In the past, the world seemed less dangerous. Today, more and more companies operate on the international stage with increasingly complex technologies and increasingly sensitive know-how. However, the larger the stage on which one moves, and the more complex the role played, the more numerous the pitfalls that endanger the achievement of corporate objectives. Increased attention and appropriate instruments are therefore the order of the day – especially in a difficult economic environment.
It could be so simple to close contracts and do business: exchange goods or services. Nevertheless, the words “entrepreneurial” and “risk” form a firm team – almost inseparable. After all, nothing becomes simpler when services become more complex, commitments from contracts are to be fulfilled over longer periods of time, or the contracting parties are spread all over the world, operate in different markets and legal orders and settle in different currencies. One would have to look into the future in order to know whether all stakeholders remain reliable, what their achievements will actually be worth in the future and how conditions might change.
As a result of globalization, companies are more closely intertwined than ever before. The number of multinational corporations has risen from 7000 to nearly 104000 in the last 50 years. By 2020, there will be 140000 multinational corporations, which will further increase the complexity of risk. Natural catastrophes and cyber-attacks, for example, can lead to operational interruptions that damage not only a company, but a whole industry or infrastructure.
Through global networking, political and social unrest and war will threaten more and more companies worldwide. The latest developments in Russia, Ukraine, the Middle East, Hong Kong and Thailand show that geopolitical tensions have recently intensified. The negative consequences of this instability are added to the direct headlight. Because these kinds of dangers will affect all countries worldwide, risk assessment will become volatile and companies more vulnerable.
In the long term, companies are faced with a twofold challenge: they must face the negative effects of technological innovations and are also exposed to more volatile environmental conditions. The business risks and opportunities of so-called “disruptive” or breakthrough technologies such as 3D printing and nanotechnology have the potential to fundamentally change the competitive landscape. At the same time, companies face a fundamental risk in climate change, which cannot be directly controlled.
Lately, operational risk and supply chain interruptions have been the top priority in the risk barometer study, with this category recognized as one of the biggest risks to companies. The impact of natural catastrophes is seen as the second largest risk, while fire and explosion are the third. Since companies often take several years to recover completely from the effects of a business interruption, it is not surprising that it remains the main concern of companies in Europe, the Middle East and Africa (EMEA), the USA and Pacific-Asia.
Over the years, many companies have suffered losses from natural catastrophes. In particular, the experiences with the flooding in Bangkok and the tsunami in Japan have made companies more sensitive to the reactions of the supply chain. Companies are now aware of risk aggregations, not just at a geographical level, but also in the event of a possible downtime. It is believed that risk awareness and management have developed significantly in many global companies.
The stronger integration of the global economy is reflected in increasingly complex production processes with higher economic values. As a result, this leads to more severe business implications. For insurers, these developments are potentially greater and more complex. In addition, the risks are more closely interrelated. One and the same incident, such as a fire in a production facility or flooding in a region, can be the cause of numerous insurance claims by several companies.
Insurers already know the potential for high business losses from the energy industry. They are now increasingly seeing a trend towards similarly high damage requirements in certain production areas, such as the semiconductor and automotive industries. The retroactive effects of the mitigation of risk (such as the damage that a company suffers from disruption to a supplier) as well as business continuity management are still insufficiently covered in the supply chain risk management programs of many multinational companies.
With regard to cyber-attacks, it could be said that reputational loss is their biggest damage. As the latest hacker attack on Sony Pictures shows, hardly a day goes by without media reports about cyber-attacks or data abuse. The increasing importance of cyber risks is also reflected in the risk barometer. The rise in risk applies to all industrialized companies, financial services providers, the manufacturing sector, the energy and utility industry and also the mechanical and plant engineering sector. Reputational losses are the main cause of economic losses, followed by business interruptions and the loss of customer data. The almost implicit reputational damage suffered by a company through a cyber-attack can have a dramatic effect on the balance sheet. Therefore, companies must be aware of such reputational risks, analyze them and assess possible scenarios in order to assess and minimize the residual risk.
Not only hackers can ruin a company’s reputation. Increasingly, everyday business decisions are also being targeted by the public. Those who stand out with decisions that are considered inappropriate are quickly pilloried. Such reputation risks are difficult for companies to calculate. Targeted and effective corporate governance must therefore ensure a sustainably compliant and therefore also risk-conscious culture within the company.
This also encompasses all legal and regulatory requirements, so that compliance risks are reduced. At the same time, this behavior lowers other risks: in the event of errors and negligence in the area of compliance, claims for damages quickly loom and the trust of business partners and capital providers is at stake.
Trust and a good reputation may be existential if – for example, due to exceptional circumstances such as the economic and financial crisis – everything slips. If the reputation is ruined, financing becomes more difficult – liquidity and hence solvency are at stake. If this becomes known, business partners may lose their trust in the company’s performance and delivery capacity. And when customer relationships become problematic, the company’s own employees may also be less engaged. These, in turn, are the ambassadors of the company, whose image is part of it – and this is only a part of the diverse network of interactions.
There are uncertainties and risks in each business for both parties. Buyers rely on the ordered goods or services – the entire production process may depend on a few or even a single supplier. In such cases the supplier risk is enormous. On the other hand, sellers can never be completely certain that their customers will actually pay for the goods ordered – or even delivered. If a larger claim or a major customer defaults, such default risks can threaten the existence of a company.
If the contracting parties have different currencies, they must take account of fluctuations in their exchange rates in their calculations. For if the currency of one partner loses value unexpectedly, either its costs increase or the revenue of the other partner shrinks – depending on the currency in which it is billed. The value of a currency depends on the economic development in a currency area: currencies of boom nations are in demand on the foreign exchange markets. If the economy goes into crisis, in many cases the currency also falls.
