Risk management – strategic and structured


Smart investment in a crucial business competence

In a rapidly changing world, risk management is playing an increasingly important role. The skillful handling of unforeseeable dangers has long since gone from being a nice-to-have to a have-to-have. Identifying risks of a strategic, business, legal or financial nature at an early stage determines whether control mechanisms take effect in good time and whether negative developments can be steered in a positive direction.

We live in a VUCA world. The term was coined around 1990, as the end of the Cold War and the collapse of the Soviet Union produced a new world order in which the environment had to be completely reassessed. VUCA was intended to bring clarity and stands for:

V = Volatility

U = Uncertainty

C = Complexity

A = Ambiguity

Today, more than 30 years later, these terms describe our modern (working) world better than ever. For example, if we know where uncertainties exist, we have the opportunity to consider what we can do about them in advance. And that brings us to the subject of risk management.

Attempt at a definition

Risk management refers to the systematic recording and assessment of risks to business operations. But that is by no means everything! It is not enough to record and evaluate risks, because that would only represent the current situation. Hence the second important point: risk management helps companies to identify operational, legal and procedural risks and mitigate them through preventive measures.

But perhaps a risk can also be something positive, because it draws our attention to the fact that we can improve or increase something under certain conditions – provided the risk management process works.

Good risk management requires a systematic approach. The ISO 31000:2018 standard, for example, sets out guidelines that describe how to deal with risks in an organization. The application of these guidelines can be adapted to each company in its specific environment. It always starts with the question: are we concerned with projects, with strategic planning, or with the operational level? An example of the latter would be a power outage that means a company can no longer produce.

The first important step in risk assessment is risk identification, followed by risk analysis (describing causes and effects) and finally risk evaluation. In addition to databases that incorporate empirical values from other companies, internal risk identification workshops, in which creative techniques such as brainstorming or brainwriting are used to find out what could happen, are particularly helpful for risk identification. Once we have identified and classified the risks, we have to decide what dangers they pose for our company.

This assessment gradually results in clear criteria for certain risks, including possible strategies and specific measures. At the same time, risk identification makes it possible to classify which risks we still have or permanently have, which have been newly added or have possibly even disappeared. Monitoring and reviewing risks always means making comparisons: is the assessment from last week or last month still correct? Or have certain parameters changed, which also changes the assessment?

When it comes to measures, it is important to check which ones are planned, which can be implemented in time, and whether the measures already taken have contributed to reducing the risk.

The elementary hazards in the company 

The pandemic has taught us that everything can change from one day to the next. Nevertheless, this only has a limited impact on the topic. Legislation has long prescribed risk management in many areas. Beyond that obligation, however, there are companies that have shifted their focus to the topic as a result of their experiences with the pandemic. The shock is deep-seated and they want to be better prepared for possible future events of this kind.

Irrespective of this global problem, there are of course also smaller regional or industry-related incidents, including personal strokes of fate, which can be handled more easily and better with strategic risk management.

Let us take a look at possible examples of corporate risks: The German Federal Office for Information Security (BSI), for example, lists 47 elementary threats (elementare Gefährdungen) in its IT-Grundschutz Compendium. The individual risk areas are presented in the document, together with recommendations on how to deal with them.

In principle, risks can be divided into different areas. In the case of external risks that affect the environment (laws, spatial conditions, etc.), we have little influence. We have to accept events as they happen and when they happen. Of course, we can prepare for laws in good time, for example, but we cannot prevent them.

In the case of internal risks, we normally have more influence on the probability of occurrence and, above all, on what and when we can do something about them.

Risk assessment = probability of occurrence + damage (+ time factor)

Once we as a company have collected all the risks, classified them and described the causes and effects, we can move on to risk assessment. Two criteria are relevant here: firstly, the probability of occurrence and secondly, the extent of damage.

Finally, we have a third point that is sometimes neglected because it is not necessarily relevant for the assessment, but conversely is very important for the planning of measures: the proximity of occurrence, i.e. the time factor.

How we plan measures ultimately depends on whether we expect a risk to occur next week or a year from now. For the evaluation, however, we first stick to the combination of probability of occurrence and impact, which figure 1 (page 40) demonstrates wonderfully. Based on this, a risk matrix can be created or a risk value calculated.
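The following is an added illustration, not code from the article or from ILX Group, that puts the assessment described above into a small risk register: each risk gets a value from probability of occurrence and extent of damage (the usual product of two ordinal scales is assumed here, since the article does not fix a formula), the value is mapped to a band of the risk matrix, the time factor is used only to order the planning of measures, and the monitoring step from the earlier section (which risks are new, which have disappeared, which have been reassessed since the last review) is a comparison of two register snapshots. The scales, cut-offs and sample risks are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordinal scales for the two assessment criteria (1 = lowest, 5 = highest).
# The scale labels and band cut-offs below are assumptions for this example;
# ISO 31000 leaves the choice of scales to the organization.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: str
    impact: str
    days_to_occurrence: int  # time factor: used for scheduling measures, not for the value


def risk_value(r: Risk) -> int:
    """Risk value = probability of occurrence x extent of damage (1..25)."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def matrix_band(value: int) -> str:
    """Map a risk value to a traffic-light band of the risk matrix (assumed cut-offs)."""
    if value >= 15:
        return "high"
    if value >= 8:
        return "medium"
    return "low"


def treatment_order(register: List[Risk]) -> List[Tuple[str, str, int]]:
    """Order risks for measure planning: band first, then nearer occurrence first.
    Returns (risk_id, band, days_to_occurrence) tuples."""
    rank = {"high": 0, "medium": 1, "low": 2}
    ordered = sorted(
        register,
        key=lambda r: (rank[matrix_band(risk_value(r))], r.days_to_occurrence),
    )
    return [(r.risk_id, matrix_band(risk_value(r)), r.days_to_occurrence) for r in ordered]


def compare_registers(previous: List[Risk], current: List[Risk]) -> Dict[str, List[str]]:
    """Monitoring and review: which risks are new, which have disappeared and
    which changed their assessment (likelihood or impact) since the last review."""
    prev = {r.risk_id: r for r in previous}
    curr = {r.risk_id: r for r in current}
    new = sorted(curr.keys() - prev.keys())
    gone = sorted(prev.keys() - curr.keys())
    reassessed = sorted(
        rid
        for rid in prev.keys() & curr.keys()
        if (prev[rid].likelihood, prev[rid].impact) != (curr[rid].likelihood, curr[rid].impact)
    )
    return {"new": new, "disappeared": gone, "reassessed": reassessed}


# Constructed sample registers from two review rounds (not real company data).
LAST_MONTH = [
    Risk("R1", "Power outage halts production", "unlikely", "major", 90),
    Risk("R2", "Key supplier becomes insolvent", "possible", "major", 180),
    Risk("R3", "Slippery stairwell after cleaning", "likely", "minor", 1),
]
THIS_MONTH = [
    Risk("R1", "Power outage halts production", "possible", "major", 60),  # likelihood raised
    Risk("R3", "Slippery stairwell after cleaning", "likely", "minor", 1),
    Risk("R4", "Ransomware on the file server", "possible", "severe", 30),  # newly identified
]

if __name__ == "__main__":
    for rid, band, days in treatment_order(THIS_MONTH):
        print(f"{rid}: {band} band, expected within {days} days")
    print(compare_registers(LAST_MONTH, THIS_MONTH))
```

Note that the time factor never changes a risk's value or band; it only decides which of two risks in the same band gets its measures planned first, which matches the distinction the article draws between evaluation and planning.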

When dealing with and handling risks, it always makes sense to consider how we as a company can use our strengths to avoid dangers or seize opportunities. If, on the other hand, weaknesses meet risks, this is usually far more challenging for companies.

Four strategies emerge from the created risk matrix. Risk avoidance is about avoiding the risk completely, if possible. Risk reduction is about lowering the probability of the risk occurring or reducing the scope (of the loss). In risk transfer, we do not bear the risk ourselves, but transfer it to a third party (example: factoring). The last option is risk acceptance, in which we – precisely – do nothing! At least for the moment.

Of course, it is also worth taking a look at the risks from time to time. We can then derive measures from these strategies – concrete activities that are planned and can be preventive or corrective. One example: If I know that the stairs in the stairwell have been wiped, they are slippery and I could slip and fall, I could place a mattress at the foot of the stairs as a corrective measure and fall on it, thus minimizing the risk of injury. A preventative measure would be to minimize the likelihood of slipping by waiting at the top of the stairs until they are dry.

Risk management is a very comprehensive topic and accordingly has a broad field of possible assessments and treatments of hazards in the company. The more experts you ask, the more opinions there are. A strategic and structured approach is always important in risk management. This requires awareness and well-trained employees.

If companies strengthen their risk management expertise, the investment usually pays for itself more quickly than expected. Human error or machine failure, the VUCA world or many small everyday hazards – all of these can be mastered. With identify, assess, measure, unforeseeable risks are now a thing of the past!

Russell Kenrick 

Russell Kenrick, CEO of TSG Training and ILX Group, has worked in L&D for 15 years. His passion lies in the areas of personal development, data-driven decision making and learning technology, which are playing an increasingly important role in the transformation of organizations and workplaces. In addition to business growth, he is responsible for the training portfolio and career development of ILX employees. 

Sidra Sammi 

Sidra Sammi is responsible for business development DACH at ILX Group. Her strength lies in identifying specific challenges in organizations and presenting tailor-made solutions. In her previous role as Territory Manager for the European markets at Axelos, she acted as a single point of contact for organizations using best practice methodologies such as PRINCE2, ITIL and PRINCE2 Agile.
