The risk management takes into companies , the management of corporate risks through its risk identification , risk analysis , risk quantification , risk aggregation , risk assessment , risk assessment , risk communication and final risk management .
Risk management includes risk assessment, risk management and risk communication, with risk assessment being subdivided into the sub-areas of risk identification, risk analysis and risk assessment. Risk management can only begin with risk perception ; it is the prerequisite for risks to be recognized and discovered at all. The problem arises here that different risk carriers perceive the same risk differently or not at all. If the risk is perceived incorrectly as selective perception , only certain risks are perceived, but other existing risks are ignored. Inadequate risk perception has a negative effect on the subsequent phases of risk management.
Risk management tasks
Risk management is a task that is assigned to a function in an organizational unit in a company or government agency . According to the ISO 31000 : 2009 standard, risk management is a management task in which the risks in an organization are identified, analyzed and later assessed. To this end, overarching goals, strategies and policies of the organization for risk management are to be defined. In detail, this concerns the definition of criteria according to which the risks are classified and evaluated, the methods of risk determination, the responsibilities for risk decisions, the provision of resources for risk prevention, internal and external communication about the identified risks (reporting) as well as the qualification of the staff for risk management. An updated version of the ISO 31000 standard was published in 2018.
Formal training and certification as a risk manager can be carried out in Germany according to the state of the art in accordance with DIN VDE V 0827 "Emergency and Hazard Systems - Part 1: Emergency and Hazard Response Systems (NGRS) - Basic requirements, tasks, responsibilities and Activities "and in Austria according to ONR 49003" Risk management for organizations and systems - Requirements for the qualification of the risk manager - Application of ISO / DIN 31000 in practice ".
Risk management is understood as an ongoing process in which planning, implementation, monitoring and improvement take place continuously ( Deming group : “Plan-Do-Check-Act”). Risk management should be applied over the entire lifespan of an organization and create a culture of risk control in the organization.
The principles and procedures for risk management described in the ISO 31000 standard apply in general. They can be used in all areas where risks exist and are not tailored to a specific industry.
The risk management ( early risk detection system ) in particular of the stock corporations is based on the requirements of the Control and Transparency Act (KonTraG) and the IdW audit standard PS 340 based on it and the more recent DIIR audit standard No. 2 of the German Institute for Internal Audit (from 2018). The aim is to identify risks that threaten the company's existence at an early stage and to monitor them in a comprehensible manner. Since it is often precisely the combination effects of several individual risks that threaten the company's existence, an aggregation of the individual risks is required to determine the overall risk scope ( risk aggregation ). The economic added value of risk management is the reduction in the likelihood of a crisis that threatens the company's existence through greater risk transparency. The degree of the financial threat to the existence of the company is assessed by calculating the effects of risks on the future rating using a so-called rating forecast .
Further advantages of efficient risk management are an improvement in planning security and a reduction in risk costs .
The risk management process includes in detail:
- Identification of the risks, description of their nature, causes and effects
- Analysis of the identified risks with regard to their probability of occurrence and possible effects
- Risk assessment by comparison with previously defined criteria for risk acceptance (e.g. from standards and norms)
- Risk management / risk control through measures that reduce dangers and / or the probability of occurrence or make the consequences manageable
- Risk monitoring with the help of parameters that provide information about the current risks (risk indicators)
- Risk records for the documentation of all processes that take place in connection with the risk analysis and assessment
In order to cope with the complexity of the risk management process, to analyze large amounts of data and to implement strategic risk management, many companies use risk management software. This is able to map the risks of a company or to simulate future risks.
Risk management terms
- Risk analysis : is used to identify and assess risks. In the technical area, the probabilistic safety analysis is used.
- Risk identification : creates a list of the various risks, in the case of technical systems based on the functional requirements (independent of a technical design). Aids are: scenario technology, post-mortem analysis, expertsurveys, Delphi method , creativitytechniques, failure mode and influence analysis, risk workshops, checklists (hazard: list of hazards in occupational safety), analysis of possible hazards ( hazard and operability study ), evaluation the experience (industrial accidents, bankruptcies) from comparable company areas.
