The risk management system

Business owners have long relied on instruments and the people around them to overcome risks successfully. The bigger the company, the more widely responsibility has to be spread, for example, across controller, auditor, actuary, safety officer, accountant or lobbies. New areas of risk are constantly being added and new 'tools' constantly have to be developed, for example, information protection, compliance and sustainability development. Today, however, risk management has to play the key role in dealing with risks in large companies. The significance of this task is frequently underestimated.

Identifying and assessing risks reliably is a difficult skill that not only every person, but every company, has to master for themselves. There is no list and assessment of risks that can be transferred 100% from one company to another. To make their task easier, many companies rely on a largely standardised risk management system installed by risk management service providers.

Most of these systems are computer-aided and focus primarily on external risks, such as market risks, credit risks, exchange rate risks, interest rate risks or regulatory risks. In these cases, the risk management system itself is a new risk. Generally, only a few internal risks are listed and are given lower priority, for example, IT outage, compliance violations, industrial accidents and fire.

If high importance is not placed on self-criticism in a company of this nature, selective risk awareness can lead to the worst-case loss.

An AZT analysis of the risk management systems of companies that went bankrupt showed that most frequently the collapse was triggered by the following in-house causes.

Thinking in terms of figures, instead of systemically

Example 1: Every risk is evaluated quantitatively (probability of occurrence, extent of loss) at a particular point in time and a measure budgeted for it according to a ranking scale. In this process, two errors are made repeatedly:

a) no follow-up is made to assess whether the evaluation and thus the ranking have changed over time; and

b) no analysis is made to check whether the various measures taken generated new risks.

Example 2: Depending on the level of risk assessed, risks are classified into categories with different action requirements, for example, 'not tolerable', 'must be reduced' and 'acceptable'. Such classification does not allow for a number of acceptable risks combining to become a risk that is not tolerable.
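The two scoring errors described in Example 1 and Example 2 can be made concrete with a small risk register. The following Python code is an added illustration, not part of the original article or of any AZT tool; the category thresholds, the register entries and the rule that combines risks by summing their expected losses are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Assumed category thresholds on expected loss per period (currency units).
# These are example values, not figures from the article.
THRESHOLDS = [
    (10_000, "acceptable"),
    (50_000, "must be reduced"),
]
TOP_CATEGORY = "not tolerable"


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # probability of occurrence within the period (0..1)
    loss: float          # extent of loss if the risk materialises

    def expected_loss(self) -> float:
        return self.probability * self.loss


def classify(expected_loss: float) -> str:
    """Map an expected loss onto the article's three action categories."""
    for limit, category in THRESHOLDS:
        if expected_loss < limit:
            return category
    return TOP_CATEGORY


def classify_each(risks) -> dict:
    """The usual per-risk ranking: each entry judged on its own."""
    return {r.name: classify(r.expected_loss()) for r in risks}


def classify_combined(risks) -> str:
    """Category of the register as a whole. The combination rule assumed here
    is the sum of expected losses (risks treated as independent); risks that
    share a common cause would combine even less favourably."""
    return classify(sum(r.expected_loss() for r in risks))


def apply_measure(risks, target: str, new_probability: float, side_effects=()):
    """Re-evaluate after a measure: the targeted risk gets its new probability,
    and any new risks the measure generates (side_effects) enter the register.
    A fresh list is returned so the earlier evaluation stays available for
    comparison over time (the follow-up the article says is usually missing)."""
    updated = [
        Risk(r.name, new_probability, r.loss) if r.name == target else r
        for r in risks
    ]
    return updated + list(side_effects)


# Constructed register: six risks, each individually below the
# 'acceptable' threshold (expected loss 7,500 to 9,000 each).
REGISTER = [
    Risk("supplier delay", 0.30, 30_000),
    Risk("phishing incident", 0.40, 20_000),
    Risk("key staff departure", 0.15, 60_000),
    Risk("minor fire", 0.05, 150_000),
    Risk("regulatory fine", 0.10, 90_000),
    Risk("IT outage", 0.45, 20_000),
]


if __name__ == "__main__":
    print(classify_each(REGISTER))        # every entry 'acceptable'
    print(classify_combined(REGISTER))    # 'not tolerable' (sum is 51,500)
    # A measure halves the phishing probability but generates a new risk
    # (constructed: an aggressive mail filter dropping legitimate customer mail).
    after = apply_measure(REGISTER, "phishing incident", 0.20,
                          side_effects=[Risk("lost customer mail", 0.50, 8_000)])
    print(classify_combined(after))       # still 'not tolerable'
```

Run on the constructed register, every line of the per-risk ranking comes back 'acceptable' while the register as a whole is 'not tolerable', which is the blind spot of Example 2. The measure applied afterwards shows the second error of Example 1: the targeted risk is reduced, but the new risk the measure generates eats the gain, and only a re-evaluation of the whole register reveals it.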

Example 3: Significant qualitative factors have been identified (for example, demotivation, loss of expertise and taboos) that cannot be assessed using quantitative evaluation methods. Because the computer-aided system cannot process them without figures, they are not entered into the system and, as a consequence, are not managed.

Thinking in terms of specialist discipline

Example 1: The risks are identified – if at all – and assessed only by the specialist discipline that generates them. Because of a lack of knowledge about the consequences, secondary effects and delayed effects in other disciplines, these are not taken into consideration. In addition, because analysis by an independent and interdisciplinary body is lacking, tunnel vision becomes an organisational principle.

Example 2: Two companies are merged to utilise technological synergies. Risk analysis deals primarily with technological risks only. Those pertaining to organisational psychology are not identified and are not managed. The two corporate cultures become enmeshed in a covert power struggle that prevents the utilisation of the technological synergies.

Short-term instead of long-term orientation

Employees' and executives' performance is rewarded only for achieving short-term goals. No examination is carried out to determine possible negative effects of this performance in a subsequent period.

Invisibility of risks at top management level

No risk identification and assessment takes place for risks that are generated at the top management level. Lower levels make no attempt to do this because of fears that they will be sanctioned negatively.

Insufficient experience

Responsibility for risk management is delegated to a newcomer who neither knows the systemic relationships within the company nor has sufficient life experience. Because he regards the position as a stepping stone to greater tasks, the task tempts him into posturing and into 'whitewashing' the results.

Passing responsibility to the risk management department

After a risk management system is introduced, the various divisions in the company feel they have been relieved of their responsibility. Because they count on the reliable functioning of the system, they increase their risks without informing the system accordingly.

Return to main article "The Inside Job"