Risk management

Risk management includes all measures for the systematic identification, analysis, evaluation, monitoring and control of risks.

Tasks of risk management

According to the standard ISO 31000:2009, risk management is a management task in which the risks of an organization are identified, analyzed and evaluated. For this purpose, the organization's high-level objectives, strategies and policies for risk management are to be established. Specifically, this concerns the definition of criteria by which risks are assessed and evaluated, the methods of risk assessment, the responsibilities for risk decisions, the provision of resources for risk prevention, internal and external communication on the identified risks (reporting), and the qualification of staff for risk management.

Formal training and certification for risk managers can follow the state of the art according to ONR 49003 "Risk management for organizations and systems - Application of ISO / DIN 31000 - Requirements for qualification of the risk manager".

Risk management is viewed as an ongoing process in which planning, implementation, monitoring and improvement take place continuously (Deming: "Plan-Do-Check-Act"). Risk management is to be applied over the entire lifetime of an organization and to give rise to a culture of risk control in the organization.

The principles and risk management procedures described in ISO 31000 apply generally. They can be applied in all areas where risks exist and are not tailored to a specific industry.

Risk management (early risk detection system), especially in joint stock companies, is based on the requirements of the Control and Transparency Act (KonTraG) and on IDW Auditing Standard 340. The aim is to recognize risks that threaten the company's existence in good time and to monitor them in a comprehensible way. Because it is often only the combined effect of several individual risks that threatens a company's existence, the individual risks must be aggregated to determine the overall risk exposure (risk aggregation). The economic added value of risk management lies in reducing the probability of existence-threatening crises through greater risk transparency. The degree of threat to the company's existence is assessed by calculating the impact of risks on the future credit rating by means of a so-called rating prediction.

Further advantages of efficient risk management that are mentioned are improved predictability and a reduced cost of risk.

The risk management process comprises the following:

  • Identification of hazards, describing their nature, causes and effects
  • Analysis of the hazards identified in terms of their probability of occurrence and potential impact
  • Risk assessment by comparison with previously determined criteria of risk acceptance (e.g. from standards and norms)
  • Risk management / risk control through measures that reduce the hazards and/or their probabilities or make the consequences manageable
  • Risk monitoring with the help of parameters that give information about the current risks (risk indicators)
  • Risk records for documentation of all processes that take place in the context of risk analysis and assessment

Terms of risk management

Risk analysis - is used to identify and assess risks. In technical fields, probabilistic safety analysis is used.

Identification of risks - is part of the risk analysis: a list of the various risks is created, in the case of technical systems based on the functional requirements (regardless of the technical design). Aids are: scenario technique, post-mortem analysis, expert interviews, Delphi method, creativity techniques, checklists (hazard list: list of hazards in occupational safety), analysis of possible hazards (Hazard and Operability Study), and evaluation of experience (industrial accidents, bankruptcies) from comparable areas of the company.

Risk matrix - is used for the detailed survey and evaluation of the overall risk of a company, a technical plant, or a business or technical process by entering the identified risk factors in a matrix (risk portfolio, risk matrix) with the dimensions of probability and extent of damage.

Risk avoidance - by refraining from a risky activity.

Risk reduction - reducing the potential risk to an acceptable level.

Risk limitation - defined by specifying upper limits of risk.

Risk communication - presenting the risk results in a transparent and comprehensible manner, for the decision on the acceptability of the risk by the operator and the authority with the involvement of experts, as well as for the people affected by the risk in the plant and in its surroundings.

Risk acceptance - is achieved if the risk, assessed under the given social conditions and taking any residual risks into consideration, is judged to be acceptable.

Residual risk - is the risk that remains after the application of safeguard measures. (See also the statement of the Federal Constitutional Court of 1978 in the Kalkar judgment on residual risk.)

Border risk - is the largest still acceptable risk with respect to specified standards (state of the art / safety). (See also: minimum endogenous mortality, a measure of the accepted, inevitable risk.)

Risk perception - is inherently subjective and depends on the influencing factors of voluntariness, control, trust and disaster potential (according to the basic assumptions of psychology).

Risk diversification - by dividing up the holdings of certain assets.

Risk transfer - by transferring the risk to another party, so that the bearer of the risk changes (e.g. to an insurance company).

Risk control - by monitoring the identified current risks (risk indicators) and compliance with specified limits.

Risk indicators - measured system variables that shed light on the risks (risk ratios) and on the sensitivity of a system to external influences. In safety technology, the term security indicator is used. In the financial sector, the following indicators are distinguished:

  • Lagging indicators, which change after the financial economy has changed as a whole.
  • Leading indicators, which change before the financial economy changes as a whole.

Risk aggregation - is a summary of all individual risks in which the risks are weighted according to their relative importance for the development of the company rather than simply added together. This can be done by simulating the factors that determine the overall risk of the system (used, e.g., to determine the "market risk").
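The simulation approach to risk aggregation described above, as an added Python illustration that is not part of the original article. The risk register, its probabilities and loss ranges, the equity figure and the assumption that the risks occur independently are all constructed for the example.

```python
import random

# Constructed risk register (illustrative values, not from the article):
# name, annual probability of occurrence, (min, most likely, max) loss
RISKS = [
    ("IT outage",         0.20, (50_000, 150_000, 400_000)),
    ("Key customer loss", 0.10, (200_000, 500_000, 1_200_000)),
    ("Supplier failure",  0.15, (80_000, 200_000, 600_000)),
    ("Regulatory fine",   0.05, (100_000, 300_000, 1_000_000)),
]
EQUITY = 1_000_000  # assumed risk-bearing capacity


def simulate_totals(risks, runs=20_000, seed=1):
    """Return the sorted total loss of each simulated year.

    Assumption: risks occur independently; the loss of an occurring risk
    follows a triangular distribution over (min, most likely, max).
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    totals = []
    for _ in range(runs):
        total = 0.0
        for _name, prob, (low, mode, high) in risks:
            if rng.random() < prob:
                total += rng.triangular(low, high, mode)
        totals.append(total)
    return sorted(totals)


def quantile(sorted_values, q):
    """Empirical q-quantile of an ascending list."""
    return sorted_values[min(len(sorted_values) - 1, int(q * len(sorted_values)))]


def aggregate(risks, equity, runs=20_000, seed=1):
    totals = simulate_totals(risks, runs, seed)
    return {
        "expected_loss": sum(totals) / len(totals),
        "loss_q95": quantile(totals, 0.95),
        "loss_q99": quantile(totals, 0.99),
        # Naive figure: every risk occurs at its maximum in the same year.
        "sum_of_maxima": sum(loss[2] for _n, _p, loss in risks),
        # Share of simulated years in which losses exceed the equity.
        "p_loss_exceeds_equity": sum(t > equity for t in totals) / len(totals),
    }


if __name__ == "__main__":
    for key, value in aggregate(RISKS, EQUITY).items():
        print(f"{key:>22}: {value:,.3f}")
```

The 99% quantile of the simulated total loss stays well below the simple sum of the individual maximum losses, which is why the aggregate is not obtained by adding the individual risks.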

ALARP principle (As Low As Reasonably Practicable) - means that risks should be reduced to a reasonable and feasible level. A risk-benefit analysis can be used to estimate whether the benefits of the product outweigh the residual risk.

RAMS management - ensures that systems are defined, risk analyses are performed, hazard rates are identified, detailed audits are carried out and safety cases are created (RAMS: Reliability, Availability, Maintainability, Safety).

Applications

Corporate risks

Business risk is initially reflected in the volatility of the result (profit or loss), which can be determined by statistical analysis or by means of forward-looking risk aggregation. The extreme form of corporate risk is the risk of insolvency, which expresses the probability that the company, because of inability to pay, cannot meet its obligations in full or at all. The insolvency probability, which depends on the extent of aggregate risk but also on risk-bearing capacity (equity) and profitability, is expressed by the rating (see rating prediction and failure prediction method).

A bankruptcy can be attributed to several factors; a general distinction is made between internal and external causes of insolvency. Internal causes concern activities that emanate directly from the company itself and eventually lead to insolvency, for example bad planning or misjudgments by management. External causes of insolvency relate to factors that act from outside the company, such as structural and cyclical changes in the business environment and the market entry of new competitors.

Under the Law on Control and Transparency in Business (§ 91 para. 2 AktG, 1998), public companies have to set up a monitoring system for the early detection of developments that endanger the continued existence of the company. The board of the AG bears the overall responsibility. An obligation of the board to set up a monitoring system existed under § 76 AktG before the KonTraG entered into force.

For banks, the total economic risk is divided into operational risk (e.g. due to failures in IT), credit risk (i.e. the default of borrowers), counterparty risk (i.e. the failure of counterparties to trades) as a special part of credit risk, liquidity risk (demand deposits cannot be serviced from cash), market liquidity risk (transactions cannot be completed at the expected terms due to a lack of market liquidity) and market risk (e.g. exchange rate risk, interest rate risk). In practice, reputational risk (the risk of reputation loss due to business decisions or the like) is often considered separately from operational risk. Accumulations of risk exposures that are closely related (e.g. due to industry risk or country risk) are referred to in the banking industry as cluster risk.

Risk management in the financial services

The Minimum Requirements for Risk Management (BA) for credit institutions and financial services institutions in Germany provide a framework for appropriate and effective risk management. They are intended to counter abuses in the lending and financial services sector. The processes of risk management relate to:

  • Identification,
  • Assessment,
  • Control and
  • Monitoring and communication of key risks.

The institution has to derive suitable indicators for the early identification of risks, which lead to the establishment and development of a system of risk indicators, a risk early-warning procedure and a risk classification procedure.

For the use of risk quantification, the following is specified:

Since no methods and procedures for risk quantification are capable of fully mapping reality, the fact that the risk values are inaccurate or could underestimate the risk must be taken sufficiently into account when assessing risk-bearing capacity.

In this context, there is also the requirement that significant losses are to be analyzed immediately in terms of their causes. This serves to reveal system vulnerabilities and deficiencies in the risk models, and the statistical determination of loss frequencies (experience feedback).

The minimum requirements for risk management for financial institutions provide a framework for the observance of fiduciary duty when disposing of third-party assets. In case of a breach of fiduciary duty (abuse), the offence of breach of trust under § 266 of the Criminal Code applies.

Risks of the domestic and international financial system

Financial crises are major disruptions in the financial system that are characterized by a decrease in assets and the insolvency of many companies in the financial sector and other sectors, and which affect economic activity in one or more countries. They thus manifest the risk potential of the financial system, as well as the failure of national and international risk management and its supervisory bodies. National and international regulations, such as the Minimum Requirements for Risk Management (BA), Basel II and Basel III, are created for risk control and, as experience shows, updated with each new crisis.

According to Kondratyev, the world economy goes through recurring cycles, each terminated by severe economic turmoil. The mechanisms behind these business cycles are always the same.

The basic mechanisms for the collapse of complex systems, whether in finance or in a complex industrial plant such as a chemical plant or nuclear power plant, are always the same. It is characteristic of these systems that they consist of a practically unmanageable number of components or functional units and achieve the common system result through multi-layered structures of effects. Based on operating experience, the system is constantly improved, so that after a trial period it is regarded as stable and mature. Because of the high risks associated with a failure of the system, these systems are subject to a variety of control mechanisms. The longer a system is operated without major damage, the more it is perceived by its operators and inspectors to be safe. In this state, the security system of the system begins to lose effectiveness. Compromises in favor of the company's success over the security precautions are easier to implement, with the result that undetected errors increasingly accumulate in the system (see Charles Perrow, Normal Accidents, 1984).

In the financial sector, this explains, depending on the position in the current cycle, the call for more or fewer rules in the financial market.

Environmental risks

Environmental risk management is concerned with the handling of environmental risk and, in companies, forms part of both environmental management and risk management. A distinction is made between internal and external environmental risks; external environmental risks may be, for example, a storm or flood. Internal environmental risks originate within the company and can be technical, technological or organizational damage.

There are three different types of environmental risks:

  • Financial risks for a company that arise from changes in the environment or of environmental consciousness of society
  • Risks associated with the liability of the company for environmentally relevant activities and
  • Risks to human health and the ecosystem.

In the area of flood protection, the Flood Risk Management Directive 2007/60/EC was introduced, under which a multi-phase approach to management is required: the preliminary assessment, the creation of flood hazard maps (HWGK) and flood risk maps (HWRK), and the preparation of flood risk management plans (HWRMP) (see also danger zone planning).

In the area of fire protection, fire protection requirements for fire plans are created with standardized protection goals as well as local features.

Technical risks

Security Management (SM) is synonymous with risk management and is defined as: "SM: Performs, directs and coordinates an organization in relation to all security activities." The use of the term "security management" in engineering (in the German language) can be explained by the widespread use of the term "security" in engineering.

Safety Management Systems (SMS) are now in use in all industrial sectors with potential hazards. The need for the introduction and use of SMS arose in virtually all industrial sectors from accident experience, which exposed, in addition to the error possibilities of technology and personnel, serious shortcomings in the organization as key causes of accidents.

In aviation, the need for the introduction of safety management systems (SMS) is justified as follows:

"Safety management is based on the premise that there are always security risks and human errors (safety hazards and human errors). The SMS gives rise to processes that improve communication about these risks and the measures to reduce them. The level of safety and the safety culture of an organization thereby improve in the long term."

Insurance industry

For insurance companies, the assumption of risks is part of the actual business model. Insurance companies limit the likelihood of an above-average burden of claims primarily through reinsurance, by which they limit large losses and accumulation risks.

The underwriting of risks plays a central role in the insurance market as a precursor to insurance. Before a risk can be properly insured, it must be recognized and evaluated, and the way of dealing with the risk must be determined.

Risks of project management

Risk management in projects is concerned with all activities that are employed to prevent or to deal with unplanned events that could jeopardize the project.

Product and medical risks

Product risk is defined as hazards that may fall on the customer (failure, death, destruction) and thus also on the manufacturer (liability, loss of reputation, maintenance). The use of a systematic risk management process is to ensure that product risks are identified, assessed, controlled and monitored during development.

In the development and manufacture of medical devices, among others, the methods of risk management in accordance with the requirements of EN ISO 14971 must be used to deal effectively and safely with the increasing complexity and the associated error rate. Aspects of risk management should be considered over the entire system life cycle of a medical product, i.e. starting with the concept, through development, production, use and use in combination with other medical devices during operation, to disposal.

Software risks

In the development and implementation of information systems, risk management methods are increasingly being used to address the complexity and the associated error-proneness of software products (see Software Engineering). Aspects of risk management should be considered over the entire system life cycle, i.e. starting with the concept, through development or programming, implementation and configuration, and during operation up to decommissioning of the system.

Supply Chain Risk Management

Supply risk management is a part of risk management that deals with the identification, analysis and control of hazards occurring in the procurement environment of a company.

The risks arise from disruptions and delays of the flows within the goods, information and financial network and the social and institutional network.

Mathematical quantities in risk management

  • Annualized Performance
  • Arithmetic return
  • Geometric return
  • Profit
  • Correlation coefficient
  • Average, expected value
  • Performance (risk management)
  • Yield
  • Risk measures
  • Standard deviation
  • Continuous, logarithmic returns
  • Variance
  • Volatility