- Risk matrix: is used for the detailed recording and evaluation of the overall risk of a company, a technical system or a company or technical process by entering the determined risk factors in a matrix (risk portfolio, risk matrix) with the dimensions probability of occurrence and extent of damage.
- Avoidance of risk : by neglecting a risky activity.
- Risk reduction : reduces the risk potential to an acceptable level or tries to reduce the probability of occurrence of risks.
- Risk reduction : takes place by setting defined upper limits for risks.
- Risk communication : the risk results are published - in a transparent and comprehensible manner - for the decision-making about the acceptability of the risk by the risk taker with the involvement of experts and for the persons affected by the risk in the system and in the system environment.
- Risk acceptance : it is achieved if the risk is assessed as acceptable under the given social framework and taking any residual risks into account.
- Residual risk : is the risk that remains after the application of protective measures. (See also the statement of the Federal Constitutional Court of 1978 in the Kalkar ruling on the residual risk.)
- Borderline risk : is the greatest risk that is still acceptable if the specified standards are observed ( state of the art / safety technology ) (see also minimum endogenous mortality and is a measure of the accepted - inevitable - risk.)
- Risk perception : is perceived as inherently subjective according to the influencing variables of voluntariness, control, trust and disaster potential (according to the basic assumptions of psychology).
- Risk diversification : by dividing the assets into different assets or technical redundancies .
- Risk transfer : by transferring the risk to third parties bychangingthe risk carrier (e.g. to an insurance company ).
- Risk control : by monitoring the identified, current risks (risk indicators) and compliance with specified limit values.
Risk indicators : Measurement of system variables that provide information about the risks (risk indicators ) (sensitivity / sensitivity of a system to external influences). The term safety indicator is used in safety technology. In the financial sector , a distinction is made between indicators:
- Lagging indicators : those that change after the financial economy as a whole has changed.
- Leading indicators : those that change before the financial economy as a whole changes.
- Risk aggregation : is a summary of all individual risks, whereby the individual risks are weighted according to their relative importance on the company's development, and not by simply adding the individual risks. This can be done by simulating the factors to determine the overall risk of the system (use, for example, to determine the “market price risk ” ).
- Risk reporting : Generation and transmission of information on opportunities and risks as a risk report . The main goals of risk reporting are: creating transparency about the risk situation, preparing decisions on risk control measures and supporting risk monitoring.
- Risk interdependence: Dependencies on risks: Independent risks do not influence each other, positively correlated risks reinforce each other, negatively correlated risks weaken each other. Usually, the statistical dependency of risks is first checked for plausibility and quantified using a correlation coefficient.
- Risk-bearing capacity : the ability to absorb the consequences of risks that have become apparent.
- Risk prevention : In order to be able to bear the residual risk, precautionary measures must be taken through risk prevention. B. financial reserves ( reserves ), provisions but also excess stocks of material, personnel, etc. Ä. Can be formed.
- ALARP principle ( ALARP : A s L ow A s R easonably P racticable ) means that the risks are to be minimized to a reasonable and feasible size. A risk-benefit analysis can be used to assess whether the benefits of the product outweigh the residual risk.
- RAMS Management: ensures that systems defined, carried out risk analyzes, hazard rates determined, made detailed checks and create safety cases (in English RAMS: R eliability, A vailability, M aintainability, Sa fety / Reliability , Availability , Maintainability , Safety ).
Areas of application
The corporate risk is initially reflected in the volatility of the result (profit or loss), which can be determined through statistical analyzes or future-oriented using risk aggregation . What is meant is the possibility of deviating from operational goals due to the unpredictable future. The extreme form of corporate risk is called insolvency risk and expresses the probability that the company will not be able to meet its obligations, or not fully, due to insolvency and / or over-indebtedness . The insolvency probability, which is dependent on the aggregated risk scope, but also the risk-bearing capacity ( equity ) and profitability , is expressed by the rating (see also rating forecast and insolvency forecasting procedure ).
A bankruptcy can be attributed to various factors, being generally differentiates between internal and external causes bankruptcy. Internal causes concern the activities that originate directly from the company itself and ultimately lead to bankruptcy. This could be, for example, incorrect planning or incorrect assessments by management. External causes of insolvency relate to factors that have an external effect on the company, for example structural and economic changes in the company environment and the entry of new competitors into the market.
