Risk management – dealing with risks in an organisation
Risk management is a process with the aim of identifying risks as early as possible, monitoring them in a comprehensible way and avoiding possible costs. A risk is a hazard that endangers an organisation, a project or a development. Accordingly, the ISO standard 31000:2018 defines risk management as a “coordinated activity to guide and control an organisation in relation to risks”¹.
Consequently, risk management encompasses all aspects from systematic and continuous
- risk identification and risk analysis,
- risk assessment and risk prioritisation,
to the definition of measures for
- risk avoidance,
- minimisation or toleration of risk,
and the definition of responsibilities as well as the control of the success of the measures.
Objectives in risk management
Basically, risk management can pursue two objectives:
- the reduction of the probability of risk occurrence and
- the reduction of the extent of damage.
In practice, there are always discussions about determining the probability of occurrence, as this is often done as an extrapolation from past experience. This is considered difficult because projects are inherently unique and many experiences cannot be meaningfully transferred to other situations and projects. There is a danger of illusory, psychological certainty.
A small example:
A person wants to cross a trench (see diagram). In one case the trench is shallow and wide, in another narrow and shallow, then narrow and deep, and finally deep and wide.
- shallow and wide = high probability of occurrence, low extent of damage
- narrow and shallow = low probability of occurrence, low extent of damage
- narrow and deep = low probability of occurrence, high extent of damage
- deep and wide = high probability of occurrence, high extent of damage
The trench influences both the probability of occurrence and the possible extent of damage.
Schematically, this is easy to visualise, but in risk management practice it is anything but simple.
Important terms in risk management
In the context of risk management, there are a variety of terms that need to be defined and for which there needs to be a common understanding in an organisation, especially as different terms are used in different industries.
Risk identification: The systematic determination of all risks affecting an organisation, a project or a development.
Risk analysis: The systematic analysis of all identified risks. Depending on the perspective, it can include risk identification and risk assessment in the sense of a risk management process or follow on from risk identification.
Risk assessment: The assessment of identified and analysed risks, in particular the probability of occurrence and the extent of damage to the risks.
Risk prioritisation: The interface in the risk management process between risk assessment and risk management in terms of avoidance, minimisation or limitation. This includes handling – e.g. observing risks or taking measures.
Risk avoidance: The omission of risky activities, such as developing new solutions in the face of unclear market information or legal situations.
Risk minimisation: Measures that reduce the probability of occurrence of a risk or the extent of damage. The term is also used in the context of machine safety, where it is addressed by inherently safe design, protective measures and user information.
Risk diversification: Measures that divide a large risk into several smaller risks. Example: loss during transport of a large consignment of goods; alternative: delivery of the individual components by different routes.
Risk transfer: Partial or complete transfer of the risks identified in the course of the risk analysis to third parties, e.g. through the conclusion of insurance policies or cooperation agreements. Alternatively, the term risk transfer is also used.
Risk provisioning: A term from the financial sector that includes value adjustments and provisions in the event of possible loan defaults.
Risk response: All measures for risk avoidance, risk reduction, risk diversification, risk transfer and risk provisioning.
Risk control: The monitoring of identified and analysed risks as well as measures to avoid and minimise risks.
It is also important to define the terms danger, risk and venture:
Danger: A danger exists when a situation develops a harmful effect. The prerequisite is the exposure of a person, a group of persons or objects. A fire in an office building in Stuttgart poses no danger to a development team in Berlin. However, if the team were in that building in Stuttgart, it would be in danger.
Risk: A risk is a danger assessed according to probability of occurrence and extent of damage. Or: A risk is the assessed danger of a negative deviation from the target. Example: If the server on which the results of the Berlin development team are hosted is located in the Stuttgart office building, there is a risk that all the work will go up in smoke. The extent of the damage increases depending on the work invested or existing agreements with customers.
Venture: A venture is the conscious taking of risks. If the results of the development team were not stored separately or backed up at another location, this would be a venture. This could also be referred to as risk tolerance.
Activities in risk management
The following activities are particularly important in the context of risk management:
- Documentation of risks with cause and effect.
- Determining the probability of occurrence, extent of damage, as well as potential delays and costs.
- Clear presentation of risks, e.g. with a risk matrix. A risk matrix visualises a set of risks, usually in relation to their probability of occurrence and potential impact.
- Definition and documentation of measures for risk avoidance, risk reduction, risk transfer or risk tolerance.
- Continuous monitoring of risks and measures and definition of responsibilities.
- Common management of all information (from personnel risk to technical risk) in a common system.
- Consideration of risks in other company disciplines such as project management, requirements management or change management.
- Regular communication about risks, e.g. in the project with project participants or in the steering committee.
Defined methods are often used in the course of continuous risk management.
Methods in risk management
Here you will find a selection of methods in dealing with risks:
A risk matrix – sometimes also called a “risk diagram” – visualises a set of risks depending on their probability of occurrence and potential impact. It represents the risk situation and is a risk communication tool.
The FMEA (Failure Mode and Effect Analysis) is a method for system and risk analysis with the objective of finding potential risks in systems, products and processes at an early stage. It defines 7 steps:
- Scope of consideration (scoping)
- Structural analysis
- Functional analysis
- Failure analysis
- Analysis of measures (actual state)
- Optimisation (target state)
- Risk and result documentation
The DRBFM (Design Review Based on Failure Modes) is a tool originally developed by the Toyota Motor Corporation. It is based on the observation that design problems occur when changes are made to existing technical designs that have already proven successful. The aim of the method is to collaboratively create a robust design as early as possible: the experts involved think about possible errors in the course of changes, record them in a form, evaluate them and derive measures if necessary.
Fault tree analysis is a risk management method for analysing undesired events, in which the interaction of potential causes for an undesired event is visualised with the help of logical links using a tree diagram. It is suitable for the analysis of central risks and chains of causes for errors that have occurred, as well as the preventive identification of possible risks of failure.
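To show how the logical links in a fault tree are evaluated, here is an added example (not code from the article): a small evaluator that propagates probabilities through AND/OR gates and derives the minimal cut sets of a top event. The tree reuses the article's scenario of development results hosted on a single server; the tree structure and all probabilities are constructed for illustration.

```python
# Added example (not from the article): small fault tree evaluator for the
# article's scenario; all probabilities are constructed annual values.
from dataclasses import dataclass, field
from itertools import product
from math import prod
from typing import List, Union

@dataclass
class Event:          # basic event (leaf) with a constructed probability
    name: str
    probability: float

@dataclass
class Gate:           # logical link between causes: "AND" or "OR"
    name: str
    kind: str
    inputs: List[Union["Event", "Gate"]] = field(default_factory=list)

def probability(node) -> float:
    """Propagate bottom-up, assuming a gate's inputs are independent. A basic
    event shared by several gates (common cause) violates this assumption."""
    if isinstance(node, Event):
        return node.probability
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)                       # all causes must occur
    if node.kind == "OR":
        return 1 - prod(1 - p for p in ps)    # at least one cause occurs
    raise ValueError(f"unknown gate type {node.kind}")

def minimal_cut_sets(node) -> List[frozenset]:
    """Smallest combinations of basic events that trigger the top event."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":                     # any input's cut set suffices
        sets = {s for cs in child_sets for s in cs}
    else:                                     # AND: one cut set per input, combined
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    return sorted((s for s in sets if not any(o < s for o in sets)), key=sorted)

# Constructed tree: work is lost only if the primary copy is destroyed AND no
# usable backup exists; each side has independent causes.
TOP = Gate("development results lost", "AND", [
    Gate("primary copy destroyed", "OR", [Event("fire in office building", 0.01),
                                          Event("server disk failure", 0.05)]),
    Gate("no usable backup", "OR", [Event("backup job failed", 0.10),
                                    Event("backup corrupt, restore untested", 0.20)]),
])
```

With these constructed values `probability(TOP)` is about 0.0167 per year, and `minimal_cut_sets(TOP)` lists the four two-event combinations that each lead to the loss; any measure that removes one event from every cut set (an off-site backup with tested restores, for example) changes the tree, not just a number.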
Some publications also speak of risk monitoring; however, whether this represents an independent method in risk management is rather controversial.
Risk management software
There are many tools that address the management of risks. Here you will find a list:
- A1 Tracker
- Decision Time
- QT9 QMS
The list can easily be extended, especially as there are numerous products that support risk management but originally have a different marketing focus.
Impulses for discussion:
In addition to risk management, opportunity management has become established in many companies in recent years. Is this possibly the better term for the development of products and services?
In the development of products or in project management, there are often also combination effects of several individual risks that can lead to a threat to the existence of a project or even an entire organisation. Organisations should therefore aggregate individual risks to determine the overall scope of risk.
Scrum employs an iterative, incremental approach to optimize predictability and to control risk. Would you have associated this with Scrum?
Here you can find a personal assessment about how agile risk management could work.
To a certain extent, the use of secure passwords is also a form of risk management.