Difficult implementation

Enterprise risk management (ERM) must generate added value in addition to functions of information dissemination and reporting. To achieve this, management must make a conscious decision in favor of ERM as a management tool and develop and support its use and integration into business processes. Food for thought from 10 years of experience in ERM.


Risk management is becoming increasingly important in companies and organizations. The need for active, conscious risk management adapted to individual requirements is becoming apparent (e.g. "Deepwater Horizon" and the financial crisis). Legal requirements and regulations force companies to act. New approaches such as GRC (Governance, Risk & Compliance) already seek to integrate the various risk management disciplines (governance, EH&S, financial risks, compliance, ICS risks, etc.). GRC aims to anchor risk management more consciously and thus generate more impact, prevent redundancies and exploit synergies between similarly positioned management systems.

ERM as a management tool

Risk management systems should essentially be implemented for two reasons: first, to comply with legal requirements (ensuring legal compliance), and second, to generate added value in the company or organization.

In the context of defining risk management concepts today, complicated implementation models are often proposed whose benefits are difficult to see. Management systems are service products, and the question is how to design and apply them. They should be integrated into the company's processes using practical approaches, and they should be resource-efficient, supporting the business in day-to-day operations with appropriate risk information. Typically, risk management systems should support management in decision-making, strategy development, corporate planning and project management with aggregated risk overviews and risk-adjusted proposals for measures.

 

Furthermore, management is constantly being swamped with new management systems. Saturation is clearly noticeable in top management as well as among the respective business process owners. Real commitment from management towards its line managers and the workforce is only possible if the leadership perceives risk management not merely as a compliance exercise but as a management tool, and recognizes a practical benefit in it. Further development of the risk management structures that are inadequate in most organizations today can only succeed top down, with the participation of executive management (CEO) and the board of directors. Practical experience shows that the points for reflection fall primarily into four areas:

1. Lack of responsibility/commitment

There are various reasons why risk management is not applied, or only rudimentarily, at the highest level in the corporate world, including the fact that opportunities are in the foreground and top management responsibilities are still not enforced, or insufficiently so. Is it the tempting opportunities that present themselves and which, when the risk side is ignored, appear much larger and more attainable? The financial sector confirms exactly this picture: existing risk management processes (including internal control systems) are deliberately not applied, and in retrospect top management presents itself as completely naïve. It is also a fact that billions in shareholder value are lost, the public steps in and management is not held sufficiently responsible.

 

The Swiss legal basis for risk management (see box) is very brief and vaguely formulated; there is no explicit reference to how risk management is to be implemented. Current standards hardly answer the "how" either. In particular, there is a lack of clear best practices in the main risk areas. The focus of ERM systems should be on planning measures and developing model solutions here. A large proportion of the top risks are cross-sectoral and similar: risks such as the loss of key personnel or purchasing risks, to name just two examples, can be found in many different industries. Standards for measures would generate significant additional benefit here. Current trends such as "Governance, Risk & Compliance" are of a theoretical nature and are particularly well suited as a basis for consulting, but bring little additional benefit in practice (eliminating duplications is definitely not a key effect).

Often there is no real commitment from top management. In most cases a good risk overview is of little importance to the CEO, who is measured by profit maximization, not by risk minimization. Often the existence of a rudimentary risk map is enough to satisfy the demands of executive management or the board of directors, and this is also entirely sufficient under the legal basis in Switzerland (no auditor requires more detailed information).

 

Management commitment too often depends on the personal preferences and agenda of the respective management member. That commitment in turn determines how successfully the risk manager can operate within the organization.

2. Insufficient ERM organisation

Today, risk management is carried out with varying depth and thoroughness in companies, often as an isolated process, which is a contradiction in itself (controlling, too, is not carried out separately but in an integrated manner).

 

A risk assessment is generally carried out by top management for the quarterly and annual reports, i.e. one to four times a year. A continuous, integrated risk management process that involves all hierarchical levels and assigns responsibilities is mostly not in place.

Only integration and inclusion in strategic, operational and support processes, together with the assignment of responsibilities, enables the overall risk view required in an ERM (Enterprise Risk Management). Of course, expert disciplines such as internal control systems, occupational health and safety, security, business continuity management, treasury, crisis management, financial risk management, information security, etc. must also be integrated accordingly.

 

Risk management is a young discipline, at least as far as the conscious implementation of risk management processes is concerned. Consequently, risk management approaches and standardized action plans are very heterogeneous. Despite the increasingly widespread application of risk management, risk managers with a general training are still a rarity. Training should be based on current practical needs and existing risk fields and provide students with standards and management methods (risk measures). This can only be ensured through basic research and an exchange of expertise between teaching and practice. Today, education lacks methods for managing specific risk categories according to their risk potential. Exceptions, where a large number of well-qualified experts are available, include areas such as IT security, occupational safety, fire protection, and credit and market risks. However, these experts rarely see the benefit of an integrated solution for their company or organization.

Since prevented risks cannot be measured, and comparisons of the risk situation before and after the introduction of measures (gross/net comparisons) do not stand up to any deeper scrutiny, risk measures and their value cannot be measured directly either. Without a way to measure the value added, the provision of resources at corporate level will also not be easy to enforce.

Added value can only be generated if, in addition to the key risks, standards for measures and simple practical methods are made available. However, this is the task of the universities, not of the companies.

 

3. Complicated methods with little added value

The risk management methods for recording and analysing risks and their measures in depth are time-consuming and not standardized. These attributes overtax not only the risk managers but usually also the management bodies. There are exceptions, of course: sophisticated risk models exist for financial risks. However, as numerous events in the financial services industry in recent years have clearly demonstrated, these models can only be used to a limited extent in reality and have too many deficiencies to manage financial risks in the long term.

For reasons of practicability, the assessment of the various risk categories in companies is often not carried out across divisions. Risk assessments are very difficult to understand and are carried out only on a qualitative basis (except in the so-called easily quantifiable fields such as financial risks). Tools are only suitable to a limited extent. Risks in business processes are dealt with intuitively, rarely consciously and thoroughly, and detached from risk management. ERM tools do not provide business process support.

 

Today, even in large international groups, reporting is done manually, i.e. without or with only partial use of ERM tools. Integrated reports, in which different risk categories are reported on together, are rarely prepared. The effort required for reporting to the board of directors and the management board is therefore very high, and the applicability of ERM tools for reporting in practice is still far too little developed. The tools today are mostly databases, but they can also be operated on the basis of Excel or SharePoint. The simulation options of ERM tools are also very limited in some cases; here, too, user-oriented concepts would create added value.

 

4. Lack of risk culture

The prevailing corporate culture is related to the business conducted in the company. It also depends very strongly on the company's history and on the culture exemplified by management.

In addition, the risk culture is strongly influenced by the ways of thinking typical of individual professions. The risk manager must adapt to these ways of thinking, and the results of a risk analysis differ accordingly. A risk analysis must therefore be carried out by as heterogeneous a group within the organisation as possible in order to avoid steering towards overly one-sided results.

The corporate culture often offers too little basis for linking risk management culturally. Errors and risks identified by employees often cannot be discussed openly and are not communicated to management. Whistle-blowing approaches only work to a limited extent and can have consequences under criminal law.
