Use of Risk Management to Support Business Sustainability in the Automotive Industry

Abstract

Today’s companies operate in a dynamic, constantly evolving, and highly competitive environment. The globalization of markets has significantly changed the economy, where companies operate within increasingly complex supply chains. The ever-increasing expectations of customers and company stakeholders, as well as the need to incorporate a comprehensive approach to the life cycle of manufactured products in corporate strategies, expose companies to a whole range of risks. The research was based on the need of organizations operating in the (automotive) industry to manage the dynamics of the business environment. This was accomplished using an appropriate model that, through its universality, would help to ensure the effective risk management in a holistic approach, protecting their performance and meeting the needs of the relevant stakeholders. The main idea of the research was to create and implement a dynamic model of risk management in the environment of a production organization based on the use of available methods such as SWOT, PESTLE, brainstorming, affinity diagrams, risk matrix, SIPOC diagram, risk, and the results of questionnaire surveys. The research was conducted in two directions: (1) designing the structure of the dynamic risk management model for the strategic management process; and (2) verifying the effectiveness of the proposed model in specific cases and evaluating the technical and economic benefits. To support the dynamics of the model, three basic management tools have been proposed: process review, internal audit, and management review, enriched with features that support the concept of risk-based thinking.

1. Introduction

An essential element of any company’s strategy is to minimize the business risk to a level that ensures the safety of the market. To ensure efficiency, effectiveness, and competitiveness, the organization must implement a system and a comprehensive approach to managing risks, ranging from the identification of risks to analysis, the development of measures, and the evaluation of their effectiveness using appropriate tools and in a dynamic way that ensures that all the changes are considered and the risks resulting from them will be appropriately treated by this system. With a spectrum of factors impacting the business, such as regulatory risk, market disruption, the environment, human health, product safety, and even business model obsolescence, companies urgently need to rethink their management procedures. They need to shift their thinking to a risk-based strategy and risk-based decisionmaking, away from the operational level and regulatory compliance perspective [1].

The risk management process provides a basis for informed decisionmaking to determine one or more courses of action. Risk management is a discipline of decisionmaking that should be integrated into all the aspects of the organization. One of the characteristics of effective and efficient risk management is its dynamic nature [2,3]. Risks can change, be minimized, or eliminated when the internal and external conditions that influence the organization’s purpose and strategic direction change. Risk management anticipates, recognizes, and reacts to these changes and events in an appropriate and timely manner [4,5]. Finally, the STN EN ISO 9001:2015 and IATF 16949:2016 standards applied in the automotive sector also emphasize the importance of effective quality management while taking risks into account [6,7,8].

1.1. Risk

Risk is usually defined as something unstable and indeterminate, which is related to the course of the phenomenon and often disruptive to the intended behavior [9]. Risk, uncertainty, and indeterminacy are part of the human activity in any environment [10,11,12,13]. We can analyze risk from different perspectives [14]. The two main components of risk analysis are the probability that something will go wrong and the negative consequences if it does. Risks can be difficult to recognize, but not if we prepare properly [15]. Therefore, risk analysis is an important tool in all cases where a job or process involves risk [16,17,18]. It can help us to recognize and understand the risks we may be exposed to in any task. As explained in [19], the risk environment (Figure 1) in which we operate defines the risk areas that we can identify and control (the area of the gray circle), those that we can identify but not control (the area outside the circle bounded by a square), and finally all the existing risks, including the unknown and uncontrollable risks (the area bounded by the dashed line).

Risk as an effect of uncertainty is often expressed as a combination of the consequences of an event (including changes in circumstances) and the associated possibility of its occurrence [19]. As part of a comprehensive approach to risk management, risk can be defined as the impact of uncertainty on the achievement of objectives [3,20,21].

The term risk is an elusive construct with a variety of meanings, measures, and interpretations depending on the field of research [22].

Risk is the product of the probability of an event to occur and the severity of its consequences [23].

Risk is a two-dimensional entity (often referred to as risk equals impact times probability), and assessing the level of risk means assessing both the impact and probability and judging their combination against some risk criteria [24].

Strategic management can be defined as a complex, continuous, and internally divided process of developing long-term goals and their gradual implementation under the conditions of a changing environment.

Strategic management involves the formulation and implementation of the key objectives and initiatives decided by the organization’s top management on behalf of the owners based on considering the resources and assessing the internal and external environments in which the organization operates [25].

1.2. Risk Management

In a general sense, risk management refers to the architecture (principles, system, and processes) of effective risk management. Risk management refers to the practical application of this architecture to a specific risk. Risk management is a process in which the management attempts to prevent the effects of the existing and future factors and to propose solutions that help to eliminate the effects of undesirable influences and, on the contrary, enable the utilization of the opportunities created by the effects of positive influences [26]. An integral part of the risk management process is a decisionmaking process based on risk analysis. Risk management develops, analyzes, and compares the possible preventive and regulatory measures, considering other factors, primarily economic and technical, but also social and political. From these measures, it then selects those that minimize the existing risk.

Risk assessment and risk management as scientific disciplines provide important contributions to support decisionmaking in practice [27,28,29]. By implementing the risk management process, the management of the organization ensures that the resources are used appropriately and efficiently, which at least leads to the planned results [30].

The risk management process helps in decisionmaking because it takes into account the uncertainties and the possibility of future events or circumstances and their impact on the established objectives [23].

Risk management is a gradual process and can be divided into three steps: identification, assessment, and mitigation [31].

The ISO 31000 standard has become an internationally recognized guide for implementing a logical and systematic risk management process that helps organizations to develop a risk management strategy, thereby increasing the probability of achieving their objectives and improving the protection of their assets. The main objective is to develop a risk management culture in which employees and stakeholders are aware of the importance of risk monitoring and management [4,32].

The risk management process involves the systematic application of policies, procedures, and practices in the areas of communication and consultation, identification, assessment, treatment, monitoring, control, recording, and reporting of risks [2].

Risk management requires the development of alternative risk management plans for situations that may arise and trigger the implementation of appropriate corrective actions that we plan when a risk occurs, and this is detected and diagnosed with the cause of the risk [33].

Surveys in this area confirm the dominance of the application of ISO 31000 in the decisionmaking processes [34]. The fundamental principle and purpose of risk management is to create and protect value. The principles of risk management connect the framework and practice of risk management to the strategic objectives of the organization [4].

Due to the increasing dynamics of socio-economic processes, risk and uncertainty are becoming more important and play a major role in decisionmaking. Dynamic management is management that assumes that the target system (i.e., the goals and the way alternative futures are evaluated) will change, although not necessarily in a predictable way [35,36,37]. Dynamic management is a natural aspect of what is commonly referred to as risk management [31,38,39]. Dynamic risk management can be defined as a continuous process of hazard identification, risk assessment, action to eliminate or reduce risk, monitoring, and review under rapidly changing operational event conditions [40].

Several examples of the application of dynamic risk management in the field of safety management can be found in the literature; e.g., [41,42] state that the use of a dynamic risk management framework strengthens the risk-informed decisionmaking process through continuous monitoring, evaluation, and performance improvement. The use of dynamic risk management dashboards (DRMDs) has been evaluated as a proactive safety tool that complements the existing risk management [43]. DRMDs provide support by identifying the cumulative risks of specific missions and effectively respond to unacceptable risks before a specific flight is authorized or cleared.

The authors of the study were motivated by the need of organizations operating in the automotive industry to manage the dynamics of the business environment. This has been achieved with the help of an appropriate model that, thanks to its universality, would help to ensure effective risk management in a holistic approach, thereby protecting their performance and meeting the needs of the relevant stakeholders. The strategic management process, which forms the framework of risk management in the certified organizations in the automotive industry, was used as a basic pillar of the research. Practice shows that the concept of risk management in organizations is not clearly structured. The individual elements are not linked to each other, and at the same time there is a lack of dynamism to ensure that the information is constantly updated and that the expected benefits are achieved.

Research objectives:

• To analyze the current state of solving the problem of dynamic risk management.
• To propose a suitable risk mapping (analysis) methodology that takes into account and strengthens the qualitative dimension of risk assessment and creates a subsequent building element of dynamic risk management in a suitable model.
• To propose the structure of the dynamic risk management model for the strategic management process.
• To verify the effectiveness of the proposed model in specific cases and evaluate the technical and economic benefits.

2. Materials and Methods

Recent surveys show positive trends in European companies in the integration of risk management into the decisionmaking process and companies’ management [44,45]. The most common objectives of risk management are to eliminate the impact of risks on the economic results (92%) and to ensure compliance with legislative requirements (91%) [46]. The use of appropriate scenarios that include identified risks provides a qualitatively higher level to the strategic management process, more stability to the company, enables the setting of more realistic performance targets, and ultimately stimulates the growth of the company’s value [47].

From the literature review, it is possible to use choose standardized and appropriately adapted risk management tools to manage risks and opportunities in organizations at both strategic and operational levels with an implemented quality management system, contributing to its efficiency and effectiveness and ensuring business continuity [26,48,49]. The need for a holistic view of risks throughout the entire organization with an implemented quality management system according to ISO 9001:2015 or IATF 16949:2016 is a necessity in terms of the new concept of risk-based thinking, which usefully complements the existing risk management approaches in the automotive sector at the system level, e.g., with FMEA tools at the production process and product levels (IATF 16949). Only the use of appropriate tools to identify, assess, and control risks in the process of strategic management within the framework of risk-based thinking provides a suitable basis for the creation of a model of process-oriented risk management throughout the organization that ensures the achievement of the desired results while maintaining dynamisms. The synergy between risk management and process management contributes to their mutual improvement [50].

In order to achieve the applicability of the research results in the real environment, cooperation with production organizations was established to implement and verify the benefits of the proposed model. Solving this problem helped us to answer key questions about the importance of a dynamic approach to risk management and the choice of appropriate tools given the ever-changing business environment in the automotive industry [51]. The research was based on objective findings from statistical processing of data provided by companies in the sector. The research was carried out for the period 2015–2022. The information was collected by studying foreign and domestic literature and interviewing experts in the field. The collected data formed the starting point for the qualitative and quantitative analysis of the data. Qualitative and quantitative evaluation and processing of data comprise an approach that focuses on description, interpretation, and understanding through analysis and comparison. As part of this approach, mathematical and statistical methods were used to process the data from the questionnaire survey. The aim was to obtain accurate data on the perception of the proposed risks of the strategic management process and the proposed measures to address them.

