What Is Risk Management & Why Is It Important?


24 Oct 2023

Businesses can’t operate without risk. Economic, technological, environmental, and competitive factors introduce obstacles that companies must not only manage but overcome.

According to PwC’s Global Risk Survey, organizations that embrace strategic risk management are five times more likely to deliver stakeholder confidence and better business outcomes and two times more likely to expect faster revenue growth.

If you want to enhance your job performance and identify and mitigate risk more effectively, here’s a breakdown of what risk management is and why it’s important.


What Is Risk Management?

Risk management is the systematic process of identifying, assessing, and mitigating threats or uncertainties that can affect your organization. It involves analyzing risks’ likelihood and impact, developing strategies to minimize harm, and monitoring measures’ effectiveness.

“Competing successfully in any industry involves some level of risk,” says Harvard Business School Professor Robert Simons, who teaches the online course Strategy Execution. “But high-performing businesses with high-pressure cultures are especially vulnerable. As a manager, you need to know how and why these risks arise and how to avoid them.”

According to Strategy Execution, strategic risk has three main causes:

  • Pressures due to growth: This is often caused by an accelerated rate of expansion that makes staffing or industry knowledge gaps more harmful to your business.
  • Pressures due to culture: While entrepreneurial risk-taking can come with rewards, executive resistance and internal competition can cause problems.
  • Pressures due to information management: Since information is key to effective leadership, gaps in performance measures can result in decentralized decision-making.

These pressures can lead to several types of risk that you must manage or mitigate to avoid reputational, financial, or strategic failures. However, risks aren’t always obvious.

“I think one of the challenges firms face is the ability to properly identify their risks,” says HBS Professor Eugene Soltes in Strategy Execution.

Therefore, it’s crucial to pinpoint unexpected events or conditions that could significantly impede your organization’s business strategy.

Related: Business Strategy vs. Strategy Execution: Which Course Is Right for Me?

According to Strategy Execution, strategic risk comprises:

  • Operations risk: This occurs when internal operational errors interrupt your products or services’ flow. For example, shipping tainted products can negatively affect food distribution companies.
  • Asset impairment risk: When your company’s assets lose a significant portion of their current value because of a decreased likelihood of receiving future cash flows. For instance, losing property assets, like a manufacturing plant, due to a natural disaster.
  • Competitive risk: Changes in the competitive environment can interrupt your organization’s ability to create value and differentiate its offerings—eventually leading to a significant loss in revenue.
  • Franchise risk: When your organization’s value erodes because stakeholders lose confidence in its objectives. This primarily results from failing to control any of the strategic risk sources listed above.

Understanding these risks is essential to ensuring your organization’s long-term success. Here’s a deeper dive into why risk management is important.

4 Reasons Why Risk Management Is Important

1. Protects Your Organization’s Reputation

In many cases, effective risk management proactively protects your organization from incidents that can affect its reputation.

“Franchise risk is a concern for all businesses,” Simons says in Strategy Execution. “However, it’s especially pressing for businesses whose reputations depend on the trust of key constituents.”

For example, airlines are particularly susceptible to franchise risk because of unforeseen events, such as flight delays and cancellations caused by weather or mechanical failure. While such incidents are considered operational risks, they can be incredibly damaging.

In 2016, Delta Airlines experienced a national computer outage, resulting in over 2,000 flight cancellations. Delta not only lost an estimated $150 million but took a hit to its reputation as a reliable airline that prided itself on “canceling cancellations.”

While Delta bounced back, the incident illustrates how mitigating operational errors can make or break your organization.

2. Minimizes Losses

Most businesses create risk management teams to avoid major financial losses. Yet, various risks can still impact their bottom lines.

A Vault Platform study found that dealing with workplace misconduct cost U.S. businesses over $20 billion in 2021. In addition, Soltes says in Strategy Execution that corporate fines for misconduct have risen 40-fold in the U.S. over the last 20 years.

One way to mitigate financial losses related to employee misconduct is by implementing internal controls. According to Strategy Execution, internal controls are the policies and procedures designed to ensure reliable accounting information and safeguard company assets.

“Managers use internal controls to limit the opportunities employees have to expose the business to risk,” Simons says in the course.

One company that could have benefited from implementing internal controls is Volkswagen (VW). In 2015, VW whistle-blowers revealed that the company’s engineers deliberately manipulated diesel vehicles’ emissions data to make them appear more environmentally friendly.

This led to severe consequences, including regulatory penalties, expensive vehicle recalls, and legal settlements—all of which resulted in significant financial losses. By 2018, U.S. authorities had extracted $25 billion in fines, penalties, civil damages, and restitution from the company.

Had VW maintained more rigorous internal controls to ensure transparency, compliance, and proper oversight of its engineering practices, perhaps it could have detected—or even averted—the situation.

Related: What Are Business Ethics & Why Are They Important?

3. Encourages Innovation and Growth

Risk management isn’t just about avoiding negative outcomes. It can also be the catalyst that drives your organization’s innovation and growth.

“Risks may not be pleasant to think about, but they’re inevitable if you want to push your business to innovate and remain competitive,” Simons says in Strategy Execution.

According to PwC, 83 percent of companies’ business strategies focus on growth, despite risks and mixed economic signals. In Strategy Execution, Simons notes that competitive risk is a challenge you must constantly monitor and address.

“Any firm operating in a competitive market must focus its attention on changes in the external environment that could impair its ability to create value for its customers,” Simons says.

This requires incorporating boundary systems—explicit statements that define and communicate risks to avoid—to ensure internal controls don’t extinguish innovation.

“Boundary systems are essential levers in businesses to give people freedom,” Simons says. “In such circumstances, you don’t want to stifle innovation or entrepreneurial behavior by telling people how to do their jobs. And if you want to remain competitive, you’ll need to innovate and adapt.”


Netflix is an example of how risk management can inspire innovation. In the early 2000s, the company was primarily known for its DVD-by-mail rental service. With growing competition from video rental stores, Netflix went against the grain and introduced its streaming service. This changed the market, resulting in a booming industry nearly a decade later.

Netflix’s innovation didn’t stop there. Once the streaming services market became highly competitive, the company shifted once again to gain a competitive edge. It ventured into producing original content, which ultimately helped differentiate its platform and attract additional subscribers.

By offering more freedom within internal controls, you can encourage innovation and constant growth.

4. Enhances Decision-Making

Risk management also provides a structured framework for decision-making. This can be beneficial if your business is inclined toward risks that are difficult to manage.

By pulling data from existing control systems to develop hypothetical scenarios, you can discuss and debate strategies’ efficacy before executing them.

“Interactive control systems are the formal information systems managers use to personally involve themselves in the decision activities of subordinates,” Simons says in Strategy Execution. “Decision activities that relate to and impact strategic uncertainties.”

JPMorgan Chase, one of the most prominent financial institutions in the world, is particularly susceptible to cyber risks because it compiles vast amounts of sensitive customer data. According to PwC, cybersecurity is the number one business risk on managers’ minds, with 78 percent worried about more frequent or broader cyber attacks.

Using data science techniques like machine learning algorithms enables JPMorgan Chase’s leadership not only to detect and prevent cyber attacks but address and mitigate risk.


Start Managing Your Organization's Risk

Risk management is essential to business. While some risk is inevitable, your ability to identify and mitigate it can benefit your organization.

But you can’t plan for everything. According to the Harvard Business Review, some risks are so remote that no one could have imagined them. Some result from a perfect storm of incidents, while others materialize rapidly and on enormous scales.

By taking an online strategy course, you can build the knowledge and skills to identify strategic risks and ensure they don’t undermine your business. For example, through an interactive learning experience, Strategy Execution enables you to draw insights from real-world business examples and better understand how to approach risk management.

Do you want to mitigate your organization’s risks? Explore Strategy Execution—one of our online strategy courses—and download our free strategy e-book to gain the insights to build a successful strategy.


What Is Risk Management? [Definition & Guide]

Last Updated: September 19, 2023

Curiously enough, uncertainty is the most certain part of life. The world will always be filled with uncertainty and with uncertainty inevitably comes risk. Risk management, in its simplest form, is assessing the possibility of something bad happening; i.e. “If I take this action, will it result negatively?”

Negative outcomes are widely understood among humans because of our shared values. Maslow’s hierarchy of needs illustrates those values.


At the most basic level, Maslow’s hierarchy suggests that humans need to be secure physiologically. From there, we need safety. Higher level motivations are then driven by a need for belonging, self-esteem and self-actualization.

If at any point our needs are not being fulfilled, we view the situation as an undesirable consequence. It’s only inevitable that life becomes a series of avoiding these undesirable consequences. Here is an example of what that looks like:

There’s a chance it might rain today, so when you leave your house you bring an umbrella. On the most basic level, you did this to eliminate the risk of getting caught in the rain with no protection, resulting in soaking wet clothes that are physically uncomfortable. You also wanted to stay dry to keep your property safe; smartphones are still not 100% waterproof so you’re avoiding the risk of having to pay for a new phone. You also want to avoid the risk of being cut off from loved ones; ruining your phone ruins your sense of connection. Perhaps you’re heading to a client meeting. If you get absolutely drenched and need to find a change of clothes, you’ll be late and potentially lose the client’s respect. Losing their respect may cost you your job, which you may have worked towards achieving your entire life.

Whether you realize it consciously or not, bringing that umbrella just eliminated a risk that could have crumbled your entire hierarchy of needs.

Risk Management allows you to imagine tomorrow’s surprises today by managing risk.

While packing an umbrella is one of the most basic ways to stay prepared, risk is complex and life is unpredictable. The way humans manage risk is an undertone; we are always subconsciously thinking about the risk-reward tradeoff. Businesses, being powered by humans, naturally follow suit.

When we think about an organization, oftentimes risk-based decisions are made considering the consequences of inaction or taking a particular action. This is how people implicitly operate. However, implicit risk management is not enough to successfully operate a business.

Risk management should also involve a strategic and formalized process. With the right Enterprise Risk Management (ERM) software, your risk management efforts can help you imagine the unimaginable and prepare for what’s to come.

In this guide, we’ll answer what is risk management, detail the makings of a risk management plan, explain why risk management is important, and outline action items for enacting the risk management steps within your risk management plan.


What Is Risk Management?

The risk management process involves identifying and assessing the likelihood of bad situations occurring. Once you have assessed these risks you will want to create a plan for risk mitigation and risk monitoring so that you are in control of potential threats.


Risk Management Types

Now that you understand risk, understanding risk management seems fairly simple. It’s a concept that has been around for ages. However, risk management is an umbrella term that accounts for a number of more granular activities and encompasses the topic of GRC.

Let’s examine risk management as the sum of the following parts:

Enterprise Risk Management (ERM)

Effectively assessing, mitigating, and monitoring risks as you uncover critical risks across your entire enterprise. Ultimately, it helps the company allocate resources effectively to protect its reputation, employees, investors and community.

Incident Management

Reporting, resolving, remediating and preventing incidents — from small hiccups to disasters — in order to protect your workplace by managing risk. An equally important aspect of incident management is giving employees a voice to speak up about any issue.

IT Governance & Security

Protecting your company’s assets, data and reputation by assessing risk and responding to incidents. This involves tracking your company’s technological resources, making sure their vulnerabilities are under control, and creating policies and procedures that are compliant with today’s evolving regulations.

Compliance Management

Tracking regulations that you must adhere to, proving compliance, and staying on top of an ever-changing landscape. Doing so helps you maintain an exemplary reputation and empowers your company to operate under the highest standards of honesty and integrity.

Vendor Management

Ensuring that you’re working with top-notch vendors by managing who your third parties are, what services they provide, what sensitive information they have access to, which internal policies apply to them and so much more.

You can view our complete What is Vendor Management Guide here.

Financial Reporting

Tracking operational activities, attestations, and accountability to improve reporting efficiency and accuracy. This entails identifying risks of non-compliance, designing controls to address vulnerabilities, mapping controls to key objectives, testing controls for effectiveness, and reporting to regulators.

Audit Management

Making sure that every business area within your organization is stacking up and improving accordingly. This means monitoring controls to make sure they are as effective as possible. Internal process, compliance, IT, and facility-driven audits are essential to reduce threats and ineffectiveness and keep your business thriving.

Business Continuity & Disaster Recovery

Knowing which areas of your business are most critical, identifying resources for employees to keep crucial processes functioning and outlining recovery steps should havoc arise. Learn more in this business continuity guide.

Policy Management

Keeping track of the multitudes of policies your company has and creating the basis for which each one is implemented. This also means knowing every person associated with every policy and what their responsibilities are every time one of those processes kicks off.

Risk management should involve all of the areas discussed above. You can look at risk management as a way to proactively catalog organizational concerns and develop plans for how to address them. Once you’ve developed a thoughtful strategy, you enable better performance across your organization.

Why is Risk Management Important?

Realizing the importance of having a strong risk management function can save you money and drastically improve operational performance.

Asking, “What do we need in order to be prepared?” rather than planning a reaction pays dividends in the long run and is a key part of risk analysis.

Not only does having a strong risk management program save you money, but it also enhances performance. In fact, organizations that have a formalized enterprise risk management program tend to have higher valuations thanks to their risk analysis. An independent research study, “The Valuation Implications for Enterprise Risk Management Maturity,” was published in the prestigious Journal of Risk and Insurance. This peer-reviewed and rigorous study conducted by Queen’s University MBA program definitively quantifies a 25% market valuation premium for organizations that have reached mature levels of ERM.

The connection between an organization’s risk management maturity level and market valuation can be better understood by finding out your risk maturity score. The RMM Assessment allows you to score your ERM program on a five-level scale. Immediately after completing the assessment, you’ll receive a benchmarking report that explains your current maturity level and offers actionable ideas for improvement.

For a complimentary copy of the RMM report “Why a Mature ERM Effort is Worth the Investment,” complete a free online RMM assessment here.

Risk Management Examples

Chipotle: Poor Risk Management


Since 2015, Chipotle has maintained notoriety for its repeated cases of food-borne illnesses. As it experienced one E. coli outbreak after another, the company disclosed to investors that its profits had plummeted by 95% in 2016 compared to the year prior. The stock price of company shares also plummeted by 45% the year following the outbreaks.

It turns out that the root cause of the outbreaks could be linked to the company’s decision to shift the process of prepping produce from central commissary kitchens to individual locations. While the initial decision to innovate may have seemed smart at the time, Chipotle did not do its due diligence and monitor the vendor management risks, which led to significant losses.

Wimbledon: Good Risk Management


The most timely demonstration of risk management’s ROI is Wimbledon’s pandemic insurance plan. Over 17 years ago, following the SARS outbreak, Wimbledon purchased pandemic insurance at a rate of around $2 million per year. Fast forward to 2020 and the Wimbledon tennis tournament has been canceled as a result of the COVID-19 pandemic. Instead of suffering tremendous financial losses, Wimbledon is expected to receive an insurance payout of roughly $142 million.

It would be an understatement to say that Wimbledon was a step ahead of the rest of the world in terms of undertaking risk analysis. This was tremendous foresight that could have only been realized through detailed analysis and thoughtful planning; planning that did not happen implicitly.

What is a Risk Management Plan?

Having a clear, formalized risk management plan brings additional visibility into consideration. Standardizing risk management makes identifying systemic issues that affect your entire organization simple. The ideal risk management plan serves as a roadmap for improving performance by helping you understand key dependencies, risk analysis, and control effectiveness. With proper implementation of your plan, you ultimately should be able to better allocate time and resources towards what matters most.

Since every business has its own unique set of risks, it’s important to create a customized risk management plan for your organization. Profit motive, brand, size, industry, market share and many more characteristics all will prescribe your risk management program. That being said, all plans should be standardized, meaningful and actionable. The same framework for defining the steps within your risk management plan can be applied across the board.

Risk Management Steps

Step #1: Identify

Implementing risk identification techniques across your organization should be the first step to developing your risk management program. Note that it’s not enough to simply identify what happened; the most effective risk identification techniques focus on root cause. This allows you to identify systemic issues so that you can design controls that eliminate the cost and time of duplicate effort.

Step #2: Assess

Assessing risk in a uniform fashion is the hallmark of a healthy risk management system. Collect and analyze data so that you can determine the likelihood of any given risk and then prioritize your remediation efforts using risk prioritization best practices.

It is also imperative to calculate your own risk appetite levels so that you can determine how much risk your organization is willing to accept.

Step #3: Mitigate

Risk mitigation is defined as the process of reducing risk exposure and minimizing the likelihood of an incident. Your top risks and concerns need to be continually addressed to ensure your business is fully protected.

Step #4: Monitor

Monitoring risk should be an ongoing and proactive process. It involves testing, metric collection, and incident remediation to certify that your controls are effective. It also allows you to identify and address emerging trends to determine whether or not you’re making progress on your initiatives.

Step #5: Connect

Create relationships between risks, business units, mitigation activities, and more to create a cohesive picture of your organization. This allows you to recognize upstream and downstream dependencies, identify systemic risks and design centralized controls. When you eliminate silos, you eliminate the chances of missing critical pieces of information.

Step #6: Report

Presenting information about your risk management program in an engaging way demonstrates effectiveness and can rally the support of various stakeholders. Develop a risk metrics and key risk indicators report that centralizes your information and gives a dynamic view of your company’s risk profile.

The ultimate goal of your risk management plan is to be as accessible and intuitive as possible. Even the most intentional and holistic plan will not be effective unless it is transparent and efficient. The best way to ensure a successful risk management program is by investing in smart software.

Frequently Asked Questions

What Is the First Step in the Risk Management Process?

The first step in the risk management process is to identify the risks that are likely to occur. The company will need to identify the risks related to their business by conducting a risk assessment based on surrounding areas that could potentially affect them.

What Are Different Ways To Manage Risk?

Risk avoidance and risk mitigation are the two main ways companies try to manage their risks. Risk avoidance is when a company tries to avoid taking on certain risks that could have negative effects. Risk mitigation is when a company tries to reduce the impact of risks that they are taking on. These actions will help companies manage their risk level.

What Are Some Benefits Of Risk Management?

Some benefits of risk management are saved time and money, better customer service, improved decision making by employees, increased productivity, decreased turnover rates among employees and increased profits for the company.

Why Is Risk Management Important?

Risk management is important as it helps reduce the impact of risks on business operations. If a company were to not take any risk management measures, this could lead to serious consequences where the company may incur great losses or even go bankrupt.

Your ERM platform should enable you to bridge the gap between organizational silos. It should take a risk-based approach and allow you to manage all of your information with a common framework. This is the most clear-cut path to driving results.

LogicManager’s ERM software is built on the very idea that silos hinder success. It empowers organizations to anticipate what’s ahead, uphold their reputation and improve business performance through strong governance.

Now more than ever, risk and understanding both ERM and ESG should be top-of-mind for every organization. Social platforms like Twitter, Facebook, Glassdoor and Yelp have empowered consumers to monumentally impact a company’s reputation. Corporate mishaps can now be instantly shared, magnified and multiplied. With this unprecedented control of the market, it’s no wonder there are multitudes of corporate scandals dominating news headlines.

Unlike the undesirable outcomes that we try so hard to steer clear of in our daily lives, undesirable outcomes in business are avoidable as long as you’re equipped with the right tools and services. Gone are the days of corporate risk management being recognized as merely a part of compliance. If you’re truly aiming to realize the full potential of your business, it’s critical to keep risk management top-of-mind.

Transforming risk management

Utz Schäffer

WHU – Otto Beisheim School of Management, Vallendar, Germany

Florian Storek

Janssen, Neuss, Germany

In an increasingly volatile and uncertain world, organizational risk management is critical. However, it tends to be perceived as a rather bureaucratic activity with a one-sided focus on known risks. Against this backdrop, we analyze the status quo of corporate risk management and develop a four-step approach to make risk management more effective.

In many large companies, risk management practices have grown organically and reflect the perceived risks and regulatory requirements of the organization's different functions, regions, and businesses. At the same time, sufficient top management attention and a comprehensive top-down approach to risk governance are frequently missing (cf. Gius et al. 2018). As a consequence, risk management tends to be characterized by multiple players, processes, and interfaces. Since the roles and responsibilities of these players are often not sufficiently clarified and aligned, risk identification and assessment activities tend to exist in parallel or are even duplicated, interfaces are often not clearly defined, and an integrative perspective, the "big picture" of risk management, may be lacking. Controllers often assess the risks and opportunities of a business throughout the internal planning process. In contrast, risk managers evaluate the same risks for external risk reporting - likely with different results. Such a lack of alignment is neither efficient nor effective. It provides a breeding ground for internal politics and a situation where risk-related knowledge is not shared and organizational learning is hampered. To be clear: we are not advocating that risk management should necessarily be centralized or performed by one corporate actor alone. However, we are saying that risk management activities ought to be aligned and comprehensively governed across functions, regions, and businesses.

Risk management often neglects strategic and uncontrollable risks

Preventable risks arising from within the company such as quality, supply chain, and compliance risks are manifold. They can cause substantial damage, offer no strategic benefit, and are often subject to regulatory requirements. Companies, therefore, tend to employ boundaries and formalized processes around standard operating procedures and internal control systems to eliminate or avoid these risks (cf. Kaplan/Mikes 2012). Risk managers, in turn, focus on this type of risk and the respective formalized procedures (cf. Gius et al. 2018; Taleb/Goldstein/Spitznagel 2009). Other risks which require a different approach tend to be neglected, as a recent study of the WHU Controller Panel shows: strategic business risks which companies incur to obtain higher returns and the risk of external shocks such as 9/11 or COVID-19 both receive less management attention than operational and compliance risks (cf. Schäffer/Brückner 2021). In a context of intense competition and volatile, uncertain, complex, and ambiguous environments, such neglect of strategic business risks and external, uncontrollable risks seems far from optimal.

Managers oftentimes do not act as first line of defense

According to the Three Lines of Defense model (Institute of Internal Auditors 2020), managers should be fully accountable for reaching organizational objectives and act as the first line of defense in risk management. However, most managers tend to focus on business opportunities rather than risk. They have learned that ignoring or even denying risks can help to get investment proposals accepted (Levy et al. 2015). In addition, they may simply lack the resources for effective risk management or have become used to risk managers and other service providers (such as compliance officers, quality officers or controllers) taking care of the identification, assessment, and mitigation of risks. Consequently, risk management is mostly perceived as a downstream activity that reactively deals with the risks created by previous decisions. Managers are often frustrated with the "paperwork" and the formalized nature of risk procedures rather than seeing the benefits of integrating risk management considerations into strategic decision-making.

A four-step approach to effective risk management

Most of the challenges mentioned above are difficult to address since organizational routines that deal with risk are often taken for granted and deeply embedded in the corporate DNA. Vested interests and internal politics form additional barriers to change. Against that backdrop, we propose a four-step approach (see Figure 1) to increase the effectiveness of corporate risk management and leave it to the discretion of individual companies to what extent they approach the steps sequentially or in parallel.

[Figure 1: image 12176_2021_435_Fig1_HTML.jpg not reproduced]

Step 1: Map risk management activities

As a first step, it is helpful to map the status quo by creating an overview of existing activities across organizational units, hierarchy levels, and risk types. Managers should make sure that they do not limit this exercise to known risks that risk managers or other internal service providers are already dealing with. On the contrary, they need to make sure that preventable risks, strategic business risks, and external, uncontrollable risks are all covered in the mapping of risk-related management activities, and that overlaps, parallel work, relevant interfaces, and white spots are identified. Finally, the proclaimed relevance of different risk types should be compared with the actual management attention given to the respective risks: is the management team walking the (risk) talk? One way of doing this is to measure the time allocated to different risk types during board and annual business review meetings and to compare it with the statements of senior board members about the importance of operational and strategic, internal and external, and known and unknown risks.

Step 2: Establish clear governance principles

In the second step, managers should leverage the transparency created by the mapping exercise to ensure proper distribution of management attention and to develop or fine-tune a shared risk management language as well as a set of risk oversight and governance principles. While this might sound straightforward, we firmly believe that any set of governance principles will only be implemented successfully if top management understands the importance of effective and coordinated risk management and develops a shared understanding of the company's risk profile across all the risk types mentioned above. In addition, the principles need to

  • emphasize the role of management as the owner of all risks and define risk ownership for all relevant risk categories in the "first line of defense" accordingly,
  • provide a clear definition of the role of supporting staff groups (i.e., risk managers, controllers, strategists, etc.) and clearly outline the type of support these staff groups should provide,
  • provide suitable incentives to ensure that all relevant business decisions are based on an analysis of both risks and opportunities (cf. Gleißner/Romeike 2020),
  • define interfaces and encourage coordination between the staff groups mentioned above. Aligning key parameters for planning and risk management, for example, can be a pragmatic first step to improving the collaboration of risk managers, controllers, and strategists (cf. Angermüller/Gleissner 2011),
  • take account of the fact that requirements might differ across the company's regions, business models, and business units,
  • and, finally, be communicated, enforced, and continuously improved under the oversight of top management, e.g., via a risk committee chaired by the CEO or the CFO (cf. Tonello 2012).

Step 3: Rethink the role of risk managers

With a shared understanding of the company's risk management activities and clear governance principles in place, corporate risk managers and other staff groups can embark on their journey to change their focus from running the process of managing operational and compliance risks to supporting the management of strategic business risks and external, uncontrollable risks.

As a first step, we recommend freeing up support resources for the management of strategic business risks and external, uncontrollable risks by combining two levers. Firstly, CEOs and CFOs need to make sure that risk managers and controllers do not "run" the whole process of managing preventable risks but rather support managers as risk owners and the first line of defense in the process of identifying, assessing, and mitigating risks. Secondly, top management should foster the use of big data and analytics and the automation of risk-related reporting, monitoring, and, if possible, mitigation activities. Both levers should free up resources that can then be used to shift the role of risk managers and controllers from operating the management of operational and compliance risks to becoming full-fledged business partners with a stronger focus on strategic risks.

To succeed in this endeavor, staff groups need to complement the support for existing risk management processes with a new role that focuses on enabling the first line of defense and facilitating the corporate risk dialogue by

  • facilitating discussions on strategic business risks, utilizing methodologies such as scenario analyses, war games, and similar formats,
  • providing relevant frameworks, techniques, and risk management expertise,
  • raising awareness of cognitive biases in the risk management process and employing debiasing techniques,
  • ensuring adequate monitoring of strategic business risks as well as risk signposts and early warning indicators,
  • being involved in business continuity management activities and making sure that these activities are sufficiently aligned with other risk management activities,
  • challenging and assessing the appropriateness of given risk assessment and mitigation strategies,
  • and, last but not least, ensuring that the dialogue results in risk-related decisions and initiatives (cf. Schäffer/Brückner 2021; Gleißner 2020).

Making the outlined changes in the risk-related role profile of managers and staff groups work requires additional competencies among risk managers and controllers. For example, staff group members might need to develop business acumen, strategic thinking, competencies in digital technologies and analytics, as well as communication and collaboration skills. However, changing the competency profile of risk managers and controllers is not enough.

Step 4: Foster an appropriate risk culture

Guidelines and changes in the profile of staff groups alone will not be enough to make management accept its role as the first line of defense across risk types. Therefore, top management needs to complement the first three steps with a cultural change effort and make sure that the sum of mindsets and behavioral norms that determine how an organization identifies and manages risks (cf. Higgins et al. 2020) is adequate. This process can be kicked off after completing step three or can be carried out simultaneously. To get started, managers and staff groups must analyze the existing risk culture and answer the following questions:

  • Is there a sufficient degree of risk-related transparency?
  • What is considered to be the adequate level of risk appetite, and for what type of risk? Is this appetite clearly defined, communicated, and monitored?
  • Is the organization characterized by an open exchange of risk-related information across functions and hierarchy levels? Is the corporate risk dialogue open and candid or rather political, especially when it comes to strategic business decisions?
  • To what extent does the organization derive sufficient learnings from failures?
  • To what extent are insights from the risk management process translated into managerial action?
  • To what degree does management feel accountable for all relevant risk types? To what extent does management accept its role as the first line of defense?
  • Is the risk culture in place sufficiently aligned with the overall management culture and incentive schemes?

Based on an honest discussion of these questions, top management needs to analyze where the status quo is counterproductive to the intended changes in risk management and then initiate cultural change. This process may contain the usual elements of change processes such as intensive communication, training, and workshops at all hierarchy levels, but also changes in compensation schemes and staffing. Role modeling from the top and a long-term approach are paramount. Let us be clear: cultural change is a marathon, not a sprint.

Many companies suffer from formalized, bureaucratic risk management processes that are mainly delegated to functional experts and do not focus enough on strategic risk management. This frequently leads to frustrations and cynicism. To help corporate risk management realize its full potential and to add value, we recommend a comprehensive approach that starts out with mapping risk management activities across organizational units, hierarchy levels, and risk types and implements clear risk oversight and governance principles. Once this is done, companies can embark on a journey to transform their risk management practices. They need to make sure that managers themselves are in the driver's seat and act as the first line of defense across different risk types - internal and external, operational and strategic. Risk managers and other involved staff groups should be enabled to add value as business partners and centers of expertise in supporting risk-aware strategic business decisions. Finally, companies must put effort into fostering and developing an appropriate risk culture.

Angermüller, N. O./Gleißner, W. (2011): Verbindung von Controlling und Risikomanagement: Eine empirische Studie der Gegebenheiten bei H-DAX Unternehmen, in: Controlling, 23 (6), pp. 308-316.

Gius, D./Mieszala, J.-C./Panayiotou, E./Poppensieker, T. (2018): Value and resilience through better risk management, https://go.sn.pub/2Z5RHi (latest view: 11.09.2021).

Gleißner, W. (2020): Risikomanagement: Gegenwart und Zukunft, in: Rethinking Finance, 2020 (4), pp. 24-28.

Gleißner, W./Romeike, F. (2020): Entscheidungsorientiertes Risikomanagement nach DIIR RS Nr.2, in: Der Aufsichtsrat, 2020 (4), pp. 55-57.

Higgins, R./Liou, G./Maurenbrecher, S./Poppensieker, T./White, O. (2020): Strengthening institutional risk and integrity culture, https://go.sn.pub/xGLU5f (latest view: 11.09.2021).

Institute of Internal Auditors (2020): The IIA's three lines model: an update of the three lines of defense, https://go.sn.pub/P9jLYl (latest view: 11.09.2021).

Kaplan, R. S./Mikes, A. (2012): Managing risks: a new framework, https://hbr.org/2012/06/managing-risks-a-new-framework (latest view: 11.09.2021).

Levy, C./Krivkovich, A./El Ouali, M./Graf, J. (2015): Managing the people side of risk - risk culture transformation, https://go.sn.pub/IV1bIU (latest view: 11.09.2021).

Schäffer, U./Brückner, L. (2021): Fünf Herausforderungen für das Risiko-Management, in: Controlling & Management Review, 65 (4), pp. 52-59. https://go.sn.pub/w7chSW

Taleb, N./Goldstein, D./Spitznagel, M. (2009): The six mistakes executives make in risk management, in: Harvard Business Review, 87 (10), pp. 81-85.

Tonello, M. (2012): Should your board have a separate risk committee?, https://go.sn.pub/u3mkGu (latest view: 11.09.2021).

  • Within corporate risk management, strategic business risks and external, uncontrollable risks are frequently given insufficient attention.
  • To counteract this, the authors have developed a four-step approach to make risk management more effective.
  • The authors' approach encompasses mapping risk management activities, establishing clear governance principles, rethinking the role of risk managers, and fostering an appropriate risk culture.


Biographies

is a Director of the Institute of Management Accounting and Control (IMC) of WHU - Otto Beisheim School of Management, Vallendar, and Co-Editor of the Controlling & Management Review.

is Head of Operational Excellence & Governance Germany at Janssen Europe, Middle East & Africa, Neuss.


A review of supply chain risk management: definition, theory, and research agenda

International Journal of Physical Distribution & Logistics Management

ISSN : 0960-0035

Article publication date: 11 January 2018

Issue publication date: 22 March 2018

Purpose

The purpose of this paper is to review the extant literature on supply chain risk management (SCRM, including risk identification, assessment, treatment, and monitoring), developing a comprehensive definition and conceptual framework; to evaluate prior theory use; and to identify future research directions.

Design/methodology/approach

A systematic literature review of 354 articles (published 2000-2016) based on descriptive, thematic, and content analysis.

Findings

There has been a considerable focus on identifying risk types and proposing risk mitigation strategies. Research has emphasised organisational responses to supply chain risks and made only limited use of theory. Ten key future research directions are identified.

Research limitations/implications

A broad, contemporary understanding of SCRM is provided; and a new, comprehensive definition is presented covering the process, pathway, and objectives of SCRM, leading to a conceptual framework. The research agenda guides future work towards maturation of the discipline.

Practical implications

Managers are encouraged to adopt a holistic approach to SCRM. Guidance is provided on how to select appropriate risk treatment actions according to the probability and impact of a risk.

Originality/value

The first review to consider theory use in SCRM research and to use four SCRM stages to structure the review.

  • Supply chain risk
  • Risk management
  • Supply chain risk management (SCRM)
  • Systematic literature review (SLR)

Fan, Y. and Stevenson, M. (2018), "A review of supply chain risk management: definition, theory, and research agenda", International Journal of Physical Distribution & Logistics Management , Vol. 48 No. 3, pp. 205-230. https://doi.org/10.1108/IJPDLM-01-2017-0043

Emerald Publishing Limited

Copyright © 2018, Emerald Publishing Limited


Value and resilience through better risk management

Today’s corporate leaders navigate a complex environment that is changing at an ever-accelerating pace. Digital technology underlies much of the change. Business models are being transformed by new waves of automation, based on robotics and artificial intelligence. Producers and consumers are making faster decisions, with preferences shifting under the influence of social media and trending news. New types of digital companies are exploiting the changes, disrupting traditional market leaders and business models. And as companies digitize more parts of their organization, the danger of cyberattacks and breaches of all kinds grows.


Beyond cyberspace, the risk environment is equally challenging. Regulation enjoys broad popular support in many sectors and regions; where it is tightening, it is putting stresses on profitability. Climate change is affecting operations and consumers and regulators are also making demands for better business conduct in relation to the natural environment. Geopolitical uncertainties alter business conditions and challenge the footprints of multinationals. Corporate reputations are vulnerable to single events, as risks once thought to have a limited probability of occurrence are actually materializing.

The role of the board and senior executives

Risk management at nonfinancial companies has not kept pace with this evolution. For many nonfinancial corporates, risk management remains an underdeveloped and siloed capability in the organization, receiving limited attention from the most senior leaders. From over 1,100 respondents to McKinsey’s Global Board Survey for 2017, we discovered that risk management remains a relatively low-priority topic at board meetings (exhibit).

A long way to go

Boards spend only 9 percent of their time on risk—slightly less than they did in 2015. Other questions in the survey revealed that only 6 percent of respondents believe that they are effective in managing risk (again, less than in 2015). Some individual risk areas are relatively neglected, and even cybersecurity, a core risk area with increasing importance, is addressed by only 36 percent of boards. While many senior executives stay focused on strategy and performance management, they often fail to challenge capabilities or strategic decisions from a risk perspective (see sidebar, “A long way to go”). A reactive approach to risks remains too common, with action taken only after things go wrong. The result is that boards and senior executives needlessly put their companies at risk, while personally taking on higher legal and reputational liabilities.

Boards have a critical role to play in developing risk-management capabilities at the companies they oversee. First, boards need to ensure that a robust risk-management operating model is in place. Such a model allows companies to understand and prioritize risks, set their risk appetite, and measure their performance against these risks. The model should enable the board and senior executives to work with businesses to eliminate exposures outside the company’s appetite statement, reducing the risk profile where warranted, through such means as quality controls and other operational processes. On strategic opportunities and risk trade-offs, boards should foster explicit discussions and decision making among top management and the businesses. This will enable the efficient deployment of scarce risk resources and the active, coordinated management of risks across the organization. Companies will then be prepared to address and manage emerging crises when risks do materialize.

A sectoral view of risks

Most companies operate in a complex, industry-specific risk environment. They must navigate macroeconomic and geopolitical uncertainties and face risks arising in the areas of strategy, finance, products, operations, and compliance and conduct. In some sectors, companies have developed advanced approaches to managing risks that are specific to their business models. These approaches can sustain significant value. At the same time companies are challenged by emerging types of risks for which they need to develop effective mitigation plans; in their absence, the losses from serious risk events can be crippling.

  • Automotive companies are controlling supply-chain risks with sophisticated monitoring models that allow OEMs to identify potential risks upfront across the supply chain. At the same time, auto companies must address the strategic challenge of shifting toward electric-powered and autonomous vehicles.
  • Pharma companies seek to manage the downside risk of large investments in their product portfolio and pipeline, while addressing product quality and patient safety to comply with relevant regulatory requirements.
  • Oil and gas, steel, and energy companies apply advanced approaches to manage the negative effects of financial markets and commodity-price volatility. As social and political demands for cleaner energy are increasing, these companies are actively pursuing growth opportunities to shift their portfolios in anticipation of an energy transition and a low-carbon future.
  • Consumer-goods companies protect their reputation and brand value through sound practices to manage product quality as well as labor conditions in their production facilities. Yet they are constantly challenged to meet consumers’ ever-changing tastes and needs, as well as consumer-protection regulations.

Toward proactive risk management

An approach based on adherence to minimum regulatory standards and avoidance of financial loss creates risk in itself. In a passive stance, companies cannot shape an optimal risk profile according to their business models nor adequately manage a fast-moving crisis. Eschewing a risk approach comprised of short-term performance initiatives focused on revenue and costs, top performers deem risk management as a strategic asset, which can sustain significant value over the long term. Inherent in the proactive approach are several essential components.

Strategic decision making

More rigorous, debiased strategic decision making can enhance the longer-term resilience of a company’s business model, particularly in volatile markets or externally challenged industries. Research shows that the active, regular reevaluation of resource allocation, based on sound assessments of risk and return trade-offs (such as entering markets where the business model is superior to the competition), creates more value and better shareholder returns.[1] Flexibility is empowering in a dynamic marketplace. Many companies use hedging strategies to insure against market uncertainties. Airlines, for example, have been known to hedge future exposures to fuel-price fluctuations, a move that can help maintain profitability when prices climb. Likewise, strategic investing, based on a longer-term perspective and a deep understanding of a company’s core proposition, generates more value than opportunistic moves aiming at a short-term bump in the share price.

[1] See, for example, Yuval Atsmon, “How nimble resource allocation can double your company’s value,” August 2016; William N. Thorndike, Jr., The Outsiders: Eight Unconventional CEOs and Their Radically Rational Blueprint for Success, Boston, MA: Harvard Business Review Press, 2012; Rebecca Darr and Tim Koller, “How to build an alliance against corporate short-termism,” January 2017.

Debiasing and stress-testing

Approaches that include debiasing and stress-testing help senior executives consider previously overlooked sources of uncertainty to judge whether the company’s risk-bearing capacity can absorb their potential impact. A utility in Germany, for example, improved decision making by taking action to mitigate behavioral biases. As a result, it separated its renewables business from its conventional power-generation operations. In the aftermath of the Fukushima disaster, which sharply raised interest in environmentally friendly power generation, the utility’s move led to a significant positive effect on its share price (15 percent above the industry index).

Higher-quality products and safety standards

Investments in product quality and safety standards can bring significant returns. One form this takes in the energy sector is reduced damage and maintenance costs. At one international energy company, improved safety standards led to a 30 percent reduction in the frequency of hazardous incidents. Auto companies with reputations built on safety can command higher prices for their vehicles, while the better reputation created by higher quality standards in pharma creates obvious advantages. As well as the boost in demand that comes from a reputation for quality, companies can significantly reduce their remediation costs—McKinsey research suggests that pharma companies suffering from quality issues lose annual revenue equal to 4 to 5 percent of cost of goods sold.

Comprehensive operative controls

These can lead to more efficient and effective processes that are less prone to disruption when risks materialize. In the auto sector, companies can ensure stable production and sales by mitigating the risk of supply-chain disruption. Following the 2011 earthquake and tsunami, a leading automaker probed potential supply bottlenecks and took appropriate action. After an earthquake in 2016, the company quickly redirected production of affected parts to other locations, avoiding costly disruptions. In high-tech, companies applying superior supply-chain risk management can achieve lasting cost savings and higher margins. One global computer company addressed these risks with a dedicated program that saved $500 million during its first six years. The program used risk-informed contracts, enabling suppliers to lower the costs and risks of doing business with the company. The measures achieved supply assurance for key components, particularly during market shortages, improved cost predictability for components that have volatile costs, and optimized inventory levels internally and at suppliers.

Stronger ethical and societal standards

To achieve standing among customers, employees, business partners, and the public, companies can apply ethical controls on corporate practices end to end. If appropriately publicized and linked to corporate social responsibility, a program of better ethical standards can achieve significant returns in the form of heightened reputation and brand recognition. Customers, for example, are increasingly willing to pay a premium for products of companies that adhere to tighter standards. Employees too appreciate being associated with more ethical companies, offering a better working environment and contributing to society.

The three dimensions of effective risk management

Ideally, risk management and compliance are addressed as strategic priorities by corporate leadership and day-to-day management. More often the reality is that these areas are delegated to a few people at the corporate center working in isolation from the rest of the business. By contrast, revenue growth or cost savings are deeply embedded in corporate culture, linked explicitly to profit-and-loss (P&L) performance at the company level. Somewhere in the middle are specific control capabilities regarding, for example, product safety, secure IT development and deployment, or financial auditing.


To change this picture, leadership must commit to building robust, effective risk management. The project is three-dimensional: 1) the risk operating model, consisting of the main risk management processes; 2) a governance and accountability structure around these processes, leading from the business up to the board level; and 3) best-practice crisis preparedness, including a well-articulated response playbook if the worst case materializes.

1. Developing an effective risk operating model

The operating model consists of two layers, an enterprise risk management (ERM) framework and individual frameworks for each type of risk. The ERM framework is used to identify risks across the organization, define the overall risk appetite, and implement the appropriate controls to ensure that the risk appetite is respected. Finally, the overarching framework puts in place a system of timely reporting and corresponding actions on risk to the board and senior management. The risk-specific frameworks address all risks that are being managed. These can be grouped in categories, such as financial, nonfinancial, and strategic. Financial risks, such as liquidity, market, and credit risks, are managed by adhering to appropriate limit structures; nonfinancial risks, by implementing adequate process controls; strategic risks, by challenging key decisions with formalized approaches such as debiasing, scenario analyses, and stress testing. While financial and strategic risks are typically managed according to the risk-return trade-off, for nonfinancial risks, the potential downside is often the key consideration.

Finding the right level of risk appetite

Companies need to find the right level of risk appetite, which helps ensure long-term resilience and performance. Risk appetite that is too relaxed or too restrictive can have severe consequences on company financials, as the following two examples indicate:

Too relaxed. One nuclear energy company set its standards for steel equipment in the 1980s and did not review them even when the regulations changed. When the new higher standards were applied to the manufacture of equipment for nuclear power plants, the company fell short of compliance. An earlier adaptation of its risk appetite and tolerance levels would have been significantly less costly.

Too restrictive. A pharma company set quality tolerances to produce a drug to a significantly stricter level than what was required by regulation. At the beginning of production, tolerance intervals could be fulfilled, but over time, quality could no longer be assured at the initial level. The company was unable to lower standards, as these had been communicated to the regulators. Ultimately, production processes had to be upgraded at a significant cost to maintain the original tolerances.

As well as assessing risk based on likelihood and impact, companies must also assess their ability to respond to emerging risks. Capabilities and capacities needed to manage these risks should be evaluated and gaps filled accordingly. Of particular importance in crisis management is the timeliness of an effective response when things go awry. The highly likely, high-impact risk events on which risk management focuses most of its attention often emerge with disarming velocity, taking many companies unawares. To be effective, the enterprise risk management framework must ensure that the two layers are seamlessly integrated. It does this by providing clarity on risk definitions and appetite as well as controls and reporting.

  • Taxonomy. A company-wide risk taxonomy should clearly and comprehensively define risks; the taxonomy should be strictly respected in the definition of risk appetite, in the development of risk policy and strategy, and in risk reporting. Taxonomies are usually industry-specific, covering strategic, regulatory, and product risks relevant to the industry. They are also determined by company characteristics, including the business model and geographical footprint (to incorporate specific country and legal risks). Proven risk-assessment tools need to be adopted and enhanced continuously with new techniques, so that newer risks (such as cyberrisk) are addressed as well as more familiar risks.
  • Risk appetite. A clear definition of risk appetite will translate risk-return trade-offs into explicit thresholds and limits for financial and strategic risks, such as economic capital, cash-flow at risk, or stressed metrics. In the case of nonfinancial risks like operational and compliance risks, the risk appetite will be based on overall loss limits, categorized into inherent and residual risks (see sidebar, “Finding the right level of risk appetite”).
  • Risk control processes. Effective risk control processes ensure that risk thresholds for the specified risk appetite are upheld at all levels of the organization. Leading companies are increasingly building their control processes around big data and advanced analytics. These powerful new capabilities can greatly increase the effectiveness and efficiency of risk monitoring processes. Machine-learning tools, for example, can be very effective in monitoring fraud and prioritizing investigations; automated natural language processing within complaints management can be used to monitor conduct risk.
  • Risk reporting. Decision making should be informed with risk reporting. Companies can regularly provide boards and senior executives with insights on risk, identifying the most relevant strategic risks. The objective is to ensure that an independent risk view, encompassing all levels of the organization, is embedded into the planning process. In this way, the risk profile can be upheld in the management of business initiatives and decisions affecting the quality of processes and products. Techniques like debiasing and the use of scenarios can help overcome biases toward fulfilment of short-term goals. A North American oil producer developed a strategic hypothesis given uncertainties in global and regional oil markets. The company used risk modelling to test assumptions about cash flow under different scenarios and embedded these analyses into the reports reviewed by senior management and the board. Weak points in the strategy were thereby identified and mitigating actions taken.

2. Toward robust risk governance, organization, and culture

The risk operating model must be managed through an effective governance structure and organization with clear accountabilities. The governance model maintains a risk culture that strongly reinforces better risk and compliance management across the three lines of defense—business and operations, the compliance and risk functions, and audit. The approach recognizes the inherent contradiction in the first line between performance (revenue and costs) and risk (losses). The role of the second line is to review and challenge the first line on the effectiveness of its risk processes and controls, while the third line, audit, ensures that lines one and two are functioning as intended.

  • Three lines of defense. Effective implementation of the three lines involves the sharp definition of lines one and two at all levels, from the group level through the lines of business, to the regional and legal entity levels. Accountabilities regarding risk and control management must be clear. Risk governance may differ by risk type: financial risks are usually managed centrally, while operational risks are deeply embedded into company processes. The operational risk of any line of business is managed by the business owning the product-development, production, and sales processes. This usually translates into forms of quality control, but the business must also balance the broader impact of risk and P&L. In the development of new diesel engines, automakers lost sight of the balance between compliance risk and the additional cost to meet emission standards, with disastrous results. Risk or compliance functions can only complement these activities by independently reviewing the adequacy of operational risk management, such as through technical standards and controls.
  • Reviewing the risk appetite and risk profile. Of central importance within the governance structure are the committees that define the risk appetite, including the parameters for doing business. These committees also make specific decisions on top risks and review the control environment for enhancements as the company’s risk profile changes. Good governance in this case means that risk decisions are considered within the existing divisional, regional, and senior-management governance structure of a company, supported by risk, compliance, and audit committees.
  • Integrated risk and compliance governance setup. A robust and adequately staffed risk and compliance organization supports all risk processes. The integrated risk and compliance organization provides for single ownership of the group-wide ERM framework and standards, appropriate clustering of second-line functions, a clear matrix between divisions and control functions, and centralized or local control as needed. A clear trend is observable whereby the ERM layer responsible for group-wide standards, risk processes, and reporting becomes consolidated, whereas the expert teams setting and monitoring specific control standards for the business (including standards for commercial, technical compliance, IT or cyberrisks) become specialized teams covering both regulatory compliance as well as risk aspects.
  • Resources. Appropriate resources are a critical factor in successful risk governance. The size of the compliance, risk, audit, and legal functions of nonfinancial companies (0.5 for every 100 employees, on average) is usually much smaller than that of banks (6.9 for every 100 employees). The disparity is partly a natural outcome of financial regulation, but some part of it reflects a capability gap in nonfinancial corporates. These companies usually devote most of their risk and control resources to sector-specific areas, such as health and safety for airlines and nuclear power companies or quality assurance for pharmaceutical companies. The same companies can, however, neglect to provide sufficient resources to monitor highly significant risks, such as cyberrisk or large investments.
  • Risk culture. An enhanced risk culture covers mind-sets and behaviors across the organization. A shared understanding is fostered of key risks and risk management, with leaders acting as role models. Especially important are capability-building programs on risk as well as formal mechanisms to assess and reinforce sound risk management practices.

3. Crisis preparedness and response

A high-performing, effective risk operating model and governance structure, together with a well-developed risk culture, minimize the probability of corporate crises, without, of course, completely eliminating them. When unexpected crises strike at high velocity, multinational companies can lose billions in value in the first days and soon find themselves struggling to keep their market position. A best-in-class risk management environment provides the ideal conditions for preparation and response.

  • Ensure board leadership. The most important action companies can take to prepare for crises is to ensure that the effort is led by the board and senior management. Top leadership must define the main expected threats, the worst-case scenarios, and the actions and communications that will be accordingly rolled out. For each threat, hypothetical scenarios should be developed for how a crisis will unfold, based on previous crises within and beyond the company’s industry and region.
  • Strengthen resilience. By mapping patterns that arose in previous crises, companies can test their own resilience, challenging key areas across the organization for potential weaknesses. Targeted countermeasures can then be developed in advance to strengthen resilience. This crucial aspect of crisis preparedness can involve reviewing and revising the terms and conditions for key suppliers, shoring up financials to ensure short-term availability of cash, or investing in advanced cybersecurity measures to protect essential data and software in the event of failures and breaches.
  • Develop action plans and communications. Once these assessments are complete and resilience-building countermeasures are in place, the company can then develop action plans for each threat. The plans must be well articulated, founded on past crises, and address operational and technical planning, financial planning, third-party management, and legal planning. Care should be taken to develop an optimally responsive communications strategy as well. The correct strategy will enable frontline responders to keep pace with or stay ahead of unfolding crises. Communications failures can turn manageable crises into irredeemable catastrophes. Companies need to have appropriate scripts and process logic in place detailing the response to crisis situations, communicated to all levels of the organization and well anchored there. Airlines provide an example of the well-articulated response, in their preparedness for an accident or crash. Not only are detailed scripts in place, but regular simulations are held to train employees at all levels of the company.
  • Train managers at all levels. The company should train key managers at multiple levels on what to expect and enable them to feel the pressures and emotions in a simulated environment. Doing this repeatedly and in a richer way each time will significantly improve the company’s response capabilities in a real crisis situation, even though the crisis may not be precisely the one for which managers have been trained. They will also be valuable learning exercises in their own right.
  • Put in place a detailed crisis-response playbook. While each crisis can unfold in unique and unpredictable ways, companies can follow a few fundamental principles of crisis response in all situations. First, establish control immediately after the crisis hits, by closely determining the level of exposure to the threat and identifying a crisis-response leader, not necessarily the CEO, who will direct appropriate actions accordingly. Second, involved parties—such as customers, employees, shareholders, suppliers, government agencies, the media, and the wider public—must be effectively engaged with a dynamic communications strategy. Third, an operational and technical “war room” should be set up, to stabilize primary threats and determine which activities to sustain and which to suspend (identifying and reaching out to critical suppliers). Finally, a deliberate effort must be made to address and neutralize the root cause of the crisis and so bring it to an end as soon as possible.

In a digitized, networked world, with globalized supply chains and complex financial interdependencies, the risk environment has grown more perilous and costly. A holistic approach to risk management, based on the lessons, good and bad, of leading companies and financial institutions, can derive value from that environment. The path to risk resilience that is emerging is an effort, led by the board and senior management, to establish the right risk profile and appetite. Success depends on the support of a thriving risk culture and state-of-the-art crisis preparedness and response. Far from minimal regulatory adherence and loss avoidance, the optimal approach to risk management consists of fundamentally strategic capabilities, deeply embedded across the organization.

Daniela Gius is a senior expert in McKinsey’s Hamburg office, Jean-Christophe Mieszala is a senior partner in the Paris office, Ernestos Panayiotou is a partner in the Athens office, and Thomas Poppensieker is a senior partner in the Munich office.


Knowledge Risk Management, pp 3–10

Knowledge Risk Management—State of Research

  • Susanne Durst
  • Thomas Henschel
  • First Online: 05 February 2020

Part of the book series: Management for Professionals (MANAGPROF)

The aim of this chapter is to set the frame for the book’s topic, namely knowledge risk management. In order to do so, the chapter starts broadly and introduces the topics of risks and risk management and knowledge risks and knowledge risk management, respectively. This is followed by a brief summary of the current body of knowledge with regard to knowledge risk management from a research point of view. The outcome shows that there is a clear need for more systematic research; thus, this chapter opens the door for the subsequent chapters presented in this book and intended to further our understanding of knowledge risk management.

  • Knowledge risks
  • Knowledge risk management
  • Risk management



Author information

Susanne Durst, Department of Business Administration, Tallinn University of Technology, Ehitajate Tee 5, 19086, Tallinn, Estonia

Thomas Henschel, Hochschule für Technik und Wirtschaft Berlin, Treskowallee 8, 10318, Berlin, Germany

Correspondence to Susanne Durst.

Editors and affiliations: Department of Business Administration, Tallinn University of Technology, Tallinn, Estonia; Faculty of Business and Law, Hochschule für Technik und Wirtschaft, Berlin, Germany

Copyright © 2020 Springer Nature Switzerland AG

Cite this chapter: Durst, S., Henschel, T. (2020). Knowledge Risk Management—State of Research. In: Durst, S., Henschel, T. (eds) Knowledge Risk Management. Management for Professionals. Springer, Cham. https://doi.org/10.1007/978-3-030-35121-2_1

DOI: https://doi.org/10.1007/978-3-030-35121-2_1

Published: 05 February 2020

Publisher Name: Springer, Cham

Print ISBN: 978-3-030-35120-5

Online ISBN: 978-3-030-35121-2

eBook Packages: Business and Management (R0)

Risk management

Banks with More Women on Their Boards Commit Less Fraud

  • Barbara Casu
  • Scott Berinato
  • From the May–June 2021 Issue

Bringing the Environment Down to Earth

  • Forest L. Reinhardt
  • From the July–August 1999 Issue

Overcoming the Financial Barriers to Building Resilient Supply Chains

  • James B. Rice Jr.
  • Walid Klibi
  • November 01, 2022

Doing Business in a Dangerous World

  • L. Paul Bremer
  • Gardiner Morse
  • From the April 2002 Issue

Strategic Analysis for More Profitable Acquisitions

  • Alfred Rappaport
  • From the July 1979 Issue

What I've Learned About White-Collar Crime

  • Mary Jo White
  • From the July–August 2019 Issue

Reducing Directors' Legal Risk

  • Michael Klausner
  • From the April 2007 Issue

Generative AI-nxiety

  • Reid Blackman
  • August 14, 2023

Is Anyone Really Responsible for Your Company’s Data Security?

  • Joel Brenner
  • June 19, 2013

Treat Employees like Adults

  • Frank Furedi
  • From the May 2005 Issue

How to Face Your Company’s Mortality

  • Ron Ashkenas
  • February 22, 2010

Look Beyond Obvious Risks

  • Mihir A. Desai
  • June 16, 2015

Your Company Needs a Digital Nomad Policy

  • Miles Everson
  • Carolyn Ockels
  • July 12, 2021

What’s Your Company’s Water Footprint?

  • August 05, 2009

Pitfalls in Evaluating Risky Projects

  • James E. Hodder
  • Henry E. Riggs
  • From the January 1985 Issue

U.S. Businesses Need to Be More Prepared for Physical Risks

  • Mark Herrington
  • February 09, 2023

The HBR Agenda 2011

  • Peter Cappelli
  • Thomas H. Davenport
  • Esther Duflo
  • Claudio Fernández-Aráoz
  • Vijay Govindarajan
  • Lynda Gratton
  • J. Richard Hackman
  • Herminia Ibarra
  • Paul Kedrosky
  • A.G. Lafley
  • Charlene Li
  • Jean-Francois Manzoni
  • Daniel H. Pink
  • Michael E. Porter
  • Edgar H. Schein
  • Eric Schmidt
  • Klaus Schwab
  • Clay Shirky
  • Joseph E. Stiglitz
  • Robert I. Sutton
  • Laura D. Tyson
  • From the January–February 2011 Issue

The Power of "Risktakes"

  • Vineet Nayar
  • August 18, 2010

Which of Your Employees Are Most Likely to Expose Your Company to a Cyberattack?

  • December 05, 2017

Purchasing Managers Have a Lead Role to Play in Cyber Defense

  • Thomas Y. Choi
  • July 10, 2018

BSI Bank of Switzerland: Victim of Growth or Perpetrator of a Crime?

  • Salvatore Cantale
  • October 12, 2016

To Feed the Planet: Juan Luciano at ADM

  • Joshua D. Margolis
  • David E. Bell
  • Damien P. McLoughlin
  • Stacy Straaberg
  • James Weber
  • December 27, 2022

Why Is the Universe Against Me? (B)

  • Kristin Behfar
  • Jolene H. Bodily
  • April 16, 2015

Cybersecurity: The Insights You Need from Harvard Business Review

  • Harvard Business Review
  • Andrew Burt
  • Boris Groysberg
  • Roman V Yampolskiy
  • September 17, 2019

Why Is the Universe Against Me? (A) and (B) (Abridged)

  • August 18, 2015

TenAlpina Tools: The Entrepreneur's Dilemma

  • Alfred Nanni
  • June 02, 2015

Champion International Corp.: Timber, Trade, and the Northern Spotted Owl

  • August 15, 1991

Crystal Catering

  • Gregory B Fairchild
  • Rebecca Goldberg
  • Elisabeth Ivaniw Jones
  • December 18, 2018

Mastercard Labs (A) (Abridged)

  • Linda A. Hill
  • Sunil Gupta
  • Emily Tedards
  • Julia Kelley
  • April 08, 2022

A Diamond in the Rough: J. M. Huber and the PATH Business

  • John L. Ward
  • Carol Adler Zsolnay
  • Sachin Waikar
  • March 13, 2017

BP Amoco (A): Policy Statement on the Use of Project Finance

  • Benjamin C. Esty
  • Michael Kane
  • January 09, 2001

The Walt Disney Studios

  • Anita Elberse
  • April 28, 2016

Blood Bananas: Chiquita in Colombia

  • Mary B. Teagarden
  • Andreas Schotter
  • November 11, 2010

ProSight: New Millennium Financial Technology Portfolio Management

  • Mark Jeffery
  • Chuck Olson
  • Robin Barnes
  • January 01, 2006

Beta Management Co.

  • Michael E. Edleson
  • March 23, 1992

Going Rogue: Choson Exchange in North Korea

  • Sophus A. Reinert
  • Amy MacBeath

Sy Friedland and JF&CS

  • Jesseca Timmons
  • April 01, 2017

AGENTS.inc: Pathways to Growth at an AI Startup

  • Frank Nagle
  • Manuel Hoffmann
  • Karoline Strohlein
  • Susan Pinckney
  • February 13, 2024

Southern Implants: Designing and Manufacturing Dental Implants to the World

  • Marianne Matthee
  • October 30, 2020

Cleveland Clinic Abu Dhabi: Leading Through the Fog of the COVID-19 Pandemic

  • February 18, 2022

James McAllister: Learning from BP and NASA, Teaching Note

  • William E Youngdahl
  • December 01, 2017

What Is Risk Management in Finance, and Why Is It Important?

Amanda Bellucco-Chatham is an editor, writer, and fact-checker with years of experience researching personal finance topics. Specialties include general financial planning, career development, lending, retirement, tax preparation, and credit.

Risk management involves identifying, analyzing, and accepting or mitigating uncertainty in investment decisions. Put simply, it is the process of monitoring and dealing with the financial risks associated with investing. Risk management essentially occurs when an investor or fund manager analyzes and attempts to quantify the potential for losses in an investment, such as a moral hazard, and then takes the appropriate action (or inaction) to meet their objectives and risk tolerance.

Key Takeaways

  • Risk management is the process of identification, analysis, and acceptance or mitigation of uncertainty in investment decisions.
  • Risk is inseparable from return in the investment world.
  • Risk management strategies include avoidance, retention, sharing, transferring, and loss prevention and reduction.
  • One of the tactics to ascertain risk is standard deviation, which is a statistical measure of dispersion around a central tendency.

How Risk Management Works

Risk is inseparable from return. Every investment involves some degree of risk. It can come close to zero for U.S. T-bills or very high for emerging-market equities or real estate in highly inflationary markets. Risk is quantified in absolute and in relative terms. A solid understanding of risk in its different forms can help investors to better understand the opportunities, trade-offs, and costs involved with different investment approaches.

Risk management involves identifying and analyzing where risk exists, and making decisions about how to deal with it. It occurs everywhere in the realm of finance. For instance:

  • An investor may choose U.S. Treasury bonds over corporate bonds
  • A fund manager may hedge their currency exposure with currency derivatives
  • A bank performs a credit check on an individual before issuing a personal line of credit
  • A stockbroker uses financial instruments like options and futures
  • A money manager uses strategies like portfolio diversification, asset allocation, and position sizing to mitigate or effectively manage risk

Diligent risk management can help reduce the chance of losses while ensuring that financial goals are met. Inadequate risk management, though, can result in severe consequences for companies, individuals, and the economy. The subprime mortgage meltdown that led to the Great Recession stemmed from bad risk management. Lenders gave mortgages to people with bad credit and investment firms bought, packaged, and resold these loans to investors as risky mortgage-backed securities (MBSs).

Risk Management Techniques

The following is a list of some of the most common risk management techniques.

  • Avoidance: The most obvious way to manage your risk is by avoiding it completely. Some investors make their investment decisions by cutting out volatility and risk completely. This means choosing the safest assets with little to no risk.
  • Retention: This strategy involves accepting any risks that come your way and acknowledging that they come with the territory.
  • Sharing: This technique comes with two or more parties taking on an agreed-upon portion of the risk. For instance, reinsurers cover risks that insurance companies can't handle on their own.
  • Transferring: Risks can be passed on from one party to another. For instance, health insurance involves passing on the risk of coverage from you to your insurer as long as you keep up with your premiums.
  • Loss Prevention and Reduction: Rather than eliminate the potential for risk, this strategy means that you find ways to minimize your losses by preventing them from spreading to other areas. Diversification may be a way for investors to reduce their losses.

The word risk is often thought of negatively. But risk is an integral part of the investment world and is inseparable from performance.

Risk Management and Volatility

Investment risk is the deviation from an expected outcome. This deviation is expressed in absolute terms or relative to something else like a market benchmark. Investment professionals generally accept the idea that the deviation implies some departure from the intended outcome for your investments, whether positive or negative.

To achieve higher returns, one expects to accept greater risk. It is also generally accepted that increased risk means increased volatility. While investment professionals constantly seek, and occasionally find, ways to reduce volatility, there is no clear agreement on how to do it.

How much volatility an investor should accept depends entirely on their risk tolerance. For investment professionals, it is based on the tolerance of their investment objectives. One of the most commonly used absolute risk metrics is standard deviation, which is a statistical measure of dispersion around a central tendency.

Here's how it works. Take the average return of an investment and find its average standard deviation over the same time period. A normal distribution (the familiar bell-shaped curve) dictates that the investment's return will fall within one standard deviation of the average 67% of the time and within two standard deviations of the average 95% of the time. This provides a numeric risk evaluation. If the risk is tolerable (financially and emotionally), the investor can invest.

Risk Management and Psychology

Behavioral finance highlights the imbalance between people's views of gains and losses. In prospect theory, an area of behavioral finance introduced by Amos Tversky and Daniel Kahneman in 1979, investors exhibit loss aversion. They noted that investors put roughly twice the weight on the pain associated with a loss as on the good feeling associated with a profit.

Investors often want to know the losses that come with an investment as well as how much an asset deviates from its expected outcome. Value at risk (VAR) tries to quantify the degree of loss associated with an investment with a given level of confidence over a defined period. For example, an investor may lose $200 on a $1,000 investment with a 95% level of confidence over a two-year time horizon. Keep in mind that a measure like VAR says nothing about how much worse the remaining 5% of outcomes could be.

It also doesn't account for outlier events, such as the one that hit hedge fund Long-Term Capital Management (LTCM) in 1998. The Russian government's default on its outstanding sovereign debt obligations threatened to bankrupt the hedge fund, which had highly leveraged positions worth over $1 trillion. Its failure could have collapsed the global financial system. But the U.S. government created a $3.65-billion loan fund to cover the losses, which enabled LTCM to survive the volatility and liquidate in early 2000.

The confidence level is a probability statement based on the statistical characteristics of the investment and the shape of its distribution curve.

Types of Risk Management

Beta and Passive

One risk measure oriented to behavioral tendencies is a drawdown, which refers to any period during which an asset's return is negative relative to a previous high mark. In measuring drawdown, we attempt to address three things:

  • The magnitude of each negative period (how bad)
  • The duration of each (how long)
  • The frequency (how often)
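As an added example (not code from the original article), the following Python measures those three things over a constructed series of monthly returns: it tracks the high-water mark and records each drawdown's depth (how bad), duration (how long) and whether it recovered, with the number of drawdowns giving the frequency (how often).

```python
"""Drawdowns of a return series: how bad, how long and how often.
Added example, not from the original article; SAMPLE_RETURNS is constructed
sample data (twelve monthly returns as fractions), not real market figures."""
from dataclasses import dataclass

# Constructed sample: twelve monthly returns, e.g. 0.02 means +2%.
SAMPLE_RETURNS = [0.02, -0.03, -0.02, 0.04, 0.01, -0.05, -0.04,
                  0.03, 0.02, 0.05, -0.01, 0.02]


@dataclass
class Drawdown:
    start: int       # first period below the previous high
    trough: int      # period of the deepest point
    end: int         # period in which the high is regained (last period if never)
    depth: float     # peak-to-trough loss as a fraction of the peak (how bad)
    duration: int    # periods spent below the previous high (how long)
    recovered: bool  # False if the series ends while still in drawdown


def cumulative_values(returns, start_value=1.0):
    """Grow start_value through each period's return."""
    values, v = [], start_value
    for r in returns:
        v *= 1.0 + r
        values.append(v)
    return values


def find_drawdowns(returns):
    """Track the high-water mark and record one Drawdown for every stretch
    spent below it; the length of the result is the frequency (how often)."""
    values, result = cumulative_values(returns), []
    high = 1.0                   # high-water mark starts at the initial value
    in_dd, start, trough = False, 0, 0
    peak = trough_value = high
    for i, v in enumerate(values):
        if v >= high:
            if in_dd:            # back at or above the old high: drawdown over
                result.append(Drawdown(start, trough, i, 1 - trough_value / peak,
                                       i - start, True))
                in_dd = False
            high = v
        elif not in_dd:          # first period below the high: new drawdown
            in_dd, start, trough = True, i, i
            peak, trough_value = high, v
        elif v < trough_value:   # deeper than before
            trough, trough_value = i, v
    if in_dd:                    # series ended without regaining the high
        last = len(values) - 1
        result.append(Drawdown(start, trough, last, 1 - trough_value / peak,
                               last - start + 1, False))
    return result


def summarize(drawdowns):
    """Answer the three questions from the text for a list of drawdowns."""
    return {"max_depth": max((d.depth for d in drawdowns), default=0.0),
            "longest": max((d.duration for d in drawdowns), default=0),
            "count": len(drawdowns)}
```

On the sample series this finds two drawdowns, the deeper one losing about 8.9% from its peak and lasting eight months before the previous high is regained.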

For example, in addition to wanting to know whether a mutual fund beat the S&P 500, we also want to know its comparative risk. One measure for this is beta. Also called market risk, beta is based on the statistical property of covariance. A beta greater than 1 indicates more risk than the market while a beta less than 1 indicates lower volatility.

Beta helps us to understand the concepts of passive and active risk. The graph below shows a time series of returns (each data point labeled "+") for a particular portfolio R(p) versus the market return R(m). The returns are cash-adjusted, so the point at which the x and y-axes intersect is the cash-equivalent return. Drawing a line of best fit through the data points allows us to quantify the passive risk (beta) and the active risk (alpha).

The gradient of the line is its beta. So a gradient of 1 indicates that for every unit increase in market return, the portfolio return also increases by one unit. A money manager employing a passive management strategy can attempt to increase the portfolio return by taking on more market risk (i.e., a beta greater than 1) or alternatively decrease portfolio risk (and return) by reducing the portfolio beta below one.

Alpha and Active

If market or systematic risk were the only influencing factor, then a portfolio's return would always be equal to the beta-adjusted market return. But this isn't the case. Returns vary because of a number of factors unrelated to market risk. Investment managers who follow an active strategy take on other risks to achieve excess returns over the market's performance, including tactics that leverage:

  • Stock, sector, or country selection
  • Fundamental analysis
  • Position sizing
  • Technical analysis

Active managers hunt for an alpha, the measure of excess return. In our diagram example above, alpha is the amount of portfolio return not explained by beta, which is represented as the distance between the intersection of the x and y-axes and the y-axis intercept. This can be positive or negative.
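As an added example (not code from the original article), the following Python carries out the line-of-best-fit calculation described above: beta is the gradient and alpha the intercept of the least-squares line through cash-adjusted returns, and each period's return is then split into the beta-adjusted market part and the remainder that beta does not explain. The two return series and the 0.2% cash rate are constructed sample values.

```python
"""Beta (gradient) and alpha (intercept) from a portfolio's return history.
Added example, not from the original article; PORTFOLIO, MARKET and CASH_RATE
are constructed sample data, not real figures."""

# Constructed sample: five periods of raw returns (fractions) for the
# portfolio R(p) and the market R(m), plus the cash return per period.
PORTFOLIO = [-0.017, -0.008, 0.008, 0.016, 0.031]
MARKET = [-0.018, -0.008, 0.002, 0.012, 0.022]
CASH_RATE = 0.002


def cash_adjust(returns, cash_rate):
    """Subtract the cash return, so the axes cross at the cash-equivalent return."""
    return [r - cash_rate for r in returns]


def beta_alpha(portfolio, market, cash_rate=0.0):
    """Least-squares line of best fit of cash-adjusted portfolio returns (y)
    on cash-adjusted market returns (x).

    beta  = gradient  = cov(x, y) / var(x)        (passive / market risk)
    alpha = intercept = mean(y) - beta * mean(x)  (return not explained by beta)
    """
    if len(portfolio) != len(market) or len(portfolio) < 2:
        raise ValueError("need two return series of equal length (at least 2)")
    x = cash_adjust(market, cash_rate)
    y = cash_adjust(portfolio, cash_rate)
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((xi - mx) ** 2 for xi in x)
    if sxx == 0.0:
        raise ValueError("market returns never vary; beta is undefined")
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    beta = sxy / sxx
    alpha = my - beta * mx
    return beta, alpha


def split_returns(portfolio, market, cash_rate=0.0):
    """Split each period's portfolio return into the beta-adjusted market
    return (passive part) and the remainder (active part: alpha plus noise)."""
    beta, _ = beta_alpha(portfolio, market, cash_rate)
    passive = [cash_rate + beta * (rm - cash_rate) for rm in market]
    active = [rp - pv for rp, pv in zip(portfolio, passive)]
    return passive, active


if __name__ == "__main__":
    b, a = beta_alpha(PORTFOLIO, MARKET, CASH_RATE)
    print(f"beta = {b:.3f}, alpha = {a:.4f} per period")
    for p, act in zip(*split_returns(PORTFOLIO, MARKET, CASH_RATE)):
        print(f"passive {p:+.4f}  active {act:+.4f}")
```

The sample is built so the fit gives a beta of 1.2 (the portfolio moves 1.2 units per unit of market return) and an alpha of 0.4% per period, and the average of the active parts equals that alpha.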

In their quest for excess returns, active managers expose investors to alpha risk, the risk that the result of their bets will prove negative rather than positive. For example, a fund manager may think that the energy sector will outperform the S&P 500 and increase her portfolio's weighting in this sector. If unexpected economic developments cause energy stocks to sharply decline, the manager will likely underperform the benchmark.

The more an active fund and its managers can generate alpha, the higher the fees they tend to charge. For purely passive vehicles like index funds or exchange-traded funds (ETFs), you're likely to pay one to 10 basis points (bps) in annual management fees. Investors may pay 200 bps in annual fees for a high-octane hedge fund with complex trading strategies, high capital commitments, and transaction costs. They may also have to give back 20% of the profits to the manager.

The pricing difference between passive (beta risk) and active strategies (alpha risk) encourages many investors to try to separate these risks, such as paying lower fees for the beta risk assumed and concentrating costly exposures on specifically defined alpha opportunities. This is popularly known as portable alpha, the idea that the alpha component of a total return is separate from the beta component.

For instance, a fund manager may claim to have an active sector rotation strategy for beating the S&P 500 with a track record of beating the index by 1.5% on an average annualized basis. This excess return is the manager's value (the alpha) and the investor is willing to pay higher fees to obtain it. The rest of the total return (what the S&P 500 itself earned) arguably has nothing to do with the manager's unique ability. Portable alpha strategies use derivatives and other tools to refine how they obtain and pay for the alpha and beta components of their exposure.

Example of Risk Management

During a 15-year period from Aug. 1, 1992, to July 31, 2007, the average annualized total return of the S&P 500 was 10.7%. This number reveals what happened for the whole period, but it does not say what happened along the way.

The average standard deviation of the S&P 500 for that same period was 13.5%. This is the difference between the average return and the real return at most given points throughout the 15-year period.

When applying the bell curve model, any given outcome should fall within one standard deviation of the mean about 67% of the time and within two standard deviations about 95% of the time. Thus, an S&P 500 investor could expect the return, at any given point during this period, to be 10.7% plus or minus the standard deviation of 13.5% about 67% of the time. They may also assume a 27% (two standard deviations) increase or decrease 95% of the time. If they can afford the loss, they invest.

Why Is Risk Management Important?

Risk management is a key part of the investment and financial world. It requires investors and fund managers to identify, analyze, and make important decisions about the uncertainty that comes with reaching their goals. Risk management allows individuals to reach their goals while mitigating or dealing with any of the associated losses.

How Can I Practice Risk Management in Personal Finance?

There are a few different steps that individuals can take to practice risk management in their personal finances. Start by identifying your goals, and then highlight the risks associated with your objectives. Once you know what the risks are, evaluate them and research the best ways to manage these risks. You will likely have to monitor and make adjustments to ensure you stay on top of your goals.

How Do Companies Manage Their Operational Risk?

Operational risk is any risk associated with the day-to-day operations of a business. Companies can manage it by identifying and assessing potential risks, measuring them, and putting controls in place to either mitigate or eliminate them altogether. It's also important that corporations monitor their operations and risk management techniques to see if they are working and make changes whenever necessary.

Risk is an important part of the financial world. The word often brings up feelings of negativity since there is the potential for capital and investment loss. But risk isn't always bad because investments that have more risk often come with the biggest rewards. Knowing what the risks are, how to identify them, and employing suitable risk management techniques can help mitigate losses while you reap the rewards.
