Risk management: How to make sound decisions
“Risk management” describes all the measures for identifying and influencing the opportunities and threats that arise in the course of business activity. These opportunities and risks can have a positive or negative impact on the success of the business.
It is not the task of risk management to eliminate all threats – because that is practically impossible. Rather, the goal is to optimize the relationship between opportunities and risks. In other words, successful risk management contributes to decision-making and planning security, minimizes the risk of insolvency, and stabilizes the earnings situation.
Legal regulations and international standards for risk management
Risk management not only makes economic sense for companies, it’s also a legally binding building block in corporate management. However, risk management is not regulated in any single law or code – rather, there are a number of different laws in the US that impinge on risk management.
After several corporate crises in the early 1990s, the US federal government took a major reform step in 2002 and passed the Sarbanes-Oxley Act. It is a federal law that sets new or expanded requirements for all US public company boards, management and public accounting firms. A number of provisions of the Act also apply to privately held companies, such as the willful destruction of evidence to impede a federal investigation.
The sections of the bill cover responsibilities of a public corporation’s board of directors, add criminal penalties for certain misconduct, and require the Securities and Exchange Commission to create regulations to define how public corporations should comply with the law. In addition, there is a legal stipulation that risks must also be adequately taken into account in any business decision (this is called the Business Judgment Rule: It is rooted in the principle that the “directors of a corporation ... are clothed with [the] presumption, which the law accords to them, of being [motivated] in their conduct by a bona fide regard for the interests of the corporation whose affairs the stockholders have committed to their charge.”
In addition, there are still some national standards that may not be legally binding but are in effect required in order for businesses to meet investors’ expectations: These include, for example, the Auditing Standards for Private Companies (issued by the American Institute of Certified Public Accountants) and the Generally Accepted Accounting Principles.
The most important international standards include the risk management standard ISO 31000:2009, the quality management standard ISO 9001:2015, and the COSO Enterprise Risk Management Framework (COSO ERM 2017). The framework, also known as the COSO cube, categorizes risk management according to components, target categories, and organizational units.
The guidelines set out in these standards are intended to help companies implement their own risk management and develop it further. Both the ISO and the COSO standards are regularly reviewed and, if necessary, adapted to reflect current developments in the corporate world.
Significance of risk management in the company and interdependencies
Frequently, risk management is linked to compliance and corporate governance in companies, because all three disciplines are closely related to one another. They all contribute to proper and efficient corporate governance.
Corporate risk management can be divided into strategic and operational risk management. The strategic aspect involves defining risk management objectives, formulating an overarching strategy, and defining operational processes. Implementing these processes is the task of operational risk management.
The four phases of corporate risk management
Operational risk management doesn’t consist of one-off measures, but is a continuous process: Opportunities and risks that could influence corporate success must be permanently monitored.
Companies must implement risk management processes to systematically determine all relevant factors. These can be represented as a control loop in which the different phases are passed through in a continuous cycle.
The control loop for operational risk management can be divided into four phases:
- Risk identification (risk analysis I)
- Risk quantification (risk analysis II)
- Risk strategy
- Risk management
Risk identification
The first step is risk determination, which involves sorting, identifying, and describing all existing risks qualitatively, individually, and by risk area. This can be done on the company’s level as well as at the project level. Decision-makers can use different methods to structure the identification process and ensure that all threats and sources of harm are identified:
- Expert and employee surveys
- Evaluation of existing data and documents
- Internal risk workshops
- Factory and site visits
At the end of this phase, a complete risk catalog (also: risk inventory) should have been created.
Risk quantification
In the next step, each individual risk is quantitatively assessed with regard to its probability of occurrence and its potential impact. In the assessment, not only one risk must be considered in isolation, but also the consequences of several risks interacting or accumulating over time. This aspect is also referred to as risk aggregation.
Probability distributions or frequency distributions are used in quantification. The concrete measure used to assess a risk is called the “value at risk”.
Steps 1 and 2 are also referred to collectively as risk analysis. This analysis is considered to be the most difficult step in the risk management process, as not only current but also future risks need to be identified and assessed. Once the results of the risk analysis have been evaluated, the risks that have a particularly high probability of occurring have priority and should be dealt with first.
Risk strategy
“Risk strategy” is an umbrella term which covers all the measures that companies can take in response to risks. Basically, there are two possible responses: the active preventive response and the passive corrective response.
Active measures serve to reduce the probability of the threats identified in the risk analysis from occurring, or else to minimize the extent of damage by addressing the causes. Companies could, for example, improve their product to reduce liability risks. Risk avoidance is also an active prevention mechanism – for example, when a product that poses a health hazard is not launched into the market at all.
Passive reactions are intended to transfer the consequences of the onset of risk to other risk carriers (risk transfer) – for example, by taking out insurance policies or transferring them to the capital market.
In addition, there is often a residual risk that the company itself will ultimately have to pay for a loss despite all its control strategy measures. This risk cannot be completely eliminated. Almost always, a residual amount of unknown risk remains – even with very good analyses.
Risk management
Risk management involves examining the methods applied with regard to their efficiency, appropriateness, and effectiveness. Controlling can take place in two ways that ideally complement one another: as continuous monitoring in real time and as periodic in-depth risk assessment. The results are promptly forwarded to those responsible.
Responsibilities in risk management
Risk management is not the responsibility of one individual, but concerns every employee in the company. Although the strategy and fundamental orientation of risk management are determined by management, other employees are involved in the operational business.
The model of the three lines of defense is often used for allocating responsibilities in risk management:
- First line: Managers and employees react to operational risks in accordance with the defined strategies – supported by an internal system of controls.
- Second line: Employees who are directly involved in risk management tasks support and monitor the first line, e.g. by specifying methods or coaching.
- Third line: Risk management is monitored by an independent body.
Summary: Risk management as the cornerstone of success
Identifying and managing risks is an integral part of our corporate culture. Therefore, risk management is not confined to the top floor. However, it affects every single employee in his or her daily work.
Anyone who does not take into account the possible negative effects of their decisions in advance ultimately endangers the economic stability of a company. With its methods, risk management offers the necessary tools to clearly identify risks instead of relying on a vague gut feeling. This makes it possible for companies to take calculated risks that are necessary for growth and success.