What is M_o_R (Management of Risk)
Only on the rarest occasions do critical situations take organisations completely by surprise. Usually, the risks are known, but only seldom are they taken seriously or identified in time. In order to understand this, it is necessary to define the term risk:
A risk is an uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives. It is important to remember that such an event can also have positive consequences, not just negative ones. A risk is measured by a combination of the probability of a perceived threat or opportunity occurring, and the magnitude of its impact on objectives. People and companies are confronted with risks every day, on the way to work, driving cars or, in companies, making a decision on a new business strategy.
For organisations, the topic of risk management (Management of Risk, M_o_R®) is a central part of the business strategy. Every organisation will have to deal with risk management in one form or another. These conscious or unconscious activities usually take place in an opaque and untraceable manner. Above all, this is caused by a lack of appropriately defined risk management processes.
Why is risk management necessary?
New business management principles and legal requirements have made more intensive assessment of risks indispensable for businesses.
Dealing with risks has become crucial for companies, especially as a consequence of the accounting scandals in the US, including companies like Enron and WorldCom, and of the Sarbanes-Oxley Act (SOX) that followed them, which applies to companies listed on the US stock market. SOX includes aspects of corporate governance, compliance and reporting. This obligatory compliance ensures that risks can be identified earlier and thus protects companies and investors against losses.
In addition, SOX pushes companies toward implementing best practice approaches, such as PRINCE2 and ITIL. This also includes the methods that the best practice approach envisages in the context of risk management.
The objective of risk management is to give companies a tool which they can use to gain a better evaluation of their current situation and better assess the imminent impacts in defined steps (best practice).
The objective of risk management is not necessarily to completely avoid risks and their impacts. It is more important to obtain a correct evaluation of the situation and to initiate appropriate measures to enable the achievement of business, programme, project or operative objectives.
When and where should risk management be used?
It is recommended to apply and establish risk management wherever critical decisions are made. Risk management that is aligned with long-term objectives focuses on the assessment of risks in relation to the strategic objectives of an organisation. In most cases, strategic risk management is opportunity management at the highest level of the business.
Within projects and programmes, risk management has to be an essential part of every planning activity in the medium term as well. This also applies to securing operative functions. These areas are precisely where, in daily operations, it has to be ensured that all threats are identified and that the operation is secured.
Risk management principles
Various principles have to be defined in order to be able to develop measures in the context of corporate risk management. They have to be precise, understandable and easy to implement. In the context of the best practice approach, M_o_R describes the following generic principles or requirements:
- Understanding the organisational relationships
- Role and integration of stakeholders
- Knowing the objectives of the organisation
- Establishing M_o_R methods
- Implementing management information (reports)
- Defining roles and responsibilities
- Structured operational procedures
- Early warning systems
- Review cycles, quality assurance
- Overcoming barriers in M_o_R (critical success factors, obstacles)
- Culture and organisation
- Continual improvement processes (CIPs)
These principles can also be regarded as success factors for the implementation of risk management.
Like all success factors, the principles of risk management develop continuously and have to be adjusted from time to time. Organisations have to adapt their strategies to the needs of the markets. This also includes continual risk assessment.
Risk management methods
Every business uses different approaches in the field of risk management.
In order to formulate these methods and bring them closer to those involved, the M_o_R approach recommends developing corresponding documents that set out and disseminate the organisation's approaches to risk management.
Principally, this is about creating awareness of the risks of the business within the organisation and developing appropriate measures for them. The following guidelines are recommended for this purpose:
- Risk management policy: A high-level statement that defines risk management guidelines, determines how risks are dealt with within the organisation and describes types of communication. These guidelines are strategically aligned.
- Risk Management Process Guide: Describes the processes of risk management from identifying through to implementing.
- Risk Management Strategies: Description of risk management activities for (specific) parts of the organisation
- Risk Registers: A record or summary of all threats and opportunities of all areas of the organisation
- Issue Logs: Issue-related recording of all identified topics including risks that have already occurred.
The awareness of these topics has to become a part of the organisational culture. For this purpose, the documents summarise tasks, responsibilities and competencies in the context of risk identification and assessment.
Risk management processes
Risk management can be divided into four sub-processes:
- Identify (identifying the context and the risks)
- Assess (assessing the risks and their impacts, calculating probabilities of occurrence using mathematical methods)
- Plan (preparing measures from the viewpoint of the management in order to react to identified risks)
- Implement (carrying out the selected measures to tackle the risks with subsequent monitoring)
These four processes form a cohesive, logical approach to the implementation of risk management. In the context of risk management, no following step can produce useful statements without the outcomes of its predecessor.