
Geary Sikich looks at the subject of collateral risk and shows how the concept can be used in risk management processes.


The Law Dictionary defines collateral risk as:

The risk of loss arising from errors in the nature, quantity, pricing, or characteristics of collateral securing a transaction with credit risk.  Institutions that actively accept and deliver collateral and are unable to manage the process accurately are susceptible to loss.  A subcategory of process risk.

The military defines collateral risk in terms of ‘risk to mission’ as depicted in figure one below:

CDE refers to collateral damage estimate.  As we can see, the risk management process runs from CDE 1 (target validation/initial assessment) through CDE 5 (casualty assessment).  Three criteria are considered: structural damage, casualties and restrictions.  The collateral risk scale/matrix is an escalating scale that focuses on ‘risk to mission’ considerations.

The Business Insurance Dictionary includes six definitions of risk:

1. A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.

2. Finance: the probability that an actual return on an investment will be lower than the expected return. Financial risk is divided into the following categories: basic risk, capital risk, country risk, default risk, delivery risk, economic risk, exchange rate risk, interest rate risk, liquidity risk, operations risk, payment system risk, political risk, refinancing risk, reinvestment risk, settlement risk, sovereign risk, and underwriting risk.

3. Food industry: the possibility that due to a certain hazard in food there will be a negative effect to a certain magnitude.

4. Insurance: a situation where the probability of a variable (such as burning down of a building) is known but when a mode of occurrence or the actual value of the occurrence (whether the fire will occur at a particular property) is not. A risk is not an uncertainty (where neither the probability nor the mode of occurrence is known), a peril (cause of loss), or a hazard (something that makes the occurrence of a peril more likely or more severe).

5. Securities trading: the probability of a loss or drop in value. Trading risk is divided into two general categories: (1) Systemic risk affects all securities in the same class and is linked to the overall capital-market system and therefore cannot be eliminated by diversification. Also called market risk. (2) Nonsystematic risk is any risk that isn't market-related or is not systemic. Also called nonmarket risk, extra-market risk, or unsystemic risk.

6. Workplace: product of the consequence and probability of a hazardous event or phenomenon. For example, the risk of developing cancer is estimated as the incremental probability of developing cancer over a lifetime as a result of exposure to potential carcinogens (cancer-causing substances).

RIMS (the Risk and Insurance Management Society) also has a definition for enterprise risk management (ERM):

Enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk; this includes but is not limited to, financial, accidental losses, strategic, operational and other unrecognized risks.

Enterprise risk management is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.

The Institute of Internal Auditors (IIA) offers the following:

Enterprise risk management is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.

I could continue with the ISO standards and other guidance and/or regulatory materials, but that would render this article nearly useless, as well as unreadable.  However, as we look at these definitions it is readily apparent that ‘risk’ means something very different to each of those creating the definitions.  Yet we use the term ‘risk’ and expect that our understanding (definition) will be universally comprehended and accepted.

Don Quixote where are you?

Creating a universal definition of risk could well be the impossible quest.  But that may be a salvation too, if we begin to carefully communicate our definitions to each other.  We can come to an understanding and begin to apply composite or situational definitions of risk based on the criteria that we are using to evaluate the identified risk.  What we really need to do is concentrate on how we identify the characteristics of the risk that we are concerned with.  We then need to understand and evaluate collateral risk in the context of how we intend to buffer the identified risk, and in respect of the change in risk that results from buffering against the risk being realized.

This may sound complicated but is where an appreciation of collateral risk begins to take shape as part of the risk assessment/analysis and overall risk management process.  Better to get an understanding of what risks may emerge collateral to the risk that you plan to address and to be prepared to buffer them rapidly.

Creating a collateral risk matrix

Collateral damage is damage to things that are incidental to the intended target.  Collateral risk results from the actions taken to reduce (buffer) risk exposure and achieve risk parity.  By collateral I am referring not to money, but risks that emerge as a result of addressing an identified risk.