2.1. Proposal and Implementation of a Solution

We carried out the research by gathering input information as part of the analysis of the context and stakeholder analysis with the help of a group of experts and then preparing this information for the strategic management process in the form of identified key risks and possible mitigation actions. These formed the basis for the creation of a multi-factor analysis of the selected risks identified. We then carried out a survey in the form of an online questionnaire with a sample of top management representatives of manufacturing companies operating in the automotive supply chain to assess their perception of the analysis of these risks based on the established criteria and the choice of the appropriate tool(s) for their management. The analysis obtained formed the basis for supporting decisionmaking mechanisms and developing a holistic and dynamic risk management model. Based on the data obtained, the model was created and implemented, and its usefulness was quantitatively verified in the form of a questionnaire survey and subsequent statistical analysis of the data obtained in two manufacturing companies. The process of implementation, the expected results, and the research techniques are clearly summarized (

Table 1. The summary overview of the problem-solving methodology steps.

The Step of Solving the Problem	Research Method Used	Outputs
Creating a team of experts		an identified team of experts
Context analysis	Brainstorming, PESTLE, SWOT, Mind maps	generic PESTLE analysis of the automotive sector generic SWOT analysis of a manufacturing car company identified and classified interested parties of this company determining the key risks of the strategic management process and defining appropriate measures to manage them
Development of risk analysis methodology	Consequence/probability matrix (heat map)	multi-factor consequence/probability matrix for strategic management risk analysis register of risks
Evaluation of the perception of key risks and measures to manage them by representatives of the top management of supplier companies	Online questionnaire Cluster analysis Statistical evaluation of data	data obtained from questionnaires and their quantitative evaluation
Design of a dynamic risk management model	Interaction matrix Graphic tools SIPOC	graphic processing of the model designated tools for supporting the dynamics of the model
Implementation of a dynamic risk management model	Case study	implemented dynamic risk management model
Evaluation of the benefits of the dynamic model of risk management	Online questionnaire Statistical evaluation of data	evaluated benefits of the model in specified areas

).

2.2. Identification of Key Risks and Proposal of Measures to Manage Them

The need to identify key risks and propose actions because of the analysis of the organization and stakeholder needs is a logical outcome as the next step in the process of managing these risks by the organization to meet the organization’s objectives. We identified these through the affinity diagram and brainstorming within the expert group (

Table 2. Affinity diagram—key risks of strategic management process and the proposed measures to manage them.

Group Risk	Risks from SWOT Analysis	Proposed Risk Management Measures
Non-compliance with applicable legislation and regulations	- New and stricter legislation - Consequences of non-compliance with legal and other requirements	Regular internal review of requirements by a cross-functional team of the organization; Outsourcing of monitoring and evaluation of compliance with legislation (using an expert); Membership in sectoral organizations.
Inadequately defined strategy and direction of the organization	- Loss of know-how - Insufficient business diversification - Lack of innovativeness	Creation of annual business plans; Observing what is happening in the market, following trends and competition; Regular review/updating of input data; Internal or external benchmarking; Diversification of business segments.
Lack of qualified workers on the labor market	- Insufficient employee motivation - Lack of qualified workforce - redominance of manual activities in production	Automation of activities; Use of employment agencies; Cross-qualification of workers; Identification of key players/succession planning; Incentive program; Structured process of further development of employees; Cooperation with schools.
Low customer satisfaction with the products provided	- Problem-solving process - Insufficient process of evaluation and monitoring of customer satisfaction - Reviewing customer requirements	Regular internal review of customer requirements; Regular internal evaluation of customer satisfaction; Structured process for solving customer complaints; Market research; Project management.
Inadequate process for defining goals and monitoring, evaluating, and analyzing performance	- Weak focus on performance - Manual data collection	Setting annual performance indicators and their monitoring by top management; Regular review by management; Digitization and automation of data collection; The connection of goals and their evaluation with the evaluation of the employee’s performance.
Restriction/stoppage of the organization	- Development in the field of IT and cyber threats - Force majeure - isruption of the global supply chain	Implemented and maintained emergency preparedness process; Application of lessons learned from previous situations; Increasing the safety stock of input material/finished products; Regular monitoring of the supply chain.
Ineffective leadership	- Insufficient employee motivation - Absence of development of worker management skills - Insufficient balance between the work and private life of senior employees	A robust selection process for managers; Incentive program for managers; Mentoring/couching; An environment of trust and stress minimization; A clearly defined strategy and direction of the organization; Interim management.

).

An affinity diagram is a tool for categorizing large amounts of scattered and complicated qualitative information—usually resulting from a brainstorming session—into small, manageable, and relevant groups [52]. The creation of an affinity diagram is completed in a team and, mainly, intuitive thinking is applied when working on it.

2.3. Development of Risk Assessment Methodology

For the risk analysis, we created a rating table with a five-point scale. To provide the assessors with a broader view of the impact and probability of occurrence, we formulated additional components. In the case of impact, we selected the following components: impact on strategy, impact on reputation, and financial impact; in the case of probability, we added the component impact on speed of risk response. On the basis of the above assessment (

Table 3. Evaluation table of risks in strategic management process.

