Integrate risk management into management processes
Our world is becoming more and more digital and processes are increasingly supported and automated by IT systems. Business Intelligence provides added value in terms of a quick overview of the company's situation through data collection, evaluation and suitable processing (for example, through a management cockpit or a management information system).
Complexity is increasing, whether because of the internal process landscape or because of the requirements placed on companies from the outside (such as regulations and rules).
It is difficult to find one's way through this flood of data and to draw the right conclusions and develop strategies from the resulting wealth of information. Thus, systems for knowledge processing are becoming increasingly important. Risk management should also be integrated into these processes. However, this also gives rise to a number of questions.
The purpose of this article is to determine the extent to which business intelligence (BI) can support risk management (RM) at the executive level. Which risks are relevant for top management? Does it even need its own risk department?
Is it possible to manage risk using automated procedures alone? Wouldn't this be more objective than relying on the assessment of experts? Where can software products be used well and where are the limits of such applications? Which areas of application of risk management can be mapped with them?
Who does risk management?
RM is on everyone's lips. The impression arises that almost everyone in the company is doing RM: every department (Controlling, Security, Legal, Compliance, Business Development, IT), the project managers, and on up to the CFO, CEO and the Board of Directors. Why do we need a separate RM function and risk manager? All risks seem to be managed several times over already. Or not?
With so much risk protection, it is understandable that management may come to believe the company can do just as well without its own RM.
Nevertheless, a precise distinction should be made between the risk awareness of individual departments and the task of an independent, neutral RM.
Management processes influence and define the core processes. Risk management is one of these management processes.
Automated RM - an alternative?
Buzzwords like Artificial Intelligence (AI) or "Large Scale Cyber Risk Management", Robotic Processes, etc. suggest that with the appropriate software installed, risks can be kept under control.
Some software solutions claim that management can immediately see the relevant KPIs or risk exposures in a "risk cockpit" at the click of a mouse. This sounds tempting, but requires a lot of effort and preparation.
And nothing works by itself. Ongoing operation requires maintenance, adaptation, further development and plausibility checks. After all, data cannot simply be taken over, but must be put into a meaningful context. Otherwise, the system itself becomes a risk, because it suggests bogus accuracy.
"Every tool needs its fool", as it is so succinctly said in software circles. It is therefore important that someone is responsible for the maintenance of the tools and takes this task seriously. Without data maintenance and plausibility checks, a lot of data garbage can be generated. This phenomenon is captured in the so-called GIGO phrase in computer science: "garbage in, garbage out". And finally, it should be possible to interpret the results correctly: "A fool with a tool is still a fool."
Anyone who has ever programmed knows the principle that instructions in the form of machine code are needed to obtain a result from programs. One source of error lies in capturing the problem itself: what is the desired goal? Interpreting the data raises the next question: what is the significance of the results?
How well are the interfaces adapted to the existing IT landscape or to external sources (such as stock market prices, price curves), and how well does the system recognize input errors? There is a lot to analyze, even with standard software solutions.
This is not trivial. It becomes clear that information can be incomplete or incorrect, that changes and extensions are not always easily possible and may lead to high costs.
Errors in the systems can come from different areas: from capturing the task, the program logic, the syntax and the interfaces to other systems, through input errors by users, up to hardware problems.
Even the most powerful computer systems are not immune to this. Digital transformation processes are expensive, but can also bring high added value if they are sensibly integrated into the company.
When does automation make sense? And when not?
Automation in RM is indispensable for handling large volumes of data, such as in the financial sector ("price forward curves", "ratings", plausibility checks, etc.) or for internal control mechanisms. The mechanisms used are extremely important for areas such as liquidity management, FX management and financial monitoring.
The tools used can detect anomalies (for example in payment transactions), set "stop loss" mechanisms in motion and send out warnings.
But there are certainly limits to automation.
What does this mean for Corporate Risk Management (CRM)? The task of the Corporate Risk Manager is to bring the risks threatening the existence of the company to the attention of top management and to map out measures for managing them. This task includes the consideration of all risks, both operational and strategic. Expert interviews have proven to be extremely valuable and effective in determining the overall risk situation.
Although the data can certainly be captured in RM tools to perform simulations and analytical calculations, the degree of automation is low. Recording and describing risks is usually the responsibility of the risk manager or selected risk experts. It is more a matter of storing the relevant risks in an audit-proof manner, analyzing and preparing them, and generating a risk report.
RM requirements
Competence in RM naturally also contributes significantly to the success of the risk process. The requirements (regulatory and economic) can differ greatly from company to company. Rigorous processing according to a fixed pattern may just satisfy regulatory obligations, but apart from additional workload and frustration, it brings little to the operational units and company management.
The art of the risk manager is to operate with meticulousness, astuteness, analytics and systematics on the one hand, and on the other hand to apply common sense and diplomacy. In-depth specialist knowledge, flexibility, stamina and a high level of frustration tolerance complete the requirements profile. Of course, the risk manager should also have integrity and loyalty and not be a willing recipient of orders. Finally, it is also important to have the ability to filter out the important dangers threatening the existence of the company from the abundance of information in a plausible manner and to document them.
Conclusion
Business Intelligence does not mean that everything can be mapped in standard processes. Particularly in the area of risk, company-specific dangers can arise that do not fit into a schema and can suddenly gain in importance due to a changed environment. The financial crisis with its devastating effects can of course be taken as an example here. Usually, however, the effects are not so all-encompassing and affect only one company or one industry. BI involves not only the installation of a software solution, but also the ability of employees to collaborate, analyze and constantly question critically, as well as to act in a targeted, solution-oriented way. In RM, the systems provide great and in part indispensable support, provided one is aware of their limits and dangers.
The performance of computer systems is constantly increasing. One example in this context is the development of quantum computers, which, with their computing power, can make today's cryptographic methods obsolete in just a few years, since they can perform computing operations millions of times faster than conventional computers.
However, the challenge of drawing the right conclusions from such a wealth of information is also increasing. False certainties can cause great damage. The responsibility for strategic decisions and measures still lies with top management, and this will not be taken over by any supercomputer.