“Risk management” describes all the measures for identifying and influencing the opportunities and threats that arise in the course of business activity. These opportunities and risks can have a positive or negative impact on the success of the business.
It is not the task of risk management to eliminate all threats – because that is practically impossible. Rather, the goal is to optimise the relationship between opportunities and risks. In other words, successful risk management contributes to decision-making and planning security, minimises the risk of insolvency, and stabilises the earnings situation.
Risk management not only makes economic sense for companies, it’s also a legallybinding building block in corporate management. There is a complex legal framework in the UK when it comes to corporate risk and compliance management. Several standards have been developed worldwide to help businesses implement risk management efficiently. With this common idea of how processes should work, it helps to regulate the practice the world over.
The most important international standards include the risk management standard ISO 31000:2009, the quality management standard ISO 9001:2015, and the COSO Enterprise Risk Management Framework (COSO ERM 2017). The framework, also known as the COSO cube, categorises risk management according to components, target categories, and organisational units.
The guidelines set out in these standards are intended to help companies implement their own risk management and develop it further. Both the ISO and the COSO standards are regularly reviewed and, if necessary, adapted to reflect current developments in the corporate world.
In addition, the UK also has the “Risk Management Standard”, which was developed in 2002 by the UK’s three main risk organisations.
Frequently, risk management is linked to compliance and corporate governance in companies, because all three disciplines are closely related to one another. They all contribute to proper and efficient corporate governance.
Corporate risk management can be divided into strategic and operational risk management. The strategic aspect involves defining risk management objectives, formulating an overarching strategy, and defining operational processes. Implementing these processes is the task of operational risk management.
Operational risk management doesn’t consist of one-off measures, but is a continuous process: Opportunities and risks that could influence corporate success must be permanently monitored.
Companies must implement risk management processes to systematically determine all relevant factors. These can be represented as a control loop in which the different phases are passed through in a continuous cycle.
The control loop for operational risk management can be divided into four phases:
The first step is risk determination, which involves sorting, identifying, and describing all existing risksqualitatively, individually, and by risk area. This can be done on the company’s level as well as at the project level. Decision-makers can use different methods to structure the identification process and ensure that all threats and sources of harm are identified:
At the end of this phase, a complete risk catalogue (also: risk inventory) should have been created.
In the next step, each individual risk is quantitatively assessed with regard to its probability of occurrence and its potential impact. In the assessment, not only one risk must be considered in isolation, but also the consequences of several risks interacting or accumulating over time. This aspect is also referred to as risk aggregation.
Probability distributions or frequency distributions are used in quantification. The concrete measure used to assess a risk is called the “value at risk”.
Steps 1 and 2 are also referred to collectively as risk analysis. This analysis is considered to be the most difficult step in the risk management process, as not only current but also future risks need to be identified and assessed. Once the results of the risk analysis have been evaluated, the risks that have a particularly high probability of occurring have priority and should be dealt with first.
“Risk strategy”is an umbrella term which covers all the measures that companies can take in response to risks. Basically, there are two possible responses: the active preventive response andthe passive corrective response.
Active measures serve to reduce the probability of the threats identified in the risk analysis from occurring, or else to minimise the extent of damage by addressing the causes. Companies could, for example, improve their product to reduce liability risks. Risk avoidance is also an active prevention mechanism – for example, when a product that poses a health hazard is not launched into the market at all.
Passive reactions are intended to transfer the consequences of the onset of risk to other risk carriers (risk transfer) – for example, by taking out insurance policies or transferring them to the capital market.
In addition, there is often a residual risk that the company itself will ultimately have to pay for a loss despite all its control strategy measures. This risk cannot be completely eliminated. A residual amount of unknown risk always remains – even with very good analyses.
Risk management involves examining the methods applied with regard to their efficiency, appropriateness, and effectiveness. Controlling can take place in two ways that ideally complement one another: as continuous monitoring in real time and as periodic in-depth risk assessment. The results are promptly forwarded to those responsible.
Risk management is not the responsibility of one individual, but concerns every employee in the company. Although the strategy and fundamental orientation of risk management are determined by management, other employees are involved in the operational business.
The model of the three lines of defence is often used for allocating responsibilities in risk management:
Identifying and managing risks is an integral part of our corporate culture. Therefore, risk management is not confined to the top floor. However, it affects every single employee in his or her daily work.
Anyone who does not take into account the possible negative effects of their decisions in advance ultimately endangers the economic stability of a company. With its methods, risk management offers the necessary tools to clearly identify risks instead of relying on a vague gut feeling. This makes it possible for companies to take calculated risks that are necessary for growth and success.
A colourful bar chart or a wide network that correlates different project tasks: there are several diagrams that show different methods of project management. Many processes are similar because certain problems occur in almost all projects. But you don’t have to reinvent the wheel: methodologies provide you with formalised approaches that have already proven successful many times over. With the...
If you want to develop software, you first need a suitable concept for the development process. For larger projects in which the evaluation of possible risks and potential costs plays a decisive role, the spiral model is ideally suited. In this article, you can find out exactly what is behind this process model and how it works.
If you want to minimise the risks associated with organisational errors, damaging actions by senior employees or even just economic crime in your company, you do not want to leave anything to chance. An ICS - short for Internal Control System - establishes guidelines that enable the monitoring of operational processes. What does an ICS look like?
Risk management in accordance with ISO 31000 can ensure a company’s survival: Every organisation frequently encounters danger factors – however, these don’t have to be a problem if you know how to deal with them. That is why many companies set up a risk management system, and the ISO 31000 standard provides a valuable tool for doing this. What does the international standard mean?
Provide powerful and reliable service to your clients with a web hosting package from IONOS
