Enterprise risk management – risks in business, made easy to understand
There are risks everywhere. But what do you need to know in the context of companies and the economy? What is special about enterprise risk management?
Business without risks – everything under control – and know in good time if something goes wrong. The best thing to do is to have the right decisions ready and take countermeasures. Just a dream? Is it even possible without risks? Or do risks perhaps even have a positive side that we pay far too little attention to? Let’s take an easy-to-understand look at the topic of enterprise risk management together.
Nothing is without risk. That’s what we learn from childhood, before we later have to decide for ourselves with further platitudes such as “no risk, no fun”. As soon as we arrive in professional life, we inevitably have to deal with money, obligations and consequences – suddenly the topic of risk is more present and, in a time of economic upheaval, sometimes also personal. In business, it is important to be risk-averse and yet mitigating – in other words, to take risks and avoid recklessness. How does this fit together and what enterprise risk management options and methods should you be aware of?
Risks: Present everywhere and yet difficult to grasp
In fact, nothing is without risk, neither human nor machine work. Wherever manual work is carried out, whether in carpentry or accounting, mistakes can happen. It doesn’t matter whether a piece of wood breaks just before a piece of furniture is finished or an invoice is incorrectly allocated and booked: in the end, it costs money. Mistakes happen in every company and both examples can be used to describe so-called “risk mitigating measures”.
A carpenter will be more careful with a workpiece at the end of the job than with the raw wood. If something goes wrong in the end, a lot of working hours and therefore labor costs are involved. Accordingly, he pays attention to the way in which he handles and stores the now almost finished and saleable piece of goods. The risk: dissatisfied customer, no payment received or repeat production. Everything costs money!
Every accounting department checks whether invoice data matches: Sender, items, order number and amounts. Where there is no invoice verification, there is a risk: forgotten discounts, incorrect quantities and taxes ultimately lead to financial losses.
However, risks can not only be avoided, but also consciously taken. This is worthwhile, for example, when large quantities of cheap goods are sold or production is carried out on an assembly line. In such cases, a decision is often made as to how much risk is worth taking: if the quantity of rejects is so low and the production speed so high that the advantages outweigh the disadvantages, a certain quantity of faulty parts is not a problem. A decision is also made based on the quality that the customer expects. If he is satisfied with an inexpensive product of average quality, there is more tolerance for risks than if it is a product from a manufacturer. At the same time, no car manufacturer would check parts that are invisibly installed for optical properties in the same way as a dashboard.
In the manufacturing industry as well as in management, the keyword is “risk appetite” – what initially sounds like a neologism is actually a common term. I am always surprised at how many companies and managers are unaware of the risk appetite of their own environment. Because nothing is without risk and excessive risks are critical, the risk appetite should be assessed, recorded and constantly reviewed.
EnterpriseRi context – what counts in management
In business, everything starts with interested parties. Knowing the stakeholders, i.e. all persons or groups who have a legitimate interest in the results and progress of projects and processes, is a widespread topic. These people and groups can be very heterogeneous: The production director or COO will claim very different interests to the HR director or HR department. An interested parties analysis, often also referred to as a stakeholder analysis, can be used to determine basic requirements and interests as well as individual risk appetite. However, this is often very personal information that stems from the focus of the company’s own responsibility.
The next question in relation to risks relates to assets. Often misunderstood as a financial term, assets are present and relevant in many more places in the company than you might think: IT operates an asset management system with all IT devices, software and peripherals, sales has customer data and production consists of machines and tools. Knowing these assets is fundamentally important: if assets fail or require maintenance, risks arise. Of course, these can be mitigated – a production facility could simply keep several machines on hand to replace them – but in the end it costs money. Take the example of the risk that your asset “my car” stops working on a winter morning. You can easily mitigate this risk – simply buy another one and drive both cars alternately. As a reader, you’re probably thinking: “That can’t be the solution, because who buys a second car for such a low risk?” – but that depends on your individual risk appetite. Just ask two different stakeholders – you’ll be surprised how indifferent the home office worker is to the car not starting, and how shocked the nurse would be if she couldn’t drive to work one morning. Fortunately, cars have had numerous technologies on board for many years that prevent such situations. Without digressing here, automatically switching off the lights, the warning that the alternator is no longer charging and the automatic cold start system are already absolutely standard for us – cars now start much more naturally in winter than was previously the case. Even the length of the engine start is regulated electronically when the start button is pressed.
