Table of Contents

  1. Basics of risk management in companies
  2. