Success factors for corporations
In most cases today, an organization-wide risk management process for controlling risks is firmly anchored as a management tool. All too often, however, approaches are in place that do not correspond to the structure and size of the company. Risk management needs an adapted system, as the example of a Swiss group shows.
The risk management process was carried out by the Swiss Group together with i-Risk on two levels. In a first step, the five business units of the company were considered individually. The results of the business units were then consolidated, and an overarching analysis was carried out at Group level. At both levels, the process progressed from risk analysis to action analysis. Finally, the risks were integrated and documented across the entire Group.
Analysis of risks and measures
In the risk analysis, the risks were identified by means of individual interviews with the members of the Executive Board and then summarized in a risk catalog. The risk assessment took place in a group workshop with the management. Each participant assessed the risks in terms of damage
Workshops with the bosses
The assessment was carried out sequentially by first averaging the individual assessments of the extent of damage for each risk. If there was a large discrepancy between the individual ratings, they were discussed and adjusted if necessary. Then, for each risk, the participants assessed the probability of occurrence at the previously determined extent of damage and, finally, the reputational impact of the event. Furthermore, each risk was assigned to a risk owner and an area. In the subsequent analysis of measures, the respective risk owners were involved in a first step. For their own risks, they drew up a proposal for a management strategy, which states whether the risk should be accepted or reduced. In the same step, the central existing and proposed new measures were recorded and defined with start, end, internal effort, external costs and responsibility. For the definition and planning of new measures, a group workshop was again held with the management.
After the analyses had been carried out in all five business units and consolidated at Group level, the continuation of the process was ensured. In the integration and documentation step, a risk policy, a risk report and a process description with responsibilities were drawn up and the controlling of measures was defined and introduced.
Uniform risks with Bow-Tie methodology
To ensure that the risk management system can continue to be implemented efficiently throughout the Group in the future, attention must be paid to uniform risk identification and description. In the risk identification process, a risk register was built up successively during the interviews. It was then completed with risks from benchmarks of other companies in the industry and serves as a checklist within the company. Even where business units with a wide range of risks exist within the company, a certain degree of harmonization of the risks significantly reduces the effort required for consolidation.
When drawing up the risk register, emphasis must be placed on the creation of risk scenarios. In this case, the Bow-Tie methodology was used, which structures each risk into cause, event and effect. An event is analysed in terms of its possible causes and effects. Risk scenarios are then formulated for the most probable causes and effects, each of which represents one cause-event-effect chain. This structuring benefits the entire risk management process. Risk assessment becomes easier and more accurate because the probability of occurrence is assessed for the cause, while the extent of damage and the reputational impact are assessed for the effect.
In terms of measures, the Bow-Tie methodology achieves a separation of cause-related and effect-related measures. In this way, the appropriate risk management can be selected for the respective risk.
Evaluate risks precisely
The risk management strategy must be defined and introduced. Cause-related measures such as structural and process measures reduce the probability of occurrence and the extent of damage when the risk occurs. Impact-related measures such as insurance and crisis management are generally more favourable, but only reduce the damage caused by the event, not the probability of occurrence (Figure 1).
The reputation factor
Because the Group is composed of different business units, several brands are associated with the company at the same time. In order to operate successfully in the market, the company depends on an excellent image of these brands. Including lasting damage by treating reputation as an evaluation variable is becoming increasingly established in risk management and helps to evaluate and categorize risks more precisely. In this context, risks with a low external impact and small lasting damage, such as a short-term currency loss, can be distinguished from risks with a high external impact and high lasting damage, such as water pollution. The inclusion of reputation is particularly important in order to give greater weight to strategic long-term risks. In the Swiss Group's risk management system, a reputation matrix has therefore been drawn up in addition to the classic risk matrix, which consists of an assessment of the one-year probability of occurrence and the extent of damage. In the reputation matrix, the expected value of each risk (product of probability of occurrence and extent of damage) is compared with the impact on reputation. The top right-hand corner shows first-priority risks, which have both a high short-term expected value and a high long-term reputational impact. Second-priority risks have either a high expected value or a high reputational impact.
The evaluation of the reputation influence is always carried out qualitatively. A scale of one to six is preferable here, as people intuitively know how to deal with six gradations.
View at group and business unit level
In the present case, the group combines five different business units. In order to be able to
Scenario Structuring
In order to map and compare the central risks at business unit level, two different matrices were used to evaluate the risks. A 6×6 risk matrix was used at Group level and a 6×8 risk matrix at business unit level. For the three assessment parameters probability of occurrence, impact on reputation and extent of damage, the scales differ in the extent of damage. At business unit level, two more levels were used to achieve the necessary depth. At Group level, risks were only consolidated above a threshold value. To determine the threshold value, the risks are assessed quantitatively.
A logarithmic scale is used for both the probability of occurrence and the extent of damage. On the one hand, this makes it possible to represent a wider range of risks, and on the other hand, human perception is logarithmic and not linear. Experience shows that with a linear classification, risks are hardly ever placed accurately on the risk matrix. Once a logarithmic classification is chosen, the people involved in the process can assess risks much better. In the case of the Swiss Group, a logarithmic scale with base two was chosen for both the extent of damage and the probability of occurrence. Therefore, in the representation of the risk matrix, equivalent risks are located on parallel lines of equivalence from top right to bottom left (Figure 2).
Consolidation by highest expected value
There are four different approaches to consolidating risks, which can be combined or adapted as appropriate:
- Threshold definition: In this procedure, only risks whose expected value (product of extent of damage and probability of occurrence) exceeds a certain limit are taken into account.
- Categorization: Categorization of risks presupposes that the level to which the risk is relevant (e.g. team, department, division, entire company, board of directors) has been determined in each case when the risks are identified. Only risks in the respective category are then taken into consideration.
- Scenario consolidation: In this approach, risks with the same cause are combined into new risk scenarios in order to achieve a grouping and reduction of risks. Subsequently, the risk scenarios created are reassessed at a higher level.
- Simulation: This involves running thousands of simulations using quantitative models. Historical data and expert assessments are included to create the model.
The consolidation of risks at group level in this example already started with risk identification at business unit level by describing risks as identically as possible. Subsequently, the filter of the group-relevant extent of damage was applied. For the remaining risks, the risk with the highest expected value was transferred to the group matrix for each of the risks described in the same way. The risks thus consolidated from the business units were supplemented with Group-wide superordinate risks. The
Common expected values
Accordingly, consolidation by threshold definition with an addition of higher-level risks was applied here.
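The consolidation steps described above (filter on group-relevant extent of damage, highest expected value per identically described risk, addition of Group-wide risks) can be sketched as follows, together with the reputation-matrix priority. This is an added example, not code or data from the Swiss Group or i-Risk; the scale anchors, the cut-off values, the label "3" for risks that are neither first nor second priority, and all sample risks are assumptions.

```python
from dataclasses import dataclass

# Assumed scale anchors (the article gives only the base of two, not the values).
DAMAGE_LEVEL_1 = 0.25   # CHF million at business-unit damage level 1
PROB_LEVEL_6 = 0.5      # one-year probability at the top probability level

@dataclass(frozen=True)
class Risk:
    unit: str
    scenario: str       # harmonised description from the shared risk register
    damage_level: int   # 1..8 on the business-unit matrix
    prob_level: int     # 1..6
    reputation: int     # 1..6, qualitative

    @property
    def expected_value(self) -> float:
        # Each step doubles damage or probability, so risks with the same
        # damage_level + prob_level have the same expected value.
        damage = DAMAGE_LEVEL_1 * 2 ** (self.damage_level - 1)
        probability = PROB_LEVEL_6 * 2.0 ** (self.prob_level - 6)
        return damage * probability

def consolidate(unit_risks, group_risks, min_damage_level):
    """Filter by group-relevant damage, keep the highest expected value
    per identically described risk, then add the group-wide risks."""
    best = {}
    for risk in unit_risks:
        if risk.damage_level < min_damage_level:
            continue
        current = best.get(risk.scenario)
        if current is None or risk.expected_value > current.expected_value:
            best[risk.scenario] = risk
    return list(best.values()) + list(group_risks)

def priority(risk, ev_cut, reputation_cut):
    """Reputation matrix: 1 = both high, 2 = either high, 3 = neither."""
    high = (risk.expected_value >= ev_cut) + (risk.reputation >= reputation_cut)
    return {2: 1, 1: 2, 0: 3}[high]

# Constructed sample data, not taken from the article.
UNIT_RISKS = [
    Risk("BU-A", "water pollution", 7, 2, 6),
    Risk("BU-B", "water pollution", 6, 4, 6),
    Risk("BU-C", "currency loss", 2, 6, 1),
    Risk("BU-A", "key supplier failure", 6, 3, 2),
]
GROUP_RISKS = [Risk("Group", "loss of group financing", 8, 1, 5)]
```

With a minimum damage level of 3, the currency loss stays at business unit level, and of the two water pollution entries only the one from BU-B, which has the higher expected value, reaches the group matrix.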
Conclusion
Risk management has changed significantly in recent years. In many companies, the topic has evolved from a mandatory legal introduction to a strategic management tool. A few factors determine the success or failure of the risk management system. Especially in a group with different business units, a process with tailored identification, assessment and consolidation of risks is of central importance. Only if the added value and efficiency of the process is recognized and advocated by the management can risk management be applied in a long-term and value-enhancing manner.