What is Risk Management?

It is important to make a clear distinction between the terms danger, risk and venture:

A danger exists when a situation develops a harmful effect. The prerequisite is the exposure of a person, a group of persons or objects. A fire in Stuttgart in an office building in Stuttgart poses no danger to a development team in Berlin. However, if the team were to be in the corresponding building in Stuttgart, it would be at danger.

A risk is a danger assessed according to probability of occurrence and extent of damage. Or: A risk is the assessed danger of a negative deviation from the target. Example: If the server on which the results of the Berlin development team are hosted is located in the Stuttgart office building, there is a risk that all the work will go up in smoke. The extent of the damage increases depending on the work invested or existing agreements with customers.

A venture is the conscious taking of risks. If the results of the development team were not stored separately or backed up at another location, this would be a venture. This could also be referred to as tolerance. 

It is important to have a common understanding of terms in organisations, especially as different terms are used in different industries.

Risk identification: The systematic determination of all risks affecting an organisation, a project or a development.

Risk analysis: The systematic analysis of all identified risks. Depending on the perspective, it can include identification and assessment in the sense of a management process or follow on from identification.

Risk assessment: The assessment of identified and analysed risks, in particular the probability of occurrence and the extent of damage to the risks.

Risk prioritisation: The interface in the risk management process between assessment and management in terms of avoidance, minimisation or limitation. This includes handling – e.g. observing risks or taking measures.

Risk avoidance: Term for the omission of risky activities, such as the development of new solutions to unclear market information or legal situations.

Risk minimisation: Measures with which the probability of occurrence of a risk or the extent of damage is reduced. Is also used in the context of machine safety and is addressed there by inherently safe design, protective measures and user information.

Risk diversification: Measures that divide a large risk into smaller risks: Example: Loss during transport of a large consignment of goods. Alternative: Delivery of individual components by different routes.

Risk transfer: Partial or complete transfer of the risks identified in the course of the analysis to third parties, e.g. through the conclusion of insurance policies or cooperation agreements.

Risk provisioning: A term from the financial sector that includes value adjustments and provisions in the event of possible loan defaults.

Risk response: All measures for avoidance, reduction, diversification, transfer and provisioning.

Risk control: The monitoring of identified and analysed risks as well as measures to avoid and minimise them.

A risk matrix – sometimes also called a “risk diagram” – visualises a set of risks depending on their probability of occurrence and potential impact. It represents the risk situation and is a risk communication tool.

The FMEA (Failure Mode and Effect Analysis) is a method for system and risk analysis with the objective of finding potential risks in systems, products and processes at an early stage. It defines 7 steps:

1. Scope of consideration (scoping)
2. Structural analysis
3. Functional analysis
4. Failure analysis
5. Analysis of measures Actual state
6. Optimisation of target state
7. Risk and result documentation

The DRBFM (Design Reviw Based on Failure Modes) is a tool originally developed by the Toyota Motor Corporation and is based on the consideration that design problems occur when changes are made to existing technical designs that have already proven successful. The aim of the method is to collaboratively create a robust design as early as possible, with the experts involved thinking about possible errors in the course of changes, and to deposit possible errors in a form, evaluate them and derive measures if necessary.

Fault tree analysis is a risk management method for analysing undesired events, in which the interaction of potential causes for an undesired event is visualised with the help of logical links using a tree diagram. It is suitable for the analysis of central risks and chains of causes for errors that have occurred, as well as the preventive identification of possible risks of failure.

Some publications also speak of risk monitoring; however, whether this represents an independent method is rather controversial.

• ISO 31000: This International Organisation for Standardisation (ISO) standard sets out the principles and guidelines for risk management and provides a general framework that can be applied to various organisations and industries.
• Basel III: This international standard for banks sets out regulatory requirements for risk management and capital requirements to promote the stability of the financial system.
• COSO Framework: The Committee of Sponsoring Organisations of the Treadway Commission (COSO) Framework is a framework used by companies in many countries to establish internal controls and risk management processes.
• Sarbanes-Oxley Act (SOX): This US law sets standards for corporate financial reporting and also includes requirements for risk management and internal control.
• MaRisk: The Minimum Requirements for Risk Management (MaRisk) are a set of regulations in Germany issued by the German Federal Financial Supervisory Authority (BaFin) for banks and financial services institutions.
• GDPR (General Data Protection Regulation): The European Union’s General Data Protection Regulation contains requirements and best practices for the protection of personal data, including aspects of risk management in connection with data breaches and data protection impact assessments.
• The Control and Transparency Act (KonTraG) is a German law that was introduced in 1998. It stipulates the responsibility of the management board of stock corporations to implement a risk management system in order to identify, assess and manage risks. KonTraG requires regular risk analyses, measures to limit risks and transparent reporting on risks and the status of risk management.

