Risk management: what is it and how to set it up?

Article published on 22 June 2026

Risk management: definition

Risk management is a process that aims to identify, analyse and assess possible risks related to a company’s activity, and to treat them in order to eliminate them or reduce their impact. It is a structured approach, framed by the international standard ISO 31000, which applies to all sectors of activity and all sizes of companies.

This strategy can be very effective in anticipating crisis situations, and in measuring the possible risks associated with a profound transformation or change management (new commercial positioning, digital transformation, internationalization project).

Risk management will thus make it possible to avoid or minimize situations that could jeopardize the achievement of objectives or the sustainability of the company.

Some organizations have specialized risk management teams, led by a risk manager. Wayden also supports industrial companies in this process, in particular through internal audit and compliance management missions.

The different types of risks

  • Financial risks: increase in manufacturing or production costs, fall in demand, drop in turnover, bankruptcy, cash flow problems. In the financial sector, a lack of management control can lead to considerable losses, which is why Wayden commissions industrial management control experts to secure flows.
  • Strategic risks: related to inadequate decision-making or strategic orientations, a shaky mode of governance, the arrival of a new competitor on the market, a change in demand, an obsolete commercial positioning, damage to reputation.
  • Legal, regulatory or statutory risks: compliance of premises, changes in employment law or data processing law, implementation of new standards and legal requirements, disputes. In the healthcare sector, non-compliance with regulations (GDPR, patient data, HAS standards) can lead to heavy penalties and a loss of trust.
  • Environmental risks: their origin is external to the company (political instability, natural disaster, economic crisis, health crisis).
  • Computer and technical risks: cybercrime, breakdowns, technical problems. The figures speak for themselves: the average cost of a cyberattack reaches 466,000 euros for an SME and 13 million euros for a medium-sized company, and 60% of victim companies close their doors within 18 months.
  • Operational risks: reduced productivity (absenteeism, disengagement, teleworking, excessive turnover), limited production capacity. In industry, an unanticipated production line shutdown can cost several hundred thousand euros per day.

How to set up effective risk management?

The implementation of risk management follows four main steps, in accordance with the ISO 31000 framework.

1. Identify the risks

Identifying risks is the first step. Factors that represent a potential hazard should be analysed. This requires a comprehensive internal audit and a careful analysis of the environment and the market.

This will make it possible to research and define the nature of the risk, and to identify its sources, causes and characteristics.

2. Assess the risks

Risk assessment consists of analyzing the issues, the probability of occurrence, the severity and the acceptability of the risk. Parameters such as costs, deadlines, and performance are all indicators that allow us to gauge the degree of risk.

To this end, the ISO 31000 standard “Risk management guidelines” is a reference guide that provides the principles of risk management. In particular, it includes benchmarks for assessing the criticality scale of a risk.

The risk analysis must make it possible to evaluate the actions to be taken: is the risk acceptable? Should it be monitored? Reduced? Or totally eliminated?

3. Treat the risk

If the risk is not acceptable, an elimination or reduction strategy will need to be put in place.

To eliminate a risk, it will be sufficient to remove the causes, and to reassess the project management strategy or, where appropriate, the objectives to be achieved or the means to be deployed.

To reduce a risk, it will be necessary to reduce its probability of occurrence and/or minimize its impact and/or reduce its scope.

Risk management also requires the implementation of prevention systems (quality control, obtaining certifications, competitive and environmental monitoring, employee training, implementation of safety protocols, insurance subscription).

4. Continuously monitor and improve

Risk management does not stop at treatment. It is part of a continuous improvement process: risks evolve, new threats appear, and the systems must be reassessed regularly via management reviews and monitoring indicators.

Risk Management Framework

| Step | Action | Tools | Output |
|---|---|---|---|
| 1. Identify | Audit, risk mapping | Brainstorming, SWOT, feedback | Prioritized list of risks |
| 2. Evaluate | Probability x Severity | Criticality matrix, ISO 31000 | Risk prioritization |
| 3. Treat | Eliminate, reduce, accept or transfer | Action plan, FMEA, insurance | Prevention measures |
| 4. Monitor | Ongoing monitoring, periodic reviews | Dashboards, KPIs, audits | Continuous improvement |

Concrete risk management tools

The Criticality Matrix

The criticality matrix is the most widely used tool in risk management. It crosses two axes: the probability of occurrence (rare, possible, probable, frequent) and the severity of the impact (negligible, moderate, severe, critical). The cross-referencing gives a criticality score that allows you to prioritize the actions:

  • Red zone (high criticality): immediate treatment required
  • Orange zone (medium criticality): action plan to be planned
  • Green zone (low criticality): ongoing monitoring

The FMEA method

FMEA (Failure Mode, Effects and Criticality Analysis) is a structured method for anticipating potential failures of a process, product or system. It evaluates each risk according to three criteria: severity, frequency and detectability.

Historically used in the automotive and aeronautics industries, FMEA now applies to all sectors: health (patient safety), finance (SOX compliance), logistics, services. It allows you to generate preventive and corrective action plans.
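As an added example (not code from the article or from Wayden), the following Python scores a small, constructed security risk register with the criticality matrix levels described above and with an FMEA-style severity x frequency x detectability product; the numeric scores, the zone thresholds and the sample risks are assumptions chosen for illustration.

```python
# Criticality matrix and FMEA scoring for a risk register.
# Level names follow the article; numeric scores, zone thresholds and the
# sample register below are constructed assumptions, not values from the page.
PROBABILITY = {"rare": 1, "possible": 2, "probable": 3, "frequent": 4}
SEVERITY = {"negligible": 1, "moderate": 2, "severe": 3, "critical": 4}


def criticality(probability: str, severity: str) -> int:
    """Criticality score = probability score x severity score (range 1..16)."""
    return PROBABILITY[probability] * SEVERITY[severity]


def zone(score: int) -> str:
    """Map a criticality score to the three treatment zones.
    Thresholds (red >= 9, orange 5..8, green <= 4) are an assumption."""
    if score >= 9:
        return "red"      # immediate treatment required
    if score >= 5:
        return "orange"   # action plan to be planned
    return "green"        # ongoing monitoring


def rpn(severity: int, frequency: int, detectability: int) -> int:
    """FMEA risk priority number: severity x frequency x detectability.
    Each criterion is an integer 1..10; detectability 10 = hardest to detect."""
    for value in (severity, frequency, detectability):
        if not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError("each FMEA criterion must be an integer from 1 to 10")
    return severity * frequency * detectability


# Constructed sample register (illustrative entries only).
REGISTER = [
    {"risk": "Ransomware on file servers", "probability": "probable", "severity": "critical"},
    {"risk": "Backup restore never tested", "probability": "possible", "severity": "severe"},
    {"risk": "Printer firmware out of date", "probability": "frequent", "severity": "negligible"},
]


def prioritise(register):
    """Return the register sorted from highest to lowest criticality, zone attached."""
    scored = []
    for entry in register:
        score = criticality(entry["probability"], entry["severity"])
        scored.append({**entry, "score": score, "zone": zone(score)})
    return sorted(scored, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for row in prioritise(REGISTER):
        print(f"{row['zone']:6} {row['score']:2}  {row['risk']}")
```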

Calling on an interim manager in risk management

Enterprise risk management is an activity in its own right. It is very time-consuming and can be tricky to carry out internally. The lack of time, skills, but also the lack of hindsight make this task all the more complex.

It can therefore be very beneficial to outsource this strategy to an interim manager specializing in risk management. Thanks to his many years of experience, his neutral view and his solid expertise, this risk manager is able to analyse and eliminate the risks incurred by the organisation, whatever they may be.

Wayden provides interim managers specialized in risk management. It is possible to call on them at any time, whether in a preventive context, during change management, or in an emergency, for crisis management (cyberattack, absence of the manager, social conflict, financial instability).

Do you have a risk management or compliance project?

Contact Wayden

Frequently asked questions

What is risk management?

Risk management is a structured process that aims to identify, assess, treat and monitor risks that may affect a company’s activity. It is based on international standards such as ISO 31000 and applies to all sectors.

What tools should be used to manage risks in companies?

The most widespread tools are the criticality matrix (probability x severity crossover), the FMEA method (failure analysis), internal audits, and monitoring dashboards. The choice depends on the sector and the nature of the risks.

What is the cost of unmanaged risks to a company?

The cost varies depending on the nature of the risk. In terms of cybersecurity, the average cost of an attack reaches 466,000 euros for an SME and 13 million euros for a mid-sized company. More broadly, poor risk management can lead to financial losses, regulatory penalties and lasting reputational damage.

Why call on an interim manager for risk management?

An interim manager brings an outside perspective, cutting-edge sector expertise and an ability to act quickly. They are particularly useful during large-scale transformations, crises, or to set up a risk management framework where it does not yet exist.


© Wayden 2026 - All Rights Reserved - Legal