In addition, the economic environment influences each individual business and the market and economic risks that must be taken into account. If, for example, you are forced to pay higher wages in an upturn, you may not be able to hold the price. There are signs of renegotiation and new, higher prices. If the economy weakens, buyers may not be able or willing to purchase as much as initially agreed.
The overall economic development also characterizes the level of long-term interest rates and thus the financing conditions for companies. Changes in the financing and therefore also the investment conditions must be calculated as interest rate risks. For example, when financing is done through loans, rising interest rates make it more expensive. If financing for long-term interest rates is too high, interest rates may be offset against competition. The interest rate is therefore an important factor in the management of the liquidity that a company holds. Risks also lurk in liquidity control.
Too many liquid funds may cause high opportunity costs – after all, the money sitting in the cash register could also be put to profitable use. However, if a company holds insufficient liquidity, short-term expenditures may not be paid. Especially in the past economic and financial crisis, quite a few companies painfully learned that liquidity risks can be a threat to their existence.
- Literature review
In general, risk is seen as an ambiguous division, position, issue or event which, by its materialization, could signify a possible loss or a positive event in completing the targeted intentions by an individual or an action and which nurtures a certain amount of doubt. (Danescu, Prozan, & Danescu, 2014) Entrepreneurial activity is always associated with uncertainties. The task of risk management is to systematically identify opportunities and risks and to assess them with regard to the potential impact on the company. The term risk is therefore defined as a spread around an expected value. According to this definition, both positive deviations (chances) and negative deviations (dangers) should be taken into account.
When speaking about the risk of a certain company, we should have in mind two concepts, namely “risk assessment” and “risk acknowledgement”. These two concepts are given particular consideration in the oil and gas industry and in societal safety and security, because these industries involve a higher degree of personnel injuries; hence investigations must take cause-and-effect events into account. A report from July 2011, on the terror attacks on the government quarter in Oslo, states that one of the major causes of that severe damage, where 77 people were killed, was the lack of “risk understanding” and “risk acknowledgement”. (Amundrud & Aven, 2015)
There are no fixed definitions for these two risk concepts, despite the fact that they are widely used, which creates ambiguity in interpretation. In the oil and gas industry, the concept of deficient risk understanding can have multiple meanings, such as deficiency in communication, deficiency in accomplishing the requirements, absence of capability, or missing risk assessment. Therefore an adequate “risk assessment” is needed for understanding the whole picture of risk, and the findings of this assessment should be accurately communicated. The fundamentals of a good understanding of risk are suitable expertise and training. Moreover, “risk understanding” expresses itself “at the individual level by the individual offshore worker, but also at the system and organizational level”. (Amundrud & Aven, 2015)
Successful risk management is only possible with target-oriented companies. Risk management cannot be viewed independently of corporate objectives. If one or more of these objectives are not met, a company is endangered. When defining the risk management objectives, management or the Management Board is the highest decision-making authority. In addition to the target definition, strategic risk management involves the organizational embedding in a company as well as the communication of risk-based policy decisions. (Romeike & Finke, 2003)
One of the biggest triggers that companies have to take care of nowadays is risk management failures. Enterprise risk management (ERM), a broadly organized process which detects possible hostile actions and offers methods to cope with risks, has been proposed as a method to deal with the capacity and complexities of the risks handled by organizations nowadays. (Ahmad, Chew, & McManus, 2014) According to Kot (2015) there are 7 major components that should be specified if we seek to build the ERM structure, namely:
- Identification of risk – here we take into consideration the fact that the risk’s occurrence is already included in the risk definition, and that the lost opportunity is a bigger danger than business interruption;
- Risk owner identification – the assignment, to each risk category, of an owner who has appropriate experience and skills in exposure management;
- Responsibility for risk orientation – risks are grouped in such a way that they can be handled by one responsible person;
- Generating a fundamental risk function – this is usually a person in charge of organizing the debate about risk. This person should be placed high in the organizational hierarchy, because he/she might have greater experience;
- Building a “storehouse of knowledge” regarding ERM – a method for supporting decisions, intended to make the risk mechanism understandable. This is a kind of source created in order to share information;
- Participation of the company’s Management Board – this element is grounded in the awareness that the Management Board should concern itself with management, and that is the purpose of creating a clear system of risk reporting;
- Use of a standardized risk valuation process – only in this way is it possible to decrease or avoid exposure to risk.
The business environment in the 21st century is characterized by highly dynamic economic, social and technological change, as well as by increasing competition and rationalization pressure, the internationalization of markets and ever-increasing demands on the management of the company. Every day, decision-makers see themselves confronted with more uncertainty, higher complexity, increasing information expenditure and growing responsibility. The merging of world markets, in particular, leads to fundamental changes which export-dependent industrial companies especially cannot escape if they wish to remain competitive. Companies must always open up new markets, constantly implement new processes and bring new products onto the market, in order not to fall behind. (Götz, 2004)
The framework conditions for entrepreneurial activities have changed fundamentally in recent years. Aggressive price struggles, shortened economic cycles and an increasing volatility of the markets have contributed to an intensification of the competitive environment for years. A comprehensive knowledge of possible risks as well as their control are now essential prerequisites for ensuring the survival of a company. There are many advantages to assigning risk management to controlling. By participating in numerous planning sessions, controllers know exactly how to plan carefully and honestly. Planning uncertainties and the associated risks are part of their day-to-day business. Controllers have an overall view of the company and are therefore able to recognize interconnection risks. Their role as a “counterpart function” helps them to identify management errors even before they occur. A lack of business management knowledge among managers or self-serving behavior by entrepreneurs can thus be countered in time. However, this also entails the risk that controllers contribute to a company’s development and innovation potential if the risk management system additionally strengthens it in this (counterpart) function. The conceptual delimitation of risk management from risk control, as well as an exact definition of tasks, represents the first step to avoid this risk.