	1	2	3	4	5
Impact on strategy (A)	Insignificant effect	An event that affects the delivery of products and services by impairing the achievement of process objectives	An event that affects the delivery of products and services by impairing the achievement of strategic objectives	An event that affects the delivery of products and services by impairing the achievement of the organization’s vision	An event that affects the delivery of products and services by impairing the achievement of the organization’s mission
Financial impact (B)	An event that will negatively affect the company’s costs in the range of less than EUR 25,000	An event that will negatively affect the company’s costs in the range of EUR 25,001 to 50,000	An event that will negatively affect the company’s costs in the range of EUR 50,001 to 100,000	An event that will negatively affect the company’s costs in the range of 100,001 to 250,000 EUR	An event that will negatively affect the company’s costs in the range of over EUR 250,000
Impact on reputation (C)	Negligible (Informal complaints from customers; no media coverage)	Slightly significant (up to 10 complaints from customers; media coverage may express concerns)	Moderately important (from 10 to 50 complaints from customers; long-lasting negative media coverage—local media)	Significant (from 50 to 100 complaints from interested parties; negative media coverage—local or national)	Very significant (more than 100 complaints from interested parties; widespread; prolonged negative media coverage—local or national)
Impact of probability of occurrence (D)	The event is highly unlikely	The event has a remote possibility of occurrence	The event is likely to happen some time in the future	Event likely to happen (within 1–2 years)	The event is already occurring or is expected to occur
Impact of risk response speed (E)	Extremely low speed (in the horizon of 5 or more years)	Low speed (in the horizon of 2 years)	Medium speed (within 1 year horizon)	High speed (up to 1 month)	Within 24 h

), we then analyzed the key strategic management risks selected by the respondents to the questionnaire survey.

In the next step of creating the risk management model, we transformed the above table into the form of a matrix, with the consequences axis consisting of three components (strategy, finance, and reputation) and the probabilities axis consisting of two components (probability and reaction speed). At the same time, we complemented the matrix with a decision field (heat map), which determines the position of the risk on the heat map based on the resulting risk factor (the product of all 5 components), namely in the areas of low (green area), medium (yellow area), and high (red area) risk value (Figure 2). This classification of the risk then determines the expectations of how the organization should deal with the risk.

The creation of a functional methodology (mapping) of risk analysis in a complex environment with targeted simplification is a fundamental element of a dynamic risk management model. This model will significantly support the decisionmaking processes of strategic management and subsequently also the operational level of management of the individual processes. The use of multi-factorial probability method in combination with a central risk register enables a more precise dimensioning of risk assessment and makes a significant contribution to increasing the reliability of strategic management decisions.

The next step is to transfer the information on risks from the risk assessment, including proposed actions, to the proposed centralized risk register, which serves as a tool for recording the assessment and management of risks in the organization (Figure 3). It can be used at strategic, sectoral, operational, and project levels when a large number of risks, management activities, and ways of dealing with risks need to be identified.

This register is then actively used as part of the developed model. To describe the strategic management process, we have used the SIPOC diagram as a visual representation of the process in the form of a table (

Table 4. SIPOC strategic management process diagram.

S	I	P	O	C
Input Sources	Inputs	Activities	Outputs	Recipients of Outputs
Relevant internal and external stakeholders of the organization	SWOT PESTLE review by management customer views investment requirements financial plans	determining the strategic direction of the organization creating a budget creating a strategic plan setting the goals of the organization planning for emergency situations analysis of the context of the organization identification and analysis of risks and opportunities defining responsibilities and powers	vision, mission, and policies of the organization strategic plan determination of the QMS subject determining the processes of the organization budget key performance indicators and their target values risks and opportunities—register of risks emergency plans organizational structure	QMS processes: resource management determining requirements design and development EPPPS management product realization and delivery monitoring, measurement, and analysis continuous improvement

).

The SIPOC analysis is used to map the relationships between the analyzed process, its inputs and outputs, and the influence of customers and suppliers on the processes. It is the bridge between the problem definition and project scope in the project brief and the detailed process map. It helps to obtain a comprehensive picture of the mutual influences between the analyzed elements. We can also use the SIPOC to map process requirements. It is a very good tool for delimiting the area under consideration. It is a process map that covers both the supplier and the customer.

The visual SIPOC tool helps to understand the whole process, from start to finish. It provides valuable information about areas where there are major problems. The problems may be on the supplier’s side, they may be related to the input specifications, or they may be related to processes and results that do not meet the customer ‘s requirements. A SIPOC chart or diagram provides an excellent opportunity for teams, senior management, and all stakeholders to address process-related issues and develop appropriate improvement strategies accordingly. At the same time, it illustrates the continuity of this process with other QMS processes and the application of the selected tools.

The use of electronic questionnaires is on the increase. The reasons for this lie in the undeniable advantages, such as speed, cost-effectiveness, and facilitation of the entire research process. Another important factor is the rapidly growing number of people who actively use this means of communication.

The questionnaire was created using the software solution www.survio.sk. We used the questionnaire to ensure quantitative data collection via a web form. The research sample was selected from production organizations (Tier1—direct suppliers to vehicle manufacturers up to Tier 4—level 4 contractors) operating in the automotive industry supply chain. The questionnaire was sent to 68 organizations in the automotive industry. The response rate was 100%.

The data were collected by evaluating the individual responses received. These were then analyzed using statistical methods. The responses show that the largest group of respondents included quality management representatives (60%), followed by general management representatives (22%), and the third largest group was production management representatives (9%).

