What is Risk Management?
Table of Contents: Definition – Objectives – Activities – Questions from the field – Notes
Smartpedia: Risk management is a process for the early identification and monitoring of risks with the aim of reducing the probability of occurrence and risk costs.
Risk management – dealing with risks in an organisation
Risks are an integral part of entrepreneurial activity, as the future and the effects of actions cannot be predicted with certainty. Risk management is a process with the aim of recognising risks as early as possible, monitoring them in a comprehensible manner and avoiding possible costs.
A risk is a danger that endangers an organisation, a project or a development. Accordingly, the ISO 31000:2018 standard defines risk management as a “coordinated activity to steer and control an organisation with regard to risks.”¹
Accordingly, risk management encompasses all aspects from the systematic and continuous identification and analysis, assessment and prioritisation of risks to the definition of measures to avoid and minimise or tolerate risks, the definition of responsibilities and the monitoring of the success of the measures.
Objectives in risk management
Basically, risk management can pursue two objectives:
- the reduction of the probability of risk occurrence and
- the reduction of the extent of damage.
In practice, there are always discussions about determining the probability of occurrence, as this is often done as an extrapolation from past experience. This is considered difficult because projects are inherently unique and many experiences cannot be meaningfully transferred to other situations and projects. There is a danger of illusory, psychological certainty.
A small example:
A person wants to cross a trench (see diagram). Once this is shallow and wide, then narrow and shallow, then narrow and deep and finally deep and wide.
- shallow and wide = high probability of occurrence, low extent of damage
- narrow and shallow = low probability of occurrence, low extent of damage
- narrow and deep = low probability of occurrence, high extent of damage
- deep and wide = high probability of occurrence, high extent of damage
The trench influences both the probability of occurrence and the possible extent of damage.
Schematically, this is easy to visualise, but in risk management practice it is anything but simple.
Activities in risk management
Risk management is an important activity in organisations and includes the following tasks, among others:
- Identification and documentation of risks with cause and effect.
- Determining the probability of occurrence, extent of damage, as well as potential delays and costs.
- Clear presentation e.g. with a risk matrix, which visualises a set of risks, usually in relation to their probability of occurrence and potential impact.
- Definition and documentation of measures for avoidance, reduction, transfer or tolerance.
- Continuous monitoring of risks and measures and definition of responsibilities.
- Common management of all information (from personnel to technical risk) in a common system.
- Consideration of risks in other company disciplines such as project management, requirements management or change management.
- Regular communication about risks, e.g. in the project with project participants or in the steering committee.
Companies should bear in mind that risk management is a process or a continuous task.
Questions from the field
Here you will find some questions and answers from the field:
What is the difference between danger, risk and venture?
It is important to make a clear distinction between the terms danger, risk and venture:
A danger exists when a situation develops a harmful effect. The prerequisite is the exposure of a person, a group of persons or objects. A fire in Stuttgart in an office building in Stuttgart poses no danger to a development team in Berlin. However, if the team were to be in the corresponding building in Stuttgart, it would be at danger.
A risk is a danger assessed according to probability of occurrence and extent of damage. Or: A risk is the assessed danger of a negative deviation from the target. Example: If the server on which the results of the Berlin development team are hosted is located in the Stuttgart office building, there is a risk that all the work will go up in smoke. The extent of the damage increases depending on the work invested or existing agreements with customers.
A venture is the conscious taking of risks. If the results of the development team were not stored separately or backed up at another location, this would be a venture. This could also be referred to as tolerance.
Which terms are important in risk management?
It is important to have a common understanding of terms in organisations, especially as different terms are used in different industries.
Risk identification: The systematic determination of all risks affecting an organisation, a project or a development.
Risk analysis: The systematic analysis of all identified risks. Depending on the perspective, it can include identification and assessment in the sense of a management process or follow on from identification.
Risk assessment: The assessment of identified and analysed risks, in particular the probability of occurrence and the extent of damage to the risks.
