A challenge even for professionals

EThe coordinated ISO standards ISO Guide 73, ISO 31000 and ISO 31010 on the subject of risk management, for example, provide a foundation for methods and terms. A simple conclusion is that competent handling of risks requires knowledge of these standards and the associated risk assessment methods (Fig. 1). Dealing with risks then requires an overarching operational, coordinated risk management process.

corporate risk management
Swiss companies spend a considerable amount of time and effort on their risk management, but they face major challenges. As lecturers in the MAS Integrated Risk Management courses, the authors accompany project work that the course participants carry out in their organisations. Three challenges typically emerge in the process:

• Methodological competence: Terms such as danger and risk tend to be used colloquially. This results in considerable communication problems and unclear formulations of objectives and tasks. Knowledge of the variety of available risk assessment methods is often limited to single, simple and industry-standard procedures, which, moreover, are not always used optimally or correctly. An example of this is the FMEA (Failure Mode and Effects Analysis). Here, a large analysis and evaluation potential often remains unused due to ignorance.
• Silo thinking: Communication and action paths between risk, quality management, business continuity management, IT security, compliance, etc. are hardly developed. This makes it difficult for the management of an organization to obtain a comprehensive and consistent picture of the risk landscape, which makes decision-making more difficult. An organizational culture of integrated risk management can create cross-connections here.
• Complexity: Even the most complex products, processes, devices and systems are usually examined using table-based methods such as FMEA. This even applies to the increasingly strongly networked and automated systems (Industry 4.0, Smart Manufacturing), which should also be examined in a socio-technical context, e.g. via a resilience analysis. This overlooks new dangers and vulnerabilities, e.g. "misguided" control systems (Industrial Control System, ICS) at the interface between devices and production monitoring (Supervisory Control and Data Acquisition, SCADA). Suitable analysis methods must be found and their strengths and weaknesses should be known.

The integrated management approach
The world-renowned standard ISO 9001:2015 "Quality Management Systems - Requirements".

recommends a risk-based approach. This integral approach combines the processes of an organization, e.g. compliance, quality and information security management, into a self-contained and coordinated, proactive risk management process (Fig. 2).

Continuing education CAS Risk Analysis and Risk Assessment
The continuing education courses offered by the ZHAW School of Engineering as part of the MAS Integrated Risk Management and the CAS contained therein cover the entire process of risk management in accordance with ISO 31000. The CAS Risk Analytics and Risk Assessment covers the central area of risk management: What risks exist? How can these risks be presented or calculated to suit the organization? And finally: How can we decide whether the identified risks are acceptable or not? The lecturers are proven experts in risk assessment methods. Theory and practical exercises alternate. Students also write a project paper in which they work with a coach to find solutions to the risk assessment challenges identified in the CAS Risk Analytics and Risk Assessment in their organizations. In this way, the CAS Risk Analytics and Risk Assessment conveys a sound and practical know-how of the most important analysis methods and promotes reflection on these methods. The CAS Risk Analysis and Risk Assessment is primarily aimed at those responsible for safety, risk, quality, project, IT and environmental management, senior development and process engineers, representatives in the field of consulting and control.

Knowledge of the variety of available risk assessment methods is often limited to single procedures.

ling and experts in the fields of risk analysis in companies, insurance companies, administration and protection organisations.

The next CAS in Risk Analysis and Risk Assessment will start on 20 September 2016. For further information, please visit www. zhaw.ch/engineering/continuing-education.