According to the law on control and transparency in the corporate sector ( (2 ) AktG ), stock corporations must set up a monitoring system for the early detection of risks in order to secure the continued existence of the company against dangerous developments. The executive board of the AG has the ultimate responsibility. According to AktG, the board of directors was obliged to set up a monitoring system before the KonTraG came into force.
Risk management in financial services
- Credit institutions
For credit institutions , the overall business risk is divided into operational risk (e.g. due to IT failures), credit risk (i.e. the failure of borrowers), and counterparty risk (i.e. the failure of counterparties in trading transactions) as a special part of the credit risk, the liquidity risk (due funds cannot be serviced from liquid funds), market liquidity risk (transactions can not be concluded under the expected conditions due to insufficient market liquidity ) and the market risk (e.g. exchange rate risk , interest rate risk ). In practice, reputational risk (risk of loss of reputation due to business policy decisions, etc.) is often considered separately from operational risk. The accumulation of high-risk commitments that are closely related (e.g. due to industry or country risks) is also referred to as cluster risk in the banking industry .
The minimum requirements for risk management (BA) for credit institutions and financial services institutions in Germany provide a framework for appropriate and effective risk management. It should serve to counteract grievances in the credit and financial services sector. The risk management processes concern:
- Control as well
- Monitoring and communication of the main risks.
The institute has to derive suitable indicators for the early identification of risks, which enable the establishment and further development of a system of risk indicators and an early risk identification and risk classification procedure.
With regard to the application of risk quantification, the following is stated: Since any methods and procedures for risk quantification are not able to fully reflect reality, the fact that the risk values are inaccurate or could underestimate the risk must be adequately taken into account when assessing the risk-bearing capacity.
In this context there is also the requirement: Significant damage cases must be analyzed immediately with regard to their causes. It is used to identify system weaknesses and inadequacies in the risk models as well as the statistical determination of damage frequencies (feedback from experience).
The minimum requirements for risk management for credit institutions provide a framework for compliance with the duty of loyalty when disposing of third-party assets. In the event of a breach of the duty of loyalty (abuse), the punishability of breach of trust according to Criminal Code applies.
- Insurance industry
For insurance companies, taking on risks is part of the actual business model . Insurance companies limit the likelihood of an above-average burden from loss events through the size of the insurance collective , and primarily through reinsurance , with the help of which they limit major losses and accumulation risks .
Underwriting risks play a central role in the insurance market as a preliminary stage to insurance . Before a risk can be properly insured, it must be identified, assessed and how the risk should be dealt with must be determined.
The European Solvency II Directive places extensive requirements on risk management in insurance companies.
Types of risk
Risks of the national and international financial system
Financial crises are major upheavals in the financial system , which are characterized by a decline in assets and the insolvency of numerous companies in the financial sector and other sectors and which affect economic activity in one or more countries. They manifest the risk potential of the financial system , as well as the failure of national or international risk management and its control bodies. National and international regulations such as minimum requirements for risk management (BA) , Basel II and Basel III are created for risk control and - as experience shows - updated with each new crisis.
The basic mechanisms for the collapse of complex systems, be it in the financial sector or a complex industrial facility such as a chemical plant or nuclear power plant, are always the same. It is characteristic of these systems that they consist of a practically no longer manageable number of components or functional units and that they achieve the common system result through multi-layered effect structures. The system is constantly being improved based on user experience, so that after a trial period it is considered stable and mature. Because of the great risks associated with failure of the system, these systems are subject to a variety of control mechanisms. The longer a system is operated without major damage, the more it will be perceived as safe by its operators and controllers. In this state, the system's safety net begins to lose its effectiveness. Compromises in favor of the company's success compared to security precautions are easier to implement, with the result that increasingly undetected errors become lodged in the system (cf. Charles Perrow , Normal Accidents, 1984). In the financial sector it explains - depending on the status in the current cycle - the call for more or less rules on the financial market .
From the company's point of view, environmental risks are economic risks that arise from environmental damage ( soil contamination , pollutant emissions , contamination of buildings , damage to health of personnel , product defects ), assets being subject to depreciation in whole or in part , having to be disposed of at high cost or being able to be restored at high costs. Employees can fall ill due to inadequate occupational health and safety and thus increase the risk of absenteeism .
The Environmental Risk Management deals with the handling of this environmental risk and provides enterprise a portion of the company's environmental management is and risk management. We distinguish between internal and external environmental risks, and external environmental risks such as storm or flood may occur. The internal environmental risks are justified in the company and can be technical, technological or organizational damage, such as operational disruptions .
There are three types of environmental risk:
- Financial risks for a company that arise from changes in the state of the environment or the environmental awareness of society
- Risks of the company's environmental liability for environmentally relevant activities and
- Risks to human health and the ecosystem.
In the field of flood protection, the state introduced the Flood Risk Management Directive 2007/60 / EC. In the area of fire protection, fire protection requirement plans for fire brigades with standardized protection goals as well as local characteristics are created. Large-scale risks are shown in a hazard zone plan.
Security management (SM) is synonymous with risk management and is defined: "SM: Leads, directs and coordinates an organization in relation to all security activities." The use of the term "security management" in technology (in the German-speaking world) is explained by its general usage of the term "security" in technology.
Safety management systems (SMS) are used today in all areas of industry with risk potential. The necessity of introducing and using the SMS arose in practically all industrial sectors from experience of accidents, according to which serious deficiencies in the organization turned out to be the main causes of accidents beyond the potential for errors in technology and personnel.
In aviation, the need to introduce safety management systems (SMS) is justified as follows:
“ Safety management is based on the premise that there are always safety hazards and human errors . The SMS creates processes that improve communication about these risks and the measures to reduce them. The security level and the security culture of an organization are thus sustainably improved. "
Project Management Risks
Risk management in projects deals with all activities that contribute to the prevention of or dealing with unplanned events that endanger the course of the project.
Product and medical risks
Under product risks are understood hazards that charged to the customer (failure, failure, death, destruction) and also at the expense of the manufacturer (liability, loss of reputation, maintenance) may fall. A systematic risk management process is intended to ensure that product risks are identified, assessed, controlled and monitored during development [see also Product Safety Act (Germany) ].
In the development and manufacture of medical devices , among other things, the risk management methods in accordance with the requirements of the EN ISO 14971 standard must be used in order to effectively and safely counter the increasing complexity and the associated susceptibility to errors. Aspects of risk management should be taken into account over the entire system life cycle , i.e. starting with the concept, through development, production, use and in use with other medical devices and during operation up to the disposal of a medical device.
In the development and implementation of information systems , methods of risk management are increasingly used in order to counter the complexity and the associated susceptibility to errors of software products (see software technology ). Aspects of risk management should be taken into account over the entire system lifecycle , i.e. starting with the concept, through development or programming, implementation and configuration and during operation up to the decommissioning of the system.
Supply chain risk management
Procurement and logistics risks
Due to dependencies on suppliers , unfavorable deviations from the target may result. Suitable countermeasures can be: contractual ties with suppliers , supplier ratings , backward integration or just-in-time contracts . In addition, there is a procurement price risk that can be controlled through contractual price fixing, price escalation clauses in contracts with customers or forward transactions on raw material markets . There is a storage risk during the storage period .
Risk management maturity models
“A maturity model describes the maturity of a field of observation with regard to a certain method or an action or management model.” To achieve a maturity level, certain requirements must be met and all previous levels must be achieved. According to Rosemann and De Bruin, maturity is defined as "a measure to evaluate the capabilities of an organization" - a measure to evaluate the capabilities of an organization.
Risk management maturity models are used to evaluate the risk management system in the company and enable comparison with other companies ( benchmarking ). They consist of maturity levels, dimensions and assessment tools. Development can be top-down or bottom-up . With top-down there are fixed maturity levels that are specified with further properties. With the bottom-up, properties and evaluation elements are first defined and later grouped into maturity levels. For example, creativity techniques , the Delphi method or focus group surveys are used for this purpose.
