FBM 08 SS 24 RM Ii

„Future Business Modeling“
Prof. Dr.-Ing. Stefanie Wrobel
Summer Term 2024
Central key terms and aspects of risk management

Summery of the 7th session
- „Risk is the effective uncertainty on objectives“ -> definition of risk

- Risk Managment is a part of the overall governance framework and
- assists the organisation in setting strategy, achieving objectives and doing informed decisions
- Innovation is risk, growth is risk – doing nothing is the highest risk in a turbulent environment
- Continouous review and improvement of the risk management framework is the responsibility of the board or
management
- Risk tolerance has to be defined and controlled, i. e. the level of risks (and potential) losses that can be tolerated
- Categories of risks: strategic and operational, emerging, people and compliance risks
- Methods and tools – risk management process, risk matrix, scenario planning, …
- Risk management as an iterative process, a cycle of monitoring, reviewing and focusing for continuous improvement
- Organisations have to develop an risk culture, i. e. create a working environmant where staff is confident about asking
questions and challenge assumption on how the business is conducted
2 Technische Hochschule Ingolstadt | Future Business Modeling | Prof. Dr.-Ing. Stefanie Wrobel
Summary
Introduction into Risk Management
• Risks cause possible deviations from planned corporate goals.

• Risks result from (unforeseen) developments within the company or in the business environment.
• A distinction is made between risks in the narrow sense, which represent negative deviations from targets, and a broader
definition, which also includes positive deviations from targets (opportunities).
• The legal risk definition of the KonTraG, which only describes negative and existentially threatening deviations, is too
narrow for business oriented risk management, since several „smaller risks“ can also threaten the existence of a company,
if they occur simultaneously. In addition, this definition neglects the existence and management of opportunities which can
have a negative impact on the future of the organisation, too.
• Risks that occur can lead to damages and losses. If the earnings and liquidity situation is permanently affected this can lead
to corporate crises and insolvency.
• Risks can be categorized according to a variety of criteria. Risk classification is seen as the basis for risk identification in
order to avoid blind spots and to deal with risks properly.
• Operational hazards arise from threats to the operational performance process, strategic risks often result from changes in
the corporate environment and are relevant over a longer period of observation and impact.
Categorization of risks (I)
• accompanying current activities undertaken in the enterprise of short-

term scope
Operational • how are resources used to achieve the objective
• risk of material and reputational loss and legal liability resulting from
Risks inadequate or failed processes and their essential resources
(personnel, material, IT and financial), a result of the impact of internal and
external threats
• connected with investment and development activities with a long-term

time horizon
Strategic Risks • strategic planning, including the definition of development directions in the
strategy
• related to the acquisition and use of own and debt capital and the
account of economic profitability of operational and strategic activities
Financial Risks • it accompanies both operational and strategic decisions involving financial
resources
Operational
Risks
Damage negative
(productivity, FINANCIAL
Strategic Risks quality, reputation,
customer loyalty,
EFFECT /
supplier…) LOSS
Financial Risks
Different perspectives and objectives of risk management
The main objectives of risk management can be viewed from two perspectives:
1. Prevention of threats that are the source of risk.

2. Minimizing damage (losses) associated with the occurrence of given hazards
-> The moment of intervention differs between these two approaches
Risk and opportunities response strategies
EXPLOIT AVOID Entirely eliminate uncertainty / take advantage

of the opportunity.
SHARE TRANSFER Transfer responsibility of a risk to a third party to bear the

consequences / share and make use of the benefits
ENHANCE MITIGATE Reduce (for a risk) or increase (for an opportunity)

the probability of occurrence and/or the severity of impact.
ACCEPT Do not initiate any action but continue to monitor.
Schedule
Future Business Modeling
Date Topic
0 18.03.24
1 25.03.24 Schedule, exam, objectives of the course, introduction into future oriented Business Developement and Business Modeling
01.04.24 Easter holiday
2 08.04.24 Introduction into Entrepreneurship, Business Ideas, Value Proposition Design
3 15.04.24 Business Models, Business Model Canvas, BM innovation, business model patterns
4 22.04.24 Sustainable Business Models, Digital Business Models
5 29.04.24 Business Modeling & Systems Thinking - Guest lecture and Exercise, Barbara Holzner, iCONDU
6 06.05.24 Social business & social impact assessment, guest lecture, Eva Wack SISTAC
7 13.05.24 Risk Management I
20.05.24 Whit Monday
8 27.05.24 Risk Management II
9 03.06.24 Dealing with uncertainty - lean startup, effectuation; decarbonization strategies, guest lecture Lars Nierula "Calculation of CO2-emissions"
10 10.06.24 Deep Dive SDGs and Sustainable Business Modeling - Exercise
11 17.06.24 Future preparedness of organisations - Organizational resilience
Prelim
12 01.07.24 Summary, preparation for exam in a r y in
Exam for
on 8 Ju mation:
? Exam
ly, 1 pm
Risk Management Process
The risk management process

Focusing on threats
Risk management is a structured process aimed at preventing potential hazards and minimizing
damage (loss) in the event of their occurrence.
• List the maximum number of threats as the starting
point for further steps
Risk • Conduct threats identification should be conducted with
identification the involvement of employees and external experts, taking
into account different (cognitive) perspectives.
• What is the probability that a given

Observation of the effects of Risk Risk source of risk (hazard) will occur?
threats identification, monitoring measurement/ • What damage (loss) can be caused
assessment and mitigation and control assessment
by the occurrence of a given source
of risk (hazard)?
Risk Selection and implementation of methods and tools that allow

mitigation • to prevent the occurrence of a given threat or
• minimize the consequences of its occurrence.
Risk Identification
Risk identification means detecting, describing and structuring
all potential risks (to assets and processes) that could negatively impact
business outcomes in terms of performance, quality, damage, reputation and finally loss .
It is the first step of the risk management process and acts as input for actual risk analysis / assessment
of the relevant risks to an organization.
Classification of risk identification - approaches
Criteria Characteristics
non-systematic, e.g. systematic, e. g. check-lists, early

Systematics
brainstorming detection systems
Aggregation of
single risks, e.g. check lists aggregated risks, e.e.
e.g. systems analysis
identified risks
Approach progressive methods retrograde methods
Sources of inspections, document Workshops, key figures, (Big)Data

information visits review Surveys indicators Analytics
Information forecasting, e.g. time series collecting search methods, e.g.

processing analysis methods, e.g. Bow-Tie-Analysis
interviews
Source: Wolke 2017
Systematic, process-based risk-analysis
Identification of
operational or
strategic risks?
Source: Hunziker 2021
Risk Checklists
Risk checklists should never
be solely used to identify risks.
If a company decides to use
checklists, it should be used as a
supplement and should be
combined with an assumption
analysis and qualitative interviews
Decision-making problems that

are entirely within the control of
the company must be recorded in
a separate list!

Systematics
Aggregation of
identified risks
Sources of inspections, document Workshops, key figures, (Big) Data


interviews
Source: Wolke 2017

Systematics
Aggregation of
identified risks


interviews
Source: Wolke 2017
Identification of strategic risks
Analysis of the business environment, trend research and strategic foresight
SWOT
PESTEL
Weak Signals and Trend Analysis
(Business) Scenario Development
Interviews, Delphi study
Why the analysis of the business environment is only one aspect of risk identification
Example SWOT
• Weaknesses and threats are not risks, they are more or less existing current conditions, for risk
management one should analyse and describe potential (future) consequences of weaknesses and
threats.
• The potential impact on the company’s objectives is regularly unclear as the degree of abstractness in
a SWOT analysis is high. All aspects are noted down in keywords.
• For each section of the SWOT analysis several scenarios with different probabilities can be described.
From a risk management perspective, SWOT serves as a basis for the next step.
In addition one has to be aware that SWOT analysis focuses on strategic aspects. Operational and
financial aspects are often excluded. They need to be included or identified with other tools and
techniques.

Systematics
Aggregation of
identified risks


interviews
Source: Wolke 2017
Enterprise-wide risk identification in ERM

Enterprise-wide interviews for gathering enterprise-wide information as a starting point of a systems analysis
Interviews with
carefully chosen
interview partners
are rated as the
best tool to gather
information and
identify sources
of risks and risks.
(compared to
questionnaires,
surveys…)
Interviews are quite

resource intensive ->
10 – 20 interviews
proofed to be
sufficient in most
Source: Hunziker 2021 cases.

Systematics
Aggregation of
single risks, e.g. check lists aggregated risks, e.e. systems analysis
identified risks


interviews
Source: Wolke 2017
Data Analytics as an approach to risk identification

Example: IBM
Data Analytics as an approach to risk identification
Example: IBM
https://www.ibm.com/topics/predictive-
analytics?utm_content=SRCWW&p1=Search&p4=43700075186370023&p5=e&p9=58700008274769501&gad_source=1&gclid=E
AIaIQobChMI8MKQvr6jhgMVYD4GAB10agzfEAAYASAAEgJfAfD_BwE&gclsrc=aw.ds
Exercise
- Come together in groups of 3 – 4

- Take a look at the IBM website and the explanation on predictive analytics and types of predictive
modeling.
Link to IBM website Link to Miro
- What types of models are explained? Do you know further types of models? Note and explain the models.
- How can these models be used in risk management? What are benefits and limitations?
Predictive analytics models
Example IBM
Predictive Analytics
Example
Have a look at this example. What is this example about? What specific risks could be identified?
What are preconditions for a successful risk identifiction?

Systematics
Aggregation of
identified risks


interviews
Source: Wolke 2017
Bow-tie-analysis
Cause-and-effect chain for risk identification and analysis
Enterprise Risk Identification
Visualising the Cause-Effect-Chain with the bow-tie technique – example: The risk of a car accident for a taxi company
Risk as an Risks and The cause-and-effect-

event that subrisks
might occur chain helps visualising
how and why risks
come up and what
different impacts
might be.
TAXI
DRIVER is
having an In the next step of ->
ACCIDENT risk mitigation it helps
finding measures of
Damage to the
road /
infrastructure
prevention (combating
causes) of limitation of
damage/impact.
Regulatory
breach
Bow-tie-analysis
Example: Reputation risk
Risk as an Risks and

event that subrisks
might occur
negative
reputation
negative
media
coverage loss of
confidence

Systematics
Aggregation of
identified risks


interviews
Source: Wolke 2017
Benefits of the the cause-and-effect-chain approach

Identification of points of intervention
The main objectives of risk management:
1. Prevention of threats that are the source of risk.

2. Minimizing damage (losses) associated with the occurrence of given hazards
Cause
Effect
Once a risk is confirmed,
we no longer refer to it as a risk
but as an issue.
Risk Assessment
Risk assessment includes the analysis of risk causes/sources (risk factors), the quantification of
the impact of risks on the financial and non-financial objectives of the company
as well as the integrated assessment of the relevance of the risk. In addition, the aggregation of
individual risks to the overall risk of a company is also part of risk assessment.
Filtering risks to identify key risks
Filter I
Exclude
• „fake“ risks (that are e.g. unrealistic)
• risks that are completely outside
the organisations' sphere of influence
Filter II
Exclude
• decision-based problems,
• risks with low impact
Filter III
Identify key risks by assessing
potential impact and probability. included in ERM
38 Technische Hochschule Ingolstadt | Future Business Modeling | Prof. Dr.-Ing. Stefanie Wrobel Source: Hunziker 2021
Is a flood desaster a risk that should be considered in ERM?
?
Is a flood desaster a risk that should be considered as a relevant risk?
§ The risk is manageable to a certain degree. It can be insured, for example,

and preventive measures (protective walls, early warning systems, redundant
production sites) can be put in place.
§ The risk is realistic, but rare. There is a broad consensus that it could
happen at some point in the future (and some latest events prove that right)
§ The risk has a company-specific impact. A company may be disadvantaged
relative to its competitors when it occurs (e.g. loss of a productions site and
thus decrease in production, sales, trust…).
§ The risk affects one production site only. This makes it riskier than other
locations, everything else held constant.
➡ a company can manage it with some effort in case it occurs.
Filtering risks to identify key risks

What makes a key risk?
It is recommended not to
exclude low probability risks.
The key risk list should

primarily be based on the
impact criterion, probabilities
of risks may be included in
the risk assessment as extra
information.
The meaning of assessing probability of occurrence of an event
In pratice it is very difficult to assess probabilities. An example illustrates this challenge.
Depending on the assigned probability of the risk that a new competitor appears on the market, it may become a key risk
or not. A company sets the filter in a risk map at the 5% probability level for the next year. If a board member assesses this
risk a bit lower at 3%, it falls below the threshold for being included in the risk matrix. Thus, it is not reported and discussed
as a key risk. Yet, this probability of 3% is difficult to verify. It could also be 7% or 10%. Other probabilities can also be
considered plausible.
This problem can be mitigated by assessing and reporting the impact and the probability separately. This allows
the risk manager to rank the key risks based on impacts.
The probabilities serve as extra information. Probabilities can and should be discussed but are not an equally weighted
selection criterion.
Why correlated risks of low probability are relevant in ERM
„We illustrate a third reason why the probability of occurrence is not a good selection criterion by the following example. Let
us assume our key risk list contains 25 risks. The risk manager analyses the selected risk scenarios and concludes that
each key risk scenario has a very low probability. For the sake of simplicity, we assume that all risks have an equal
estimated probability of occurrence of 1% (p). In other words, each risk is expected only once in a hundred years. Are we
confident that none of the top risks will occur next year? Can we inform our board that there will be no unpleasant surprises
next year due to the very low probabilities? Let us assume that the 25 (N) top risks are uncorrelated. This assumption may
be quite realistic. Risk interdependencies are already incorporated during individual scenario developments. What is the
probability that at least one of the rare risks will occur next year? The math is as follows: 1-(1-p)N. If we use our figures
(p = 1%; N = 25), we calculate a probability of 22.2%. This value is high and is underestimated in traditional risk
management that is based on individual risk assessments (e.g. by means of risk maps). If we extend the time horizon to
e.g. 5 years (according to the achievement of the strategic objectives), this probability already increases to 71.5%. In the
long term, rare risks are thus very much to be expected. The lesson here is that very low probability-risks should not be
excluded from the key risk selection process.“ (Hunziker, 2021, p. 102)
Classification of risks, taking into account the probability of occurrence and scale of
potential impact (damage/loss)
Risk Map
A risk map (or a risk matrix) is frequently used
in practice and recommended in risk management
literature and several frameworks.
Is it a good decision making tool?

What makes it an appropriate decision
making tool ?
What are pros and cons?
Risk Map
Individual experiences, overconfidence, confirmation

bias, and optimism bias may impact the assessment
of probability and impact.
Verbal, subjective scales such as “low” to “high”

or “unlikely” to “very likely” are “translated” by people
into divergent percentages, which can make the
classification in one of the fields almost unusable
Thus, scales of the risk should be stored with

quantitative values (e.g. “low” with an annual
Potential probability of occurrence of 1–20% and an extent
blind of damage of 0 – 50.000 €)
spot
The resolution has to be considered when using
a risk matrix as a decision making tool, as well as
different potential impact levels or relations between
risks.
Defining key risks based on quantitative figures
Regardless of the approach chosen, non-key risks

should be included in a "watch-list" and observed
over time.
Overview of quantitative and qualitative risk measurement approaches

Wolke, Thomas (2017): Risk Management, de Gruyter, Berlin/Boston
Source: Wolke 2017, p. 9

Maximum loss
Examples
Example A:
Two players, S and T, play a game and start with capital of € 1,000 each. Their assets
at the beginning of the game, then, amount to € 1,000 each. They throw once. If it
comes up heads, player S has to pay player T € 500, and if it comes number, T has pay
S € 500. It is assumed that the throw (and the coins) aren’t manipulated and that the
probability of either heads or tails coming up is 50 % respectively.
Maximum loss A ML(A) = –€ 500.00
Example B:
Student C bought an asset worth € 1,000 from an arbitrarily chosen market. So his
assets amount to € 1,000. In the future, he can sell these assets on the exchange for
€ 1,300 with a probability of 70 %. The probability of selling for only € 700 is 20 %,
and the probability that his asset is worthless on the exchange is 10 % (that is, a total
loss of € 1,000).
Maximum loss B ML(B) = –€ 1,000.00
Maximum loss
discussion
The advantage of maximum loss lies in its easy calculability, that is, no probability has to be included. The
maximum loss is also suitable as a control figure, since a risk calculation with results greater than the maximum loss
can’t be correct. The simplicity of the maximum loss is at the same time its crucial disadvantage.
There is no qualitative assessment of the risk content, that is, what is riskier cannot be judged. It becomes immediately
apparent that B is not necessarily riskier than A just because the maximum loss is much higher. The probability of the
maximum loss occurring remains fully unconsidered. The maximum loss has a 50 % chance of occurring in example
A, while in example B the greatest damage has only a 10 % chance of occurring! So this measurement should not, at least,
be used for a qualified risk evaluation.
A maximum loss also cannot be determined for risks or damages with potentially incalculable monetary
consequences. An example here would be the risks from the operation of a nuclear power plant. If there were a
catastrophic nuclear accident, liability insurance (in Germany there is a ceiling of € 2.5 billion for damages) would fall far
short of covering the potential maximum losses. The rest of the damages would have to be carried by the state or the
taxpayers.
Quantitative risk assessment
Critical discussion
§ Risk models are a simplification of reality, sometimes even an

oversimplification, thus quantitative measures will be wrong.
§ In most cases, historical data are used where available.
In this sense, alle quantitative risk models are wrong by definition.
§ Quantified risk assessments are never accurate or only coincidentally correct,
because they deal with the future.
§ Risk quantification and later risk aggregation produce false accuracies.
§ No or too little data available. The quality of the result is thus poor.
§ Nobody understands risk models and the quantitative assessment, in the best
case the risk manager him- or herself.
Quantitative risk assessment

