Ask your doctor or pharmacist about risks and side effects. This sentence alone shows that, in German, the word “risk” does not mean anything good. However, in order to delve deeper into risk management in general and the risk-based approach in particular, you need to detach yourself a little from the everyday meaning of the word. Since both “risk management” and the “risk-based approach” originate from the English language, it is important to see risks not only as threats, but also as opportunities. This is illustrated by phrases such as “No Risk, No Fun” or the more categorical description “Upside Risk & Downside Risk”. The former is to be understood as an opportunity, the latter as a threat. Risk management is also the basis for data protection, information security and business continuity management in order to increase the resilience of your own organization.
What is risk management?
Risk management is clearly defined. In the first step, it means identifying, assessing and prioritizing risks. This is followed by the coordinated and economical use of resources to minimize, monitor and control the probability or impact of unfortunate events. At the same time, opportunities should also be maximized.
Risk management therefore gives companies the opportunity to control risks rather than accepting them as a mixture of good and bad luck. Risk management is now an integral part of ISO 9001 (standard for quality management systems). In economics, quality management is the sum of all measures that are necessary to maintain and improve process quality, work quality and thus product and service quality. Quality is the fulfillment of requirements – for example by customers. Delivering the required quality is always associated with risks. A risk is the impact of uncertainty on an expected result. It is therefore important to manage risk elegantly and professionally in order to be able to deliver the desired quality.
Examples of dealing with opportunities and risks
With the revision of ISO 9001 (standard for quality management), the concept of a risk-based approach came more into focus. What is new about it? Basically, the risk-based approach emphasizes the positive aspects of the term risk. It says between the lines: “Have the courage”. Imagine you have the opportunity to introduce new software. You decide against it because you have too many reservations. But the competition does not. This could have negative consequences for your company. Not recognizing opportunities can therefore mean another risk for you.
To be certified to ISO 9001:2015, management in particular is therefore required to implement the risk-based approach in the company. The risk-based approach has been much more present since March 2020: With the onset of the corona pandemic, companies had to make a great many decisions within a short space of time, most of which affected process quality. Remote work, restructuring of supply chains or budget cuts are all measures that could have a negative impact or even encourage innovative action.
Even without coronavirus, Gartner already predicted in 2018 that 20% of larger companies would effectively embed their risk decisions in a business context by 2020. The actual figure is likely to have risen sharply due to the coronavirus crisis. Companies that have had to deal with risk management in a very short space of time are still facing major challenges.
What is risk-based thinking?
The most obvious analogy is crossing a suspension bridge stretched over a gorge. If you look left, right and down, risk-based thinking automatically kicks in. While the decision to go or stay is made in your head in a few seconds, we can also break it down to business risk assessment. If you assume that the bridge is shaky and already old, you now have various options:
- Acceptance: You can accept the risk of falling. You cross the bridge.
- Avoidance: You can also avoid the risk by changing your plans. You look for a way through the valley. Or you go home altogether.
- Reduction: You could also reduce the risk. For example, by waiting for the bridge to be repaired and not crossing it until all the rotten planks have been replaced.
- Transfer: You could also redistribute the risk by taking out insurance. In case of doubt, this will not save you personally in this specific situation, but you could mitigate the consequences of the accident for yourself or your relatives.
- Sharing: You could also share the risk. You could cooperate with someone by crossing the bridge together and protecting each other.
- Contingency: In risk management, there is also the possibility of a contingency plan. You simply come back when the ravine has been filled in or a concrete bridge has been built.
The risk-based approach: not only threats – but also opportunities
As mentioned above, crossing the bridge is not only a threat, but also an opportunity. In every one of these bridge scenarios, the time factor plays a role. An opportunity awaits you on the other side of the gorge – an important business meeting, for example. You now have to weigh up how quickly you want to make the appointment. If you simply stay on your side of the gorge, there is no risk. But you also have no appointment – and therefore no chance of closing the deal.
Risk management: opportunities and risks
Risk management must be implemented company-wide: In many companies, risk management is still a departmental matter. Management is still too rarely involved, as a risk-based approach also requires a cultural change. There is no such thing as crossing the road completely risk-free. There is no perfect protection. However, many managers find it difficult to adapt to this paradigm and exchange ideas accordingly. This step is very important, as the risk-based approach is about identifying and naming the effects of business uncertainties for the entire organization and using them as a basis for planning the next business steps.
Ideally, a CRO (Chief Risk Manager) or a person with similar competencies brings together the risk management efforts of the individual departments. The relationship between risk managers and executives is very important at this time, as many executives may make risk decisions without having security sufficiently in mind. The CRO should discuss the company’s risk tolerance with the directors and determine whether the new actions the decision makers are taking are within that range.
Despite the current crisis situation, it is important to remember that risk management is not just an IT matter. Decisions must also be weighed up with the risk stakeholders in the non-IT areas of the company. In order to make effective decisions, residual risk must be accepted. Risk stakeholders have the choice of accepting more risk at a lower cost or less risk at a higher cost. It is a legitimate business decision to choose any level of risk that benefits the company’s bottom line. The challenge is balancing the need for protection with the requirements of business operations.
Entrepreneurial risk assessment: reaping economic benefits through a risk-based approach
The risk-based approach therefore builds a strong knowledge base, moving from a reactive approach to a proactive culture of improvement. However, only when risks are weighed up throughout the organization is there a greater likelihood of improving performance in order to continue to guarantee this quality. As a result, customer confidence will increase and customers will become your advocates.
Once this cultural aspect is accepted within the company, practitioners are faced with the challenge of deriving measures based on strategic and vital objectives that can only be prioritized with a systematic approach. Management systems can provide a remedy here by pooling resources and making processes more efficient.
If an organization gradually builds up several management systems, it can become confusing and lead to overlaps. In this case, an integrated management system provides a remedy. Software-supported management systems in particular, i.e. the use of software to set up and operate a management system, increase this efficiency gain even more significantly.
The management of risks, audits, findings and measures is facilitated by the possibilities of digital documentation. Ideally, the basic features of a management system are even easier to learn and grasp thanks to intuitive operation and increased clarity. Similar to the synergies resulting from the consistent structure of the High Level Structure (HLS), company structures, processes, systems and applications are only recorded once in modern solutions.