6 levels of risk management according to Gleißner and Mott
There are 6 stages of development in this model:
- Level 1 - no risk management
The company management has insufficient risk awareness and therefore no systematic approach to dealing with risks. Entrepreneurial decisions in response to dangers only take place sporadically.
- Level 2 - Damage Management
The existence of certain risks is known. Measures are consciously introduced to prevent dangers. Regulations such as environmental protection and occupational safety are also taken into account. In the case of rarer and greater risks, insurance policies are taken out to minimize damage. No specific instrument is used for hazard assessment and risk action plans are processed in “silos” (isolated teams ).
- Level 3 - Regulatory risk management ("KonTraG risk management")
The company has a continuous risk management system. Risks are constantly monitored and assessed. The totality of the risks form the so-called risk inventory. Information such as scope, responsibility and frequency are set in writing in accordance with the KonTraG. Risk management strategies are developed for the important risks, for which the risks are quantified and assessed in terms of the amount of damage and the probability of occurrence. At the end there is a simple risk aggregation .
- Level 4 - Economic, decision-oriented risk management
Both dangers (negative deviations) and opportunities (positive deviations) are considered risks. There is a comprehensive, software-supported risk management system in the company, based on a strong risk awareness of the company management. An overall risk scope is calculated by aggregating the individual risks. Using the Monte Carlo simulation , “developments threatening the continued existence of the company” can be made clear after a combination of individual risks. The aim is to create flexible and agile risk management that is closely linked to strategy development. Ideally, it should adapt to unforeseen developments. Risks should be assessed in such a way that a company remains liquid and can maintain its rating even in the event of market fluctuations. This can be done by weighing possible risks and rewards using capital market models (e.g. CAMP). The company should consider outsourcing business activities not only in terms of cost reduction, but also in terms of the associated risk reduction. This risk reduction also takes place with a broad diversification of the portfolio and a loss and liability limitation.
- Level 5 - Integrated value-based risk management
The risk management process is closely linked to the operational level of the company. All plans can be assigned to risks (stochastic planning) so that planning security can be determined from them. From this, the company can calculate the value contribution, "which enables an optimization of risk management based on the company's value" and with which strategic moves can be assessed in relation to risks. The hypothesis of a perfect capital market is rejected and replaced by a realistic view of an imperfect capital market. All risks that are relevant to the valuation are taken into account (“risk coverage rate”). Risk measures such as equity requirements, probability of default and value-at-risk are used to assess and optimize the portfolio .
- Level 6 - Embedded Risk Management (holistic)
The assessment of the risk-adjusted earnings value or the risk benefit reflects the risk preference of the owner and forms the basis for strategic and operational decisions. The risk analysis includes the ex ante integration of entrepreneurial reaction options to the development of target values and exogenous risk factors. Metarisiks, d. H. Uncertainties and reactions from competitors, as well as other "behavioral risks" and "management risks" are also included in the assessment. Risk management is firmly integrated into corporate culture and entrepreneurial thinking, so that every form of management in the company is viewed as risk management.
Good risk management is a success factor for every company. As many employees as possible should be integrated in order to give the company management the opportunity to correctly record risks, to correctly assess the returns and risks and to put them into practice. However, this is only achieved in the 4th stage. The management must be the “top risk manager” because they make decisive decisions about the scope of risk. In doing so, strategies and fixed organizational patterns and methods should be applied in order to ensure that possible "developments threatening the continued existence of the company" are recognized early on.
Mathematical quantities in risk management
- Correlation coefficient
- Mean , expected value
- Performance (risk management)
- Annualized return
- Arithmetic return
- Geometric return
- Risk measures
- Standard deviation
- Steady, logarithmic return
- Value at Risk
Psychological aspects of risk management
Psychological aspects play an important role in the subjective assessment of how relevant and likely a risk is. The perception of risk depends, among other things, on personal experience, upbringing, moral standards or educational background. The intuitive risk perception is to be equated with the perceived risk.
Risk perception is influenced by qualitative risk characteristics. The properties of the source of risk take into account the extent of the consequences and the familiarization with this source. The properties of the risk situation deal with the possibility of personal control and the clarity of the hazard information. Man strives for security and complete control. It is difficult for him to make a purely rational and objective risk assessment. A distinction must be made between intuitive and rational thinking.
