Risk management: How to make sound decisions

“Risk management” describes all the measures for identifying and influencing the opportunities and threats that arise in the course of business activity. These opportunities and risks can have a positive or negative impact on the success of the business.

It is not the task of risk management to eliminate all threats – because that is practically impossible. Rather, the goal is to optimize the relationship between opportunities and risks. In other words, successful risk management contributes to decision-making and planning security, minimizes the risk of insolvency, and stabilizes the earnings situation.

Risk management not only makes economic sense for companies, it’s also a legally binding building block in corporate management. However, risk management is not regulated in any single law or code – rather, there are a number of different laws in the US that impinge on risk management.

After several corporate crises in the early 1990s, the US federal government took a major reform step in 2002 and passed the Sarbanes-Oxley Act. It is a federal law that sets new or expanded requirements for all US public company boards, management and public accounting firms. A number of provisions of the Act also apply to privately held companies, such as the willful destruction of evidence to impede a federal investigation.

The sections of the bill cover responsibilities of a public corporation’s board of directors, add criminal penalties for certain misconduct, and require the Securities and Exchange Commission to create regulations to define how public corporations should comply with the law. In addition, there is a legal stipulation that risks must also be adequately taken into account in any business decision (this is called the Business Judgment Rule: It is rooted in the principle that the “directors of a corporation ... are clothed with [the] presumption, which the law accords to them, of being [motivated] in their conduct by a bona fide regard for the interests of the corporation whose affairs the stockholders have committed to their charge.”

In addition, there are still some national standards that may not be legally binding but are in effect required in order for businesses to meet investors’ expectations: These include, for example, the Auditing Standards for Private Companies (issued by the American Institute of Certified Public Accountants) and the Generally Accepted Accounting Principles.

The most important international standards include the risk management standard ISO 31000:2009, the quality management standard ISO 9001:2015, and the COSO Enterprise Risk Management Framework (COSO ERM 2017). The framework, also known as the COSO cube, categorizes risk management according to components, target categories, and organizational units.

The guidelines set out in these standards are intended to help companies implement their own risk management and develop it further. Both the ISO and the COSO standards are regularly reviewed and, if necessary, adapted to reflect current developments in the corporate world.

Frequently, risk management is linked to compliance and corporate governance in companies, because all three disciplines are closely related to one another. They all contribute to proper and efficient corporate governance.

Corporate risk management can be divided into strategic and operational risk management. The strategic aspect involves defining risk management objectives, formulating an overarching strategy, and defining operational processes. Implementing these processes is the task of operational risk management.

The first step is risk determination, which involves sorting, identifying, and describing all existing risks qualitatively, individually, and by risk area. This can be done on the company’s level as well as at the project level. Decision-makers can use different methods to structure the identification process and ensure that all threats and sources of harm are identified:

• Expert and employee surveys
• Evaluation of existing data and documents
• Internal risk workshops
• Factory and site visits

At the end of this phase, a complete risk catalog (also: risk inventory) should have been created.

In the next step, each individual risk is quantitatively assessed with regard to its probability of occurrence and its potential impact. In the assessment, not only one risk must be considered in isolation, but also the consequences of several risks interacting or accumulating over time. This aspect is also referred to as risk aggregation.

Probability distributions or frequency distributions are used in quantification. The concrete measure used to assess a risk is called the “value at risk”.

Steps 1 and 2 are also referred to collectively as risk analysis. This analysis is considered to be the most difficult step in the risk management process, as not only current but also future risks need to be identified and assessed. Once the results of the risk analysis have been evaluated, the risks that have a particularly high probability of occurring have priority and should be dealt with first.

Risk management involves examining the methods applied with regard to their efficiency, appropriateness, and effectiveness. Controlling can take place in two ways that ideally complement one another: as continuous monitoring in real time and as periodic in-depth risk assessment. The results are promptly forwarded to those responsible.

Risk management is not the responsibility of one individual, but concerns every employee in the company. Although the strategy and fundamental orientation of risk management are determined by management, other employees are involved in the operational business.

The model of the three lines of defense is often used for allocating responsibilities in risk management:

• First line: Managers and employees react to operational risks in accordance with the defined strategies – supported by an internal system of controls.
• Second line: Employees who are directly involved in risk management tasks support and monitor the first line, e.g. by specifying methods or coaching.
• Third line: Risk management is monitored by an independent body.

Identifying and managing risks is an integral part of our corporate culture. Therefore, risk management is not confined to the top floor. However, it affects every single employee in his or her daily work.

Anyone who does not take into account the possible negative effects of their decisions in advance ultimately endangers the economic stability of a company. With its methods, risk management offers the necessary tools to clearly identify risks instead of relying on a vague gut feeling. This makes it possible for companies to take calculated risks that are necessary for growth and success.