Why theory and practice on risk standards so often diverge
Search for risk management and you quickly land on norms, checklists and certificates — the theoretical frame. In the business, people, time pressure and habit decide whether that becomes action. In episode 18 of Risiko Radar, Till Manfred Blania and Peter Münstermann walk through everyday assumptions: where standards orient, where they suggest false security — and where the gap between paper and practice actually opens. Not as a rejection of rules, but as guidance for managing directors and risk owners in SMEs who sense that "everything is regulated" and something still jams.
What does an ISO certificate really deliver — and what does it not?
Google and networks point first to ISO — often ISO 9001 — as shorthand for "proper" risk and quality management. The certificate signals reviewed structures, gives customers and partners orientation and can build trust. Peter knows the other side: many know a certificate is often a file — built once, hung on the wall or filed away. What counts is whether requirements are lived, understood and implemented with time and space over years — not only the week after certification.
Till describes the classic break: the standard does not say why people should follow it. Push from above "because we are ISO now" and you invite resistance — processes get bypassed because they slow work, and perhaps a fraction of staff comply while leadership assumes the job is done. Beraterium does not bet on more control but on intrinsic motivation: anchor rules so they make daily work easier — aligned with the method of collecting hazards and prioritising a few effective measures instead of filling a hundred binders.
You must be careful not to confuse documentation with reality.
Why documentation alone is not risk management
Peter's core message for owners: not everything is 100% fulfilled every minute — that would be unrealistic. What matters is whether you ask and check at the important points whether what is documented actually exists. That is not criticism of standards but of treating paper as the thing itself.
| Dimension | On paper | In practice |
|---|---|---|
| ISO / QMS | Processes described, audit passed | Bottlenecks, workarounds, "eyes closed and through" |
| Responsibility | Roles on the org chart | Emotional handovers, micro-management |
| Risk assessment | Traffic light or "high/medium" | Debate over terms weeks later |
| Measures | Long action lists | Few that are actually lived |
To build employee awareness of risk, you need more than a handbook — clarity about what counts when it matters.
How CE marking and product standards can fail in practice
From ISO to technical EU requirements: CE marking, guards, fire and electrical risks — sensible when manufacturers and importers take them seriously. Till and Peter also explain the shadow side: CE can look formal and still mislead — when letters are arranged to mean "China Export" rather than compliant marking, or when customs certificates cover a supplier without every imported unit being checked.
The same pattern applies to Ökotex, organic labels or leather claims: stickers and seals can be printed; "100% leather" says little about quality layers. For buyers and managing directors: duty of care remains — especially on imports from low-price markets. A contact in Peter's network working with lithium batteries describes heavy EU storage and training rules — while receiving batteries from China in flimsy packaging. Not a licence for lax rules, but a sign: competitive distortion and residual risk often sit beyond the label.
How much quality and safety do SMEs really need?
Not every company size needs the same tool or rule depth. Peter illustrates with the drill: four holes for a curtain — if the cheap tool fails, it barely matters; in continuous use you choose differently. Privately you decide yourself; commercially, duty of care and liability apply. Till shows a damaged charging cable with CE print at his desk — still works, insulation doubtful. Short circuit near something flammable, recourse, liability: standards reduce probability but do not replace maintenance, judgement and risk trade-offs.
For business security and risk management, the point is not maximum regulation by default — but depth matched to your damage potential.
Why guarantees, promises and insurance often protect less than assumed
Delivery guarantees, price guarantees or completion promises sound convincing in sales — Till asks: what remains if the company goes bankrupt? Obviously nothing. The same with insurance: fine print often lists long conditions when payment is excluded. Builder contracts can run to dozens of pages — and if the contractor disappears, nobody continues building anyway.
In risk terms: promise and reality sit on different sides. Weigh whether you trust the counterparty, whether the promise holds on impossibility or insolvency — and whether you carry the rest as a conscious risk or insure it. Not blind trust — but thinking in euros and scenarios, as the Beraterium method proposes.
What specifications and contracts actually deliver
Specifications can run to many pages — and parties still disagree on what was delivered. Peter tells of the craftsman next door: trust, reachability, neighbourhood do not replace a contract but gain weight when anonymous low-cost providers fail. In parallel: long contracts with recourse clauses — read, understood, enforceable?
Till quotes a public prosecutor: Everything disputable in court is problematic — everything open to interpretation. If you draft contracts yourself, ask: what is documentable, traceable, enforceable — and where might interpretation dispute arise? Standard clauses and case law help; perfect security does not exist. Sometimes conscious trust plus luck remains — Peter calls that honestly "eyes closed and through" when the alternative would be standstill.
Why safety rules and IT standards only half work
Safety rules — like contract clauses — can be interpreted. The boss can prescribe many rules; whether the third emergency stop is pressed when it matters is another question. On IT and cyber security, Peter describes a typical tension: rules for protection exist, penetration tests and benchmarks are possible — often more interesting is what is actually implemented and lived, not what the rulebook says.
According to the Allianz Risk Barometer, 52% of companies in Germany name cyber risk as the top threat in 2026 — paper compliance without ongoing checks does not close that gap. To understand why employees make risky decisions, the answer is often the same: rules without understood meaning in daily work.
Where SMEs sit between rules, global competition and pragmatism
Peter compares pharma in Germany and India — patent protection, environmental rules, wastewater: different game, different cost. Till extends to Chinese electric cars, textile production, technology imports, trademark issues like "cutting off Hydra heads". Plus high tax burden and why founding in Germany stays hard — without denying the value of rules.
For mid-market firms: requirements can be sensible and create comparability; smaller businesses cannot mirror corporate depth everywhere. The line is not "rules yes or no" but bearable risk — and what you actually live operationally. For the broader frame, see what risk management is; the SMB clarity roadmap translates it into six weeks of business proximity.
How euros instead of interpretation help in risk assessment
Peter links contract and rule interpretation to Beraterium logic: classic analyses quickly end in dispute — what is "high damage", what is "likely"? That is why they quantify risks in euros under documented assumptions so participants mean the same thing and do not debate terms later. That does not replace legal advice — but it closes the gap between a theoretical matrix and a shared decision basis.
Conclusion: take rules seriously — without confusing paper with reality
Peter summarises episode 18 in one pattern: there are rules for quality, safety, processes and products — often describing a perfect, unambiguous, documented world. Reality interprets, adapts and acts anyway. Not every rule is wrong; not every rule improves practice. Till adds the line for the German context: Being in the right is not the same as getting your rights — on standards, contracts and guarantees.
Operationally: you cannot insure everything or eliminate every risk. Accepting that allows conscious trade-offs instead of freezing the business. The decisive question is not "Did I do everything right?" but: What does it cost me if I am wrong — and can I absorb the damage? Answered in euros and scenarios, risk work becomes manageable — not as a substitute for rules, but as a bridge between theory and what actually counts in the business.
This article does not replace legal, tax or insurance advice. For contracts, liability and individual cases we recommend qualified specialists — for example from the RisikoRadar network.