Intuitive thinking happens quickly and often subconsciously, it is not controlled willfully. The problems to be treated are known and can therefore be solved spontaneously and with the knowledge available. Decisions take little effort. Due to a lack of experience, rational thinking takes more time and creates a conscious, cognitive effort. In order to be able to solve a problem, targeted concentration is necessary.
Decision theory from a psychological point of view
The decision theory assumes that decisions made rationally and information can be included in unlimited size and processed. Emotional, random decisions are left out. It is therefore more about specifying how a decision should be made, not how the implementation will look in reality. The Homo oeconomicus is considered the ideal decision maker in the model. He decides on the basis of his personal preferences and existing restrictions .
Contrary to the homo oeconomicus theory , economically active people do not act completely rationally and are not completely informed. His preferences change over time, and so do his actions. Personal goals are difficult to measure, their origins and changes are not explained.
Problem solving is handled through heuristic strategies. This is about the satisfaction of the demands, not the achievement of the optimum. Most decisions are made intuitively to reduce complexity. The prospect theory describes risk-averse behavior when there is a chance of winning as well as risk-taking behavior when there is a potential loss. In the case of cognitive heuristics , easily accessible, existing information is used to assess a situation with little effort. So-called biases refer to misjudgments made on the basis of these rules of thumb.
- Representativeness heuristic : The agreement of a category or class with a sample is checked. The likelihood of affiliation increases with the number of applicable properties of the special situation with the classic case. Base rates are neglected in favor of specific information on the individual case, which can lead to wrong decisions.
- Availability heuristic : The easier information is accessible and retrievable, the more likely it is that a decision will be made based on the known examples. An event that can easily be recalled in the head seems to occur particularly frequently. The assessment based on experience can be falsified by media or personal influences.
- Anchor heuristic / adaptation heuristic : An anchor serves as the starting value for a decision, which is subsequently changed and adapted by environmental influences. It is a judgment heuristic in which the result contains a bias towards the starting value.
Dealing with Risks
The personal assessment of a risk varies greatly, which is why it is not possible to standardize the scope. In order to be able to make an assessment, risks must be recorded and consequences collected in order to finally assess the probability of occurrence . The human subconscious is influenced by experience in making decisions. The more readily available information about a risk, the more likely it appears. Risks that are discussed more strongly are thus assessed with a higher probability, although the facts speak against it.
When assessing a risk, a comparison is often made with similar risks and their probabilities. The result to be achieved is influenced by known scales.
Stereotypes lead to the fact that the base rate is ignored and perceived factors distort the assessment of the risk. Because of the risk-averse attitude, people ignore risks and feel safe. Occurring consequences are more focused than the probability of occurrence. In the case of potentially higher profit opportunities, the probabilities of their occurrence tend to be hidden, just as the extent of damage is more important than the probability. Large investments are made by companies to achieve zero risk. In order to assess a risk as precisely as possible, one relies on judgments by experts and authorities. Expert skills are often overestimated. Here it is often neglected to check whether the information is reliable, relevant for the risk assessment and is based on a stable regularity. Another falsification and simplification technique is based on the fact that complex questions are answered too simply and potential risks are overlooked. Heuristics are used to make the best possible use of limited cognitive resources.
In general, a distinction must be made between the following strategies when dealing with risks:
- Avoidance of Risks
- Risk reduction
- Risk optimization
- Risk transfer
- Sticking to the risk structure.
Transferred from the area of investor typology, there are three types of risky decisions:
- Belly man : Intuitive action can be explained on the basis of a risk- taking attitude towards risk . Decisions can be made within a short period of time.
- Heart person : The human emotions strongly shape his actions. Above all, positive feelings are expressed more intensively, while negative feelings are tried to suppress. He tries to avoid having to make decisions alone and to bear too much responsibility.
- Kopfmensch : Broad knowledge should help to keep dangers under control. Cause, effect and their connection have priority in decision-making in order to be able to control the risk as best as possible.