The use of the best available information and the cooperation and involvement of stakeholders are essential for effective risk management. Appropriate stakeholder involvement helps to ensure that the information on which the risk assessment is based is valid and applicable, and that stakeholders understand the rationale for the decision. A cross-functional approach to risk identification and management contributes significantly to the effectiveness of the process. To test this assertion, the following research hypotheses are put forward.

2.4. Data Analysis Using the Cluster Method

The respondents’ data were analyzed using cluster analysis. Cluster analysis is a statistical method that uses computational procedures that aim to divide a data set into a number of relatively homogeneous clusters. The essence of cluster analysis is to form clusters of objects whose mutual similarity is as low as possible and at the same time the similarity of the objects within the cluster is as high as possible [53,54,55]. One of the two main approaches to determining the number of significant clusters is the heuristic approach, which is one of the most widely used approaches to selecting significant clusters and represents the determination of the number of clusters based on the subjective opinion of the solver. The basic indicator of clustering quality is the comparison of intra-cluster and inter-cluster variance based on the intra-cluster variability matrix (Equation (1)):

$$W={{\displaystyle \sum }}_{h=1}^q{{\displaystyle \sum }}_{i=1}^{n_h}(x_{hi}-{\overline{x}}_{C_h})\left(x_{hi}-{\overline{x}}_{C_h}\right)$$

(1)

and inter-cluster variability matrix (Equation (2)):

$$B={{\displaystyle \sum }}_{h=1}^q{n}_h({\overline{x}}_{C_h}-\overline{x})\left({\overline{x}}_{C_h}-\overline{x}\right)$$

(2)

where $\overline{x}$ is the total vector of averages of feature values for the entire set. Clustering will be optimal if

• the determinant of the intra-cluster variability matrix is minimal;
• the trace of the inter-cluster variability matrix is maximal.

The result of the hierarchical cluster analysis is a two-dimensional diagram, a so-called dendrogram (Figure 4 and Figure 5), which graphically represents the clusters at different cluster levels and serves to illustrate the connections made at each stage of the analysis [56].

H₀: Respondents in the given management category have a statistically significantly common opinion on the classification of risks.

H₁: Respondents in the given management category do not statistically significantly share the same opinion on the classification of risks.

The respondents who completely (100%) or statistically significantly (within the selected significance level α = 0.05) agree with the risk analysis are summarized in clusters (Z), which are shown in Figure 4 and displayed in

Table 5. Interaction matrix—cluster versus management category.

A Cluster	Respondent	Position	A Cluster	Respondent	Position
Z1	C36	General management	Z5	C64	Quality management
	C37	Quality management		C53	Quality management
	C34	Production management		C58	General management
	C25	Quality management		C22	Quality management
	C21	Quality management		C52	Quality management
	C15	Quality management		C43	Production management
	C51	Quality management		C27	General management
	C44	Quality management		C59	Quality management
	C35	Production management		C40	Resources management
	C18	Resources management		C68	Production management
	C10	General management		C32	Quality management
	C16	Quality management		C7	Quality management
	C2	Quality management	Z6	C11	Quality management
Z2	C49	Quality management		C9	Operation management
	C47	Quality management		C45	Quality management
	C48	Quality management		C12	General management
	C56	Quality management		C23	General management
	C65	General management		C62	General management
	C54	Quality management		C28	General management
	C4	General management		C6	Resources management
Z3	C39	Quality management		C31	General management
	C24	Quality management		C3	Engineering management
	C38	Quality management	Z7	C61	General management
	C26	Quality management		C66	General management
	C20	General management		C55	Quality management
	C17	Quality management		C67	Production management
Z4	C57	Quality management		C42	Production management
	C50	Quality management		C14	Quality management
	C30	General management		C19	Quality management
	C41	Engineering management		C46	Quality management
	C60	Quality management		C5	Quality management
	C29	Quality management		C33	Quality management
				C1	Quality management

.

The analysis shows that, in clusters Z2 and Z3, more than 70% of respondents are represented in the Quality Management position compared to the other clusters, which may indicate a similar view of risk analysis in the respective position (confirmation of hypothesis H₀). At the same time, this indicates a different view of risk analysis compared to respondents in other positions. In cluster Z6, 50% of the respondents are in the position of General Management, which is the largest representation compared to the other clusters and could indicate a different view of risk analysis compared to respondents in other positions.

Respondents C13 (Quality Management), C8 (Quality Management), and C63 (Quality Management) represent a special case. Quality Managers C13 and C8 agreed 100% on the risk classification questions (6, 9, 12, 15, 18, 21, and 24) and were in statistically significant agreement with Quality Manager C63 on the risk classification. These quality managers tend to belong to group Z2, which is mainly composed of respondents in Quality Management positions (71%). This fact may again indicate a different view of respondents in the given position (Quality Management) compared to respondents in other positions.

H₀. 

Respondents in the given management category have a statistically significant common opinion on the choice of an appropriate risk management tool.

H₁. 

Respondents in the given management category do not statistically significantly share the same opinion on the choice of an appropriate risk management tool.

The respondents who completely (100%) or statistically significantly (within the selected significance level α = 0.05) agreed with the identification of a suitable tool for risk minimization are in the group clusters (Z), which are shown in Figure 5 and displayed in

Table 6. Clusters of respondents with complete or statistically significant agreement in the area of determining the appropriate risk minimization tool.

