What is Risk Management, what are important terms and which activities are essential?
Risk Management – dealing with risks in an organisation
The ISO 31000:2018 standard defines risk management as “the coordinated activity of managing and controlling an organisation with respect to risks”.
Risk management covers all aspects
- from systematic risk identification, risk analysis, risk assessment, risk prioritisation,
- to the definition of measures for risk avoidance, risk minimisation or risk tolerance,
- and the definition of responsibilities and the control of the success of the measures.
Terms used in risk management
In the context of risk management, there is a multitude of terms that need to be defined and for which there must be a common understanding in an organisation, especially as different terms are used in different industries.
Risk identification: The systematic determination of all risks affecting an organisation, a project or a development.
Risk analysis: The systematic analysis of all identified risks. Depending on the perspective, it can include risk identification and risk assessment in the sense of a risk management process or follow on from risk identification.
Risk assessment: The assessment of identified and analysed risks, in particular their probability of occurrence and extent of damage.
Risk prioritisation: The interface in the risk management process between risk assessment and risk management in terms of avoidance, minimisation or limitation. This includes handling – e.g. observing risks or taking measures.
Risk avoidance: Term for the omission of risky activities, such as the development of new solutions in the face of unclear market information or legal situations.
Risk minimisation: Measures with which the probability of occurrence of a risk or the extent of damage is reduced. The term is also used in the context of machine safety, where it is addressed by inherently safe design, protective measures and user information.
Risk diversification: Measures that divide a large risk into smaller risks. Example: loss of a large consignment of goods during transport. Alternative: delivery of individual components by different routes.
Risk transfer: Partial or complete transfer of the risks identified in the course of the risk analysis to third parties, e.g. through the conclusion of insurance policies or cooperation agreements. Alternatively, the term risk transfer is also used.
Risk provisioning: A term from the financial sector that includes value adjustments and provisions in the event of possible loan defaults.
Risk response: All measures for risk avoidance, risk reduction, risk diversification, risk transfer and risk provisioning.
Risk control: The monitoring of identified and analysed risks as well as measures to avoid and minimise risks.
It is also important to define the terms danger, risk and venture:
Danger: A danger exists when a situation develops a harmful effect. The prerequisite is the exposure of a person, a group of persons or objects. A fire in an office building in Stuttgart poses no danger to a development team in Berlin. However, if the team were in that building in Stuttgart, it would be in danger.
Risk: A risk is a danger assessed according to probability of occurrence and extent of damage. Or: A risk is the assessed danger of a negative deviation from the target. Example: If the server on which the results of the Berlin development team are hosted is located in the Stuttgart office building, there is a risk that all the work will go up in smoke. The extent of the damage increases depending on the work invested or existing agreements with customers.
Venture: A venture is the conscious taking of risks. If the results of the development team were not stored separately or backed up at another location, this would be a venture. This could also be referred to as risk tolerance.
Risk management activities
Risk management is a process aimed at recognising risks as early as possible and monitoring them in a comprehensible manner. In the development of products or in project management, the combined effects of several individual risks often occur, which can threaten the existence of a project or even an entire organisation. Organisations should therefore aggregate individual risks to determine the overall risk level.
Basically, risk management can pursue two goals: reducing the probability of risk occurrence and reducing the extent of damage.
The following activities are particularly important in the context of risk management:
- The documentation of risks with cause and effect.
- The determination of the probability of occurrence, extent of damage, potential delays and costs.
- The clear presentation of risks, for example with a risk matrix. A risk matrix visualises a number of risks, usually depending on their probability of occurrence and potential effects.
- The definition and documentation of measures for risk avoidance, risk reduction, risk transfer or risk tolerance.
- The continuous monitoring of risks and measures and the definition of responsibilities.
- The joint management of all information (from personnel risk to technical risk) in a common system.
- The consideration of risks in other corporate disciplines such as project management, requirements management or change management.
- Regular communication about risks, e.g. in projects with project participants or in the steering committee.
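The first activities in this list (documenting cause and effect, estimating probability and damage, placing risks in a risk matrix) and the aggregation into an overall risk level can be sketched as follows. This is an added example, not part of the original article; the three-level bands, the euro amounts, the probabilities and the register entries are constructed assumptions, and the aggregation assumes the risks occur independently of each other.

```python
from dataclasses import dataclass
from math import prod

@dataclass
class Risk:
    name: str
    cause: str
    effect: str
    probability: float  # assumed: chance of occurrence in the planning period (0..1)
    damage: float       # assumed: extent of damage in EUR if the risk occurs
    response: str       # avoid / reduce / transfer / tolerate
    owner: str          # person responsible for monitoring the risk

# Assumed band limits; every organisation has to agree on its own scales.
P_BANDS = [(0.10, "low"), (0.40, "medium"), (1.00, "high")]
D_BANDS = [(10_000, "low"), (100_000, "medium"), (float("inf"), "high")]

def band(value, bands):
    """Return the label of the first band whose upper limit covers the value."""
    return next(label for limit, label in bands if value <= limit)

def risk_matrix(register):
    """Group risk names by (probability band, damage band) matrix cell."""
    matrix = {}
    for r in register:
        cell = (band(r.probability, P_BANDS), band(r.damage, D_BANDS))
        matrix.setdefault(cell, []).append(r.name)
    return matrix

def aggregate(register):
    """Overall risk level: expected damage, chance that any risk occurs, worst case."""
    return {
        "expected_damage": sum(r.probability * r.damage for r in register),
        "p_at_least_one": 1 - prod(1 - r.probability for r in register),
        "worst_case": sum(r.damage for r in register),
    }

# Constructed sample register (all values are illustrative assumptions).
REGISTER = [
    Risk("server-fire", "fire in the building hosting the server",
         "loss of all development results", 0.02, 500_000, "reduce", "IT lead"),
    Risk("key-dev-leaves", "developer resigns mid-project",
         "delay and knowledge loss", 0.25, 60_000, "tolerate", "project manager"),
    Risk("supplier-delay", "component delivered late",
         "schedule slip", 0.50, 8_000, "transfer", "purchasing"),
]

if __name__ == "__main__":
    for cell, names in sorted(risk_matrix(REGISTER).items()):
        print(cell, names)
    print(aggregate(REGISTER))
```

In this constructed register no single risk sits in the high/high cell, yet the chance that at least one of them occurs is well above the highest individual probability, which is why the overall level is calculated in addition to the matrix.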
The determination of the probability of occurrence
In practice, there are always discussions about determining the probability of occurrence, as this is often done as an extrapolation from past experience. This is considered difficult because every project is unique and many experiences cannot be sensibly transferred to other situations and projects. There is a danger of an illusory, psychological sense of security.
A small example:
A person wants to cross a trench (see diagram). First it is wide and shallow, then narrow and shallow, then narrow and deep, and finally deep and wide. The trench influences both the probability of falling into it and the possible extent of damage. Schematically, this is easy to visualise, but in risk management practice it is anything but easy to determine.
Impulse to discuss:
In addition to risk management, opportunity management has become established in many companies in recent years. Is this possibly the better term for the development of products and services?
Scrum employs an iterative, incremental approach to optimize predictability and to control risk. Would you have associated this with Scrum?
How could agile risk management work?
To a certain extent, the use of secure passwords is also a form of risk management.