Risk control can be seen as a supporting element in risk management. The goal is to coordinate the planning, steering and control of risk-relevant issues. It also provides evaluations and documentation to strengthen the risk awareness of managers and employees. The tasks of risk controlling are essentially derived from the tasks of the controlling department. Ensuring the provision of information and hierarchical risk reporting are the central tasks of risk control. In addition, the company is responsible for the identification, assessment and management of risk potentials.
Because risks cannot be eliminated, companies generally choose to implement ERM, since it is seen as a strategic planning tool which helps in the identification and management of risk and in responding effectively to the issues encountered. (Ahmad, Chew, & McManus, 2014) It is mandatory to take care of the policy procedures, making sure that they are complete and operationally applied, because the following features are measured throughout the annual risk evaluation: the actions that were taken in the previous period concerning the risk issues and their fluctuations in the examined period, substantial events that happened in the previous period regarding the previous assessment, the observation of risk management by control committees, development of the ERM application and its audits, outside advisers and rating agencies. (Kot & Dragon, 2015)
In the social safety and security domain, the term understanding of risk has mostly the same meaning as in the oil and gas industry. As a consequence, the method used for risk understanding is the professional prevention and management of incidents that are seen as being very serious, assuming that those in care improve their knowledge about the risks they encounter and actively adjust their manners accordingly. Hence, understanding of risk supports the decision on which initiatives are to be taken and helps define the extent of the safety and emergency awareness that society decides on having. (Amundrud & Aven, 2015)
The objectives of risk management can only be determined in connection with the respective corporate objectives. A purely isolated view of risk management goals without consideration of underlying supervisory targets is therefore not possible. When defining the target, the assumption about the company’s existence is a basic requirement. Business activity is dominated by the management of risks. General risk mitigation is not possible, since risks always involve potential successes (chances) and their complete elimination would paralyze the company. The objectives of risk management can be summarized as follows:
- Securing future success
- Avoidance or reduction of risk costs
- Increase in market value of the company
The general task of risk management is to support the company’s management in the realization of the defined corporate objectives and to raise the management of existing risks. By actively addressing the risks, a risk-conscious corporate philosophy is to be built in the long term. The detailed tasks of risk management include the systematic handling of risks (within the framework of the so-called risk management process, in which risks are identified, controlled, evaluated and monitored), as well as a continuous improvement of the risk management tools.
Risk management and control is a key part of the entire risk management process. This phase aims to positively change the risk profile of the company or to achieve a balance between profit (opportunity) and risk of loss (risk) in order to increase the company’s value. Risk management and control includes all mechanisms and measures for influencing the risk situation, either by reducing the probability of occurrence and/or the extent of damage. Risk management and control should be consistent with the objectives defined in the risk strategy as well as the general corporate objectives. The objectives of this process phase are the avoidance of unacceptable risks as well as the reduction and transfer of unavoidable risks to an acceptable level. Optimal risk management and control is the kind that increases the company’s value by optimizing the risk positions of the company. (Wiederkehr, 2010)
Moreover, precise risk understanding is established over time by accumulating information about the probability that several situations will take place, and the consequences of diverse results. It can be seen that “risk understanding” is acknowledged as gathering of the risks one is confronting, however this action may take time to be completed, so the suitable “risk understanding” is a requirement for suitable risk mitigation. Also, the concept of “risk understanding” enhances the foundation for dimensioning of safety and emergency alertness procedures. (Amundrud & Aven, 2015)
The risk management process is at the heart of risk management. Basically, it is divided into five phases. The actual process consists of risk identification, assessment and control. Parallel to these phases are risk and process monitoring. Risk identification is at the beginning of the risk management process and sets the direction for all further phases. To be competitive in the long term, companies must take risks in order to exploit the resulting opportunities. Depending on the industry, companies are threatened by a wide variety of risks. In order to carry out successful risk management, all risks relevant to the company must first be recorded in the identification phase. The potential risks should also be recognized. Risk identification includes the risk assessment used to analyze, evaluate and classify risks. The aim of the assessment phase is to identify the risks that are characterized by a high potential loss and a very probable occurrence. In the context of risk management, the previously determined and analyzed risks are actively influenced by the targeted use of strategies and instruments. The company has the following options for counteracting the risks:
- Risk avoidance: Risks which have a high probability of occurrence and a high damage potential should be avoided if they cannot be sufficiently planned and controlled.
- Risk reduction: The aim of the risk reduction is to reduce risk potentials to an acceptable level.
- Risk limitation: A further risk strategy is that of risk mitigation with its areas of risk diversification and risk mitigation. Risk distribution involves, e.g., lateral diversification. Risk mitigation, on the other hand, means the establishment of loss limits.
- Risk transfer: Risks can be transferred to the contractual partner by paying a risk premium.
- Risk acceptance: All those risks whose probability of occurrence and loss potential are very low are accepted.
The final phase of the risk management is process monitoring. In this, the risk identification is checked for completeness, the risk assessment for correctness, the risk management for adequacy and the risk monitoring for compliance.
