Risk management strategies

In this article in our series on risk management, we look at all the strategies used to manage risk. These include reducing the probability of occurrence, limiting the potential impact, changing the risk situation or balancing opportunities and risks. A basic distinction is made between active and passive risk management.

Active risk management takes a cause-oriented approach and aims to actively shape and influence risk structures. It includes measures such as risk avoidance and risk reduction, which aim to reduce the likelihood of a risk occurring or minimise the potential extent of damage. An example of risk avoidance would be to eliminate potential risks from the outset by reorganising personnel or using alternative resources.
Passive risk management, on the other hand, takes an impact-oriented approach in which the risk structure remains essentially unchanged. Passive risk management strategies include risk transfer and risk acceptance. These strategies accept the risk and focus on mitigating potential losses through compensatory measures.
Each strategy is described in more detail below.

Risk avoidance aims to prevent a risk from arising in the first place, thereby minimising both its probability and potential impact. This can be achieved through alternative solutions or preventive protective measures. An example of this would be refraining from carrying out high-risk projects or parts of projects. However, this strategy may mean foregoing opportunities and could have a negative impact on reputation or profit. For instance, if a team developing a new, low-noise keyboard is forced to switch to a proven system due to delays, the risk of further delays can be avoided – but the likelihood of a market disadvantage increases. Therefore, risk avoidance is not always a viable solution.
Risk avoidance is particularly useful when interactions with other risks could lead to an incalculable overall problem. For example, the combination of sound-absorbing materials and ergonomic design may present unexpected challenges if the two aspects are not optimally harmonised. Once risks have escalated, they are often difficult to control, making preventive risk avoidance a wise choice in certain situations.

Risk mitigation begins when a risk has already occurred and aims to minimise its impact. This requires targeted actions to make the risk manageable. These include obtaining additional information, detailed investigation (e.g. through testing and assessment), the use of skilled resources, and improvements in management and communication. Other risk mitigation strategies include building buffers into scheduling and resource planning, and incorporating risk premiums into costing.
A practical example is the risk of faster wear and tear on a new keyboard design, which could jeopardise customer satisfaction. To minimise this risk, the company could run additional long-term tests under simulated conditions to check the durability of the keyboard. Different use scenarios could be simulated, such as different frequencies and intensities of key presses. In addition, a test group could test the product in everyday use and provide feedback so that weaknesses in the design or choice of materials can be identified and rectified at an early stage - before the keyboard is launched.

Risk transfer refers to the allocation of risk to multiple project participants, where responsibility for certain risks is shared and contractually regulated. This clarifies responsibilities by specifying who bears what risk. Risk can also be transferred through insurance or special contractual clauses, such as indemnity agreements or product liability insurance in the event of a product recall.
In one example, the company decides to outsource the production of a new keyboard to a specialised external manufacturer. The contract stipulates that the manufacturer is responsible for meeting defined quality standards. In addition, the company takes out product liability insurance to cover potential customer claims in the event of quality defects. These measures successfully transfer the production risk to the external manufacturer and the insurer.

Risk acceptance is a conscious decision by management to tolerate certain risks as part of the project objectives. This strategy is often chosen when all other measures to avoid or minimise risk have been exhausted, but the risk still exists and the project is still to be delivered. It is important that sufficient financial resources are available to mitigate potential damage and to manage the risk in an emergency.
Another reason for accepting risk may be a strategic decision to focus only on the major risks and deliberately accept smaller or medium risks. Risk acceptance can make sense if the cost of avoiding, minimising or transferring the risk is higher than the cost of the risk if it occurs. There are also unavoidable risks, such as natural disasters that can cause power or internet outages and against which little can be done. In such cases, the only option is to accept these risks, often in combination with contingency plans for emergencies.

The different risk management strategies open up a wide range of options for dealing with risks. As risks are often dynamic, it may be necessary to combine several approaches. For example, attempts to minimise a risk may fail and make it necessary to accept the risk. It is therefore important to continually assess and adjust risks and the measures taken to deal with them. Finally, risks offer opportunities that should also be considered as part of a well-designed risk management process.