A Cluster	Respondent	Position	A Cluster	Respondent	Position
Z1			Z2	C59	Quality management
	C67	Production management		C47	Quality management
	C32	Quality management		C15	Quality management
	C65	General management		C19	Quality management
	C10	General management		C43	Production management
Z3	C39	Quality management		C12	General management
	C31	General management		C60	Quality management
	C28	General management		C51	Quality management
	C35	Production management		C34	Production management
	C23	General management		C64	Quality management
	C11	Quality management		C63	Quality management
	C25	Quality management		C18	Resources management
	C4	General management		C16	Quality management
	C17	Quality management		C30	General management
	C41	Engineering management		C27	General management
	C54	Quality management		C38	Quality management
	C61	General management		C9	Operation management
	C22	Quality management		C46	Quality management
	C6	Resources management		C44	Quality management
	C20	General management		C45	Quality management
	C2	Quality management		C5	Quality management
Z4	C62	General management	Z4 continuation	C37	Quality management
	C36	General management		C3	Engineering management
	C29	Quality management		C24	Quality management
	C26	Quality management		C56	Quality management
	C49	Quality management		C57	Quality management
	C53	Quality management		C14	Quality management
	C21	Quality management		C50	Quality management
	C66	General management		C40	Resources management
	C55	Quality management		C33	Quality management
	C7	Quality management		C68	Production management
	C52	Quality management		C1	Quality management

.

The analysis shows that, in clusters Z2 and Z4, more than 70% of the respondents are represented in the Quality Management position compared to the other clusters, which could indicate that the choice of an appropriate tool for risk minimization in a particular position is viewed in the same way (confirmation of hypothesis H₀). At the same time, this suggests that the choice of an appropriate risk mitigation tool in a particular position is viewed differently than in the other positions. In cluster Z3, there are twice as many respondents in the General Management position than in the other clusters, indicating that respondents in other positions have a different view on the choice of an appropriate risk mitigation tool than respondents in other positions.

The cluster analysis confirmed the validity of the research hypothesis (H₀) and confirmed the need for a cross-sectional approach to risk analysis to ensure that the views of the relevant groups of senior management are considered in the decisionmaking process.

Based on the results of the cluster analysis, it is necessary to form a cross-sectional team of experts who can select an appropriate tool that allows risks to be correctly assigned to each colored area on the temperature map (

Table 7. The location of the risk factor for selected risks on the temperature map.

Inappropriately Defined Strategy and Direction of the Organization		Lack of Qualified Workers on the Labor Market		Low Customer Satisfaction with the Products Provided		Inadequate Process for Defining Goals and Monitoring, Evaluating, and Analyzing Performance		Limitation/Suspension of the Company		Ineffective Leadership
10	14.71%	24	30.88%	26	38.24%	11	16.18%	37	54.41%	17	25.00%
32	47.06%	34	50.00%	38	55.88%	30	44.12%	22	32.35%	33	48.53%
26	38.24%	13	19.12%	4	5.88%	27	39.71%	9	13.24%	18	24.47%

).

2.5. Creation of a Dynamic Risk Management Model

The creation of a dynamic model is based on the proposed concept of risk-based thinking using the basic structure of the requirements of the ISO 9001:2015 standard in the PDCA cycle, which allows organizations to achieve process and system management focused on risk-based thinking. The essential steps of risk management according to ISO 31000:2018 with specified tools form the introduction to managing the organization’s processes with a process approach, as well as the requirements of both standards for risk management. To support the dynamics of the created model, so that the process ensures the necessary updates and changes in relation to the changing business environment and the needs of the organization, we have proposed the appropriate tools.

Subsequently, we developed the mentioned concept in a more detailed represenation (Figure 6). As a complement to the created model, we created the interaction matrix to show the necessary interactions between the risk management requirements of the ISO 9001 and IATF 16949 standards and the proposed processes of the organization (

Table 8. Interaction matrix—processes versus requirements of risk management standards.

	Strategic Management	Resources Management	Requirements Managem.	Design and Development	EPPPS Management	Product Realization and Delivery	Monitoring, Measurement, Analysis	Continual Improvement
Risk Management Requirements	4, 5, 6, 7.1	7.1.2, 7.1.5, 7.1.6, 7.2–7.5	8.2	8.1, 8.3	8.4	7.1.3, 7.1.4, 8.5, 8.6	9.1, 9.2, 9.3	8.7, 10
4.1—ISO	x
4.2—ISO	x
4.4.1—ISO	x	x	x	x	x	x	x	x
4.4.1.2—IATF	x		x	x	x	x		x
5.1.1—ISO	x
5.1.2—ISO	x	x	x	x	x	x	x	x
6.1.1, 6.1.2—ISO
6.1.2.1—IATF	x						x	x
6.1.2.2—IATF	x	x	x	x	x	x	x	x
6.1.2.3—IATF	x	x			x	x
7.1.3.1—IATF			x	x		x
7.1.5.2.1—IATF		x	x			x
7.2.1—IATF	x	x	x	x	x	x	x	x
7.2.3—IATF		x	x
7.2.4—IATF		x	x		x
7.3.1—IATF		x	x			x
8.1—ISO						x
8.3.2.1—IATF				x
8.3.2.3—IATF				x
8.3.3.1—IATF				x
8.3.3.2—IATF				x
8.3.3.3—IATF				x		x
8.3.5.1—IATF				x
8.3.5.2—IATF				x
8.4.1.2—IATF					x
8.4.2.1—IATF					x
8.4.2.3.1—IATF					x
8.4.2.3.1—IATF					x
8.4.2.4.1—IATF					x		x
8.4.2.5—IATF					x
8.5.1.1—IATF				x		x
8.5.2.1—IATF				x	x	x
8.5.6.1—IATF				x		x
8.5.6.1.1—IATF				x		x
8.7.1.4—IATF				x		x
8.7.1.5—IATF						x
9.1.1.1—IATF						x		x
9.1.1.2—IATF				x			x
9.1.3—ISO	x	x	x	x	x	x	x	x
9.2.1.1—IATF							x
9.2.2.2—IATF							x
9.2.2.3—IATF							x
9.3.1.1—IATF							x
9.3.2, 9.3.2.1—IATF							x
10.2.1—ISO	x						x	x
10.2.3—IATF								x
10.2.4—IATF				x
10.3.1 —IATF								x

), which visualizes the necessary links between the requirements and processes in detail.

3. Results

To meet the demands of the future, companies must evolve risk management from mere prevention and mitigation to dynamic strategic enablement and value creation. This requires clear objectives, such as focusing the efforts on the most significant risks, providing information on risk levels and risk appetite in a way that facilitates effective business decisions, and ensuring that the organization is prepared to manage risks and adverse events. For this reason, dynamic and integrated risk management, which includes the ability to identify risks, determine the risk appetite, and decide on actions in real time, is becoming increasingly important.

To ensure the dynamism of the proposed risk management model, we have proposed two existing QMS management processes (internal audit and management review) with enhanced attributes that support the dynamism of risk management, as well as a new process review tool. These three tools, management review, internal audit, and process review, should form a feedback loop between the strategic and operational management of the organization’s processes.

• Process review

One of the fundamental characteristics of efficient and effective process management should be the regular review of processes and their interrelationships. The concept of reviewing QMS processes and linking the results of this process to the management review process appears to be an appropriate tool. As a more efficient way of carrying out this process, we have suggested that the process team should meet at least once every 4 months. All the processes listed in the process map are subject to review.

• Internal audit

Quality audits are the most important diagnostic and feedback tool for top management. As a necessary step to support the dynamics of the model, we have proposed a framework for a holistic risk-based reasoning approach in a simplified audit cycle. This conveniently combines the overarching risk management requirements of IATF 16949:2016 at three levels: quality management system audit, production process audit, and product audit.

• Management review

To support the dynamics of the model, we have proposed a matrix structure for the management review process. The individual inputs and outputs are discussed and recorded in management meetings at varying frequencies. The aim of this process is to assess the continuing suitability, adequacy, effectiveness, and alignment of the QMS with the strategic direction of the organization at the end of each review period (at least one per year). This ensures the higher added value of the analysis and evaluation for the top management. It provides more dynamism in the decisionmaking process and in the implementation of actions and is not just a formal record. As an effective tool for the proposed support techniques (process review and management review), we have used the risk register created, which combines the operational and strategic perspectives and brings together all the necessary information in one document.

3.1. Implementation and Evaluation of the Benefits of the Proposed Model

The proposed model was implemented on a sample of two selected manufacturing companies with the specified parameters (

Table 9. Parameters of the companies in the case studies.

Company A	Company B
tier 1 over 250 employees QMS-certified according to ISO 9001:2015 the time frame of SMK implementation according to the requirements of IATF 16949:2016, including the model 7 months time frame for operating the model 12 months	tier 2 from 49 to 250 employees without an established QMS the time frame of QMS implementation according to the requirements of IATF 16949:2016, including the model 12 months time frame for operating the model 12 months

).

For the introduction of the model, we developed a framework to ensure its effective implementation in both organizations. The implementation was carried out under the supervision of an external consultant with regular meetings on the progress of the implementation with the author of the model according to the successive steps listed below:

1. 

interview with senior management;

2. 

resource availability analysis;

3. 

determination of responsibilities and method of motivation;

4. 

analysis of the internal and external context;

5. 

analysis and treatment of project risks;

6. 

determining the time schedule, method of evaluation, communication, and escalation;

7. 

training of workers;

8. 

implementation of tasks and control of their fulfillment;

9. 

internal audit of the quality management system + follow-up actions;

10.

management review + follow-up actions;

11.

model operation;

12.

model evaluation.

We evaluated the usefulness of the above questions with the following statistical tests using the Quantum XL software (v.5.29.1700). To assess the normality of the data (Figure 7), we used the Anderson–Darling method.

If the p-value is less than the selected significance level α = 0.05, it means it is different than the normal distribution of values; that is, we reject the hypothesis H₀.

• H₀: The set of values has a normal distribution.
• H₁: The set of values does not have a normal distribution.

Testing the statistical significance of the benefits of the model was carried out using Dot plots (Figure 8). To test the statistical significance of benefits before and after fitting the model, we used the non-parametric Moods median test (Figure 9) (given the non-normal distribution of values).

Mood’s median test is a hypothesis test used to compare the medians of two or more samples like ANOVA but without the assumption of data normality. The null hypothesis is that the medians are equal. This is like one-way ANOVA but for medians instead of means [56].