Risk prioritisation: The interface in the risk management process between assessment and management in terms of avoidance, minimisation or limitation. This includes handling – e.g. observing risks or taking measures.
Risk avoidance: Term for the omission of risky activities, such as the development of new solutions to unclear market information or legal situations.
Risk minimisation: Measures with which the probability of occurrence of a risk or the extent of damage is reduced. Is also used in the context of machine safety and is addressed there by inherently safe design, protective measures and user information.
Risk diversification: Measures that divide a large risk into smaller risks: Example: Loss during transport of a large consignment of goods. Alternative: Delivery of individual components by different routes.
Risk transfer: Partial or complete transfer of the risks identified in the course of the analysis to third parties, e.g. through the conclusion of insurance policies or cooperation agreements.
Risk provisioning: A term from the financial sector that includes value adjustments and provisions in the event of possible loan defaults.
Risk response: All measures for avoidance, reduction, diversification, transfer and provisioning.
Risk control: The monitoring of identified and analysed risks as well as measures to avoid and minimise them.
What risk management methods exist?
A risk matrix – sometimes also called a “risk diagram” – visualises a set of risks depending on their probability of occurrence and potential impact. It represents the risk situation and is a risk communication tool.
The FMEA (Failure Mode and Effect Analysis) is a method for system and risk analysis with the objective of finding potential risks in systems, products and processes at an early stage. It defines 7 steps:
- Scope of consideration (scoping)
- Structural analysis
- Functional analysis
- Failure analysis
- Analysis of measures Actual state
- Optimisation of target state
- Risk and result documentation
The DRBFM (Design Reviw Based on Failure Modes) is a tool originally developed by the Toyota Motor Corporation and is based on the consideration that design problems occur when changes are made to existing technical designs that have already proven successful. The aim of the method is to collaboratively create a robust design as early as possible, with the experts involved thinking about possible errors in the course of changes, and to deposit possible errors in a form, evaluate them and derive measures if necessary.
Fault tree analysis is a risk management method for analysing undesired events, in which the interaction of potential causes for an undesired event is visualised with the help of logical links using a tree diagram. It is suitable for the analysis of central risks and chains of causes for errors that have occurred, as well as the preventive identification of possible risks of failure.
Some publications also speak of risk monitoring; however, whether this represents an independent method is rather controversial.
Which standards, laws and regulations address risk management?
- ISO 31000: This International Organisation for Standardisation (ISO) standard sets out the principles and guidelines for risk management and provides a general framework that can be applied to various organisations and industries.
- Basel III: This international standard for banks sets out regulatory requirements for risk management and capital requirements to promote the stability of the financial system.
- COSO Framework: The Committee of Sponsoring Organisations of the Treadway Commission (COSO) Framework is a framework used by companies in many countries to establish internal controls and risk management processes.
- Sarbanes-Oxley Act (SOX): This US law sets standards for corporate financial reporting and also includes requirements for risk management and internal control.
- MaRisk: The Minimum Requirements for Risk Management (MaRisk) are a set of regulations in Germany issued by the German Federal Financial Supervisory Authority (BaFin) for banks and financial services institutions.
- GDPR (General Data Protection Regulation): The European Union’s General Data Protection Regulation contains requirements and best practices for the protection of personal data, including aspects of risk management in connection with data breaches and data protection impact assessments.
- The Control and Transparency Act (KonTraG) is a German law that was introduced in 1998. It stipulates the responsibility of the management board of stock corporations to implement a risk management system in order to identify, assess and manage risks. KonTraG requires regular risk analyses, measures to limit risks and transparent reporting on risks and the status of risk management.
In addition to the examples mentioned, there are specific standards and guidelines in various sectors and industries that relate to risk management. In the pharmaceutical industry, for example, there are the ICH-GCP guidelines (Good Clinical Practice), which define the requirements for risk management in clinical trials.
What are the 6 levels of risk management?
Level one: There is no risk management here. Company management has hardly any awareness of risks and there is no systematic approach. Decisions that react to risks are rare.
