**1. Introduction**

Determining all risks that businesses are exposed to, evaluating these risks, and planning preventive actions against these risks play an important role in achieving a sustainable competitive advantage and improving business performance. The modern risk management approach has strategic importance as it manages all risks and adopts a holistic approach in the context of the survival of the businesses [1]. Risk management gains special importance in being prepared for changing business conditions, managing change effectively, and minimizing the negative effects of uncertainties on the objectives of the enterprises while increasing their positive effects.

Vocational Qualifications Authority (VQA) is a public institution with administrative and financial autonomy established in Turkey in order to establish and operate a national qualification system compatible with the European Union. The national occupational standards of the occupations performed in Turkey are prepared by the Vocational Qualifications Authority and also national qualification documents that design the assessment and certification processes to be carried out in order to determine the competent individuals in the relevant occupation based on the occupational standards are developed. Both occupational standards and qualifications documents are developed according to needs of sectors in cooperation with sector institutions. Assessment and certification processes are operated through the certification bodies authorized by VQA in accordance with national qualification documents [2].

Certification bodies authorized by VQA are for-profit organizations, and their financial sustainability is among the authorization conditions. These institutions are required to be accredited according to the "ISO 17024 Conformity assessment – General requirements for bodies operating certification of persons" and meet the authorization conditions determined by VQA [3]. Within the scope of the authorization conditions, these institutions regarding risk management evaluate their assessment activities and define, measure, and evaluate their risks in a way to eliminate uncertainties in the realization of their objectives and in the effective implementation of their procedures and to carry out the necessary preventive actions to prevent these risks [3].

In this context, a new risk management model has been designed and proposed by using the fuzzy DEMATEL method, which is one of the multi-criteria decisionmaking methods, in order for authorized certification bodies to determine their risks, evaluate and measure risks, and plan the necessary preventive and corrective actions according to the results obtained.

## **2. Risk and risk management**

Although the concept of risk appears in the literature in two ways, traditional and new, in the traditional approach, risk is considered a negative concept and is expressed as a threat, danger, damage, or loss [4]. In the traditional approach, risks are handled independently from each other, focused on specific risks, and activities to reduce risk are continued [5].

In classical risk management, each unit in the business focuses on the risks that are directly affected, and in its area of interest, the focused risks are related to the financial dimension and other risks are not taken into account. Independent determination of the risk in other units, without considering the effects on the entire enterprise, prevents the formation of a risk policy adopted both among the units and throughout the enterprise [6].

In the modern approach, risk management is under the coordination of the senior manager, but under the responsibility of all units and employees, and not only limited to the financial dimension but also considers other risks. In this approach, which integrates with all employees and all processes of the enterprise, risk management exhibits an approach that is compatible with all goals and objectives of the enterprise [1].

Risk, which was seen as a danger for many years, can be seen as an opportunity today. Hazard is only the negative aspect of risk that can lead to undesirable consequences. Opportunity, on the other hand, is the probability of an event that positively *Development of a Risk Management Model by the Fuzzy DEMATEL Method in the Evaluation… DOI: http://dx.doi.org/10.5772/intechopen.110018*

affects the realization of business objectives, and it is aimed to create value and protect the value created with opportunities. Our age's risk management approach adopts a risk management approach that transforms risks into opportunities and thus increases value [7].

With the new approach, risks are evaluated by taking into account the entire enterprise, critical risks are primarily focused, the most appropriate response to risks is determined, and all employees take responsibility [5].

For this reason, while the concept of risk was defined as the negative effect of an unexpected event or uncertainty on targets in the early periods [8], with the new approach adopted in recent years, the negative side of risk was not only focused on but also aspects such as opportunity, profit, and gain, which express the positive aspects, were also discussed [4].

In this framework, the concept of risk is considered as threats, negativities that may prevent the realization of the objectives, or opportunities that may facilitate the achievement of the objectives [9, 10].

The Project Management Institute defines the concept of risk as "an event or condition with uncertainty that, if realized, could have a positive or negative impact on the objectives of the organization." According to the ISO 31000:2009 Principles and Principles standard risk, it is explained as the effect of uncertainty on the targets, and with the effect expressed here, positive or negative deviations from the expected situation are expressed [11].

The concept of risk management was first used in the insurance field in the early 1950s. The first principles of risk management were developed in the early 1960s, and in this context, it was emphasized that risks should not be contented with only insurance, but all risks should be managed. In parallel with this, risk management started to play an active role in political, economic, military, scientific, and technological fields in the following years [7].

Risk management, which was applied only for insurable risks in the past, has gained a different dimension today. Businesses have started to implement risk management in a way that takes into account strategic, operational, and financial risks [12].

As external factors, while it is expressed as economic events, natural environmental events, political events, social events, and technological events, it is classified as infrastructure-related events, personnel-related events, process-related events, and technology-related events as internal factors [13].

While the risks faced by businesses are generally classified as being from strategic, financial, operational, and external environments, the classification system based on internal and external factors by COSO (Committee of Sponsored Organizations), which offers a widely accepted risk management framework, is one of the comprehensive classifications [13].

The activities for businesses to define their risks and evaluate and reduce their risks appear as risk management. According to ISO 31000, the risk management process includes communication, negotiation, scoping, assessing risks, responding to risks, monitoring, reviewing, recording, and reporting [14].

All activities carried out on this basis, with the identification and evaluation of events or situations that are likely to occur and which are considered to affect the achievement of the administration's goals and objectives, constitute the subject of risk management [15].

In summary, risk management exhibits a proactive approach that reduces uncertainties and the negative effects of uncertainty to a more acceptable level and prevents problems before they arise. In addition, it aims to lead the way in which opportunities are recognized in advance and turn them into advantages for the business.

Thanks to risk management, businesses identify the risks involved in the activities they carry out, evaluate the possibility of the risks to occur and the effect they will have when they occur, plan the necessary preventive actions, and thus turn the threat or danger element posed by the risks into an advantage [12]. With risk management, it is aimed not to completely eliminate risks, but to enable businesses to better understand their risks and manage them at a level they can control [16].