In addition to the examples mentioned, there are specific standards and guidelines in various sectors and industries that relate to risk management. In the pharmaceutical industry, for example, there are the ICH-GCP guidelines (Good Clinical Practice), which define the requirements for risk management in clinical trials.

Werner Gleißner and Wolfgang Mott have described a classification of corporate risk management based on 6 levels in “Risikomanagement auf dem Prüfstand – Nutzen, Qualität und Herausforderungen in der Zukunft“:

Level one: There is no risk management here. Company management has hardly any awareness of risks and there is no systematic approach. Decisions that react to risks are rare.

Stage two: This is where loss management begins. The company recognises certain risks and takes measures to prevent them. It also takes into account regulations such as environmental protection and occupational health and safety. In the case of major risks, the company takes out insurance to minimise damage. However, there is no specific tool for risk assessment and risk action plans are worked on in isolated teams.

Stage three: This is where regulatory risk management begins. The company has a continuous risk management system. It constantly monitors and evaluates risks. All risks form the risk inventory. Information such as scope, responsibility and frequency is recorded in writing. The company develops strategies to manage important risks.

Stage four: This is where economic, decision-orientated risk management begins. The company recognises both threats and opportunities as risks. It has a comprehensive, software-supported risk management system. The goal is flexible and agile risk management that is closely linked to strategy development.

Stage five: This is where integrated value-based risk management begins. The risk management process is closely linked to the operational level of the company. All plans can be assigned to risks, which enables planning reliability. The company can calculate the value contribution and evaluate strategic moves in relation to risks.

Stage six: This is where embedded risk management begins. The assessment of the risk-adjusted capitalised earnings value reflects the owner’s risk preference and forms the basis for strategic and operational decisions. Risk management is firmly integrated into the corporate culture and entrepreneurial thinking.

According to Gleissner and Mott, good risk management is a success factor for every company. It should involve as many employees as possible in order to give the company management the opportunity to correctly identify and assess risks. The management must be the “top risk manager”, as it makes the decisive decisions on the scope of risk. It should apply strategies and fixed organisational patterns and methods to ensure that potential “existentially threatening developments” are recognised at an early stage.

Psychology plays a crucial role in the assessment and evaluation of risks. Here are some aspects of how psychology influences risk behaviour:

People evaluate risks based on their perceptions, which are strongly influenced by psychological factors. Personal experiences, cultural backgrounds and emotional reactions influence risk perception. What appears to be high-risk to one person may be less threatening to another.

People use simplistic thinking models or heuristics to assess risks, which can lead to systematic biases. For example, people often rely on readily available information or overestimate risks due to their presence in the media. In addition, the optimism bias leads people to underestimate the probability of negative events for themselves.

Emotions play an important role in risk assessment. Negative emotions such as fear or worry can lead people to overestimate risks. Positive emotions such as hope or enthusiasm, on the other hand, can lead people to underestimate risks.

The behavior of other people and social norms influence the perception of risks. People often orientate themselves by the actions and opinions of their peers, which can lead them to evaluate risks differently depending on what is considered acceptable or normal in their social environment.

Individual cognitive abilities and level of education also play a role. People with higher levels of education tend to evaluate risks more rationally and make better decisions, while those with lower levels of education may be more susceptible to certain types of bias or misjudgement.

Overall, the psychological aspects of risk perception and assessment are complex and involve a variety of factors. A better understanding of these psychological dynamics can help organisations to develop and implement more effective risk management strategies.

When developing products or in project management, there are often combined effects of several individual risks that can threaten the existence of a project or even an entire organisation. Organisations should therefore aggregate individual risks to determine the overall risk scope.

• A1 Tracker
• AuditBoard
• c1risk
• checkbox
• Decision Time
• NContracts
• Laika
• MEG
• StandardFushion
• Tandem
• QT9 QMS
• Quentic

The list can certainly be easily expanded, especially as there are numerous products that support risk management but originally have a different marketing focus.