What a tool can do

Gn general, the much-cited problem of the "blind spot" arises. This refers to the fact that in risk management one can at best identify those things that have an impact on the immediate business. This was the starting point of Nassim N. Taleb's figure of the "black swan": he discussed that people did not believe in a black swan until one was discovered - on the other side of the world. In short, what you can't see, you don't believe. It remains abstract and rather ineffective.

Anyone who has ever led an interdisciplinary risk workshop knows the dynamics involved in identifying risks and the associated sources of danger. Confusion between risks and hazards is an ongoing issue, agreement on the right "grain size" of risk description is complicated, brainstorming is poorly facilitated or methodologically soporific. In addition, the application of pre-developed forms is a feat, the early detection of newly appearing risks often impossible or difficult to assess in terms of consequences. In the end, the available time is usually insufficient and motivation is limited. The productive discussion of risks ultimately falls by the wayside. If you want to compare this process understandably with an analogy to the construction of a racing car, then most employees like to work on the engine and the exterior design, but the braking, control and driver assistance systems remain underdeveloped. Good, if you can afford it. In fact, it has to be said that the Swiss economy, often known as Europe's most innovative economy, has built up appropriate buffers to be able to absorb risks exceptionally well. But is this sufficient in the longer term? Anyone who has ever been affected by bankruptcy or the liquidation of a business will answer in the negative. So it is good for those who are aware of their risks. Such awareness promotes operational robustness in the face of business (in modern terms, this would be referred to as "resilience" or "antifragility", see box "Terms"). Or put another way: Sustainable business security cannot be achieved without systematic risk management.

Organizational dynamics of management processes

Sensible risk management is a prerequisite for this. The analysis of the initial situation alone and the taking of suitable measures to minimise risk are often a challenge. There is still no mention of the implementation of a suitable strategy or the appropriate monitoring of measures. In addition, methods and instruments are usually not isolated "tools". In many cases, they originate from other disciplines or are derived from them. For the famous cause-effect analysis, for example, the fishbone diagram (the "fault tree") is often chosen. In quality management, this is known from Kaizen as the "Ishikawa" diagram.

Significant preliminary work also exists for integral risk management in various specialist disciplines, for example in the areas of continuity management, crisis and disaster management and the internal control system. Recently, in the area of "human factors", occupational health management has been gaining in importance.

In existing management structures, therefore, there is always usable prior knowledge. However, such knowledge must also be known in order to be utilized. And employees must also make it available. This often poses a problem, as managers often run a career risk when they divulge knowledge. In addition, a good portion of professional pride and bossiness plays a role in cooperation, even if it is explicitly supposed to be about the matter at hand. Maintaining one's own positional power suppresses knowledge sharing and was once described by organizational psychologist Karl Weick as one of the central obstacles in organizational learning. Integral risk management, however, cannot be achieved without meaningful knowledge generation.

For the person in charge, this means networking if they want to be efficient. The risk manager is therefore a specialist required on all fronts: As a connoisseur of the risk map, as a moderator of risk workshops, as a compiler of a risk report, as an enforcer of a risk strategy and policy, as a "networker" and playmaker to other disciplines.

Why a tool?

In order to be able to bundle the existing specialist content into an integral risk management, one can refer to the relevant material, which is already very well documented. For example, there are the standards ISO 310xx / ONR 4900x on risk management, ISO 223xx on continuity management, ISO 2700x on information security, various applied standards such as COSO, COBIT, the Machinery Directive, etc., which provide extensive information on the "what" and "how". Unfortunately, however, this knowledge is already too detailed for most SMEs. And a discussion within the organization usually does not lead to a decision on which standard should really be built upon. As a coping strategy, the company can delegate risk management processing to an external party, but without being able to escape the careful risk assessment obligation. The responsibility remains unalterably with the board of directors. For management consultants, the preparation of and work on risk management topics is an attractive source of income, and "speaking the SME language" ensures access to the client as a house and court advisor for a wide range of topics. The result of this starting position is that although there are templates, risk lists etc. suitable for SMEs, these tend not to be exchanged or shared. Specialised consultants have a wealth of concrete methods and options at their disposal. However, only very general solutions come into the public domain and require a great deal of customisation to apply. It is also questionable what prior knowledge is helpful for the most solid and reliable handling of risks without contributing to over-bureaucratised risk management. In a research project funded by the CTI with the participation of Thomson Reuters, the professional association BCMnet.CH as well as the Lucerne University of Applied Sciences and Arts, the basics for an "Integral Risk Management for the Holistic Safeguarding of Business Activities" were elicited and prepared in the form of a method. The visible result is an informative toolbox, which also contains a benchmarking tool as well as further checklists, explanations and impulses for action (see Fig. 1).

Compare your own risk management

At the end of the tool development process, there were six central questions on integral risk management (see box "Six central questions"), the answers to which indicate whether the topic should be addressed at all. For most regular companies, this is the case today, although there are exceptions.

The benchmarking tool itself is made available on the Accelus platform from Thomson Reuters via the Internet. After logging into the protected area, processing can begin (see Fig. 2). The questionnaire covers key aspects of risk management, continuity and crisis management, and the internal control system. The questions are divided into different topic blocks and formulated in such a way that duplication between the four specialist areas is largely avoided. The thematic blocks include questions such as the scope of risk management in the area of strategy or the responsibilities in the area of communication and responsibilities. If aspects of all four specialist areas are also covered, most agents will feel at home when they are active in the area of risk management.

The given answer options to the questions are sufficiently abstract so that the person processing the question can answer the individual aspects with rough statements. The answers are evaluated by a key grid and compared with the anonymised answers of the previously completed questionnaires. The answers are displayed in eight different topic groups, which comprise previously defined interface topics between the four integrated disciplines. The evaluation is finally available as an electronic document and can serve as a point of reference for the further improvement of "integral risk management" (for an example, see the evaluation graphic in Fig. 3). Often, for example, a risk policy is missing or is only implicit and does not build on existing information.

The answering of the questions takes about 45 minutes and can also be done with accompaniment or guidance; the project partners involved are available for such coaching on an individual basis.

Useful additional material

In addition to the central benchmarking tool, supplementary documents can be accessed. In addition to a collection of various checklists, links and addresses are also available, as well as a strongly integrated glossary with the most important terms (see under www.hslu.ch/integrales-rm). The user of the benchmark can analyse the initial situation in greater depth on the basis of the comparative information obtained. The checklists and accompanying materials developed also provide documents for the further development of integrated risk management that can serve as a template. It is important to implement a small number of targeted measures which, if the benchmark is repeated after a certain period of time, will lead to more advanced responses.

Meaningful mediation The tool was developed over several months with the involvement of a wide range of experts. The result is a solution in which questions were dealt with systematically. For this purpose, specific questions of each industry and company have to be deepened in individual scenarios. However, a systematic and non-double-track approach is already achieved with the existing tool (see box "Beverage producers").

In summary, this toolbox can be used to achieve a systematic approach with a model-based assessment of the individual risk management activities. In this way, a meaningful communication of risk management topics to decision-makers can be achieved and expert contact can be established via the links and addresses provided.