In the past, the term “risk management” was thought to be a means to diminish or even remove the negative results of exposures. However, research on this issue has shown that risk management can be considered much more than a tool to diminish or remove the issues of a company, because this concept can be stimulated by market factors, which are outside management control, controlling volatilities in earnings, which eventually increases corporate performance. If we go further with this idea and compare the relationship between risk management and company performance, we find that the companies which have invested a higher level of intellectual capital have shown a positive relationship between risk management and company performance. (Mohammed & Knapkova, 2016)
There is also another term which is specific to risk management, namely “risk awareness”. The term “risk awareness” refers to the awareness of hazards for specific objects. Such endangered objects can be persons, animals, things, the environment, assets, organizations, etc. Through evolution, we humans have learned a differently pronounced feeling for dangerous situations. This is essentially due to the learning time that we had at our disposal in order to build the appropriate risk awareness. Direct dangers to body and life or physical integrity are almost the oldest risks known to humans. The impact of these risks has also been dramatic for a long time. For these dangers, we have developed pronounced risk awareness. If one now thinks of more abstract risks such as a business interruption in a room operation by the failure of the hard disk on which the binding software is installed, then the risk awareness quickly drops to a very low level. One simply does not know the risks for lack of experience. (Wiederkehr, 2010)
Currently, there is an outsized evolution in the business environment, triggered by economic and political conditions. It underlines more and more the issue of risk management in business. Companies that wish to stay in the market have to change their exposure to risk dynamically. Therefore, the concept of Enterprise Risk Management is increasingly gaining popularity. This concept implies a worldwide approach to risk that takes into account the business’s strategy and goals. Sometimes, risk management is not considered as being one of the many functions inside the business, but extends throughout the business in combination with all of the company’s processes. One of the representative purposes of ERM application in a company is to develop economic performance and attain greater stability. The feature of this application could reveal the so-called “rating of risk management”, which, according to worldwide research, is connected to the company’s financial results. (Kot & Dragon, 2015)
In the case of companies that deal with natural resources, the great level of ambiguity characteristic of natural resource management needs developers to create wide-ranging risk analysis, often in circumstances where there are scarce assets. Globally, natural resource managers regularly struggle with the achievement of operational goals, taking into consideration the fact that there are three kinds of factors that can impact this type of business environment: a frequently reduced understanding of the intricacies of nature; the overabundance of processes and the related risk factors that need management; and resource limitation issues. Furthermore, risk analysis is considered to be an important component of decision making that, combined with other socio-economic information, gives a greater outcome in selecting priority management actions. Nevertheless, it would be useless to invest resources in activities where failure to meet management targets is possible. (Smith, Wallace, Lewis, & Wagner, 2015)
In order to survive in the market and also to collect all the benefits of managing risk, companies should have in mind that the idea of risk aversion can be associated with individualistic behavior, but it is not possible to avoid all kinds of risk. Therefore many companies are used to taking risks associated with opportunities. Risk management has a solid stimulating effect on the main stakeholders to participate further in the organization. This participation is an advantage for the company in delivering better business opportunities, which eventually leads to long-term competitive advantage. Unsuccessful risk management leads to extra charges and costly lower end results for both the company and shareholders. (Mohammed & Knapkova, 2016)
Strategic risk management is the integrative staple and foundation of the entire risk management process. It mainly includes the formulation of risk management objectives in the form of a “risk policy” or “risk strategy” as well as the definition of the organization of risk management. Before risk management can be introduced and lived as a continuous process, the basic parameters (such as risk policy statement), organization (such as functions, responsibilities and information flow) and the actual process phases must first be defined.
The operational risk management process involves the process of systematic and ongoing risk analysis. The purpose of risk identification is the early detection of “developments that jeopardize the company’s continued existence”, such as the most complete possible recording of all risk sources, causes of damage and potential for interferences. For an efficient risk management process, it is important that risk management is integrated into the business processes as a continuous process – in the sense of a control loop. Risk management and control is a key part of the entire risk management process. This phase aims to positively change the risk profile of the company or to achieve a balance between profit (opportunity) and risk of loss (risk) in order to increase the company’s value. Risk management and control includes all mechanisms and measures for influencing the risk situation, either by reducing the probability of occurrence and/or the extent of damage. (Wiederkehr, 2010)
The special feature of operational risk is that it is inherent to each individual process, which in principle differentiates it from most other risk types. As a matter of principle, each process owner becomes an actor in operational risk management: every decision he makes influences the operational risk, and he is able to control the risk. Hence, several points are important, from which a certain potential problem can arise. On the one hand, the active management of operational risk only costs valuable resources. On the other hand, a consistent assessment of operational risks makes it possible for the process owner to improve his performance, since this means that it needs less capital. There may therefore be little incentive for the owner of the process to manage, deal with, and forward information. In addition, there is the risk of incentives to increase risks in certain performance-based forms of remuneration. If a fund manager’s compensation consists of a fixed amount and a share of the fund’s value, he may increase his expectation by increasing the risk.
Corporate management should first have an overview of the operational risks and set up a risk strategy in which the entire risk management process should be aligned. It defines the areas of responsibility within the scope of the organizational structure and provides instructions and thresholds. As a rule, independent departments for risk management only exist with a larger scope of business, since they can then promote the coordination of the risk management process and provide an overview of the numerous cross-process risks. In contrast to the risk committee, the risk management department also documents the risks.
For the allocation of operational risks, it is a good idea to assign risk to the individual business processes. However, since it is often not possible to make a process-oriented assignment, cross-process risks are also defined, for example in the human resource area, which cannot be attributed to a business process. In doing so, care must be taken to ensure that no gaps arise and no risks are disregarded, since operational risk is often more versatile than other types of risks. Therefore, a risk catalog or a risk map should be developed with all processes, persons, systems and external factors from which operational risk can arise. Taking into account this specificity, the management process of operational risks is similar to other risk management processes. In all process steps a smooth flow of information is to be provided.
The risk strategy shows the general handling and the procedure with risks, which is necessary for the achievement of the company objectives. For example, the tolerance against incoming risks is described, as well as threshold values, which are to be displayed by the control instruments. The risk strategy is derived from the general corporate strategy, which in turn is oriented towards the corporate objectives.
The identification is intended to gain all information that is important for the management of operational risks. This includes both the individual process-related risks and the cross-process ones. Outsourced areas (for example IT) should also be considered. The operational risk information can be divided into three groups: actual losses, near-losses and risk potentials, as well as risk indicators. The risk potential is intended to ensure that events with severe consequences and low probability are taken into account. For instance, for events like 11 September there was (almost) no loss data from the past because of their uniqueness for the companies, although the risk would always have existed. Indicators provide an indication of changes in the risk profile, as risk potentials need to be reevaluated on a regular basis as a result of the various changes in business processes.
The determination of this information is carried out in various ways, but the actual losses incurred can still be obtained relatively easily by implementing a loss database for operational risks. Here again, the complete recording of the loss data is essential. More difficult is the collection of near-losses, since these are often not reported by the employees, or very subjective assessments result. Here, problem-solving of the employees, for example through training, is necessary. In contrast, risk potentials cannot be directly detected, but must be estimated indirectly through scenario analyses and self-assessments. Since the loss data are inherently historical and the risk potentials determined can only be used to a limited extent for future prognoses, conclusions are drawn about the changing risk by means of indicators. If an indicator, for example the number of system failures, shows a significant increase, an increased operational risk must also be assumed. It may be a problem to determine the exact relationship between the indicators and the actual occurrence.
Following the identification of the risks, they are analyzed and assessed as the basis for the subsequent control. For this purpose, all the information obtained must be assigned to the individual processes, and in the case of cross-process risks proportionally. In order to enable management decisions, statements and assessments of operational risks are necessary. In the case of loss data, however, a direct monetary quantification exists, but from the past. Risk potentials, on the other hand, are clearly future-oriented, but pose risks through the strong subjectivity and consideration of past experiences.
Traditionally speaking, there are two perceptions of risk management. On the one hand, risk management is seen as the way of managing the hostile effects of risk, without taking into consideration the opportunities that accompany that risk. On the other hand, we can talk about independent management of risks, which means that every risk is classified separately into different categories. This being said, we can conclude that the occurrence of one event can have an adverse effect on one unit of the entity, while it can at the same time be considered an opportunity for another unit of the organization. When we speak about traditional risk management, we do not take the last principle into consideration, because it only manages the threat without bearing in mind the counterbalancing outcome of the opportunity. (Mohammed & Knapkova, 2016)
Some people define risk as the possibility of negative or positive deviation of the result from the expected value. With regard to companies, this can mean both the chances of profits and the risk of losses. In many cases, however, only the negative case is referred to as a risk, and only the risk of losses is understood by it. The concept of risk in the sense of the risk of loss is then compared to the term chance in terms of profit margins. If opportunity is defined as the possibility of a positive deviation of the actual result, risk and opportunity are therefore two sides of the same coin. (Götz, 2004)
When we talk about risk, we can consider it a phenomenological variable, which makes it fascinating to examine in terms of how people comprehend the term. Nevertheless, the uncertainty and variability of the results of certain actions cause risk to be associated with a threat. An anticipation or mitigation system for the potential effects of threats should be formed by taking into account the understanding and the dynamics of the progress of threats to security at the international, regional, national and local levels. Such a system should be grounded on the rules of risk management in crisis circumstances. (Ostrowska & Mazur, 2015)
As opposed to traditional risk management, due to its dynamic character, the total risk may take into consideration potential failures, but at the same time can exploit the opportunities. Furthermore, we can see risk management as a systematic and practical approach that attempts to be more than a collection of understanding, measures and evaluations; in this way, this concept can manage all the risks faced by the company. (Mohammed & Knapkova, 2016)
In principle, risk management means the continuous assessment and collection of events, actions and developments that could hinder an enterprise from achieving its objectives and successfully implementing its strategy. A distinction is made between strategic (corporate risk management) and operational risk management. Corporate Risk Management closes the gap between corporate strategy and operational risk management. In operational risk management, the company and its business processes are systematically and continuously analyzed for their risk potential. The focus is on individual risks. It is important to note that the risk management process is always understood to be a control cycle in which the results of operational risk management are again integrated into the objectives of strategic risk management. (Wiederkehr, 2010)
There are many corporate businesses that deal with the topic of risk management, however it is said that the area of studying the concepts of risk management was not entirely explored, because most of the management risk area tries to measure the effectiveness of different risk management systems only by the examination of risk management which take into consideration the potential failures. This measure can lead to risk examination and termination, without taking into account the means for higher corporate performance. (Mohammed & Knapkova, 2016)
An efficient risk management process works similarly to the human organism or other network structures in nature. In a human organism, the brain, the heart and the nervous system work together. Networks are adaptable and flexible, share common goals, play together, and avoid hierarchies. Network structures are scalable and extremely viable. Transferred to the process of risk management, this means that different sensors and senses absorb the risks and forward them to a central point. And overall, the strategic orientation of the system (company) decides on the risk profile. In this context, it is important not to look at the strategic dimension of risk management in isolation from strategic management. Rather, the strategic risk management is part of the strategic management of the company. (Romeike & Finke, 2003)
The choice of the risk identification methodology is highly dependent on the specific risk profiles of the company and the industry. In practice, the individual methods and tools should be combined. Checklists, workshops, visits, interviews, organizational plans, balance sheets and damage statistics help to identify risks. The results of the risk analysis are incorporated into a risk inventory. The identified risks must be analyzed and evaluated in detail. The objective should be a reasonable risk measure that is as far as possible for all risk categories. In company practice, a traditional quantification of the risks depends on the extent of damage and probability of occurrence. (Wiederkehr, 2010)
An effective and integrated risk management system must improve the situation of the company. Applying effective risk management requires enormous supply utilization. Therefore, the company expects improved performance from the risk management system it employs. It is known that effective risk management improves the company’s consideration of experiences that are anticipated to possibly test the firm, and its handling of risk as an opportunity rather than a threat. Hence, integrated and effective risk management, anticipated to support the decision-making process, can eventually lead to the development of the company’s performance by successfully predicting the balance of the tradeoff between risk and expected return. This being said, in order to exploit its opportunities, an organization should understand its integrated risks. (Mohammed & Knapkova, 2016)
