Governance, Risk Management & Compliance in Network Risk Management
Governance, risk management & compliance, or GRC for short, was the thematic focus of the 2019 annual conference of the Risk Management Network. In recent times, various prominent cases have shown that there can be considerable gaps between the expectations of stakeholders and the public on the one hand and actual corporate governance on the other - both at private companies such as Raiffeisen Bank and at publicly controlled companies such as PostBus.
Governance, Risk Management & Compliance - how do the three forces of GRC interact? Are there differences between public and private companies? Could international standards further strengthen risk management? And how should its strength be audited? To address these multi-layered questions, four exciting expert presentations were on the agenda of the General Assembly of the Risk Management Network on 27 March 2019 at the Migros Aare Business Centre.
Fresh produce logistics at Migros
First, however, the 90 or so participants were captivated by the fast-paced world of fresh produce logistics, presented by this year's host of the annual conference, the Migros Aare Cooperative, at its Schönbühl (BE) operations centre. On the one hand, the one-hour tour of the logistics platform gave an idea of how much planning and precision is required to ensure that over 400 different articles, including around 200,000 pots of yoghurt or around 100,000 crates of fruit and vegetables, can be delivered to the 126 Migros sales outlets in the cantons of Berne, Solothurn and Aargau with pinpoint accuracy every day.
On the other hand, planning and precision are also key requirements when it comes to expanding the scarce capacities of this logistics platform in a large-scale project, and doing so without interrupting operations. It is not surprising that this also places special demands on risk management. Systematic process modeling is indispensable to ensure that the relevant risks remain in focus among the multitude of possible critical events - with an impact on financial performance, the competitive position or on society and the environment. However, close contact with the line managers remains at least as important, as Christian Müller, controller and risk manager for the project, impressively described.
More than a governance expert
The sequence of specialist presentations in the afternoon was opened by Dr. Daniel L. Bühr, a partner at the international law firm Lalive, who noted that Switzerland ranks only in the middle of 129 countries in the Anti-Money Laundering Index of the NGO Basel Institute on Governance. The rating is astonishing, because it contrasts not only with our own perception, but also, for example, with the great support that the corporate responsibility initiative enjoys among the population. GRC experts around the world now agree that long-term corporate success can no longer be achieved without GRC management according to best practice, as consolidated in international bodies of standards.
In the age of ongoing digital networking, journalist networks and the automatic exchange of information within the framework of the MCAA, the world has not only moved closer together, but has also become more transparent: breaches of the law can thus not only be very expensive, they are also more likely to be uncovered due to the growing international cooperation of the judiciary. In addition to the implemented system, a key element of good GRC is the example set by middle and senior management.
Jonas Vetter, lawyer at the Federal Finance Administration (FFA), presented on the topic "Control of federal companies". The outsourcing of federal tasks to independent companies some 20 years ago was based on the core idea that these companies - freed from the administrative corset of the central administration - could provide their services more efficiently and in line with the market. Once the decision to outsource has been taken, the principles according to which the Federal Council exercises its responsibility as the controlling owner of these economically important units and manages them in the public interest must also be established.
The task is not trivial: it is not only a matter of reconciling sometimes conflicting objectives (basic services vs. shareholder value), but also of granting companies the entrepreneurial freedom they need for their sustainable success. In addition to a solid legal framework (long-term, static), the instrument of strategic goals is central: the Federal Council uses them to set dynamic targets for four years at a time, which the Board of Directors, as the supreme management body, must achieve, particularly with regard to performance, finances and personnel policy.
Risk management and compliance
Risk management and compliance have also gained importance in the management of federal enterprises. In the risk landscape, a distinction must be made between (1) risks borne by the Confederation as owner and guarantor of the basic services and (2) risks for which the enterprise itself is responsible on the basis of its tasks and objectives. They are managed accordingly by the RM of the Confederation or that of the enterprise.
However, since risks of type (2) can also have an impact on the Confederation itself, the Federal Council must take special precautions. Based on its control principles, however, it will not intervene in the competencies of the company. Rather, it obliges the Board of Directors, by means of a strategic objective, to ensure an appropriate RM system in accordance with international standards. The achievement of the objectives is verified by an independent audit. As I said: not trivial, but important.
"Is the Swiss Federal Audit Office (SFAO) allowed to conduct RM and compliance audits at the Confederation and federal companies?" was how Brigitte Christ, with a mischievous undertone, opened her presentation on the topic "Audit RM and CM systems - but how?". "No!" is the unequivocal answer of the Deputy SFAO Director, "it must!" Because the Financial Control Act (FCA, SR 614.0) sets out the criteria (Art. 5; e.g. regularity) and institutional areas (Art. 8; e.g. central federal administration) according to which the SFAO is to conduct audits. Based on this, in recent years it has conducted audits in the area of GRC on compliance management (CM) at RUAG (2016) and on risk management at Swiss Post and the Federal Administration (both 2018). In each case, the focus is on two areas: on the one hand, the audit of the RM and CM systems themselves, including their foundations ("second line of defence"), and on the other hand, the business areas in which the systems are put into practice and are thus intended to be effective. The latter is often difficult to ascertain, but so-called "rubber boot audits", i.e. on-site audits and direct discussions with the management level, are usually helpful. In terms of methodology, the SFAO relies on international standards (ISO, COSO) and the DIIR audit guidelines, on expert knowledge and growing experience in auditing RM/CM systems, and - never to be underestimated - on a good dose of common sense.
"No more feel-good risk management!" was the title of the last technical presentation, with which Prof. Dr. Bruno Brühwiler, international risk expert and Managing Director of EuroRisk Ltd., programmatically outlined his information on the current further development of the RM set of standards: after the revision of the ISO 31000 standard was successfully completed in 2018, and in light of the success of the ONR 49000 series and the growing practical knowledge from RM consulting, it seemed obvious to tackle the creation of a now certifiable RM standard within the framework of ÖNORM 4900. This was the conclusion reached by the working group, consisting of a number of proven standards experts from Germany, Austria and Switzerland with experience and interests in risk management. The new standard has to meet various requirements: firstly, it must specify binding requirements that can be clearly verified by independent experts and whose fulfilment - tailored to the format of the organisation - demonstrates the effectiveness of risk management. Secondly, it should include emergency, crisis and continuity management. Thirdly, the standard should support the ISO management system structure ("High Level Structure") and avoid duplication, e.g. between RM, CM or QM. Work on the new standard is well advanced; it is expected to be available as ÖNORM 4901 as early as the second half of 2019.