• Tested hypothesis:
• H₀: μ_d = μ₀
• H₁: μ_d ≠ μ₀

where μ_d is the mean value of the differences and μ₀ is the expected mean value of the differences.

Each question contains a number of values that have a non-normal distribution. A statistically significant difference between the results of the questionnaire before and after the implementation of the model was confirmed by the non-parametric median test (

Table 10. Evaluation of questions through the statistical methods used.

Questions	p-Value
	Normality Test (Anderson–Darling)	Mood’s Median Test
Benefit rate before implementation (of 10)	<0.005	0.0
Rate of benefit after implementation (of 10)	<0.005
A measure of momentum before implementation (of 10)	<0.005	0.0
Rate of dynamics after implementation (of 10)	<0.005
Degree of integration before implementation (of 10)	0.0394	0.0
Degree of integration after implementation (of 10)	0.0158
Benefit rate before implementation (of 10) 2	<0.005	0.0
Rate of benefit after implementation (of 10) 2	<0.005
A measure of momentum before implementation (of 10) 2	<0.005	0.0
Rate of dynamics after implementation (of 10) 2	0.0127
Degree of integration before implementation (of 10) 2	<0.005	0.0
Degree of integration after implementation (of 10) 2	<0.005
Benefit rate before implementation (of 10) 3	<0.005	0.0
Rate of benefit after implementation (of 10) 3	<0.005
A measure of momentum before implementation (of 10) 3	0.0302	0.0
Rate of dynamics after implementation (of 10) 3	<0.005
Degree of integration before implementation (of 10) 3	<0.005	0.0
Degree of integration after implementation (of 10) 3	0.0059

).

The data analysis confirmed the statistically significant differences before and after the implementation of the model regarding all the assessed factors (overall benefits of the model, degree of model dynamics, and degree of model integration) and areas of impact on the strategy, financial performance, and reputation of the organization. Based on the above, it can be concluded that the dynamic risk management model created and implemented is, in the opinion of the respondents, meeting the objectives set and can be considered effective.

4. Discussion and Conclusions

The research was based on a literature review and confirmation that the concept of risk-based thinking is also applicable to the manufacturing organizations in the automotive industry. The research analyzed and conceptualized the steps of a structured approach to identifying, analyzing, and assessing risks using Brainstorming, PESTLE, SWOT, the multi-factor risk matrix, and risk register tools. The questionnaire survey conducted provided important information on the perceptions of risks and the tools used. The statistical analysis of the feedback confirmed the need for a cross-sectional approach to risk management and the correctness of the selection of risks evaluated within the strategic management process. The proposed dynamic risk management model takes into account management principles such as PDCA, a process approach, and the requirements of the quality management system standards according to ISO 9001:2015 and IATF16949:2016, respecting the basic steps of risk management according to ISO 31000. Three basic management tools have been designed to support this dynamic model: process control, internal audit, and management control, complemented by aspects that support the concept of risk thinking. The next step was to implement the framework of the proposed model in a selected sample of manufacturing organizations. The model was then applied to their quality management systems. Finally, the benefits of the implemented model were evaluated through a questionnaire survey among the top management representatives. The results confirmed the contribution of the model in both organizations regarding all the evaluated criteria.

Within the research objectives, the following aspects were achieved:

• To analyze the current state of solving the problem of dynamic risk management.

The available literature provides a wide range of dynamic risk management applications in various areas of activity, and the application of the risk management models in risk management systems is analyzed and evaluated in Section 1.2. The use of these models is based exclusively on their application in organizations with implemented ISO 9001 requirements.

• To propose an appropriate risk mapping (analysis) methodology that takes into account and strengthens the qualitative dimension of risk assessment and creates a subsequent building element of dynamic risk management in an appropriate model.

The output will be a multi-factor risk matrix applicable to the risk assessment process of the strategic management process and a centralized risk register serving as a source of risk information for the stakeholders, including the top management, and highlighting the particularly important risks.

• To propose the structure of the dynamic risk management model for the strategic management process.

The created conceptual model, together with the matrix of interactions of the risk management requirements of both quality management standards (ISO 9001:2015 and IATF 16949:2016) with the organization’s processes, including the tools to support its dynamics, were implemented in two production organizations with the aim of verifying the model’s benefits.

• Verify the effectiveness of the proposed model in specific cases and evaluate the technical and economic benefits.

The proposed framework for the implementation of the dynamic model was used in the implementation of the model, and the perceptions of the benefits of its implementation were obtained through a questionnaire survey among the members of the top management of the organization and then statistically evaluated in Section 3.1.

In terms of the research limitations, the current research does not address the use of risk management tools to manage opportunities (the positive impact of risks). For management needs, a modified multi-factor matrix can be used that takes the opportunities into account. However, a different methodology can be used for their analysis, evaluation, and resolution. Failure Modes and Effects Analysis (FMEA) risk analysis is not part of the investigation as IATF16949:2016-certified organizations must use it as a risk management tool for the manufacturing process and product. However, a prerequisite for the effective functioning of the proposed dynamic risk management model is the appropriate use of the FMEA tool.

The future research will focus on a more detailed statistical evaluation of the usefulness of the model in a larger number of organizations where this model will be implemented.