Synergies in risk management

When several people discuss the content of risk management in organizations, a consensus quickly emerges on the application of the risk management process (framework, risk identification, analysis, assessment, coping, etc.). It becomes more difficult when it comes to the allocation of individual applications of risk management and the actual organisational synergy.

Under the umbrella term risk management, ERM (Enterprise Risk Management) is often subsumed together with sub-areas such as ICS (Internal Control System), BCM (Business Continuity Management), CMS (Compliance Management), QMS (Quality Management), SMS (Security Management), etc. Unfortunately, each of these areas tends to be perceived in its own silo.


An overly simple, and hardly feasible, solution would be to use risk management as an umbrella term that integrates all other sub-areas. However, such "total risk management" is difficult to implement in practice, because each sub-area pursues a different objective, covers specific content, has different technical requirements, has a different scope of application, or uses a different methodology.


How can costly overlaps and wasted resources be avoided, and synergies and simplifications achieved instead?


The following explanations pursue two objectives: firstly, to clarify the areas of application of risk management and the interfaces between them; secondly, to outline conceptual solutions that avoid duplication and bring about simplification.

Risk management and sub-areas
Organizations use risk management as a management tool. This is done not only by private companies, but increasingly also by public institutions and administrations. Risk management is sometimes prescribed by law. Standards such as the international standard "ISO 31000 Risk management - Guidelines" or the American "COSO Enterprise Risk Management Framework" are used for implementation. Risk is defined as the "impact of uncertainty on objectives, activities and requirements".


The risk management standards can be applied to all organizations, all decision-making situations and all corporate processes. One often speaks of "enterprise-wide risk management" or "enterprise risk management (ERM)".


Risk management in a broader sense includes many sub-areas that are similar, yet different. The most important ones are:


- Compliance management (CMS) is about ensuring that the organization complies with laws, regulatory requirements, relevant standards and guidelines. According to the international standard ISO 19600, compliance management should be "risk-based". This means that those laws and regulations are of particularly high importance whose non-compliance becomes a (negative) risk for the organization.


- In the internal control system (ICS), controls (four-eyes principle, spot checks, system controls, etc.) should ensure that the financial processes run correctly, which in turn should lead to error-free financial reporting.


In addition, the focus is on the careful use of financial resources and the prevention of fraud and losses. Internal control systems also deal with compliance with legal regulations and internal directives, where care must be taken to ensure that there is no overlap or duplication with compliance management.


- Emergency, crisis and continuity management (known in the English-speaking world as Business Continuity Management / BCM) is about ensuring that the organisation reacts correctly after serious incidents have occurred and prepares measures to quickly restore the interrupted operating functions.


In order to identify the points in the organization that are particularly critical for keeping operational processes running, ISO 22301, for example, recommends performing a business impact analysis, which creates a direct link to the risk management process.


- In the area of information security, when dealing with IT systems it is important that the availability, integrity and protection of the data are guaranteed. The international standards ISO 27001 and ISO 27005 describe the information security management system and give specific guidance on the need for risk analysis.


- In security management we encounter many industry-specific individual areas. They include occupational safety (new ISO 45001) and environmental safety (ISO 14001) as well as product safety (e.g. ISO 14971) and patient safety (EN 15224). Risk analyses are mandatory in all these areas.


Given this diversity, it is necessary for the many specialists involved to work together in order to avoid duplication and create synergies.

Risk management in complex companies
Bringing order into risk management requires a systematic approach: on the one hand, risk-related aspects must be taken into account consistently; on the other hand, the subject-specific content and methods of the individual sub-areas must be preserved.


If corporate risk management is placed at the centre of a complex organisation and linked with the risk-based subsystems, the solution lies in combining a top-down and a bottom-up approach. Corporate risk management is the top-down approach, which encompasses long-term survival, safeguarding the existence of the company, the "preservation of its existence" or - to use a very nice French expression - "pérennité" (perpetuity / sustainability). This approach is anchored in German stock corporation law in KonTraG § 91 (2) AktG ("developments that endanger the continued existence of the company").


Top management, i.e. the Board of Directors / Supervisory Board and the Executive Board, must deal with these risks regularly. In doing so, it must ensure that the risks are correctly identified, analysed with their causes and effects, described in a comprehensible manner, correctly assessed, and regularly controlled and monitored.

Risk management in daily business
Even if a risk does not threaten the existence of the company, it should have a certain "exceptionality" in order to stand out as a risk from day-to-day business. In day-to-day business, there are many disruptions, irregularities and deviations. Under no circumstances should these be made the subject of risk management or a risk-based approach, because this would create a huge bureaucracy that would not provide any benefit. Here, the instrument of continuous improvement must ensure that the performance processes are continuously improved and optimized.


A distinction must be made between this and error management. Errors can lead to a major safety risk through a "chain of unfortunate circumstances". Here, dealing with errors is a method of risk management that is often referred to as "critical incident reporting" or an error reporting system.


As a rule, an organization has only a few risks that threaten its existence, perhaps about 10 in number. These include not only strategic risks of an organization, but also operational risks.


Analysing incidents in terms of their frequency of occurrence and their impact, illustrated in the following example along the financial dimension, helps to allocate possible deviations to risk management, to a risk-based sub-area, or to daily business.


The chart (left) shows that, from a risk perspective, the corporate risks threatening the company as a going concern can have a considerable qualitative and quantitative impact on the company's objectives, although they only occur with a low probability of occurrence (low frequency / high severity).


In contrast, risks from the corresponding sub-sectors generally have a high frequency but a rather limited impact on the company's objectives. This does not apply to risks that jeopardize the company's existence. The treatment of risks with high frequency and limited impact within the framework of sub-areas (e.g. in the internal control system) can be worthwhile or profitable.

Risk summary
The design of a synergetic risk management system is a challenging task. It requires not only a deep understanding of the management areas listed above, but also a high degree of internal communication and coordination. Unfortunately, the standards offer hardly any support in this respect, as each is built on a separate architecture or at best a partially integrated structure.


Organizations that have succeeded in structuring risk management in a comprehensible way will not only have appropriate "governance", but will in particular secure a clear advantage in effective and efficient use of their resources.
