What is Risk Management?
Risk management – dealing with risks in an organisation
Risk management is a process with the aim of identifying risks as early as possible, monitoring them in a comprehensible way and avoiding possible costs. A risk is a hazard that endangers an organisation, a project or a development. Accordingly, the ISO standard 31000:2018 defines risk management as a “coordinated activity to guide and control an organisation in relation to risks”¹.
Consequently, risk management encompasses all aspects from the systematic and continuous
- identification and analysis, and
- assessment and prioritisation of risks,
to the definition of measures for their
- minimisation or toleration,
and the definition of responsibilities as well as the control of the success of the measures.
Objectives in risk management
Basically, risk management can pursue two objectives:
- the reduction of the probability of risk occurrence and
- the reduction of the extent of damage.
In practice, there are always discussions about determining the probability of occurrence, as this is often done as an extrapolation from past experience. This is considered difficult because projects are inherently unique and many experiences cannot be meaningfully transferred to other situations and projects. There is a danger of illusory, psychological certainty.
A small example:
A person wants to cross a trench (see diagram). In one case it is shallow and wide, then narrow and shallow, then narrow and deep, and finally deep and wide.
- shallow and wide = high probability of occurrence, low extent of damage
- narrow and shallow = low probability of occurrence, low extent of damage
- narrow and deep = low probability of occurrence, high extent of damage
- deep and wide = high probability of occurrence, high extent of damage
The trench influences both the probability of occurrence and the possible extent of damage.
Schematically, this is easy to visualise, but in risk management practice it is anything but simple.
Important terms in risk management
In the context of risk management, there are a variety of terms that need to be defined and for which there needs to be a common understanding in an organisation, especially as different terms are used in different industries.
Identification: The systematic determination of all risks affecting an organisation, a project or a development.
Analysis: The systematic analysis of all identified risks. Depending on the perspective, it can include identification and assessment in the sense of a management process or follow on from identification.
Assessment: The assessment of identified and analysed risks, in particular the probability of occurrence and the extent of damage to the risks.
Prioritisation: The interface in the risk management process between assessment and management in terms of avoidance, minimisation or limitation. This includes handling – e.g. observing risks or taking measures.
Avoidance: Term for the omission of risky activities, such as the development of new solutions to unclear market information or legal situations.
Minimisation: Measures with which the probability of occurrence of a risk or the extent of damage is reduced. Is also used in the context of machine safety and is addressed there by inherently safe design, protective measures and user information.
Diversification: Measures that divide a large risk into several smaller risks. Example: loss of a large consignment of goods during transport. Alternative: delivery of the individual components by different routes.
Transfer: Partial or complete transfer of the risks identified in the course of the analysis to third parties, e.g. through the conclusion of insurance policies or cooperation agreements.
Provisioning: A term from the financial sector that includes value adjustments and provisions in the event of possible loan defaults.
Response: All measures for avoidance, reduction, diversification, transfer and provisioning.
Control: The monitoring of identified and analysed risks as well as measures to avoid and minimise them.
It is also important to define the terms danger, risk and venture:
Danger: A danger exists when a situation develops a harmful effect. The prerequisite is the exposure of a person, a group of persons or objects. A fire in an office building in Stuttgart poses no danger to a development team in Berlin. However, if the team were in that building in Stuttgart, it would be in danger.
Risk: A risk is a danger assessed according to probability of occurrence and extent of damage. Or: A risk is the assessed danger of a negative deviation from the target. Example: If the server on which the results of the Berlin development team are hosted is located in the Stuttgart office building, there is a risk that all the work will go up in smoke. The extent of the damage increases depending on the work invested or existing agreements with customers.
Venture: A venture is the conscious taking of risks. If the results of the development team were not stored separately or backed up at another location, this would be a venture. This could also be referred to as tolerance.
Activities in risk management
The following activities are particularly important in the context of risk management:
- Documentation of risks with cause and effect.
- Determining the probability of occurrence, extent of damage, as well as potential delays and costs.
- Clear presentation e.g. with a risk matrix, which visualises a set of risks, usually in relation to their probability of occurrence and potential impact.
- Definition and documentation of measures for avoidance, reduction, transfer or tolerance.
- Continuous monitoring of risks and measures and definition of responsibilities.
- Common management of all information (from personnel to technical risk) in a common system.
- Consideration of risks in other company disciplines such as project management, requirements management or change management.
- Regular communication about risks, e.g. in the project with project participants or in the steering committee.
Defined methods are often used in the course of continuous risk management:
Methods in risk management
Here you will find a selection of methods in dealing with risks:
A risk matrix – sometimes also called a “risk diagram” – visualises a set of risks depending on their probability of occurrence and potential impact. It represents the risk situation and is a risk communication tool.
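The following added example (not code from the article or from any product it names) turns the article's trench scenarios into a small risk register and places them on a 5 × 5 risk matrix. The ordinal scales, the score thresholds for the matrix zones and the rule that a high-impact risk is never filed as "low" are assumptions for this example; the article itself gives no scales.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: 5-point ordinal scales for probability of occurrence and impact,
# 1 = lowest, 5 = highest. The article defines no scales.
SCALE = range(1, 6)


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int
    impact: int

    def __post_init__(self) -> None:
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: probability and impact must be in 1..5")

    @property
    def score(self) -> int:
        # Classic "probability x impact" product used to rank risks.
        return self.probability * self.impact


def zone(risk: Risk) -> str:
    """Assign a risk to a matrix zone. Thresholds are assumptions for this example.

    A pure product score would rate a rare but catastrophic risk (narrow and deep
    trench) the same as a frequent but harmless one, so impact >= 4 is floored at
    "medium" to keep high-damage risks visible to decision makers.
    """
    if risk.score >= 15:
        return "high"
    if risk.score >= 6 or risk.impact >= 4:
        return "medium"
    return "low"


def prioritise(risks: List[Risk]) -> List[Risk]:
    # Highest score first; ties are broken in favour of the higher impact.
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def matrix(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Group risk names by their (probability, impact) cell."""
    cells: Dict[Tuple[int, int], List[str]] = {(p, i): [] for p in SCALE for i in SCALE}
    for r in risks:
        cells[(r.probability, r.impact)].append(r.name)
    return cells


def render(risks: List[Risk]) -> str:
    """Text rendering of the matrix: probability rows (top = P5), impact columns."""
    cells = matrix(risks)
    lines = []
    for p in reversed(SCALE):
        row = []
        for i in SCALE:
            names = cells[(p, i)]
            row.append(",".join(n[:6] for n in names) if names else ".")
        lines.append(f"P{p} | " + " | ".join(f"{c:<8}" for c in row))
    lines.append("     " + "   ".join(f"I{i}      " for i in SCALE))
    return "\n".join(lines)


# Constructed sample register based on the article's four trench scenarios.
TRENCHES = [
    Risk("shallow-wide", 5, 1),
    Risk("narrow-shallow", 1, 1),
    Risk("narrow-deep", 1, 5),
    Risk("deep-wide", 5, 5),
]

if __name__ == "__main__":
    print(render(TRENCHES))
    for r in prioritise(TRENCHES):
        print(f"{r.name:<15} P={r.probability} I={r.impact} score={r.score:>2} zone={zone(r)}")
```

The impact floor in `zone()` is the practical point: the matrix is a communication tool, and a multiplicative score alone would let the "narrow and deep" case disappear into the low zone even though it is the one whose occurrence the organisation can least afford.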
The FMEA (Failure Mode and Effect Analysis) is a method for system and risk analysis with the objective of finding potential risks in systems, products and processes at an early stage. It defines 7 steps:
- Scope of consideration (scoping)
- Structural analysis
- Functional analysis
- Failure analysis
- Analysis of measures (actual state)
- Optimisation (target state)
- Risk and result documentation
The DRBFM (Design Review Based on Failure Modes) is a tool originally developed by the Toyota Motor Corporation and is based on the consideration that design problems occur when changes are made to existing technical designs that have already proven successful. The aim of the method is to collaboratively create a robust design as early as possible, with the experts involved thinking about possible errors in the course of changes, recording possible errors in a form, evaluating them and deriving measures if necessary.
Fault tree analysis is a risk management method for analysing undesired events, in which the interaction of potential causes for an undesired event is visualised with the help of logical links using a tree diagram. It is suitable for the analysis of central risks and chains of causes for errors that have occurred, as well as the preventive identification of possible risks of failure.
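As an added example (not part of the article), the following Python code builds a small fault tree from the article's own Stuttgart scenario: the development results are lost only if the storage in the Stuttgart building fails (by fire or hardware failure) AND no usable backup exists. It evaluates the top event's probability from the basic events, assuming they are independent, and derives the minimal cut sets, i.e. the smallest combinations of causes that are sufficient for the undesired event. The event names and probabilities are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class Event:
    """Basic event (leaf of the tree) with its probability of occurrence."""
    name: str
    probability: float


@dataclass
class Gate:
    """Logical link: 'AND' (all inputs must occur) or 'OR' (any input suffices)."""
    kind: str
    name: str
    inputs: List["Node"]


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Probability of the event at `node`, assuming independent basic events."""
    if isinstance(node, Event):
        return node.probability
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        p = 1.0
        for x in ps:
            p *= x
        return p
    if node.kind == "OR":
        # P(at least one) = 1 - P(none)
        q = 1.0
        for x in ps:
            q *= 1.0 - x
        return 1.0 - q
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimise(sets: List[frozenset]) -> List[frozenset]:
    """Drop duplicates and any cut set that contains another cut set."""
    unique = set(sets)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def cut_sets(node: Node) -> List[frozenset]:
    """Minimal cut sets of the (sub)tree rooted at `node`."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        combined = [cs for sets in child_sets for cs in sets]
    else:  # AND: every combination of one cut set per input
        combined = [frozenset()]
        for sets in child_sets:
            combined = [a | b for a in combined for b in sets]
    return minimise(combined)


# Constructed fault tree for the article's scenario (probabilities are invented).
FIRE = Event("fire_in_stuttgart_building", 0.01)
HW_FAILURE = Event("storage_hardware_failure", 0.05)
NO_BACKUP = Event("no_usable_backup", 0.20)

STORAGE_LOST = Gate("OR", "storage in Stuttgart building lost", [FIRE, HW_FAILURE])
RESULTS_LOST = Gate("AND", "development results lost", [STORAGE_LOST, NO_BACKUP])


def with_backup_measure(p_no_backup: float) -> float:
    """Top-event probability after a minimisation measure that lowers the
    'no usable backup' probability to `p_no_backup` (e.g. off-site backups)."""
    tree = Gate("AND", RESULTS_LOST.name, [STORAGE_LOST, Event(NO_BACKUP.name, p_no_backup)])
    return probability(tree)


if __name__ == "__main__":
    print(f"P(top event) = {probability(RESULTS_LOST):.4f}")
    for cs in cut_sets(RESULTS_LOST):
        print("minimal cut set:", sorted(cs))
    print(f"after backup measure: {with_backup_measure(0.01):.6f}")
```

Every minimal cut set contains the backup event, which is exactly what the tree tells the risk owner: a measure on the backup side (transfer or minimisation) reduces every path to the top event at once, whereas fire protection alone leaves the hardware-failure path untouched.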
Some publications also speak of risk monitoring; however, whether this represents an independent method is rather controversial.
Risk management software
There are many tools that address the management of risks. Here you will find a list:
- A1 Tracker
- Decision Time
- QT9 QMS
The list can easily be extended, especially as there are numerous products that support risk management but originally have a different marketing focus.
Impulse to discuss:
In addition to risk management, opportunity management has become established in many companies in recent years. Is this possibly the better term for the development of products and services?
In the development of products or in project management, there are often also combination effects of several individual risks that can lead to a threat to the existence of a project or even an entire organisation. Organisations should therefore aggregate individual risks to determine the overall scope of risk.
Scrum employs an iterative, incremental approach to optimize predictability and to control risk. Would you have associated this with Scrum?
Here you can find a personal assessment about how agile risk management could work.
To a certain extent, the use of secure passwords is also a form of risk management.