- Marc Diederichs: Risk management and risk controlling: Risk controlling - an integral part of a modern risk management concept . (= Controlling practice). Vahlen, Munich 2004, ISBN 3-8006-3084-2 .
- Tom DeMarco, Timothy Lister: Bear Tango. ISBN 3-446-22333-9 .
- Roland Erben, Frank Romeike: Alone on stormy seas. Wiley-VCH, 2004, ISBN 3-527-50073-1 .
- Christoph Gebler: Risk Management and Rating for Entrepreneurs. Beuth, 2005, ISBN 3-410-16110-4 .
- Werner Gleißner: Fundamentals of risk management. 3. Edition. Vahlen, 2017, ISBN 978-3-8006-3767-6 .
- John C. Hull : Risk Management - Banks, Insurance and Other Financial Institutions. Pearson Studium, Munich 2011, ISBN 978-3-86894-043-5 .
- Detlef Keitsch: Risk Management. Schäffer-Poeschel, 2004, ISBN 3-7910-2295-4 .
- C. Locher, JI Mehlau, R. Hackenberg, O. Wild: Risk management in finance and industry. 2004.
- Frank Romeike, Peter Hager: Success Factor Risk Management 2.0. 2nd Edition. Gabler-Verlag, 2009, ISBN 978-3-8349-0895-7 .
- Worst case. Between fear, alarm and serenity. Special issue of the Swiss monthly issue . September / October 2006.
- Business continuity management
- Operational safety management
- Bow tie analysis
- Opportunity management
- Management Risk Controlling (MRC)
- Risk analysis and risk management for customs controls of the German customs administration
- Risk Management Standard
- Robert Schmitt / Tilo Pfeifer, Quality Management: Strategies - Methods - Techniques , 2015, p. 363
- Nikolaus Raupp, The decision-making behavior of Japanese venture capital managers under the influence of risk perception in conjunction with other factors , 2012, p. 27
- Frank Romeike (Ed.), Success Factor Risk Management , 2004, p. 165
- MQ - Management and Quality 5-2008, Bruno Brühwiler: New standards in risk management: ISO / DIS 31000 and ONR 49000: 2008 New standards in risk management ( Memento of March 3, 2011 in the Internet Archive ), archived from the original (PDF; 166 kB) on qm-aktuell.de
- St. Mayer, DNV Business Assurance Germany GmbH: 6 steps in risk management, a derivation of risk management according to ISO 31000: 2009 ( memento of September 20, 2012 in the Internet Archive ) on June 14, 2011, archived from the original (PDF 5 MB) on vdi-saar.de
- ISO / IEC Guide 51: 1999, term 3.12.
- DIN EN ISO 14971 : 2009-10: Medical devices - Application of risk management to medical devices.
- Federal Ministry for the Environment, Nature Conservation and Nuclear Safety , Risk Management as part of the Major Accidents Ordinance, SFK-GS-41.
- Karl Hartung, Felix Walther: Realitätsgesinnung. ( Memento from July 21, 2015 in the Internet Archive ) In: Business Intelligence Magazine. No. 3/2014.
- A. Schlagbauer: Hazard analysis using HAZOP using an example. ( Memento from April 13, 2016 in the Internet Archive ) University of Paderborn, Informatik AG Schäfer.
- H. Ketterer: Risk Management ISO / DIS 31000: 2008-04, Challenge and Opportunity for SMEs. DGQ Regionalkreis Ulm, February 3, 2009. cdn.b-ite.de (PDF; 620 kB)
- BVerfG, decision of August 8, 1978, Az .: 2 BvL 8/77, BVerfGE 49, 89 - Kalkar I.
- Economic indicator , Economic indicator.
- Axel Roebruck: Risk Management . Ed .: Springer. Straubenhardt June 21, 2018, p. 210 .
- Ute Vanini: Risk Management . Schäffer-Poeschel, Stuttgart 2012, p. 228, 229 .
- Thomas Hutzschenreuter: General Business Administration. 3. Edition. Gabler, Wiesbaden, 2009, ISBN 978-3-8349-1593-1 , p. 80.
- bundesbank.de ( Memento from February 19, 2014 in the Internet Archive ), Federal Financial Supervisory Authority (BaFin), December 14, 2012.