Stage two: This is where loss management begins. The company recognises certain risks and takes measures to prevent them. It also takes into account regulations such as environmental protection and occupational health and safety. In the case of major risks, the company takes out insurance to minimise damage. However, there is no specific tool for risk assessment and risk action plans are worked on in isolated teams.
Stage three: This is where regulatory risk management begins. The company has a continuous risk management system. It constantly monitors and evaluates risks. All risks form the risk inventory. Information such as scope, responsibility and frequency is recorded in writing. The company develops strategies to manage important risks.
Stage four: This is where economic, decision-orientated risk management begins. The company recognises both threats and opportunities as risks. It has a comprehensive, software-supported risk management system. The goal is flexible and agile risk management that is closely linked to strategy development.
Stage five: This is where integrated value-based risk management begins. The risk management process is closely linked to the operational level of the company. All plans can be assigned to risks, which enables planning reliability. The company can calculate the value contribution and evaluate strategic moves in relation to risks.
Stage six: This is where embedded risk management begins. The assessment of the risk-adjusted capitalised earnings value reflects the owner’s risk preference and forms the basis for strategic and operational decisions. Risk management is firmly integrated into the corporate culture and entrepreneurial thinking.
According to Gleissner and Mott, good risk management is a success factor for every company. It should involve as many employees as possible in order to give the company management the opportunity to correctly identify and assess risks. The management must be the “top risk manager”, as it makes the decisive decisions on the scope of risk. It should apply strategies and fixed organisational patterns and methods to ensure that potential “existentially threatening developments” are recognised at an early stage.
What role does psychology play in the assessment and evaluation of risks?
Psychology plays a crucial role in the assessment and evaluation of risks. Here are some aspects of how psychology influences risk behaviour:
People evaluate risks based on their perceptions, which are strongly influenced by psychological factors. Personal experiences, cultural backgrounds and emotional reactions influence risk perception. What appears to be high-risk to one person may be less threatening to another.
People use simplistic thinking models or heuristics to assess risks, which can lead to systematic biases. For example, people often rely on readily available information or overestimate risks due to their presence in the media. In addition, the optimism bias leads people to underestimate the probability of negative events for themselves.
Emotions play an important role in risk assessment. Negative emotions such as fear or worry can lead people to overestimate risks. Positive emotions such as hope or enthusiasm, on the other hand, can lead people to underestimate risks.
The behavior of other people and social norms influence the perception of risks. People often orientate themselves by the actions and opinions of their peers, which can lead them to evaluate risks differently depending on what is considered acceptable or normal in their social environment.
Individual cognitive abilities and level of education also play a role. People with higher levels of education tend to evaluate risks more rationally and make better decisions, while those with lower levels of education may be more susceptible to certain types of bias or misjudgement.
Overall, the psychological aspects of risk perception and assessment are complex and involve a variety of factors. A better understanding of these psychological dynamics can help organisations to develop and implement more effective risk management strategies.
How useful is it to aggregate individual risks to determine the overall scope of risk?
When developing products or in project management, there are often combined effects of several individual risks that can threaten the existence of a project or even an entire organisation. Organisations should therefore aggregate individual risks to determine the overall risk scope.
Which software is suitable for risk management?
There are many tools that address the handling of risks. Here you will find a short list without any claim to completeness or evaluation:
The list can certainly be easily expanded, especially as there are numerous products that support risk management but originally have a different marketing focus.
Impulse to discuss:
In addition to risk management, opportunity management has become established in many companies in recent years. Is this possibly the better term for the development of products and services?
Notes:
[1] ISO 31000:2018 – Risk management – Guidelines
Scrum employs an iterative, incremental approach to optimize predictability and to control risk. Would you have associated this with Scrum?
Here you can find a personal assessment about how agile risk management could work.
To a certain extent, the use of secure passwords is also a form of risk management.
Here you will find additional information from our Smartpedia section: