50 years of interdisciplinary risk management
General conditions can change quickly. Which integral management measures have proven their worth over the years? To what extent do standards serve longer-term risk management goals? Such quintessential questions have always occupied "Management & Quality" and continue to do so, here in a special series on the topic: "50 years of SAQ & Interdisciplinary Risk Management".
It is 2015, and technological leaps are increasing rapidly, products and production lines appear more complex, digital networking is on the rise, and consequently, value concentrations and stricter legislation are also dominating Swiss companies. One might think that today's society sees risks as a constant threat. It would be much better to create an uninformed corporate culture that allows risks and their changes, standards and protective measures to be managed clearly and transparently, if not continuously.
In order to assess and control risks more uniformly, business scientists working in Switzerland also developed the first structures and laws regarding risk management. Prof. Dr. Bruno Brühwiler, a well-traveled expert and managing director at Euro Risk Ltd. who has played a key role in the development of national and international standards, told Management & Quality: "Business came across the topic on both sides of the Pacific. However, 50 years ago there was no widespread risk management - except for space, disaster or reactor studies. The science itself only gained momentum through large multinational companies, most of which had to run an insurance and risk management department."
In this first wave in the 1970s, companies such as Swiss Re, Zurich or Winterthur Insurance defined the first risk management approaches that still "resonate" today. In the meantime, every economist has learned that a need for risk aversion cannot simply be outsourced by means of an insurance contract. Prof. Dr. Brühwiler: "Insurance against risks makes sense as long as cost factors are not exceeded and causal relationships are ignored."
Many managers and employees, however, still lack awareness of mostly dynamic disruptive potentials or a methodical approach to risk management.
Professional risk management
Risk Management (RM), sometimes an element of a larger set of rules, forms a constant guard rail at all times - so that, for example, crisis management under ISO 22301 (Business Continuity Management) not only focuses on actual loss events, but also identifies processes and gaps in upstream and downstream rescue chains. In fact, RM - not least due to new technical developments and far-reaching management tasks - organizes increasingly complex working and sensitive product worlds.
"However," says Prof. Dr. Brühwiler, "risk management unfortunately only came back into the public eye because of the financial crises."
However, the actual definition of the standard to be applied for the endangerment (and also for the rescue) of the company's existence is and remains problematically vague. Since 1 May 1998, the German Stock Corporation Act (AktG) only states in paragraph 91 (2) that "the board of directors must set up a monitoring system in order to identify at an early stage any risks that might jeopardise the existence of the company". In Switzerland, article 663b of the Swiss Code of Obligations requires "information on the performance of a risk assessment" (see Infobox).
On the one hand, such laws can entail massive archiving tasks for even the smallest of companies. On the other hand, a company manager who does not have a stringent overview of his company's hazards will almost certainly make disastrous decisions. Therefore, yesterday, today, and tomorrow, RM specialists must be able to survey and assess those situations that are less dangerous to the achievement of a project's goals, but which can equally diminish successful outcomes.
Ever since serious events such as the Swissair grounding affected the Swiss economy, if not before, ad hoc risk management guidelines have also been taught at universities. In practice, at the latest, managers have to accept one maxim: "Responsibility can never be delegated." Corporate phrases are gradually becoming obsolete, however abstruse many decisions may seem to a manager and however remote the possible events.
Requirements for companies
The SAQ (Swiss Association for Quality) was founded in 1965. The association, which today has around 1,800 members, 80 percent of which are companies, is more than just a catalyst for the equivalence of internationally applied ISO standards. For 50 years, SAQ has revolved around the certification and auditing of professionally managed companies. This gave rise to the SQS (Swiss Association for Quality and Management Systems) in 1983.
"Perhaps in the past, RM was often confused with quality management, process optimization and underwriting," says Prof. Dr. Brühwiler, lecturer and president of Euro Risk Ltd, but in the last few years there has been a clear trend towards the integral assessment of hazards. SAQ training courses and events help managers to do justice to their task of coordinating corporate security with the expectations of employees (and possibly shareholders) via standards and optimal guidelines.
Company-specific planning integrates other departments around the actual financial area. "It does not operate RM simply through models," says Prof. Dr. Brühwiler. This is also the opinion of Bettina Hübscher, lecturer and project manager for RM at the Lucerne University of Applied Sciences and Arts, HSLU. For the development of the company, it is more important to be able to evaluate, weigh and cushion the risks and opportunities that really arise - despite all the declarations of conformity, product safety guidelines, incident regulations, emergency, crisis and continuity management systems that have been designed.
Bettina Hübscher: "The HSLU therefore always relies on short-term ad hoc measures in addition to sustainable strategic measures. However, they only work if the RM is coordinated with the CC, it is lived from the top of the company to each employee and practiced regularly (combine analysis with synthesis, exercises/training)."
Good corporate governance is accompanied by risk and compliance measures. For HSLU lecturer Bettina Hübscher, it consists of at least six important aspects. Central to this is "a holistic view of the company and the inclusion of the corporate culture".
- Safeguarding the interests of different groups
- Functional management
- Target-oriented cooperation of the company management and supervision
- Transparency in corporate communications
- Appropriate management of risks
- Management decisions geared towards long-term value creation
If a functioning "corporate culture" is not created, further risks will definitely arise. In order to not only react to events in a reactive, hasty or improvised manner, RM processes should be integrated into the corporate management. In this context, the standards co-defined by Prof. Dr. Brühwiler, such as ISO 31000 (Risk Management - Principles and Guidelines) and ONR 49000, Risk Management for Organizations and Systems, Application of ISO 31000 in Practice, can serve as important trades in professionalization. The latter standard is currently among the top 5 professionally applied ISO standards.
The OECD declared it to be a "de facto world standard". In any case, it corresponds to an expansion and upgrading of classic risk management in Enterprise Risk Management. Based on this, companies are increasingly setting up positions for Chief Risk Officers.
Read more in part 2 about milestones, or rather standards, on the way to Integrated Risk Management in the next issue of Management & Quality, which will be published in June 2015.