As I wrote in my recent article, entitled 'Complexity – The Wager: Analysis or Intuition', risk parity is:

a balancing of resources to a risk, threat, hazard, vulnerability (RTHV), etc.  You identify a RTHV and then balance the resources you allocate to buffer against the RTHV being realized (that is occurring).  This is done for all RTHV that you identify and is a constant process of allocation of resources to buffer the RTHV based on the expectation of RTHV occurring and the velocity, impact and ability to sustain resilience against the RTHV realization.  You would apply this and then constantly assess to determine what resources need to be shifted to address the RTHV.  This can be a short term or long term effort.  The main point is that achieving risk parity is a balancing of resources based on assessment of RTHV realization and potential consequences to the organization.  Risk parity is not static as RTHV and consequences are not static. 

We can use the military matrix shown above as a baseline for creating a collateral risk matrix applicable to business operations.  The complexity of the matrix can be adjusted to the depth of risk analysis that the organization chooses to undertake.  Can you identify collateral risk issues with this process?  The answer is yes, and you can custom fit the variables to look at three levels of collateral risk: strategic, operational and tactical.  Combine this with an assessment of time critical, time sensitive and time dependent risks and collateral risks and you could end up with a matrix like the one in figure two, below:

Twelve key factors

There are twelve key factors that should be considered as categories for grouping analysis and creating touchpoint identifiers in regard to collateral risk and risk cascade if the primary risk materializes.  Those recoverable from the original list are:

  • Human capital
  • Current competitors
  • Infrastructure (external & internal)
  • Government (all levels, national, international)
  • Competitive intelligence
  • New entrants

These factors can be rank ordered, their key issues identified, their impact (high, medium, low; short term, long term) assessed, and the primary risk and collateral risks listed to form a quick reference analysis table.  From here, war gaming can be used to assess risk realization impacts and to identify risk cascade and collateral risk realization.

The twelve key factors are depicted below with examples of risk and collateral risk:

| Key Factor | Key Issue | Risk | Collateral Risk |
| --- | --- | --- | --- |
| | | Sustainability within current markets | Customer tolerance level (CTL), maximum tolerable outage (MTO) |
| Human Capital | Succession & Intellectual Value | Leadership, intellectual capital, sustainability of replenishment pool, key client/stakeholder relationships | Operational impact, market share, sustainability |
| Current Competitors | Competitive Advantage | Financial, customer loyalty | Sustainability, strength in markets served, loyalty, capacity to manage surge |
| | Value chain vetting, contract structure | Ability to influence capabilities to provide product/services, readily available alternatives | Continuity of operations |
| Infrastructure | Internal & External | Accessibility to, and ability of, external infrastructure to meet demand/surges; limitations of internal infrastructure to meet demand/surges; cascade effects of failure | Operations, financial, customer, value chain (suppliers) |
| | Support Level | Capability to meet expectations | Financial investments, market value |
| Government | Regulatory Drivers | Number of regulatory agencies and regulatory compliance scrutiny; potential actions with direct impact; potential actions with indirect impact | Customer tolerance level (CTL), financial, operational |
| Substitutes/Alternatives | Threat Level | Readily available alternatives, differentiating qualities | Financial, operational, market share |
| | | Long term impairment of reputation | Customer tolerance level (CTL), operations, financial |
| Competitive Intelligence | Competitive Advantage | Loss of intellectual capital, data compromise, competitive advantage, market share | Human capital, financial, operations |
| New Entrants | Threat Level | Barriers to entry, financial challenges, customer loyalty | Financial, operations, human capital, customers, suppliers (value chain) |

(Empty cells are not recoverable from the original table.)

Additional examples of time critical, time sensitive and time dependent criteria are provided below:

Time critical (examples):

Time critical risks and collateral risks can be defined by time periods.  For example: 0 – 3 hours, 0 – 3 days

Loss of critical infrastructures (external)
Loss of critical infrastructures (internal)
Telecommunications/information systems
Transportation (air, land, water)
Utilities (gas, electric, water)
Energy supply
Critical services
Access denial
Degradation/loss of critical operations
Loss/degradation of operational capability
Loss of electrical supply sources
Loss of telecommunications/information sources
Loss/degradation of buildings/occupancy
Disruption of transportation
Disruption of water supply
Disruption of emergency services

Time sensitive (examples):

Time sensitive risks and collateral risks can be defined by time periods.  For example: 4 – 8 hours, 4 – 8 days

Business applications
Human resources & staffing
Legal oversight/documentation
Transition to recovery organization
Recovery operations
Humanitarian assistance
Infrastructure restoration
Information recovery & synchronization
Resumption of critical business functions
Full function restoration
Permanent restoration