It should be stated very clearly that each decision we take today may not have the expected results in the future, mainly because nobody can be sure how the particular factors that contribute to a certain decision may influence the future. Hence, we could say that each decision is related to a prediction of a given state in the future. Daily risk can be the effect of numerous causes. It may be the consequence of predetermined circumstances such as biological influences. A considerable source of risk in daily life is the inappropriate behaviour of others, which increases the number of fatalities in road accidents and also in accidents at home and at work. Nevertheless, these issues are not always connected to an individual or local dimension. On occasion these are dangers related to a large number of persons, such as epidemiological risks, the risk associated with the consumption of genetically modified food, ecological risk, and also the risk of a military conflict or war. (Ostrowska & Mazur, 2015)
Taking into account only the operational part of risk, in the context of the decision-making process, there is a set of complex issues regarding its practical-methodological nature. There are some studies made by the Basel Committee and the Central Bank of the Russian Federation regarding the assessment of operational risks in the activity of the banking system; however, that research does not mention the impact on the activity. According to Daryakin, the absence of an integrated methodology concerning the impact of operational risk is one of the main shortcomings of the existing studies. (Daryakin & Andriashina, 2015)
The efficiency of risk management increases liability among stakeholders, therefore improving the efficiency of competitive advantage in the context of strategy. Hence, assimilating risk management actions and the search for a risk management procedure would have a bigger influence on identifying business opportunities and would simplify the delivery of information and best performances. Nevertheless, integrated and effective risk management can improve the company’s strategy by leading to sustainable resource allocation. (Mohammed & Knapkova, 2016)
An aggregation of the identified and relevant risks is necessary because they also act together in terms of profit and equity. It is thus obvious that all risks jointly burden the risk-bearing capacity of a company. The risk-bearing capacity is determined by two variables, namely equity capital and liquidity reserves. The assessment of the overall risk scope makes it possible to state whether the risk-bearing capacity of a company is sufficient to actually bear the risk scope of the company and thus ensure the company’s continued existence. (Wiederkehr, 2010)
To manage and control risks efficiently and to recognize and exploit opportunities is part of the core business of the company. Despite this, the company’s ability to take risks is very different and depends on the ownership, liquidity, the affiliation of the company and the personal risk management of the company management or the owner. (Romeike & Finke, 2003)
Globalization is a concept that is indispensable in the economy. Trading, procurement and also the sales markets are distributed worldwide. More and more companies are outsourcing and concentrating on their core competences. The result is value chains, which consist of networked plants and production plants. These chains are to react more efficiently and sensitively to changing customer requirements. The range of products has greatly increased, therefore costs must be reduced, storage times must be minimized, and the quality must be consistently high. This makes the structures more and more complex and thus more susceptible to disturbances. A prominent example is Toyota. In 1997 a fire broke out at a supplier for brake valves. The production had to be interrupted for two weeks. This resulted in a loss of US$325 million. Therefore it is becoming increasingly important to deal with the risk of such value chains. If the risks are not recognized or not well controlled, interruptions, loss of sales, loss of value, additional costs, delivery bottlenecks, overproduction or quality problems are the short-term consequences, which can lead to bankruptcies or even destroy the entire value chain.
Nonetheless, effective risk management reduces the likelihood of insolvency and decreases the cost of gaining capital. This concept is anticipated to alleviate incomes. A constant income leads to a good image of the company, because the organization can be ready any time to refund dues which is a sign of a lower company and market risk. This situation can be a great advantage for the company, due to the fact that its credibility on the market stage makes it easy to access borrowing at a reduced interest rate. A lesser fluctuation of income may lead to a greater external demand for the company’s shares.
Possible stockholders might be stimulated to make investments for the company’s projects due to the encouraging proofs of less fluctuation in netting. As a result, the cost of capital can be diminished, the company being able to obtain both debt and equity at a lower cost. The performance of a company can also be the result of the lesser average cost of capital. As a consequence, the performance of a company can be associated with effective risk management. (Mohammed & Knapkova, 2016)
- Operational risks for OMV Petrom SA
As OMV Petrom SA is a company that discovers, produces and processes oil & gas and distributes fuels and other oil products in order to provide Romania and neighboring regions with energy and mobility, managing the risks of such a company requires that the process of identifying, assessing and mitigating existing operational risks be carried out in accordance with the profile of the company. The sustainable and profitable growth of this company is of benefit to its shareholders, customers, employees and the Romanian economy.
Risks, in fact, represent the net negative impact of the exercise of a vulnerability, taking into consideration both the probability of its occurrence and its impact on the whole organization. Operational risks do not arise as a result of revenue modification on a year-to-year basis; they arise solely from the operational nature of the business activities pursued in a specific location. In order to align the identification and assessment of the operational risks with their mitigation, several tools should be used to link risk management to the system development life cycle (SDLC) (Stoneburner, Goguen, & Feringa, 2002).
In terms of operational risks, many companies separate Enterprise Risk Management (ERM) from Corporate Performance Management (CPM), while they should integrate one into the other and not necessarily have separate management systems within the organization. By integrating both systems, the overall risk awareness and culture within the company will become coordinated with the internal control function. That is, OMV Petrom should intertwine these two types of management, which analyze Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs), and provide a holistic approach (Raid, 2012).
At first glance, OMV Petrom is active in the Oil & Gas Industry, and the risks related to this industry can be classified according to their impact on the whole organization:
- Availability risk – lack of resources – required resources, such as people, tools, financial resources, input from other processes, are not available to perform the process.
- Performance risk – lack of knowledge or skills of people, which implies that the employees do not have sufficient knowledge or skills to perform the process as designed.
- Compliance risk – the risk of not complying with the legal framework, regulations or other policies, leading to additional costs because of the fact that the regulatory compliance activities remain still not optimized.
This, in turn, is only one type of organizational risk classification. A more detailed sub-classification of the operational risks that Bitdefender has, according to risk causes, is:
- Risks arising from faulty decision-making processes
- Risks arising from operational processes (supply chain management, procurement, distribution)
- Risks from not complying with laws, regulations, agreements
- Intellectual Property Rights Infringement
- Discontinued operations
- Lack of control over Tangible Assets
- Management of Information within and outside the company
The overall risk classification for OMV Petrom SA will be divided further on into smaller, specific-wise risks that cover the overall classifications of risks presented above. The company has the following specific risks:
- There is the risk that OMV Petrom SA would suffer from power shortages, force majeure events, earthquakes and other hazards
There are several risks from this point of view, and these are represented by the uncontrollable factor that lies at the root of hazards.
These might imply:
- having high costs for energy, power shortages
- interruptions of production and services to some of the business customers
- interruption of business operations, destruction of technology and physical infrastructure
- creation of social turmoil
As causes, we have:
- earthquakes, biological disasters and other hazards; the uncontrollable factor
(b) INTERNAL: OMV Petrom is uninsured against massive losses and business disruptions caused by a large scale hazard
How to mitigate/protect against this risk:
- build up insurance plans for the business that are indexed to the location and the likelihood of those hazards happening
- incorporate earthquake mitigation into the local planning
- map the vulnerability to seismic hazards
- monitor buildings, infrastructure
- develop proper assessment of the abusive impact a hazard would have on the overall business
- develop an emergency plan in case the worst scenarios arise
- The company could be affected by labor market mobility and further fluctuations in the labor market
Finding the right people for the right careers could be a real challenge, especially because the company needs highly qualified engineers.
- increased salaries and overall increased costs, even though the Oil & Gas Industry is given incentives to become competitive (no level of income taxation in Romania)
- originating from Romania, most of the labor force is based there. Labor costs are low, but as Romania is an emerging economy, overall cost of living and level of development is believed to be increasing
- talent war with competitors
- high employee turnover
(b) INTERNAL: inefficient recruiting
How to mitigate/protect against this:
- find a strategic solution for the recruiting process: in this case, outsourcing the recruiters is not the best solution since there is a very intensive and extensive tech process and a continuous striving for innovation. The best solution is recruiting the employees/managers by using recruiters from within the company, because they know all the technical and business processes best
- offer employees/managers professional and personal development tools
- offer attractive salaries according to expertise, adjusted to the cost of living in a certain country where OMV Petrom’s subsidiary is
- provide a friendly, pleasant working environment, where efforts are rewarded
- In case of non-compliance with the legal environment that will lead to being considered law violations, OMV Petrom would be adversely affected.
- expensive litigation and regulatory procedures
- reputational damage
- operational disruption
- more severe administrative and penal regulations to correct the law violations
- loss of customers, damage of relationship in the whole distribution chain
- increased costs of products and services due to tightened regulations
- managers/officers within the group that could not abide by the law
- possible unclear business conduct standards and not enough knowledge of the existing law in place, regulations and what is considered to be violations, in case of employees/managers/officers of the company
How to mitigate/protect against this:
- establish standard operating procedures and internal controls of Bitdefender and make sure that all employees/managers are following them
- segregate the actions and dual authorizations given to managers
- monitor closely and verify if the operating procedures are being followed by everybody without exception
- discover deviations from complying with the operating routine
- provide the company with an internal audit department
- perform Sarbanes-Oxley audit (in the case of the US subsidiary)
- perform external audit
- OMV Petrom SA must manage properly its business growth. As the company is expanding (it currently has subsidiaries in Austria, Romania, Turkey, Bulgaria, Hungary and more others), it has to use efficiently the resources available, including management and personnel to bring value to the company, increase market share or take advantage effectively of the profits.
Effects of such risk include:
- unresponsiveness in terms of providing customer service
- inability to deliver products and services on time
- inability to coordinate ERM and CPM and implement proper control systems and effective financial reporting.
Some causes why this risk might affect OMV Petrom SA are:
- the improper allocation of resources (from physical to intangible, know-how, expertise)
- the inability to properly assess the opportunities and threats when deciding to expand internationally (proper macro-environment analysis)
- inadequate management system to control the business growth
- misalignment of the company’s objectives and its actions
- uncertainty and the uncontrollable factor – if OMV expands in a new environment, the holistic knowledge of that place of expansion is unlike the knowledge of the point of origin of the company
How to mitigate/protect against this risk:
- have availability solutions for building reliability and optimized storage management capability for the clients
- offer faster, more efficient security solutions
- assess properly the risk when entering a new market; provide proper market segmentation, targeting, do PESTEL and competition analysis etc.
- create the risk aversion profile of the company. Is the company willing to take the risk of expanding? Is the business aligning its objectives with the actions that it takes?
- see the limitation-characteristic of the resources involved in the process and try to allocate them as efficiently as possible
- align the management of the company with the cultural/business profile of the country of expansion and the company. Provide intense recruiting to find the right level of “adequate management”
- Risk at the workplace, when performing activities that may endanger the life, health and body integrity of the personnel
Below are described the risk factors and also how to mitigate them.
- Errors might appear during the execution of the work. There are several types of error that should be taken into consideration:
- Wrong execution of operations, such as commands, maneuvers, positioning, assembly, adjustments, misuse of protection means
- Operation deviations – delayed in advance
- Execution of operations not included in the job task, for example starting or stopping the energy supply (electricity, energy fluids, etc)
- Misses – not using the protection means or lack of some operations
- When employees receive tasks that are inappropriate, errors may occur:
- Inappropriate content of the job task against security requirements, for example wrong operations, rules, procedure or inappropriate working methods (wrong sequence of operations)
- Under/oversized tasks compared with the executant’s ability, such as physical demands (static effort, forced or vicious working postures, dynamic effort) and also mental demands (alert work pace, difficult decisions in a short time, short cycle repetitive tasks)
- The fact that most of the risk factors appear in the production field is well known. Moreover, this type of risk can produce the highest damage with the worst consequences. The main 5 factors found in this type of company are as follows:
- Mechanical risk factors – such as functional movements of the machinery (moving machine parts, fluid flows, movement of vehicles), movements under gravity (slipping, rolling on wheels, free fall, discharge, etc), excessive vibration of machinery which can lead to fuel leakages and waste of time. Moreover, there can be dangerous surfaces or contours (stinging, sharp, slippery, abrasive, and adhesive) which can cause harm or even death at the workplace.
- Thermal risk factors – this type of factor is influenced by changes in temperature, and the company has to take into consideration the equipment and the facilities given to the employees who work in low/high temperatures
- Electrical risk factors – direct touch/indirect touch
- Chemical risk factors – given the fact that we are talking about the oil and gas industry, the substances used by the employees can be toxic, caustic, flammable, explosive and even carcinogenic
- Biological risk factors – there can be cultures or preparations with microorganisms (bacteria, viruses, fungi, protozoa, etc), dangerous plants or dangerous animals (venomous snakes)
- Working environment can also be full of risks, if we take into consideration the physical risk factors (air temperature, air humidity, air pressure, air ionization, noise, ultrasounds, vibration, natural calamities and many others)
How to mitigate/protect against this risk:
- Conducting tests and inspections within established terms
- Eliminating the possibility of generating mechanical sparks
- Preventing the use of the initiation sources in the installation area
- Checking the lighting installation
- Permanent inspection of the connections to the grounded belt
- Following instructions and procedures for work safety and health, taking into account the four components of the working system: executive, working environment, means of work and tasks
- Delimitation and marking of each Ex hazardous area
- Certification of personnel performing work in Ex areas
- Appropriate training of staff according to instructions, security and health procedures in prevention and fire fighting
- All the equipment should be checked with a detailed examination consisting of identifying defects that can be detected visually, and also a rigorous inspection which requires opening the equipment casing using tools
- Another important aspect that should be taken into consideration is maintenance of the equipment by preventing the formation of explosive atmospheres and reducing the effects of an explosion so that the workers would not be at risk
Risk matrix and the interconnection map
Step 1. I will classify the risks according to their occurrence and their impact.

Table 1. Risks’ classification

| Risk | Occurrence | Impact |
|---|---|---|
| 1. There is the risk that OMV Petrom SA would suffer from power shortages, force majeure events, earthquakes and other hazards | Moderately Likely | Major |
| 2. The company could be affected by labor market mobility and further fluctuations in the labor market | Moderately Likely | Low |
| 3. In case of non-compliance with the legal environment that will lead to being considered law violations, OMV Petrom would be adversely affected. | Moderately Likely | Major |
| 4. OMV Petrom SA must manage properly its business growth. As the company is expanding (it currently has subsidiaries in Austria, Romania, Turkey, Bulgaria, Hungary and more others), it has to use efficiently the resources available, including management and personnel to bring value to the company, increase market share or take advantage effectively of the profits. | Likely | Low |
| 5.a) Risk at the workplace – errors | Likely | Major |
| 5.b) Receiving tasks that are inappropriate | Likely | Moderate |
| 5.c) Risk encountered in the production field | Likely | Major |
| 5.d) Working environment – physical factors | Moderately | |

Step 2. I will group the identified data according to the degree of risk:
- minor risk,
- moderate risk,
- major risk.
Table 2. Risk Severity Matrix

| Risk severity matrix | Impact: Low | Impact: Moderate | Impact: Major |
|---|---|---|---|
| Likely | 4. OMV Petrom SA must manage properly its business growth. As the company is expanding (it currently has subsidiaries in Austria, Romania, Turkey, Bulgaria, Hungary and more others), it has to use efficiently the resources available, including management and personnel to bring value to the company, increase market share or take advantage effectively of the profits. | 5.b) Receiving tasks that are inappropriate | 5.a) Risk at the workplace – errors<br>5.c) Risk encountered in the production field |
| Moderately Likely | 2. The company could be affected by labor market mobility and further fluctuations in the labor market | | 1. There is the risk that OMV Petrom SA would suffer from power shortages, force majeure events, earthquakes and other hazards<br>3. In case of non-compliance with the legal environment that will lead to being considered law violations, OMV Petrom would be adversely affected.<br>5.d) Working environment – physical factors |

- Green zone (minor risk)
- Yellow zone (moderate risk)
- Red zone (major risk)

Step 3. Perform the risk matrix
We numbered the risks according to the numbers given in Table 1. Quadrant I (P>50%, i>8) has high impact and high probability; Quadrant II (P<50%, i>8) has high impact and low probability; Quadrant III (P<50%, i<8) has low impact and low probability; and Quadrant IV (P>50%, i<8) has low impact and high probability.
 https://www.risknet.de/themen/risknews/top-10-risiken-heute-und-morgen/0c111c1b7e5c46d3e1a33d21c00f43f6/ accessed on 13th of April 2017
 http://www.pwc.de/de/risiko-management/risiken-fuer-unternehmen-werden-immer-vielfaeltiger.html accessed on 13th of April
 https://www.risknet.de/themen/risknews/top-10-risiken-heute-und-morgen/0c111c1b7e5c46d3e1a33d21c00f43f6/ accessed on 13th of April 2017
 http://www.grin.com/de/e-book/350756/netzwerkuebergreifendes-supply-chain-risiko-management-durch-moderne-informations accessed on 28th of April 2017
 http://intranet.petrom.com/portal/02/petromintranet accessed on 13th of April 2017