19/01/2022

Risk Management –
Process, Analysis and Methods

Risk management is an essential component of GRC alongside corporate governance. This is how you prepare your company for risks and recognize opportunities.

Risk Management

Risk Management Definition

Risk management is, by definition, a management task based on DIN Standard 31000 and is an ongoing process that runs continuously according to the principles of the Deming Cycle “Plan-Do-Check-Act.” It supports companies, organizations and authorities in identifying, quantifying, classifying and assessing risks and opportunities.

It’s important to note that risk identification, which is part of the Check phase, is the starting point of risk management. Without the identification of a risk, its assessment and further resulting steps would not be possible.

Plan-Do-Control-Act Cycle

The Deming circle describes the process of risk management according to the principle: Plan, Do, Check & Act.

Integrated Risk Management

Integrated Risk Management (IRM) is the holistic approach of risk management practices and processes in the enterprise. Corporate governance, risk management and compliance are the three essential components of governance, risk & compliance (GRC). By implementing it in all areas of the company, it ensures efficient operations, achievement of objectives and identification of opportunities under acceptable risk conditions (risk awareness and risk appetite) for a company.

Key components of integrated risk management are:

• The overall strategy
• Identification and evaluation of the risks, as well as the plans that are in place to mitigate or respond to the risk
• Plans for communicating and reporting on risks, as well as an understanding of how and when risks will be monitored
• An understanding of the technology and overall business environment

Establishing a risk culture creates space for innovation and growth

One benefit of employing IRM is that the entire organization becomes more risk aware.
Objectives, corporate strategies, compliance rules and guidelines are important elements of corporate governance. They are used by management to draw up instructions for action, responsibilities, the calculation of necessary resources and a communication strategy for internal and external use.

The balance between risk awareness and the establishment of a culture that also supports and promotes a certain degree of risk appetite is more important than ever for a company today. This is the only way to create a climate that gives ideas and innovation the space they need and encourages employees to break new ground.

Breaking down silos reduces duplicate effort and competing priorities

Involving leaders from all business units in integrated risk management means that data is shared across functional boundaries and processes are streamlined to support the organization overall.

It also helps to keep risk management in mind during strategy and planning sessions. Everyone gains an understanding of how a risk could impact the business today and going forward.

The organization has a more realistic view on the various impacts that a risk may have, and it can pursue mitigation efforts that support all organizational areas.

ISMS and IT Risk Management

As the world races towards ever increasing digitalization, IT risk management plays a key role in the overall IRM portfolio – particularly when it comes to protecting information.
Like enterprise risk management, information security risk management has impacts on the company’s objectives, finances and operations. It involves the use of an information security management system (ISMS) whose requirements are defined by ISO 27001. As elsewhere in risk management, the identification, assessment, and treatment of risks are among the fundamental characteristics.

ISMS software helps companies oversee risk by enabling the systematic oversight of controls, like procedures and processes, that are used to keep the company – and data – safe. Such a solution also enables management to take appropriate governance and compliance actions.

Risk Management Process

The risk management process covers all necessary steps of risk management:

1. Risk analysis (assessment and evaluation of the risk’s likelihood and impact on the company),
2. Risk control (the procedures, policies, security measures, etc. that are put in place to prevent the risk from occurring),
3. Risk monitoring (ongoing evaluation of the security and business landscape to make sure that risks remain well controlled and that new risks are noted as needed), and
4. Risk reporting (sharing necessary information about potential risks).

Like risk management, the risk management process is understood to be ongoing.
Risk Management Process

Risk Analysis

Risk analysis includes the evaluation and weighting of possible risks. It is the basis for corporate governance, risk & compliance in the company.

The following areas are analyzed and evaluated:

  • Technical risks
  • Software risks
  • Human resource risks
  • Project management risks
  • Product risks
  • Economic and financial risks
  • Environmental risks
  • Political risks

There are many suggested risk analysis techniques that you can use both for the initial evaluation and for ongoing monitoring.

SWOT Analysis

The SWOT (strength, weakness, opportunities, threats) analysis is probably the best-known analysis method in risk analysis.

In this technique, strengths, weaknesses, opportunities and threats are placed in relation to each other. It represents the basis for management’s strategic planning.

SWOT Analysis

Risk Management Techniques

Risk Matrix – ALARP

The ALARP (As Low As Reasonably Practicable) method is a risk assessment method that takes into account the probability and the extent of damage if a risk occurs. Green areas are considered harmless in terms of extent and probability – red areas must be avoided at all costs. The yellow medium areas represent acceptable risks, taking into account possible growth opportunities. This method is one of the most frequently used assessment methods.
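As an added example (not code from the original article or from OTRS), the following Python script puts a risk matrix of this kind into code: each risk gets a likelihood and an impact on a 1..5 scale, the score is their product, and the score is mapped to the green, yellow or red zone. The 1..5 scales, the zone thresholds and the sample risk register are assumptions chosen for illustration; a real organization sets these according to its own risk appetite.

```python
"""Risk matrix classification in the ALARP style.

Added example; not OTRS code. Assumed conventions:
  - likelihood and impact are integers on a 1..5 scale,
  - score = likelihood * impact (possible values 1..25),
  - green: score <= 4, yellow: 5 <= score <= 12, red: score >= 15.
"""
from dataclasses import dataclass

GREEN_MAX = 4    # assumed threshold: at or below this the risk is harmless
YELLOW_MAX = 12  # assumed threshold: above this the risk must be avoided


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 = rare ... 5 = almost certain
    impact: int      # 1 = negligible ... 5 = catastrophic


def _check_scale(value: int, label: str) -> None:
    """Reject values outside the assumed 1..5 scale instead of silently scoring them."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer in 1..5, got {value!r}")


def risk_score(likelihood: int, impact: int) -> int:
    """Return the matrix score (likelihood times impact)."""
    _check_scale(likelihood, "likelihood")
    _check_scale(impact, "impact")
    return likelihood * impact


def risk_zone(likelihood: int, impact: int) -> str:
    """Map a likelihood/impact pair to the green, yellow or red zone."""
    score = risk_score(likelihood, impact)
    if score <= GREEN_MAX:
        return "green"
    if score <= YELLOW_MAX:
        return "yellow"
    return "red"


def prioritise(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """Return (name, score, zone) for every risk, highest score first."""
    scored = [(r.name, risk_score(r.likelihood, r.impact),
               risk_zone(r.likelihood, r.impact)) for r in risks]
    return sorted(scored, key=lambda entry: entry[1], reverse=True)


def render_matrix() -> list[str]:
    """Draw the 5x5 matrix as text, impact on the rows, likelihood on the columns."""
    rows = ["impact\\likelihood  1 2 3 4 5"]
    for impact in range(5, 0, -1):
        cells = " ".join(risk_zone(lik, impact)[0].upper() for lik in range(1, 6))
        rows.append(f"{impact:>17}  {cells}")
    return rows


# Constructed sample register; the entries are illustrative, not real findings.
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing server", likelihood=4, impact=5),
    Risk("Lost laptop without disk encryption", likelihood=3, impact=4),
    Risk("Phishing leads to credential theft", likelihood=5, impact=3),
    Risk("Single cleaning contractor leaves", likelihood=2, impact=1),
]

if __name__ == "__main__":
    print("\n".join(render_matrix()))
    for name, score, zone in prioritise(SAMPLE_RISKS):
        print(f"{zone:6} {score:2}  {name}")
```

Because the score is a product, a likelihood-5/impact-3 risk and a likelihood-3/impact-5 risk land in the same zone; organizations that want to weight impact more heavily than likelihood (common for safety and data-protection risks) replace the multiplication with a lookup table, which this layout makes easy to swap in.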

Risk Matrix

DRBFM – Design Review Based on Failure Modes

DRBFM is a method originally developed by Toyota that describes the development process of a process or a product. It is used by management to identify and avoid errors, and it is intended to contribute to quality assurance in new developments.

FTA – Fault Tree Analysis

Fault Tree Analysis is used for the risk analysis of manufacturing plants and systems. The goal here is to identify all individual components whose failure could lead to an entire system failure.

FMEA – Failure Modes & Effects Analysis

Failure Modes & Effects Analysis enables, through teamwork, the identification of possible errors and sources of influence in products or processes and works out suitable precautionary measures to avoid the identified errors/risks.

Risk Monitoring

Risk monitoring is also an integral part of the risk management process: it is used to keep on top of identified risks. This enables management teams to respond to changes in good time and to adjust corporate governance, risk & compliance (GRC) accordingly.

Whether changing regulations, competition, economic or political factors, the following questions arise when monitoring a risk:

  • How has the risk changed?
  • What are the implications of these changes for corporate governance, compliance or other important aspects?
  • Is the relationship between risk and risk avoidance in healthy balance?

“The dangerous thing about risk is not the risk itself, but how it is handled.”
Felix M. Gerg

Risk Management Software

Risk management software enables the risk situation of a company to be documented and evaluated by combining internal and external data. It enables risks to be identified in good time and is a major aid to management in decision-making.
By collecting data centrally and across departments, for example from vulnerability management or security incident management systems, management can review at any time whether the achievement of goals is in jeopardy, whether policies need to be adjusted, or whether new opportunities for the company can be identified.

Basic risk management software functionalities include tools for risk:

• Analysis
• Evaluation
• Control
• Monitoring
• Reporting

Learn how OTRS Group solutions can help your organization manage risk.
