Risk management: How to make sound decisions
“Risk management” describes all the measures for identifying and influencing the opportunities and threats that arise in the course of business activity. These opportunities and risks can have a positive or negative impact on the success of the business.
It is not the task of risk management to eliminate all threats – because that is practically impossible. Rather, the goal is to optimise the relationship between opportunities and risks. In other words, successful risk management contributes to decision-making and planning security, minimises the risk of insolvency, and stabilises the earnings situation.
- Legal regulations and international standards for risk management
- Significance of risk management in the company and interdependencies
- The four phases of corporate risk management
- Responsibilities in risk management
- Summary: Risk management as the cornerstone of success
Legal regulations and international standards for risk management
Risk management not only makes economic sense for companies, it’s also a legally binding building block in corporate management. There is a complex legal framework in the UK when it comes to corporate risk and compliance management. Several standards have been developed worldwide to help businesses implement risk management efficiently. A shared understanding of how these processes should work helps to standardise risk management practice the world over.
The most important international standards include the risk management standard ISO 31000:2009, the quality management standard ISO 9001:2015, and the COSO Enterprise Risk Management Framework (COSO ERM 2017). The framework, also known as the COSO cube, categorises risk management according to components, target categories, and organisational units.
The guidelines set out in these standards are intended to help companies implement their own risk management and develop it further. Both the ISO and the COSO standards are regularly reviewed and, if necessary, adapted to reflect current developments in the corporate world.
In addition, the UK has its own “Risk Management Standard”, which was developed in 2002 by the UK’s three main risk organisations.
Significance of risk management in the company and interdependencies
Frequently, risk management is linked to compliance and corporate governance in companies, because all three disciplines are closely related to one another. They all contribute to proper and efficient corporate governance.
Corporate risk management can be divided into strategic and operational risk management. The strategic aspect involves defining risk management objectives, formulating an overarching strategy, and defining operational processes. Implementing these processes is the task of operational risk management.
The four phases of corporate risk management
Operational risk management doesn’t consist of one-off measures, but is a continuous process: Opportunities and risks that could influence corporate success must be permanently monitored.
Companies must implement risk management processes to systematically determine all relevant factors. These can be represented as a control loop in which the different phases are passed through in a continuous cycle.
The control loop for operational risk management can be divided into four phases:
- Risk identification (risk analysis I)
- Risk quantification (risk analysis II)
- Risk strategy
- Risk management
The first step is risk identification, which involves sorting, identifying, and describing all existing risks qualitatively, individually, and by risk area. This can be done at company level as well as at project level. Decision-makers can use different methods to structure the identification process and ensure that all threats and sources of harm are identified:
- Expert and employee surveys
- Evaluation of existing data and documents
- Internal risk workshops
- Factory and site visits
At the end of this phase, a complete risk catalogue (also called a risk inventory) should have been created.
In the next step, each individual risk is quantitatively assessed with regard to its probability of occurrence and its potential impact. The assessment must consider not only each risk in isolation, but also the consequences of several risks interacting or accumulating over time. This aspect is also referred to as risk aggregation.
Probability distributions or frequency distributions are used in quantification. The concrete measure used to assess a risk is called the “value at risk”.
Steps 1 and 2 are also referred to collectively as risk analysis. This analysis is considered to be the most difficult step in the risk management process, as not only current but also future risks need to be identified and assessed. Once the results of the risk analysis have been evaluated, the risks that have a particularly high probability of occurring have priority and should be dealt with first.
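To make the quantification and aggregation steps concrete, here is an added worked example (not code from the original article). It takes a constructed risk catalogue of three risks, each given a hypothetical annual probability of occurrence and a hypothetical uniform impact range, computes a single-risk expected loss for prioritisation, then aggregates all risks with a Monte Carlo simulation of many “years” and reads the value at risk off the resulting loss distribution. All figures, risk names and function names are assumptions for illustration.

```python
"""Risk quantification, aggregation and value at risk by Monte Carlo simulation.

Added example: the risk names and figures below are constructed for illustration
and do not come from the article or any real risk catalogue.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # annual probability of occurrence (0..1), assumed
    impact_min: float    # lowest loss if the risk materialises (currency units)
    impact_max: float    # highest loss if the risk materialises


# Constructed sample catalogue (hypothetical values, not real data)
RISK_CATALOGUE = [
    Risk("Ransomware outage", 0.10, 200_000, 2_000_000),
    Risk("Cloud misconfiguration data exposure", 0.20, 50_000, 500_000),
    Risk("Key supplier insolvency", 0.05, 300_000, 1_000_000),
]


def expected_loss(risk):
    """Point estimate for one risk: probability times mean impact."""
    return risk.probability * (risk.impact_min + risk.impact_max) / 2


def prioritise(catalogue):
    """Order the catalogue so the largest expected loss comes first."""
    return sorted(catalogue, key=expected_loss, reverse=True)


def simulate_year(catalogue, rng):
    """One simulated year: each risk occurs independently with its probability;
    if it does, a loss is drawn uniformly from its impact range. Losses add up,
    which is the aggregation the article refers to."""
    total = 0.0
    for r in catalogue:
        if rng.random() < r.probability:
            total += rng.uniform(r.impact_min, r.impact_max)
    return total


def aggregate(catalogue, trials=20_000, seed=1):
    """Return the sorted distribution of simulated annual losses (seeded for reproducibility)."""
    rng = random.Random(seed)
    return sorted(simulate_year(catalogue, rng) for _ in range(trials))


def value_at_risk(losses, confidence=0.95):
    """Loss level that is not exceeded in `confidence` share of simulated years."""
    idx = min(len(losses) - 1, int(confidence * len(losses)))
    return losses[idx]


def mean_loss(losses):
    """Average simulated annual loss; should approach the sum of expected losses."""
    return statistics.fmean(losses)


if __name__ == "__main__":
    for r in prioritise(RISK_CATALOGUE):
        print(f"{r.name:40s} expected loss {expected_loss(r):>12,.0f}")
    losses = aggregate(RISK_CATALOGUE)
    print(f"mean annual loss      {mean_loss(losses):>12,.0f}")
    print(f"value at risk (95 %)  {value_at_risk(losses, 0.95):>12,.0f}")
```

Two things the simulation shows that the single-risk figures do not: the median simulated year has no loss at all (none of the three risks occurs in roughly two thirds of years), yet the 95 % value at risk is substantial, because the aggregation captures years in which a rare high-impact risk materialises. Ranking by expected loss also differs from ranking by probability alone; the cloud exposure is the most likely event but the ransomware outage dominates expected loss.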
“Risk strategy” is an umbrella term which covers all the measures that companies can take in response to risks. Basically, there are two possible responses: the active preventive response and the passive corrective response.
Active measures serve to reduce the probability that the threats identified in the risk analysis will occur, or else to minimise the extent of damage by addressing the causes. Companies could, for example, improve their product to reduce liability risks. Risk avoidance is also an active prevention mechanism – for example, when a product that poses a health hazard is not launched into the market at all.
Passive reactions are intended to transfer the consequences of a risk materialising to other risk bearers (risk transfer) – for example, by taking out insurance policies or by transferring the risk to the capital market.
In addition, there is often a residual risk that the company itself will ultimately have to pay for a loss despite all its control strategy measures. This risk cannot be completely eliminated. A residual amount of unknown risk always remains – even with very good analyses.
The fourth phase examines the measures applied with regard to their efficiency, appropriateness, and effectiveness. This control can take place in two ways that ideally complement one another: as continuous monitoring in real time and as periodic in-depth risk assessment. The results are promptly forwarded to those responsible.
Responsibilities in risk management
Risk management is not the responsibility of one individual, but concerns every employee in the company. Although the strategy and fundamental orientation of risk management are determined by management, other employees are involved in the operational business.
The model of the three lines of defence is often used for allocating responsibilities in risk management:
- First line: Managers and employees react to operational risks in accordance with the defined strategies – supported by an internal system of controls.
- Second line: Employees who are directly involved in risk management tasks support and monitor the first line, e.g. by specifying methods or by coaching.
- Third line: Risk management is monitored by an independent body.
Summary: Risk management as the cornerstone of success
Identifying and managing risks is an integral part of a company’s culture. Risk management is therefore not confined to the top floor; rather, it affects every single employee in his or her daily work.
Anyone who does not take into account the possible negative effects of their decisions in advance ultimately endangers the economic stability of a company. With its methods, risk management offers the necessary tools to clearly identify risks instead of relying on a vague gut feeling. This makes it possible for companies to take calculated risks that are necessary for growth and success.