rates, or the default of a major institution or sovereign country would affect trading positions and investments.

The benefits from stress-testing, however, depend critically on the assumptions—which may themselves be biased—about how much the variable in question will change. The tail-risk stress tests of many banks in 2007–2008, for example, assumed a worst-case scenario in which U.S. housing prices leveled off and remained flat for several periods. Very few companies thought to test what would happen if prices began to decline—an excellent example of the tendency to anchor estimates in recent and readily available data. Most companies extrapolated from recent U.S. housing prices, which had gone several decades without a general decline, to develop overly optimistic market assessments.

Scenario planning.

This tool is suited for long-range analysis, typically five to 10 years out. Originally developed at Shell Oil in the 1960s, scenario analysis is a systematic process for defining the plausible boundaries of future states of the world. Participants examine political, economic, technological, social, regulatory, and environmental forces and select some number of drivers—typically four—that would have the biggest impact on the company. Some companies explicitly draw on the expertise in their advisory boards to inform them about significant trends, outside the company’s and industry’s day-to-day focus, that should be considered in their scenarios.

For each of the selected drivers, participants estimate maximum and minimum anticipated values over five to 10 years. Combining the extreme values for each of four drivers leads to 16 scenarios. About half tend to be implausible and are discarded; participants then assess how their firm’s strategy would perform in the remaining scenarios. If managers see that their strategy is contingent on a generally optimistic view, they can modify it to accommodate pessimistic scenarios or develop plans for how they would change their strategy should early indicators show an increasing likelihood of events turning against it.

War-gaming.

War-gaming assesses a firm’s vulnerability to disruptive technologies or changes in competitors’ strategies. In a war-game, the company assigns three or four teams the task of devising plausible near-term strategies or actions that existing or potential competitors might adopt during the next one or two years—a shorter time horizon than that of scenario analysis. The teams then meet to examine how clever competitors could attack the company’s strategy. The process helps to overcome the bias of leaders to ignore evidence that runs counter to their current beliefs, including the possibility of actions that competitors might take to disrupt their strategy.

A firm’s ability to weather storms depends on how seriously executives take risk management when the sun is shining and no clouds are on the horizon.

Companies have no influence over the likelihood of risk events identified through methods such as tail-risk testing, scenario planning, and war-gaming. But managers can take specific actions to mitigate their impact. Since moral hazard does not arise for nonpreventable events, companies can use insurance or hedging to mitigate some risks, as an airline does when it protects itself against sharp increases in fuel prices by using financial derivatives. Another option is for firms to make investments now to avoid much higher costs later. For instance, a manufacturer with facilities in earthquake-prone areas can increase its construction costs to protect critical facilities against severe quakes. Also, companies exposed to different but comparable risks can cooperate to mitigate them. For example, the IT data centers of a university in North Carolina would be vulnerable to hurricane risk while those of a comparable university on the San Andreas Fault in California would be vulnerable to earthquakes. The likelihood that both disasters would happen on the same day is small enough that the two universities might choose to mitigate their risks by backing up each other’s systems every night.

The Leadership Challenge

Managing risk is very different from managing strategy. Risk management focuses on the negative—threats and failures rather than opportunities and successes. It runs exactly counter to the “can do” culture most leadership teams try to foster when implementing strategy. And many leaders have a tendency to discount the future; they’re reluctant to spend time and money now to avoid an uncertain future problem that might occur down the road, on someone else’s watch. Moreover, mitigating risk typically involves dispersing resources and diversifying investments, just the opposite of the intense focus of a successful strategy. Managers may find it antithetical to their culture to champion processes that identify the risks to the strategies they helped to formulate.

For those reasons, most companies need a separate function to handle strategy- and external-risk management. The risk function’s size will vary from company to company, but the group must report directly to the top team. Indeed, nurturing a close relationship with senior leadership will arguably be its most critical task; a company’s ability to weather storms depends very much on how seriously executives take their risk-management function when the sun is shining and no clouds are on the horizon.

That was what separated the banks that failed in the financial crisis from those that survived. The failed companies had relegated risk management to a compliance function; their risk managers had limited access to senior management and their boards of directors. Further, executives routinely ignored risk managers’ warnings about highly leveraged and concentrated positions. By contrast, Goldman Sachs and JPMorgan Chase, two firms that weathered the financial crisis well, had strong internal risk-management functions and leadership teams that understood and managed the companies’ multiple risk exposures. Barry Zubrow, chief risk officer at JP Morgan Chase, told us, “I may have the title, but [CEO] Jamie Dimon is the chief risk officer of the company.”

Risk management is nonintuitive; it runs counter to many individual and organizational biases. Rules and compliance can mitigate some critical risks but not all of them. Active and cost-effective risk management requires managers to think systematically about the multiple categories of risks they face so that they can institute appropriate processes for each. These processes will neutralize their managerial bias of seeing the world as they would like it to be rather than as it actually is or could possibly become.


Risk Analysis: A Comprehensive Guide

Everything you need to know about risk analysis: its components, types, and methods, as well as examples and steps on how to perform risk analysis


Published 31 Jan 2023

What is Risk Analysis?

Risk analysis is a multi-step process aimed at mitigating the impact of risks on business operations. Leaders from different industries use risk analysis to ensure that all aspects of the business are protected from potential threats. Performing regular risk analysis also minimizes the vulnerability of the business to unexpected events.

Risk assessment is just one component of risk analysis. The other components of risk analysis are risk management and risk communication. Risk management is the proactive control and evaluation of risks, while risk communication is the exchange of information involving risks. Unlike risk analysis, risk assessment is primarily focused on safety and hazard identification.

Risk analysis framework includes risk assessment, risk management, and risk communication

Risk Analysis Framework

As risk analysis covers a wide range of topics, there are many approaches to analyzing risks or types of risk analysis. These include, but are not limited to, the following:

There are two main risk analysis methods. The easier and more convenient method is qualitative risk analysis. Qualitative risk analysis rates or scores risk based on the perception of the severity and likelihood of its consequences. Quantitative risk analysis, on the other hand, calculates risk based on available data.

The types of risk analysis associated with qualitative risk analysis are all root cause analysis (RCA) tools other than failure mode and effects analysis, together with needs assessment and the risk matrix. The most common forms of the latter are the 3×3 risk matrix, 4×4 risk matrix, and 5×5 risk matrix.

Risk Matrix

Types of risk analysis included in quantitative risk analysis are business impact analysis (BIA), failure mode and effects analysis (FMEA), and risk benefit analysis.

A key difference between qualitative and quantitative risk analysis is the type of risk each method results in. For qualitative risk analysis, this is projected risk, which is an estimation or guess of how the risk will manifest. Meanwhile, quantitative risk analysis deals with statistical risk. Unlike projected risk, statistical risk is specific and verified. For this reason, it’s often used in the calculation of insurance premiums.

Though risk analysis is used across industries by businesses of all sizes and types, some leaders may find a risk analysis example that’s specific to their industry more helpful than a generic one. Here are risk analysis examples for three major industries: construction, transport & logistics, and manufacturing.

Construction Risk Analysis Example: The owner of a construction company was presented with a project proposal to build a luxury resort. While pursuing this project may lead to good press for the company, the owner is hesitant to accept the project because her company specializes in mid-range residential buildings. Taking on this project would be both a leap and a challenge. Before making a final decision, she performs a risk benefit analysis together with her team to see if the benefits of pursuing this project outweigh the risks.

Transport & Logistics Risk Analysis Example: The director of a multinational shipping company is anxious about the impact an upcoming storm will have on business operations. She believes the company should set aside some money for recovery after the storm hits. Her colleague, however, thinks differently. He argues that the storm won’t affect them that much. To convince her colleague and fellow directors, she performs a business impact analysis and presents its results at the next board meeting.

Manufacturing Risk Analysis Example: A newly hired manager is in charge of preparing a factory and its workers for a large influx of customer orders due to the summer season. To get an understanding of what he needs to do for this factory to succeed in producing enough units, he performs a quick needs assessment by asking the workers to fill out a survey on the factory’s processes.

For leaders who have already decided on the type of risk analysis to perform, here are steps and instructions on how to perform risk analysis for each type:

How to Perform Needs Assessment

Needs Assessment Template

Use this digital template to identify business/department, performance, and learning needs. It has all the tools leaders need to improve the management of their businesses.

How to Perform Business Impact Analysis 

Business Impact Analysis Template

Use this digital template to assess the impact of possible disruptive events across key business functions. This template includes an assessment of losses in terms of operational activities and revenue. Leaders can use it to prioritize functions for recovery during crises.

How to Perform Failure Mode and Effects Analysis

The mechanism of failure (potential failure modes, effects, and causes) can be identified properly when leaders in charge of FMEAs account for past failures, agree upon certain assumptions, and establish ground rules.

The risk priority number is used to prioritize the potential failures that require additional planning. It’s a product of three factors: severity, occurrence, and detection.

FMEA RPN Risk Analysis

Leaders should focus their improvement efforts on potential failures at the top 20% of the highest RPNs. These high-risk failure modes must be addressed through effective action plans.

After establishing and executing effective action plans, leaders should remember to continuously review these plans and the high-risk failure modes they address.
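The RPN procedure above (score each failure mode as severity × occurrence × detection, rank, and concentrate effort on the top 20%) is simple enough to implement in a few lines, but two details matter in practice: how the 20% cutoff is rounded for small registers, and what happens when several modes tie at the cutoff. The code below is an added example written for this page; it is not SafetyCulture’s template or any FMEA tool’s code. The 1-to-10 rating scale, the helper names, and the sample failure modes (a constructed IT-operations register) are assumptions. It rounds the cutoff up so that a register of any size yields at least one priority item, and it includes every mode tied with the last selected one rather than dropping some arbitrarily.

```python
import math
from typing import Dict, List, Tuple

# Assumed rating scale for severity, occurrence and detection.
RATING_MIN, RATING_MAX = 1, 10
TOP_FRACTION = 0.2  # from the article: focus on the top 20% of RPNs


def rpn(severity: int, occurrence: int, detection: int) -> int:
    """Risk priority number: the product of the three FMEA ratings."""
    for name, value in (("severity", severity), ("occurrence", occurrence), ("detection", detection)):
        if not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"{name} must be in {RATING_MIN}..{RATING_MAX}, got {value}")
    return severity * occurrence * detection


def prioritize(failure_modes: List[Dict], top_fraction: float = TOP_FRACTION) -> List[Tuple[str, int]]:
    """Return (mode, RPN) pairs that fall in the top fraction of the register.

    Ordering is by RPN descending, then severity descending (so that among
    equal RPNs the more damaging failure comes first), then name for stability.
    The cutoff count is rounded up, and any mode tied with the last selected
    RPN is kept, so the result can be slightly longer than top_fraction * n.
    """
    if not failure_modes:
        return []
    scored = [
        (fm["mode"], rpn(fm["severity"], fm["occurrence"], fm["detection"]), fm["severity"])
        for fm in failure_modes
    ]
    scored.sort(key=lambda t: (-t[1], -t[2], t[0]))
    keep = max(1, math.ceil(len(scored) * top_fraction))
    cutoff = scored[keep - 1][1]
    return [(mode, score) for mode, score, _ in scored if score >= cutoff]


# Constructed sample register (not from the page). Ratings are illustrative.
SAMPLE_REGISTER = [
    {"mode": "Backup restore fails silently",   "severity": 9, "occurrence": 3, "detection": 8},
    {"mode": "Expired TLS certificate",         "severity": 6, "occurrence": 4, "detection": 2},
    {"mode": "Log pipeline drops events",       "severity": 7, "occurrence": 5, "detection": 7},
    {"mode": "Patch window missed",             "severity": 8, "occurrence": 4, "detection": 3},
    {"mode": "Supplier delivery interruption",  "severity": 7, "occurrence": 4, "detection": 4},
    {"mode": "Misconfigured firewall rule",     "severity": 8, "occurrence": 3, "detection": 6},
    {"mode": "Stale access not revoked",        "severity": 7, "occurrence": 6, "detection": 5},
    {"mode": "Monitoring alert fatigue",        "severity": 5, "occurrence": 7, "detection": 4},
    {"mode": "Unencrypted backup media",        "severity": 9, "occurrence": 2, "detection": 9},
    {"mode": "Vendor SLA breach",               "severity": 4, "occurrence": 5, "detection": 3},
]

if __name__ == "__main__":
    for mode, score in prioritize(SAMPLE_REGISTER):
        print(f"{score:4d}  {mode}")
```

Because the RPN is a plain product, a catastrophic but rare and easily detected failure can score below a nuisance that happens often; the secondary sort on severity does not fix that, so the result is a starting point for the review the article calls for, not a substitute for it.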

Failure Mode and Effects Analysis Template

Use this digital template to identify problems in processes or products. Describe the potential failure effect, the potential cause, and current controls. Add the severity, occurrence, and detection ratings. Finally, record the RPN and sign-off.

How to Perform Root Cause Analysis

5 Whys involves asking the question “why” five times. Though 5 Whys is the easiest to use, it can also oversimplify problems. 8D stands for the eight disciplines of problem-solving. While 8D provides long-term solutions, performing it correctly requires extensive training. 

DMAIC, on the other hand, is more comprehensive than 5 Whys, but also relatively easier to perform than 8D, especially if the third step (Analyze) is simplified.

Root Cause Analysis Template

Use this digital template to analyze a recurring problem and its effect on productivity. List reasons why the problem occurs and rate how likely they are to be root causes. Once a root cause has been identified, choose its category and provide a prevention strategy.

For leaders who haven’t decided on a specific type or want a general outline of how to perform risk analysis, refer to the steps below:


One way to manage risks effectively is to use the ISO 31000 standard. ISO 31000 is an internationally recognized benchmark for risk management. It can be summarized into three guiding rules for leaders to follow:

Another key aspect of using ISO 31000 is to ensure that all employees are familiar with the standard and/or have received training on how to apply the standard in their work. While leaders should take responsibility for the overall risk management, they should be careful to not alienate employees from this process. Without the support and input of employees, implementing ISO 31000 will be much harder than it needs to be.

ISO 31000:2018 Risk Management Template

Use this digital template to establish a solid risk management framework based on ISO 31000. Show leadership by making a commitment to risk management. Share the responsibility of managing risks with other stakeholders in the business, including employees.

Though adhering to the ISO 31000 standard is recommended, this can seem intimidating or overly complicated for smaller businesses or those with fewer resources to spend on risk management. A temporary alternative is to use a risk management plan, which should have the following parts:

When using a risk management plan, it can be helpful to have a risk management plan template that’s easy to distribute to employees and update when needed. Without a template, it can be difficult to use or create a risk management plan for the entire business.

Risk Management Plan Template

Use this digital template to assess the likelihood and severity of consequences. Specify planned mitigation strategies and the employee/s responsible for executing them. Give the estimated cost and timeline of mitigation actions.

SafetyCulture is a digital inspection platform businesses can use to identify, analyze, communicate, and manage risks effectively. Together with Mitti, a technology-first insurance company, SafetyCulture rewards businesses that are proactive in managing their risks.

Qualitative Risk Analysis Template

Use this digital template to perform qualitative risk analysis in 4 steps:

Quantitative Risk Analysis Template

This digital template can be used as a guide in performing quantitative risk analysis. It has the following steps:


SafetyCulture staff writer

Erick Brent Francisco

Erick Brent Francisco has been a content writer and researcher for SafetyCulture since 2018. As a content specialist, he is interested in learning and sharing how technology can improve work processes and workplace safety. His experience in logistics, banking and financial services, and retail helps enrich the quality of information in his articles.


What Is a Business Model?


Learn to understand a company's profit-making plan


Katrina Ávila Munichiello is an experienced editor, writer, fact-checker, and proofreader with more than fourteen years of experience working with print and online publications.


Investopedia / Laura Porter

The term business model refers to a company's plan for making a profit. It identifies the products or services the business plans to sell, its identified target market, and any anticipated expenses. Business models are important for both new and established businesses. They help new, developing companies attract investment, recruit talent, and motivate management and staff.

Established businesses should regularly update their business model or they'll fail to anticipate trends and challenges ahead. Business models also help investors evaluate companies that interest them and employees understand the future of a company they may aspire to join.

Key Takeaways

Business Model

A business model is a high-level plan for profitably operating a business in a specific marketplace. A primary component of the business model is the value proposition. This is a description of the goods or services that a company offers and why they are desirable to customers or clients, ideally stated in a way that differentiates the product or service from its competitors.

A new enterprise's business model should also cover projected startup costs and financing sources, the target customer base for the business, marketing strategy, a review of the competition, and projections of revenues and expenses. The plan may also define opportunities in which the business can partner with other established companies. For example, the business model for an advertising business may identify benefits from an arrangement for referrals to and from a printing company.

Successful businesses have business models that allow them to fulfill client needs at a competitive price and a sustainable cost. Many businesses revise their business models from time to time to reflect changing business environments and market demands.

When evaluating a company as a possible investment, the investor should find out exactly how it makes its money. This means looking through the company's business model. Admittedly, the business model may not tell you everything about a company's prospects. But the investor who understands the business model can make better sense of the financial data.

A common mistake many companies make when they create their business models is to underestimate the costs of funding the business until it becomes profitable. Counting costs to the introduction of a product is not enough. A company has to keep the business running until its revenues exceed its expenses.

One way analysts and investors evaluate the success of a business model is by looking at the company's gross profit. Gross profit is a company's total revenue minus the cost of goods sold (COGS). Comparing a company's gross profit to that of its main competitor or its industry sheds light on the efficiency and effectiveness of its business model. Gross profit alone can be misleading, however. Analysts also want to see cash flow or net income. That is gross profit minus operating expenses and is an indication of just how much real profit the business is generating.

The two primary levers of a company's business model are pricing and costs. A company can raise prices, and it can find inventory at reduced costs. Both actions increase gross profit. Many analysts consider gross profit to be more important in evaluating a business plan. A good gross profit suggests a sound business plan. If expenses are out of control, the management team could be at fault, and the problems are correctable. As this suggests, many analysts believe that companies that run on the best business models can run themselves.

When evaluating a company as a possible investment, find out exactly how it makes its money (not just what it sells but how it sells it). That's the company's business model.

Types of Business Models

There are as many types of business models as there are types of business. For instance, direct sales, franchising, advertising-based, and brick-and-mortar stores are all examples of traditional business models. There are hybrid models as well, such as businesses that combine internet retail with brick-and-mortar stores or with sporting organizations like the NBA.

Below are some common types of business models; note that the examples given may fall into multiple categories.

One of the more common business models most people interact with regularly is the retailer model. A retailer is the last entity along a supply chain. They often buy finished goods from manufacturers or distributors and interface directly with customers.

Example: Costco Wholesale


A manufacturer is responsible for sourcing raw materials and producing finished products by leveraging internal labor, machinery, and equipment. A manufacturer may make custom goods or highly replicated, mass produced products. A manufacturer can also sell goods to distributors, retailers, or directly to customers.

Example: Ford Motor Company


Instead of selling products, fee-for-service business models are centered around labor and providing services. A fee-for-service business model may charge by an hourly rate or a fixed cost for a specific agreement. Fee-for-service companies are often specialized, offering insight that may not be common knowledge or may require specific training.

Example: DLA Piper LLP


Subscription-based business models strive to attract clients in the hope of turning them into long-term, loyal patrons. This is done by offering a product that requires ongoing payment, usually in return for a fixed duration of benefit. Though largely offered by digital companies for access to software, subscription business models are also popular for physical goods such as monthly recurring agriculture/produce subscription box deliveries.

Example: Spotify

Freemium business models attract customers by introducing them to basic, limited-scope products. Then, once the client is using the service, the company attempts to convert them to a more premium, advanced product that requires payment. Although a customer may theoretically stay on freemium forever, a company tries to show the benefit of what becoming an upgraded member can hold.

Example: LinkedIn/LinkedIn Premium

Some companies can reside within multiple business model types at the same time for the same product. For example, Spotify (a subscription-based model) also offers a free version and a premium version.

If a company is concerned about the cost of attracting a single customer, it may attempt to bundle products to sell multiple goods to a single client. Bundling capitalizes on existing customers by attempting to sell them different products. This can be incentivized by offering pricing discounts for buying multiple products.

Example: AT&T


Marketplaces are somewhat straightforward: in exchange for hosting a platform on which business is conducted, the marketplace receives compensation. Although transactions could occur without a marketplace, this business model attempts to make transacting easier, safer, and faster.

Example: eBay

Affiliate business models are based on marketing and the broad reach of a specific entity or person's platform. Companies pay an entity to promote a good, and that entity often receives compensation in exchange for their promotion. That compensation may be a fixed payment, a percentage of sales derived from their promotion, or both.

Example: social media influencers such as Lele Pons, Zach King, or Chiara Ferragni.

Razor Blade

Aptly named after the product that invented the model, this business model aims to sell a durable product below cost to then generate high-margin sales of a disposable component of that product. Also referred to as the "razor and blade model", razor blade companies may give away expensive blade handles with the premise that consumers need to continually buy razor blades in the long run.

Example: HP (printers and ink)

"Tying" is an illegal razor blade model strategy that requires the purchase of an unrelated good prior to being able to buy a different (and often required) good. For example, imagine Gillette released a line of lotion and required all customers to buy three bottles before they were allowed to purchase disposable razor blades.

Reverse Razor Blade

Instead of relying on high-margin companion products, a reverse razor blade business model tries to sell a high-margin product upfront. Then, to use the product, low-cost or free companion products are provided. This model aims to promote that upfront sale, as further use of the product is not highly profitable.

Example: Apple (iPhones + applications)

The franchise business model leverages existing business plans to expand and reproduce a company at a different location. Often food, hardware, or fitness companies, franchisors work with incoming franchisees to finance the business, promote the new location, and oversee operations. In return, the franchisor receives a percentage of earnings from the franchisee.

Example: Domino's Pizza


Instead of charging a fixed fee, some companies may implement a pay-as-you-go business model where the amount charged depends on how much of the product or service was used. The company may charge a fixed fee for offering the service in addition to an amount that changes each month based on what was consumed.

Example: Utility companies

A brokerage business model connects buyers and sellers without directly selling a good themselves. Brokerage companies often receive a percentage of the amount paid when a deal is finalized. Most common in real estate, brokers are also prominent in construction/development or freight.

Example: ReMax

There is no "one size fits all" when making a business model. Different professionals may suggest taking different steps when creating a business and planning your business model. Here are some broad steps one can take to create their plan:

Instead of reinventing the wheel, consider what competing companies are doing and how you can position yourself in the market. You may be able to easily spot gaps in the business model of others.

Criticism of Business Models

Joan Magretta, the former editor of the Harvard Business Review, suggests there are two critical factors in sizing up business models. When business models don't work, she states, it's because the story doesn't make sense and/or the numbers just don't add up to profits. The airline industry is a good place to look to find a business model that stopped making sense. It includes companies that have suffered heavy losses and even bankruptcy.

For years, major carriers such as American Airlines, Delta, and Continental built their businesses around a hub-and-spoke structure, in which all flights were routed through a handful of major airports. By ensuring that most seats were filled most of the time, the business model produced big profits.

However, a competing business model arose that made the strength of the major carriers a burden. Carriers like Southwest and JetBlue shuttled planes between smaller airports at a lower cost. They avoided some of the operational inefficiencies of the hub-and-spoke model while forcing labor costs down. That allowed them to cut prices, increasing demand for short flights between cities.

As these newer competitors drew more customers away, the old carriers were left to support their large, extended networks with fewer passengers. The problem became even worse when traffic fell sharply following the September 11 terrorist attacks in 2001. To fill seats, these airlines had to offer more discounts at even deeper levels. The hub-and-spoke business model no longer made sense.

Example of Business Models

Consider the vast portfolio of Microsoft. Over the past several decades, the company has expanded its product line across digital services, software, gaming, and more. Various business models, all within Microsoft, include but are not limited to:

A business model is a strategic plan of how a company will make money. The model describes the way a business will take its product, offer it to the market, and drive sales. A business model determines what products make sense for a company to sell, how it wants to promote its products, what type of people it should try to cater to, and what revenue streams it may expect.

What Is an Example of a Business Model?

Best Buy, Target, and Walmart are some of the largest examples of retail companies. These companies acquire goods from manufacturers or distributors to sell directly to the public. Retailers interface with their clients and sell goods, though retailers may or may not make the actual goods they sell.

What Are the Main Types of Business Models?

Retailers and manufacturers are among the primary types of business models. Manufacturers produce their own goods and may or may not sell them directly to the public. Meanwhile, retailers buy goods to later resell to the public.

How Do I Build a Business Model?

There are many steps to building a business model, and there is no single consistent process among business experts. In general, a business model should identify your customers, understand the problem you are trying to solve, select a business model type to determine how your clients will buy your product, and determine the ways your company will make money. It is also important to periodically review your business model; once you've launched, feel free to evaluate your plan and adjust your target audience, product line, or pricing as needed.

A company isn't just an entity that sells goods. It's an ecosystem that must have a plan in place for who to sell to, what to sell, what to charge, and what value it is creating. A business model describes what an organization does to systematically create long-term value for its customers. After building a business model, a company should have stronger direction on how it wants to operate and what its financial future appears to be.


The evolution of model risk management

The number of models is rising dramatically—10 to 25 percent annually at large institutions—as banks utilize models for an ever-widening scope of decision making. More complex models are being created with advanced-analytics techniques, such as machine learning, to achieve higher performance standards. A typical large bank can now expect the number of models included within its model risk management (MRM) framework to continue to increase substantially.

Among the model types that are proliferating are those designed to meet regulatory requirements, such as capital provisioning and stress testing. But importantly, many of the new models are designed to achieve business needs, including pricing, strategic planning, and asset-liquidity management. Big data and advanced analytics are opening new areas for more sophisticated models, such as customer relationship management or anti-money laundering and fraud detection.

Insights from benchmarking and MRM best practices

Model risk management (MRM) was addressed as a top-of-mind concern by leading global banks in recent surveys and roundtables conducted in Europe and the United States by McKinsey and Risk Dynamics. The overall number of models varied widely, ranging from 100 to 3,000 per bank; the number of full-time equivalents (FTEs) dedicated to MRM and validation is also highly variable, with European banks dedicating an average of 8 FTEs per €100 billion of assets, while for US banks this average is 19. MRM groups have grown considerably in recent years, and that growth is expected to continue. Most banks said they still rely heavily on the support of external consultants for validation. The time period for validation varies, depending on model intensity. For European banks, model validation can take anywhere from a few days to 30 weeks, whereas in the United States, we found that validation takes between one and 17 weeks. For both US and EU banks, pass/fail rates vary widely by model. The scope of MRM activities varies widely as well, especially for ongoing model monitoring and model implementation. With respect to governance, most of the MRM groups report directly to the chief risk officer (CRO), or to his or her direct report; the boards of these banks typically discuss MRM in at least six meetings per bank.

In probing the model risk management terrain more closely, our research identified important trends and defined a model life cycle, from planning and development through model use, risk appetite, and policies. (1) Our research also revealed the key questions on the agenda of chief risk officers (exhibit), and the extent to which these questions are being addressed in some of the most important areas.

(1) The research was performed by McKinsey Risk Dynamics, which specializes in model risk and validation.

Model planning and development

Model planning should be well coordinated across the whole bank. While taking great care to maintain the independence of validation, the model-development group should work closely with validation, an approach that controls costs by reducing the number of iterations and overall development time.

Banks are increasingly centralizing model planning and development, with best-practice institutions setting up “centers of excellence”—advanced-analytics centers acting as service providers to business units. They have created three location models: a local model with the bulk of the work close to model owners, each of them with dedicated teams; a hybrid model; and a centralized model, with the bulk of the work performed in the dedicated corporate center.

As talent demands rise, the highly specialized skills needed to develop and validate models are becoming increasingly scarce. Nearly three-quarters of banks said they are understaffed in MRM, so the importance of adjusting the model risk function to favor talent acquisition and retention has become pronounced. Banks are now developing talent solutions combining flexible and scalable resourcing with an outsourcing component.

Best-practice institutions are classifying models (model “tiering”) using a combination of quantitative and qualitative criteria, including materiality and risk exposure (potential financial loss), and regulatory impact. Models are typically prioritized for validation based on complexity and risk associated with model failure or misuse. Model risk is defined according to potential impact (materiality), uncertainty of model parameters, and what the model is used for. The level of validation is located along a continuum, with high-risk models prioritized for full validation and models of low risk assigned light validation. In the majority of banks we surveyed, validation is highly centralized and situated in the risk organization. Outsourcing is increasing at both European and US institutions, as a result of talent constraints.

Most US banks have strengthened the independence of validation, with the head reporting directly to the CRO. In the United States, material models have to be validated in great detail, with systematic replication and the use of challenger models. This approach is not uniformly applied in Europe, where “conceptual” validations are still accepted in many cases. Likewise, model implementation (in operational and production systems) is not validated consistently across EU banks.

Control and monitoring

In the United States, the Federal Reserve is strict about proper deployment of the three lines of defense, with all stakeholders playing their roles: model developers need to continuously monitor their models; validation must make periodic reviews and audits, relying on the right level of rigor and skills. In Europe, implementation of the three lines remains less defined. The regulatory focus is mainly on regulatory models, as opposed to the US approach, where proper control is expected for all material models, whatever their type. Consequently, in the European Union, few banks have a control and governance unit in charge of MRM policies and appetite; in the United States, nearly all banks have an MRM unit.

Model use, risk appetite, and policies

In accordance with best practices, approximately half the surveyed banks have integrated model risk within their risk-appetite statement, either as a separate element or within nonfinancial risks. Only around 20 percent, however, use specific key performance indicators for model risk, mainly based on model performance and open validation findings on models.

All banks have a model governance framework in place, but 60 percent of the group uses it for the main models only (such as internal ratings based or stress testing). Half of the survey group has a model risk policy. For 60 percent of the group, model ownership is held by users, representing the preferred option for institutions that are more advanced in model management, allowing a better engagement of business on data and modeling assumptions. Risk committees authorize model-use exceptions in around 70 percent of cases.

The promise and wider application of models have brought into focus the need for an efficient MRM function, to ensure the development and validation of high-quality models across the whole organization—eventually beyond risk itself. Financial institutions have already invested millions in developing and deploying sophisticated MRM frameworks. In analyzing these investments, we have discovered the ways that MRM is evolving and the best practices for building a systematically value-based MRM function (see sidebar, “Insights from benchmarking and MRM best practices”). This article summarizes our findings.

Model risk and regulatory scrutiny

The stakes in managing model risk have never been higher. When things go wrong, consequences can be severe. With digitization and automation, more models are being integrated into business processes, exposing institutions to greater model risk and consequent operational losses. The risk lies equally in defective models and model misuse. A defective model caused one leading financial institution to suffer losses of several hundred million dollars when a coding error distorted the flow of information from the risk model to the portfolio-optimization process. Incorrect use of models can cause as much (or greater) harm. A global bank misused a risk-hedging tool in a highly aggressive manner and, as a result, passed its value-at-risk limits for nearly a week. The bank eventually detected the risk, but because the risk model it used was inadequately governed and validated, it only adjusted control parameters rather than change its investment strategy. The consequent loss ran into the billions. Another global bank was found in violation of European banking rules and fined hundreds of millions of dollars after it misused a calculation model for counterparty-risk capital requirements.


Events like these at top institutions have focused financial-industry attention on model risk. Supervisors on both sides of the Atlantic decided that additional controls were needed and began applying specific requirements for model risk management on banks and insurers. In April 2011, the US Board of Governors of the Federal Reserve System published the Supervisory Guidance on Model Risk Management (SR 11-7). This document provided an early definition of model risk that subsequently became standard in the industry: “The use of models invariably presents model risk, which is the potential for adverse consequences from decisions based on incorrect or misused model outputs and reports.” SR 11-7 explicitly addresses incorrect model outputs, taking account of all errors at any point from design through implementation. It also requires that decision makers understand the limitations of a model and avoid using it in ways inconsistent with the original intent. The European Banking Authority’s Supervisory Review and Evaluation Process, meanwhile, requires that model risk be identified, mapped, tested, and reviewed. Model risk is assessed as a material risk to capital, and institutions are asked to quantify it accordingly. If the institution is unable to calculate capital needs for a specific risk, then a comprehensible lump-sum buffer must be fixed.

The potential value in mature MRM

The value of sophisticated MRM extends well beyond the satisfaction of regulatory regimes. But how can banks ensure that their MRM frameworks are capturing this value thoroughly? To find the answer, we must first look more closely at the value at stake. Effective MRM can improve an institution’s earnings through cost reduction, loss avoidance, and capital improvement. Cost reduction and loss avoidance come mainly from increased operational and process efficiency in model development and validation, including the elimination of defective models.

Capital improvement comes mainly from the reduction of undue capital buffers and add-ons. When supervisors feel an institution’s MRM is inadequate, they request add-ons. An improved MRM function that puts regulators in a more comfortable position leads to a reduction of these penalties. (The benefit is similar to remediation for noncompliance.) Capital inefficiency is also the result of excessive modeler conservatism. To deal with uncertainty, modelers tend to make conservative assumptions at different points in the models. The assumptions and attending conservatism are often implicit and not well documented or justified. The opacity leads to haphazard application of conservatism across several components of the model and can be costly. Good MRM and proper validation increases model transparency (on model uncertainties and related assumptions) and allows for better judgments from senior management on where and how much conservatism is needed.


This approach typically leads to the levels of conservatism being presented explicitly, at precise and well-defined locations in models, in the form of overlays subject to management oversight. As a result, the total level of conservatism is usually reduced, as end users better understand model uncertainties and the dynamics of model outcomes. They can then more clearly define the most relevant mitigation strategies, including revisions of policies governing model use.

Profit and loss

With respect to improvement in profit and loss (P&L), MRM reduces rising modeling costs, addressing fragmented model ownership and processes caused by high numbers of complex models. This can save millions. At one global bank, the capital budget for models increased sevenfold in four years, rising from €7 million to €51 million. By gaining a better understanding of the model landscape, banks are able to align model investments with business risks and priorities. By reducing model risk and managing its impact, MRM can also reduce some P&L volatility. The overall effect heightens model transparency and institutional risk culture. The resources released by cost reductions can then be reallocated to high-priority decision-making models.

Systematic cost reduction can only be achieved with an end-to-end approach to MRM. Such an approach seeks to optimize and automate key modeling processes, which can reduce model-related costs by 20 to 30 percent. To take one example, banks are increasingly seeking to manage the model-validation budget, which has been rising because of larger model inventories, increasing quality and consistency requirements, and higher talent costs. A pathway has been found in the industrialization of validation processes, which use lean fundamentals and an optimized model-validation approach.

The evolution toward capturing value systematically

To manage the P&L, capital, and regulatory challenges to their institutions’ advantage, leading banks are moving toward a robust MRM framework that deploys all available tools to capture efficiencies and value. The path to sophisticated model risk management is evolutionary—it can be usefully discussed as having three stages: building the elements of the foundation, implementing a robust MRM program, and capturing the value from it (Exhibit 1).

Building the foundational elements

The initial phase is mainly about setting up the basic infrastructure for model validation. This includes the policies for MRM objectives and scope, the models themselves, and the management of model risk through the model life cycle. Further policies determine model validation and annual review. Model inventory is also determined, based on the defined characteristics of the model to be captured and a process to identify all models and nonmodels used in the bank. Reports for internal and external stakeholders can then be generated from the inventory. It is important to note, however, that the industry still has no standard of what should be defined as a model. Since banks differ on this basic definition, there are large disparities in model-inventory statistics.

Governance and standards are also part of the MRM infrastructure. Two levels of governance are set up: one covering the steps of the model life cycle and one for the board and senior management. At this point, the MRM function will mainly consist of a small governance team and a team of validators. The governance team defines and maintains standards for model development, inventory, and validation. It also defines stakeholder roles, including skills, responsibilities, and the people who will fill them. The validation team conducts technical validation of the models. Most institutions build an MRM work-flow tool for the MRM processes.

Implementing a robust program

With foundational elements in place, banks can then build an MRM program that creates transparency for senior stakeholders on the model risk to the bank. Once model-development standards have been established, for example, the MRM program can be embedded across all development teams. Leading banks have created detailed templates for development, validation, and annual review, as well as online training modules for all stakeholders. They often use scorecards to monitor the evolution of model risk exposure across the institution.

McKinsey on Risk Number 2 - January 2017


A fundamental objective is to ensure high-quality, prioritized submissions. Model submissions missing key components such as data, feeder models, or monitoring plans reduce efficiency and increase delivery time. Efficiency can be meaningfully enhanced if all submissions adhere to standards before the validation process begins. Models are prioritized based on their importance to the business, outcome of prior validation, and potential for regulatory scrutiny.

Gaining efficiencies and extracting value

In the mature stage, the MRM function seeks efficiencies and value, reducing the cost of managing model risk while ensuring that models are of the highest quality. In our survey of leading financial institutions, most respondents (76 percent) identified incomplete or poor quality of model submissions as the largest barrier for their validation timelines. (1) Model owners need to understand the models they use, as they are responsible for errors in decisions based on those models.

(1) Many fewer respondents cited a lack of sufficient resources (14 percent) and the need to validate each model comprehensively (10 percent).

One of the best ways to improve model quality is with a center of excellence for model development, set up as an internal service provider on a pay-per-use basis. Centers of excellence enable best-practice sharing and advanced analytics across business units, capturing enterprise-wide efficiencies. The approach increases model transparency and reduces the risk of delays, as center managers apply such tools as control dashboards and checkpoints to reduce rework.

Process automation defines MRM maturity, as model development, validation, and resource management are “industrialized” (Exhibit 2). Validation is led by a project-management office setting timelines, allocating resources, and applying model-submission standards. Models are prioritized according to their importance in business decisions. An onshore “validation factory” reviews, tests, and revises models. It can be supported by an offshore group for data validation, standards tests and sensitivity analysis, initial documentation, and review of model monitoring and reporting. The industrial approach to validation ensures that models across the organization attain the highest established standards and that the greatest value is captured in their deployment.

The standards-based approach to model inventory and validation enhances transparency around model quality. Process efficiency is also monitored, as key metrics keep track of the models in validation and the time to completion. The validation work-flow system improves the model-validation factory, whose enterprise-wide reach enables efficient resource deployment, with cross-team resource sharing and a clear view of validator capabilities and model characteristics.

Consistent standards for model planning and development allow institutions to develop more accurate models with fewer resources and in less time. In our experience, up to 15 percent of MRM resources can be conserved. Similarly, streamlining the model-validation organization can save up to 25 percent in costs. With the significant regulatory spending now being demanded of institutions on both sides of the Atlantic, these savings are not only welcome but also necessary.

The contours of a mature stage of model risk management have only lately become clear. We now know where the MRM function has to go in order to create the most value amid costly and highly consequential operations. The sooner institutions get started in building value-based MRM on an enterprise-wide basis, the sooner they will be able to get ahead of the rising costs and get the most value from their models.

Ignacio Crespo is an associate partner in McKinsey’s Madrid office, Pankaj Kumar is an associate partner in the New York office, where Peter Noteboom is a partner, and Marc Taymans is a managing partner in McKinsey’s Risk Dynamics group.
