Analyze and evaluate risks

First of all, it is important to define the context in which risks are to be analyzed and evaluated. Of course, risks exist everywhere, be it in a project, in a process or in an entire company.

If we look at the risks in different companies in this article, we can see that the risk exposure often differs greatly. This means that there is certainly no such thing as a "pattern F" in risk analysis.

Prerequisites for a risk analysis
Financial institutions have different risks than a construction company and even the companies of one industry cannot necessarily be compared. Of course, there are so-called industry risks. But some are internationally active and are therefore already exposed to completely different risks than local companies. Whether it is the different ownership structure, the special requirements of the company's location, the financial resources of the company, strategic orientation, age, size, political anchoring: all this and more has an influence on the risk exposure.

Certain risks also only arise as a result of specific combinations. Examples are the innovative strength of a company that does not keep pace with its strategic orientation, or liquidity risks that arise from reputational damage, or legal uncertainties that are triggered by country risks. For an analysis, it is therefore important to proceed holistically and systematically.

Identification of risks
Before risks can be analyzed and evaluated, they must first be found. When we think of risks, we spontaneously think of spectacular events: Terrorist attacks, cyber risks, natural catastrophes such as earthquakes or floods, bird flu, migration waves or even a meteorite impact ...

But are these really the relevant risks? Of course, these risks can cause great damage. But are they also relevant in every company?

Often the risks threatening the existence of a company are not necessarily these spectacular, external catastrophes, but above all the internal risks.

They are rooted in the strategic area, in the processes, in the company's handling of legal and ethical issues, in its innovative behaviour, etc. This does not necessarily make research, analysis and documentation easy. This does not necessarily make research, analysis and documentation easy, because many internal shortcomings come to light. On the one hand, this transparency is not always desired and can also open up various wounds and become a delicate matter when it comes to documentation.

For a holistic risk management system, however, no barriers must be imposed on the analysis, assessment and documentation of risks, otherwise the work becomes an alibi function.

On the other hand, internal risks can usually be managed very well, as internal problems can also be countered with internal measures. This results in a great potential in risk management, which, if successfully applied, can become a success factor for the company.

No matter which analysis method is used, whether bottom-up or top-down, quantitative or qualitative, inductive or de-ductive, it is necessary to evaluate and document the risks accordingly in order to be able to take meaningful action.

Analogy to knowledge management
The more digital challenges force companies to rethink their structures and processes, the clearer it becomes that internal risks in particular must be managed better. Therefore, not only organizations will become more agile in the future, but also risk management.

The risk process is based on the following rules: identifying risks, analysing risks, evaluating risks and processing risks.

Data is generated by collecting and measuring observations. Quantitative methods can generate vast amounts of data. Only through meaningful linking with an additional context does one arrive at relevant information from which one can generate applicable knowledge. Finally, one arrives at the realization of how to best apply this knowledge.

This is a process that must be lived in risk management by the risk manager, the risk owners, experts, employees and, of course, above all by the top management, which determines the goals of the company and their implementation. Risk analysis and risk assessment are successful when the knowledge about the corresponding risks and measures can be determined from the available data and information. Purely quantitative accumulation of data cannot lead to a goal-oriented result.

Success factors for risk analysis and risk assessment
In this context it becomes clear that many factors must interact for a valid risk analysis:

• Definition of the risk system: A clear definition of what the risk analysis refers to. What temporal, spatial, organizational boundaries should be considered? Where should the system boundaries be drawn?
• Avoid method errors: No faulty algorithms may be used in data collection and no insufficient data basis may serve as a starting point. Continuous critical questioning and cross-checking are important in order to avoid systematic errors.
• Organizational Form: It is a paradox that it is particularly difficult to find risks in risk-averse structures. On the one hand, this may be due to the fact that in strict structures the error culture is not very pronounced and fear of sanctions prevails. On the other hand, there is also often a tendency to ignore risks according to the motto "that which should not be, must not be".
• Company Culture: In this context, the so-called "tone at the top" is important, otherwise risk management can easily turn into an annoying token exercise. In addition, companies with a culture of mistrust and domi-nantly hierarchical structures are not particularly suited to identifying risks. There is also the possibility that risk owners conceal risks out of fear or false ambition.
• Person of the risk manager: Risk managers contribute a great deal to the success of risk management through their methodological competence and great integrative understanding.
• Anchoring risk management in the Organization: In the sense of a neutral, uninfluenced view, risk management would best be anchored under top management. Nevertheless, there must be the possibility of not being too detached from the operational processes.
• Appropriate structures and processes: The analysis and evaluation are, like the activities in accounting, a continuous task. Like the balance sheet, the risk report is a snapshot. Accordingly, it must be ensured that the risks are also always managed. Overly rigid systematization can also be an obstacle to finding risks.
• Avoid operational blindness: Over the years, routine can lead to a certain operational blindness among employees. Here, too, constant questioning, thinking outside the box and exchanging ideas with other experts, even from outside the industry, is necessary.
• Risk documentation:  The results of analyses and assessments must be documented in a suitable manner so that appropriate action can be taken.

Ultimately, the more motivated all those involved are in their efforts to achieve a good, transparent result, the more successful a risk analysis will be. It takes courage to address the issues, a certain overview to keep an eye on the relevant aspects, a certain amount of lateral thinking to pick up on the new and unexpected. Nevertheless, this must be accompanied by accuracy, meticulousness and constant questioning.

The documentation should be short and concise, but still comprehensive. This requires a lot of analytical work in advance, because a confusing flood of paper will certainly not lead to the goal. Nor will remaining in a sterile theoretical meta-level lead to success. Ultimately, it is a matter of analyzing and documenting relevant opportunities, problems, hazards and vulnerabilities and making the leadership aware of them and enabling the organization to act.

The more agile organizations become, the more agile risk management must become.