Time dependent (examples):

Time dependent risks & collateral risks can be defined by time periods.  For example: 8 + hours, 8 + days

Government relations
Corporate relations
Corporate image
Banking & finance
Assigned relocation sites
Communication systems requirements
Operations systems requirements
Personnel requirements
Documentation of facilities recovery
Assessment of operations requirements
Building documents/records required in an emergency
Public sector contacts
Forms and supplies
Associated plans and information
Insurance and risk management plan
Treasury contingency cash plan
Controller's system for tracking recovery expenses
Vendor/supplier/consultant list
Floor space alternatives outside main office
Records planning, storage & retrieval

Risk and collateral risk analysis (examples of areas)

Corporate strategy
Strategic goals
Regulatory compliance
Competitive intelligence
Business risk issues
Human factors
Financial impacts
Value chain
Vendors, suppliers
Outsource partners
Infrastructure (internal)
Infrastructure (external)
Product lifecycle
Service offerings
Merger & acquisition
Natural events
Manmade events
Cyber events
Demand issues


In order for any organization to succeed in today’s fast-paced, globally interlinked business environment, the ability to identify and assess risk, and to identify collateral risk, needs to be addressed.  When you take management (leadership & decision-making), planning, operations, logistics, communications, finance, administration, infrastructure (internal & external), reputation, external relations and other dependency issues into account, there is significant impact on six areas that I consider critical for organizations: strategy (goals & objectives), concept of operations, organizational structure, resource management, core competencies and pragmatic leadership (at all levels, with a common understanding of terminology).

We live in a world full of consequences.  Our decisions need to be made with the most information available with the recognition that all decisions carry with them flaws due to our inability to know everything.  Our focus should be on how our flawed decisions establish a context for flawed RTHV assessments, leading to flawed plans, resulting in flawed abilities to execute effectively.  If we change our thought processes from chasing symptoms and ignoring consequences to recognizing the limitations of decision making under uncertainty we may find that the decisions we are making have more upside than downside.

The author

Geary Sikich, entrepreneur, consultant, author and business lecturer, is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary's focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide.

Geary is well-versed in contingency planning, risk management, human resource development, ‘war gaming,’ as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities. Geary began his career as an officer in the US Army after completing his BS in Criminology. As a thought leader, Geary leverages his skills in client attraction and the tools of LinkedIn, social media and publishing to help executives in decision analysis, strategy development and risk buffering. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.

Contact information: E-mail: or Telephone: 1- 219-922-7718


  • Apgar, David, ‘Risk Intelligence: Learning to Manage What We Don’t Know,’ Harvard Business School Press, 2006.
  • Jones, Milo and Silberzahn, Philippe, ‘Constructing Cassandra: Reframing Intelligence Failure at the CIA, 1947–2001,’ Stanford Security Studies, August 21, 2013, ISBN-10: 0804785805, ISBN-13: 978-0804785808.
  • Kami, Michael J., ‘Trigger Points: How to Make Decisions Three Times Faster,’ McGraw-Hill, 1988, ISBN 0-07-033219-3.
  • Sikich, Geary W., ‘Graceful Degradation and Agile Restoration Synopsis,’ Disaster Resource Guide, 2002.
  • Sikich, Geary W., ‘Integrated Business Continuity: Maintaining Resilience in Times of Uncertainty,’ PennWell Publishing, 2003.
  • Sikich, Geary W., ‘Risk and Compliance: Are You Driving the Car While Looking in the Rearview Mirror?’ 2013.
  • Sikich, Geary W., ‘Transparent Vulnerabilities: How We Overlook the Obvious, Because It Is Too Clear That It Is There,’ 2008.
  • Sikich, Geary W., ‘Risk and the Limitations of Knowledge,’ 2014.
  • Sikich, Geary W., ‘Complexity: The Wager – Analysis or Intuition?’ 2015.
  • Taleb, Nassim Nicholas, ‘The Black Swan: The Impact of the Highly Improbable,’ Random House, 2007, ISBN 978-1-4000-6351-2; 2nd edition, Random House, 2010, ISBN 978-0-8129-7381-5.
  • Law Dictionary: ‘What is COLLATERAL RISK? Definition of COLLATERAL RISK’ (Black's Law Dictionary).
