Risk management is a continuous process that identifies and assesses risks with regard to the objective. There are several areas where risk management can be applied; financial risk management focuses on managing financial risks, project risk management focuses on managing risks in realizing large projects. It is important to what extent there is a measurable risk or an immeasurable uncertainty, more specifically Knightian uncertainty.
Risk management in six steps
The risk management process consists of six models in many models: setting objectives, identifying risks, assessing consequences, assessing risks, managing risks and monitoring.
The objective is what an organization wants to achieve, for example the realization of turnover growth, continuity or the completion of a project within a certain budget or term. Determining the objective can be done by using the rules of the SMART principle.
Since the Credit Crisis, the focus on risk appetite, the extent to which organizations want to take risks to achieve their objectives, has increased. To integrate risk management into business operations, organizations will have to determine, communicate and monitor their risk appetite in relation to their objectives.
A risk is an uncertain event with possible consequences for the target. The event occurs through internal and / or external causes. The internal causes influence the activities, which together with the external causes influence the goal (the objective). The influence then has consequences again, which may represent new risks.
A risk can be both positive and negative in terms of risk management. A negative risk is also called a danger, threat, downside risk or static risk. A positive risk is also called a chance or upside risk. A dynamic risk is a risk that can be or become positive as well as negative.
Risk identification (including risk analysis or event identification) can also take place through the following models: SWOT, DESTEP / PESTEL, Five Force Model, PIOFACH and a combination of the five force model and the DESTEP model.
Then risks are assessed for the chance of occurrence and possible consequences. This can be quantified, but qualitative estimates of risks can also be useful. The assessment and classification of risks is based on the Kinney method or the expected value method.
Expected value = probability x consequence
Kinney method = probability x consequence x exposure
The chance of occurrence is determined as a percentage. If an event occurs once every 100 years, the probability may be noted as 1%.
A risk acceptance level is set, this is the risk that a company, for example wants to take at the most to achieve the target. It can be deduced from the risk acceptance level whether the risk is looked up (risk-seeking) or avoided (risk aversion). Two factors that play a part in determining the risk acceptance level are the consequences and the probability. The risk assessment can be visually displayed in a risk matrix or risk map and / or a Likelihood diagram.
Two elements that are central to managing risks are the measures and the reactions. A risk without control measures is called a gross or inherent risk. A risk on which control measures are taken is subsequently assessed less, and can be called residual risks. Control measures are preventive, with the aim of reducing the chance of occurrence, or repression, with the aim of reducing the consequences. There are two types of control measures, namely: hard controls (agreements and guidelines) and soft controls (aimed at the functioning of employees).
There are four types of reactions: avoid (or prevent, terminate), control (or reduce, treat), transfer (or outsource, transfer) and accept (take). Risks can be avoided by drastic measures, for example to replace all wooden furniture with steel in the event of a fire hazard. Controlling can be done, for example, by making the furniture fire-resistant and transferring it by taking out a fire insurance policy.
Monitoring takes place in the course of the process, and can be monitored by means of indicators (Key Risk Indicator and Key Control Indicator) together also known as the Early Warning Indicators.
Within the discipline of risk management, a distinction is made between the following types:
Operational risks – These are consequences that can occur when carrying out the work that the organization is called for. An example is a price fluctuation that causes the income of a multinational to turn out differently after currency exchange.
Financial risks – This is the risk that the financial reporting of the organization deviates from reality. An example is the value of the inventory that deviates from what is actually in the inventory due to incorrect counts or due to unforeseen loss due to damage or theft.