When categorizing risk, it’s useful to follow a few simple rules of thumb.

The first rule of thumb is to use an approach risk management professions call mutually exclusive, collectively exhaustive(MECE).The MECE approach categorizes risk in such a way that all risks can be covered without developing overlap.

When it comes time to measure and manage risk, companies serve themselves best when the risks are measured in independent groups. This puts the risks in their proper categories, but also enables the assessor or assessment team to add up the groups to arrive at a “total” risk.

When categorizing your company’s risks, also keep in mind that specific risks tend to follow certain types of businesses. This is usually driven by the industry, but the company’s size, growth, changing business climate, and other factors also come into play. Most businesses also face risks in each of the different main risk categories. The question for any company implementing a risk management plan is “What specific risks do you have, and which are truly material?”