Infrastructure risks Internally driven- Recruitment, people skills, health and safety, premises, IT systemsExternally driven- Communications, transport links, supply chain, terrorism, natural disasters, pandemic

Marketplace risks Internally driven- M&A activity, R&D activities, intellectual property, contractsExternally driven- Economic environment, technology developments, competition, customer demand, regulatory requirements

Reputational risks Internally driven- Brand extensions, board composition, control environmentExternally driven- Product recall, CSR, public perception, regulator enforcement, competition behaviour

What’s immediately clear from this methodology is that significantly more risks are externally driven than they are driven from internal influences. And this, according to Anderson, is where much of the problem with current risk-management approaches lies. “Enterprise risk management is too inwards looking,” he says. “It needs to work across your ecology rather than just the bounds of your organisation. That is a major thrust that we are going to see developing over the coming few years.”