Behind such achievements are processes and their constant optimization. In aviation, accidents have been investigated and de-icing processes introduced for wings, ground proximity warning systems developed to avoid collisions and strict checklists built into flight computers. Cars warn us loudly and clearly if we take the risk of driving without a seatbelt. ESP – now mandatory in all types of vehicles – regulates engine power and applies the brakes on slippery roads. In the food industry, metal detectors check your favorite cereal after it has been packaged in the factory – so that any metal parts from production machines cannot end up on your breakfast table. There are thousands of other examples of processes and how they can identify or avoid risks: From virus scanners to file systems, hopefully regular data backups to your email provider alerting you to spam and viruses in messages. Our whole life, our work and our everyday life are therefore less and less risky today, as we have learned to scrutinize and secure the processes of our lives. This can be seen from the fact that 10 years ago it was completely normal to log on to the Internet with just a password and no second factor. Our appetite for the risk of losing access and payment data has decreased, processes have improved and the risks are now greatly minimized. That’s why your browser warns you when you access a non-secure website. And because all these points in the company also protect against the infiltration of malware and viruses, they are a tangible example of applied risk management that is not too abstract.
Standards, frameworks and known references
In addition to the numerous examples mentioned, it should be noted that risk management is an integral part of established international standards and process models. ISO 31000, the best-known standard for risk management, clearly lists the points of risk identification, analysis, assessment and management, flanked by monitoring and review as well as constant communication to ensure a clear context at all times. Like other, perhaps better known ISO standards, e.g. 9001 for quality management or 27001 for information security, ISO 31000 focuses on the principle of Plan, Do, Check, Act (PDCA) as a continuous cycle. As you can see from the examples given here, quality, risks and information security are not completely separate and yes, of course the standards mentioned here also require a stakeholder analysis, assets and the identification of risks. Everything goes hand in hand!
In IT governance, the COBIT framework is established as a globally recognized framework for enterprise governance. During the last revision, the “Enterprise Risk” factor was directly integrated: Risk and Mitigation was built into the framework as a Business Design Factor, meaning it is now an integral part and much more comprehensive than before. Specifically, risk is now even a focus area to which special attention is to be paid. Experts in the field use the maturity models from COBIT to scrutinize IT processes and carry out risk optimization:
- Do we manage risk at all, is the risk appetite known and its impact on company values as well?
- Do we control risk management effectively – do we have targets, are we aware of critical processes in the company and do we report on them transparently?
- Do we monitor how the key figures are changing, whether the risk appetite is increasing too much and whether the company’s objectives are being jeopardized?
- How do we deal with resources? Do we keep in mind that we cannot work without resources and do we know what our future requirements will be?
These are just a few examples of the questions that professionals in this field are grappling with. Suddenly, omnipresent questions come into play that we have been familiar with from the daily press since the chip crisis at the latest:
- What about the availability of raw materials, and how are prices changing? What risks do we have in filling the warehouse now – or waiting?
- How prepared are we for outages – what happens if the power is cut or suppliers can no longer deliver? Do we have a buffer?
- Where can we get qualified staff if there are fewer and fewer applicants? Do we have the option of having employees work from home?
There are almost endless aspects and combinations, but we need to focus on a manageable number here. Finally, I have a popular anecdote from the coronavirus years: what was the biggest risk faced by numerous commercial enterprises that nobody saw coming in 2019? The unexpected shortage of tokens, small devices that millions of employees suddenly wanted to use to authenticate themselves at the company from home via the internet – because there simply weren’t enough tokens on the market in April 2020. Suddenly, prices skyrocketed and most companies quickly switched to software tokens or started using cell phone authentication. After all, many already had this in their pockets – apart from the sudden increase in demand for company mobile phones, which also led to bottlenecks.
As you can see, hindsight is always wiser, and no one knows what risks we will ultimately face. Not everything can be avoided, but many things can be recognized, managed as a risk and assigned sensible measures and hopefully mitigated.