How much risk management is really necessary?


Active risk management helps companies to deal with uncertainties, to reach operative and strategic goals and to improve the performance of the management system [1]. This makes it an important element in safeguarding entrepreneurial success. At the same time, risk management adds value not directly but only indirectly, by avoiding risks or exploiting opportunities.
Regrettably, legal requirements like the German Stock Corporation Act [2] do not sufficiently indicate how the individual company can solve this optimisation task. However, the maturity concept for risk management offers helpful guidance, as the model’s levels of development can easily be linked to the structure and characteristics of a specific enterprise.

Maturity Level 1: Linear companies

The first level of risk maturity is represented by companies characterised by linear structures. These companies are typically relatively small, have a limited portfolio of products and services, and their target market is clearly defined. As a result, the risks arising from the direct environment and internal processes can be easily handled by one person.
Accordingly, it is rather simple to meet the requirements for a risk management system in such settings. The only thing a company has to do is to make sure that there is at least one person who systematically keeps track of risks and evaluates them. Moreover, it must be guaranteed that this person takes a responsible part in decision-making processes and that relevant information about risks is duly considered.

Maturity Level 2: Ramified businesses

Businesses of the second level are marked by a ramified system of structures, resulting either from a division of labour (e.g. development – manufacturing – sales), products and services marketed in parallel, or different target markets. This means that the company can no longer be controlled and managed by a single person alone, while each of the branches within the company structure still has the features of a linear enterprise.
Efficient risk management under such circumstances demands that it be shared: In each branch at least one person should adopt the role of a risk manager in charge of identifying, assessing and addressing risks in the respective area. If in all parts of a company this is to happen in more or less the same way, tools and processes for risk management have to be clearly defined and aligned with each other. Within these branches it is the risk managers’ job to make sure that the information about risks is sufficiently taken into account when decisions are made. To ensure that this is common practice even on the top management levels, a system of filing and transmitting information has to be created. In this way information collected on lower levels of a company will be equally accessible to higher levels.

Maturity Level 3: Matrix companies

Complex companies are characterised by a matrix structure. Communication and decision-making do not take place in a linear top-down or bottom-up manner, but both horizontally and vertically. As a consequence, there are many interfaces where information has to be exchanged, and decision-making is increasingly decentralised. Accordingly, information about risks has to be available at many different places. Decision-makers have to be capable of dealing with this information to handle risks and opportunities* effectively.
To meet these requirements, an effective risk management system must have tools and processes that run smoothly. It should be clearly defined where there are interfaces between different areas and how risks are transferred and re-evaluated in different settings. Also, information about relevant risks has to be accessible to all people who are responsible for making important decisions. At the same time, staff members need to have the necessary knowledge about risks and opportunities and the technical expertise for dealing with them. Their skills should comprise the ability to identify and assess risks, and to integrate them into decision-making processes. In this way the collected information about risks is sufficiently accurate and the information can be used efficiently and adequately.

Maturity Level 4: Risk-taking companies

Companies of the fourth stage have a high level of risk-taking, i.e. these companies systematically try to exploit opportunities by taking calculated risks, which, once a reality, can endanger the company as a whole or in parts.
It is an essential element of these companies’ business models to create an ideal balance between opportunities and risks. The requirements that matrix companies have to meet in terms of risk management have to be fulfilled for opportunity management as well. What is more, performance indicators should help to assess how efficient the respective risk and opportunity management strategies are. These indicators should of course be under constant surveillance and modified where necessary.

Maturity Level 5: High risk companies

The term “high risk companies” comprises two different types of enterprises: those whose main business is managing risks and those for which risks, once a reality, will have a disastrous impact on their environment.
In both cases it is essential to have effective risk management strategies. This requires that all risk management processes be systematically and constantly improved, on the basis of adequate performance indicators. Companies whose main job is risk management should also apply this to opportunity management.


[1] DIN ISO 31000:2018 Risk management – guidelines

[2] §91.2 AktG (German Stock Corporation Act)

*According to the definition [1], the term “risk” signifies both negative and positive effects of uncertainty on targets. In contrast, following the common usage, we here use “opportunity” for positive and “risk” for negative effects.