Critical discussion
Nevertheless, the process of quantitatively assessing a risk is often very usefull, as risk
managers can question assumptions and get new perspectives and ideas, may identify
emerging risks, have a basis for risk assessment and comparison of different risks.
Quantification sometimes requires uncomfortable transparency that is important as a basis for

discussion and might reveal blind spots.
Risk Impact Assessment
Estimation or calculation?
What next?
How to use your new learning for the project Business Scenarios & Risk Management
• Come together in your project groups

• Have a look at / think about the trends and the business scenario you developed and make
an initial list of potential events / aspects / risks that might have an impact on the business of
your startup individually.
• Discuss your individually identified risks and agree on a common list. Filter the risks, exclude
„non-risks“, non-manageable risks etc.
• Agree on how to define (criteria, qualitative evaluation) and visualize key risks (e. g. risk
map, risk matrix…).
• Take one of the events/risks, that you rate as a key risk
and use the bow-tie-analysis to find causes and
effects of the risk (-> use the Bow-Tie-Analysis
Template in Moodle)
Literature

FBM 08 SS 24 RM Ii

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FBM 08 SS 24 RM Ii

Uploaded by

Copyright:

Available Formats

„Future Business Modeling“

Prof. Dr.-Ing. Stefanie Wrobel

Summer Term 2024

Central key terms and aspects of risk management

- „Risk is the effective uncertainty on objectives“ -> definition of risk

• Risks cause possible deviations from planned corporate goals.

Categorization of risks (I)

• accompanying current activities undertaken in the enterprise of short-

• connected with investment and development activities with a long-term

Different perspectives and objectives of risk management

1. Prevention of threats that are the source of risk.

-> The moment of intervention differs between these two approaches

EXPLOIT AVOID Entirely eliminate uncertainty / take advantage

SHARE TRANSFER Transfer responsibility of a risk to a third party to bear the

ENHANCE MITIGATE Reduce (for a risk) or increase (for an opportunity)

ACCEPT Do not initiate any action but continue to monitor.

The risk management process

• What is the probability that a given

Risk Selection and implementation of methods and tools that allow

Classification of risk identification - approaches

non-systematic, e.g. systematic, e. g. check-lists, early

Approach progressive methods retrograde methods

Sources of inspections, document Workshops, key figures, (Big)Data

Information forecasting, e.g. time series collecting search methods, e.g.

Decision-making problems that

Source: Hunziker 2021

non-systematic, e.g. systematic, e. g. check-lists, early

Approach progressive methods retrograde methods

Sources of inspections, document Workshops, key figures, (Big) Data

Information forecasting, e.g. time series collecting search methods, e.g.

Classification of risk identification - approaches

non-systematic, e.g. systematic, e. g. check-lists, early

Approach progressive methods retrograde methods

Sources of inspections, document Workshops, key figures, (Big)Data

Information forecasting, e.g. time series collecting search methods, e.g.

Weak Signals and Trend Analysis

(Business) Scenario Development

Interviews, Delphi study

non-systematic, e.g. systematic, e. g. check-lists, early

Approach progressive methods retrograde methods

Sources of inspections, document Workshops, key figures, (Big)Data

Information forecasting, e.g. time series collecting search methods, e.g.

Enterprise-wide risk identification in ERM

Interviews are quite

non-systematic, e.g. systematic, e. g. check-lists, early

Approach progressive methods retrograde methods

Sources of inspections, document Workshops, key figures, (Big)Data

Information forecasting, e.g. time series collecting search methods, e.g.

Data Analytics as an approach to risk identification

- Come together in groups of 3 – 4

Link to IBM website Link to Miro

non-systematic, e.g. systematic, e. g. check-lists, early

Approach progressive methods retrograde methods

Sources of inspections, document Workshops, key figures, (Big)Data

Information forecasting, e.g. time series collecting search methods, e.g.

Risk as an Risks and The cause-and-effect-

Risk as an Risks and

non-systematic, e.g. systematic, e. g. check-lists, early

Approach progressive methods retrograde methods

Sources of inspections, document Workshops, key figures, (Big)Data

Information forecasting, e.g. time series collecting search methods, e.g.

Benefits of the the cause-and-effect-chain approach

The main objectives of risk management: