COSO Risk Categories - Categories of Business Risk Strategic Operations Compliance & Reporting
In COSO's Internal Control - Integrated Framework, risk assessment is one of the key components. Before performing a risk assessment, one has to be clear about the various types of risk that exist. The Chief Audit Executive (CAE) of one of my clients asked me the same question in an internal meeting. The COSO framework lays down certain important risk categories. I am listing the four important risk categories under COSO, with some examples under each category.
1. Strategic Risk - Some examples include governance-related issues, strategic business objectives not being met, a wrong or incorrect business model, external forces, etc.
2. Operational Risk - Operational risk may be due to weak controls in business processes, financial risk, risk in supply chain operations, etc.
3. Reporting Risk - Reporting risk normally includes financial reporting risk, information technology disclosures, reputation, intellectual property, etc.
4. Compliance Risk - Compliance risk, often the most talked about, includes non-compliance with statutes, environmental laws, non-compliance with Sarbanes-Oxley, legal risk, etc.
2 comments
Please kindly describe the similarity or difference between business risk and strategic risk according to the way COSO classifies.
thanks and regards,
Bram