Risk management process in practice
The risk management process can be roughly divided into 5 steps. After each "risk monitoring" phase, a new cycle is initiated so that up-to-date and reliable information is always available for all areas.
Step by step
The cornerstone of successful risk management is the existence of a company-specific risk strategy. It determines the definitions of the terms risk and opportunity and provides a glossary to create a uniform basis of understanding within the company.
Furthermore, an upper limit for incoming risks is defined as well as principles on how to deal with them (risk minimisation, risk elimination, risk avoidance, risk acceptance).
From the risk strategy, the risk culture is derived, which serves to strengthen the risk awareness of the employees within the company (division). Behaviours are defined to increase awareness of threats and the willingness to perceive and report them.
Identification, together with assessment, is the most important phase in the risk management process and is part of risk analysis. The aim here is to list existing and potential risks at an early stage that could have a negative or positive impact on the existence of the company or the company's goals. In doing so, one considers both internal and external threats.
Different methods and instruments are used for risk analysis, for example SWOT analysis or potential analysis. In this way, customer- and market-specific risks can be identified and strategic success factors of the company can be worked out by determining internal strengths and weaknesses.
Following risk identification, the risks identified in the previous step are analysed and evaluated. The analysis involves ranking them according to their hazard potential so that the most critical threats are treated first. The following key figures play an important role in the assessment: probability of occurrence, amount of damage and damage expectation value. In addition, possible interrelationships with other risks should be determined, as these can reinforce or compensate each other.
In practice, the assessment of potential effects on results is carried out qualitatively or quantitatively, or with both methods where necessary. A risk matrix is a suitable way to visualise the risk potentials and to provide a basis for strategic decisions.
Subsequently, risk aggregation is used to determine the overall risk position and thus the risk-bearing capacity of the company.
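As an added illustration (not code from the original page or from any product it mentions), the assessment key figures in Python: the damage expectation value, placement in a 5x5 risk matrix with constructed band thresholds, ranking by hazard potential, and aggregation of the expected damages against an assumed risk-bearing capacity. The risk register entries are constructed sample values.

```python
from dataclasses import dataclass

# Constructed thresholds for a 5x5 risk matrix; a company-specific risk
# strategy would define its own bands (assumption, not taken from the page).
PROB_BANDS = [(0.1, 1), (0.3, 2), (0.6, 3), (0.9, 4), (1.0, 5)]
DAMAGE_BANDS = [(1e4, 1), (1e5, 2), (1e6, 3), (1e7, 4), (float("inf"), 5)]


def band(value, bands):
    """Score of the first band whose upper bound the value does not exceed."""
    for upper, score in bands:
        if value <= upper:
            return score
    return bands[-1][1]


@dataclass
class Risk:
    name: str
    probability: float  # probability of occurrence, 0..1
    damage: float       # amount of damage if the risk occurs (money units)

    @property
    def expected_damage(self):
        # damage expectation value = probability of occurrence x amount of damage
        return self.probability * self.damage

    @property
    def matrix_cell(self):
        # (probability score, damage score): the cell in the risk matrix
        return band(self.probability, PROB_BANDS), band(self.damage, DAMAGE_BANDS)


def prioritise(risks):
    """Rank by hazard potential: matrix score product first, expected damage as tie-break."""
    return sorted(risks, reverse=True,
                  key=lambda r: (r.matrix_cell[0] * r.matrix_cell[1], r.expected_damage))


def aggregate(risks, risk_bearing_capacity):
    """Overall risk position as the sum of expected damages (assumes the risks are
    independent; reinforcing or compensating interrelationships are not modelled)
    and whether it stays within the upper limit set by the risk strategy."""
    total = sum(r.expected_damage for r in risks)
    return total, total <= risk_bearing_capacity


# Constructed sample risk register (illustrative values only)
REGISTER = [
    Risk("ransomware outage", 0.2, 2_000_000),
    Risk("phishing-driven account takeover", 0.5, 150_000),
    Risk("laptop theft", 0.8, 5_000),
]
```

Note that the matrix ranking and the expectation-value ranking disagree for the sample register: the matrix puts the account takeover first, while the ransomware outage has the largest expected damage, which is why the text recommends using both views.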
Once the risk assessment phase is completed, appropriate control measures for the negative and positive risks are determined and initiated with the aim of bringing about a positive change in the current risk situation. Derived from the strategy defined in advance, it is decided for each risk how it should be dealt with. Is it negligible and can be accepted? Must it be avoided at all costs? Can it be specifically reduced through appropriate countermeasures?
With regard to the types of control measures, a distinction can be made between proactive and reactive measures. The former are activities that are initiated before the risk occurs. The aim of these activities is to reduce the probability of occurrence of negative risks, or to increase it for positive ones, especially in the case of medium and large risks. Reactive measures, on the other hand, are only implemented once a risk has already occurred.
Risk monitoring is about checking at regular, predefined intervals whether, and which, changes in the risks have resulted from the measures taken. The changes in the probability of occurrence of the individual dangerous events are examined, as well as the direction in which the amount of potential damage has moved. This analysis can be used to identify and implement potential improvements. It also shows whether any new risks have come to light.
The monitoring of risk management provides information about the functioning of the process and its effectiveness. Based on the results of this monitoring, conclusions can be drawn about improvement methods and the further development of the risk management process.
Finally, a detailed report on the findings is prepared and handed over to those responsible. The report provides the status quo of the risk situation in the company as well as suggestions for improvement derived from it and thus ensures appropriate communication within the organisation.
Within the company, every identified risk, negative or positive, must go through an internal approval process. First, the risk assessment is carried out by the person who discovered the threat (risk owner). The person estimates the amount of damage and the probability of occurrence and carries out the qualitative/quantitative assessments. In addition, best-case, worst-case and expected-case scenarios are run through. The possible risk development is estimated with the help of a time period assessment.
After the assessment, the risk moves to the next higher level, where it must be approved by the responsible person. If it is approved, the risk moves further up, otherwise it goes back to the risk owner, who then has to reassess the risk.
When the risk reaches the company's management, it is determined whether it is relevant for the whole group or only for the subsidiary.
Once released by the decentralised management, the risk is forwarded to the risk management of the holding company. The parent company collects all reported risks from the subsidiaries and aggregates them. Subsequently, control measures are determined. Finally, a detailed report is prepared for the executive board, which includes all relevant key figures and data.
Efficient risk management with a system
In order to conduct effective and reliable risk management, it is advisable to introduce a structured and workflow-based risk management system and to integrate it into corporate management. In this way, the transparency of data and processes can be guaranteed and the risk management process can be traced at any time. The obligatory risk early warning system, as part of the risk management system, enables you to identify potential threats at an early stage so that you can carry out effective risk control.
Our established risk management software solution, antares RiMIS®, offers you comprehensive functions for governance, risk and compliance management.
Identify risks at an early stage and counteract them effectively - with our GRC software solution antares RiMIS®.