- bundesbank.de ( Memento of February 19, 2014 in the Internet Archive ), Circular 10/2012 (BA) of December 14, 2012 Minimum Requirements for Risk Management - MaRisk.
- bundesbank.de ( Memento of February 19, 2014 in the Internet Archive ), BaFin - Annex 1: Explanations of the MaRisk in the version of December 14, 2012 - page 1 of 64.
- Charles Perrow: Normal Accidents, Living with High Risk Technologies. Basic Books, USA 1984.
- Springer Fachmedien Wiesbaden (ed.), Kompakt-Lexikon Management , 2013, p. 383
- Wilfried Polin, Christian Sierpinski: Security Management vs. Risk Management. (PDF; 0.3 MB)
- ACRP Report 1: Safety Management Systems for Airports. Volume 1: Overview, Transportation Research Board. Washington, DC, 2007. onlinepubs.trb.org (PDF; 1.7 MB)
- S. Rogler: Risk management in industrial operations: Analysis of procurement, production and sales risks. Habilitation thesis. DUV, Wiesbaden 2002, ISBN 3-8244-9084-6 .
- Hans-Christian Pfohl / Philipp Gallus / Holger Köhler: Risk management in the supply chain. Status quo and challenges from an industry, trade and service provider perspective. In: Hans-Christian Pfohl (Ed.): Security and Risk Management in the Supply Chain. Design approaches and practical implementation. Hamburg 2008, ISBN 978-3-87154-387-6 , pp. 95-147.
- Frederik Ahlemann / Frank Teuteberg / Christine Schroeder: Competence and maturity models for project management. Basics, comparison and use . In: ISPRI work report . No. 01 , 2005.
- Michael Rosemann / Tonia De Bruin: Towards a business process management maturity model . In: 13th European conference on domestic formation system (ECIS2005) . Regensburg 2005, p. 1 .
- Frederik Marx: A maturity model for corporate control systems . In: Business Informatics . No. 04 , 2012, p. 189-190 .
- W. Gleißner, B. Mott: Risk management on the test bench - benefits, quality and challenges in the future . In: ZRFG (magazine for Risk, Fraud & Governance) . No. 02 , 2008, p. 55-63 .
- W. Gleißner: Series Risk Measures and Evaluation: Part 1: Basics - Decisions under uncertainty and expected utility theory . In: RISK MANAGER . No. 12 , 2006.
- Werner Gleißner: Maturity models and development stages of risk management: a self-test . In: Controller Magazin . No. 06 , 2016, p. 31-36 .
- Klaus-Rainer Müller: Maturity model of the RiSiKo management . In: Corporate Security Manual . Springer Vieweg, Wiesbaden 2015, p. 520-522 .
- Werner Gleißner: The human factor - psychological aspects of risk management. In: Journal of Insurance. Issue 10, May 2004, pp. 285–288.
- Ottfried Renn, Pia-Johanna Schweizer, Marion Dreyer, Andreas Klinke: Risk. About how society deals with uncertainty. Oekom, Munich 2007, ISBN 978-3-86581-067-0 .
- Eric Eller, Bernhard Streicher, Eva Lermer: Psychology and risk management: Why we misjudge risks. In: Risk Manager. No. 23, 2012.
- Werner Gleißner: Rules of thumb for entrepreneurs. 1st edition. Gabler, 2000, ISBN 3-409-18688-3 .
- Werner Gleißner, Peter Winter: The risk management process as a problem-solving process - a behavioral perspective. In: V. Lingnau, A. Becker (Hrsg.): The role of the controller in medium-sized companies. Josef Eul Verlag, 2008, pp. 221–244.
- Amos Tversky, Daniel Kahneman: Judgment under Uncertainty - Heuristics and Biases. In: Science, New Series. Vol. 185, No. 4157, 1974, pp. 1124-1131.
- Sebastian Festag: Dealing with Risks. Qualification and quantification. 1st edition. Beuth Verlag, 2014, p. 6.
- Roland Eller: Compact Knowledge Risk Management. Look up, understand and implement successfully. 1st edition. Springer Gabler, 2010, ISBN 978-3-8349-8894-2 .