Risk can be defined as follows:

“A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action.”

To the majority of business directors, many risks seem not very concrete, but the fact of the matter is that it is indeed possible to identify, analyse and mitigate most of the risks that a company is exposed to in its daily operations. Furthermore, risks are often perceived as external factors, but most of the risks related to daily operations are actually threats linked to a lack of internal competences and/or processes – competences and/or processes that are needed to avoid some of the many potential operational losses and hazards.

Finally, it is important to emphasize that in this context risk management is not solely about avoiding losses. It is also about turning potential threats into advantages and possibilities. In its terminology, Propia applies the following risk segmentation:

Financial risks are risks related to loss of financial liquidity with direct influence on a company’s bottom line. Loss on creditors, budget reporting and authority-related disciplines such as bookkeeping and normal certification standards such as ISO 9001 are disciplines where most companies are in compliance, thanks to experts and resources assigned to ensure that penalties and other consequences are avoided. In contrast, much less attention is given to the cross-organizational financial risks. These are perceived to be internal (such as contractual risk management) or perceived to be external (such as cost volatility). Both examples represent serious threats if they are not well defined and well managed internally in the company. They are also good examples of areas where potential risks can be turned into advantages and possibilities. The last sub-category of financial risks is regulatory risks: specifically, the ability to stay in compliance and be continually updated on the most recent regulatory requirements, thereby proactively mitigating risks pertaining to loss of revenue and customers.

Operational risks are related to potential losses caused by a lack of ability to supply, whether through disturbances in inbound supply from the suppliers or in outbound supply to the customers. These types of risks often have major consequences for the company, as they can influence both the company’s financials and its ability to compete in a given market when production is delayed and/or deliveries to the customers are affected. In this context the challenge is covering the entire process, including management of the strategic procurement, the operational and strategic planning, production, distribution chain and the outbound logistics.

Strategic risks relate to a company’s ability to be perceived as a professional, innovative and reliable business partner by its stakeholders. The main objective of managing the strategic risks is to ensure competitiveness related to the above-mentioned aspects. This is traditionally an area where SMEs do not have a structured approach. Here, Propia puts focus on the entire value chain – the ability to continually innovate a company’s product portfolio, its go-to-market strategy and how to ensure its reliability and good reputation. This part of the risk management concept is mainly externally orientated and aims to proactively mitigate potential risks and thereby ensure long-term competitiveness.


Our concept has been developed from more than 30 years of combined experience with risk management in global production and distribution companies. The methodology is built on the international standards ISO 31000, IEC 31010 and COSO 2013. The concept is flexible and can be customized for the concrete context, situation and company culture – and the main success criterion is the ability to transfer it to the company’s employees, making it a natural part of the company culture and ways of working.

The Propia Concept consists of an initial diagnosis leading to one of two methods, depending on the particular context.


The objective in the diagnosis phase is to determine the level and the maturity of a company with regard to risk management and to build an overview of the management’s standpoints and goals regarding internal mandates, responsibility areas, company risks and the management of these risks.

Furthermore, the diagnosis must clearly define the direction that the management chooses for the future work with risk management. Our concept offers a long-term orientated implementation method, where a full implementation of a risk management framework is done at all organizational levels following the international ISO 31000 standard – and a more result- and short-term orientated risk management method for situations where more progressive impact is desired for one or multiple business areas.

A diagnosis can be executed as a cross-organizational assessment, where relevant internal stakeholders are actively involved – or as a risk management audit looking more specifically at the company’s risk profile.

Implementation method

Following ISO guidelines, the purpose of this method is to secure a long-term and integrated risk management concept at all levels of the organization, thus enabling the company’s employees to identify, assess and mitigate risks of their own accord.

The method is developed to design and implement a systematic risk management framework in the company with ISO 31000 and COSO 2013 as theoretical references.

The end results include a customised risk management framework and thereafter its implementation. Risk management is thereby meant to become an integral part of the company’s problem-solving process and a dynamic part of the cross-organizational framework.

Treatment method

If the diagnosis concludes that there is a need for control and short-term results with risk management in the company, the treatment method would be recommended.

As the Propia concept above illustrates, this method is designed to conduct an extensive risk assessment, which can be done end-to-end or solely for specific business areas. This is followed by a risk treatment with the overall purpose of avoiding, reducing, transferring or managing the risk in the selected business areas.

The risk assessment is the overall term for the process in which risks are identified, analysed and evaluated.

The risk treatment is the process in which the conclusions from the risk assessment are actively used to mitigate the identified risks.

The treatment method is an efficient tool to quickly mitigate potential risks. Once it is concluded and control of the largest perceived risks is regained, it would be beneficial for the company to continue its work with the anchoring tools – the risk plan, the risk policy and the risk framework.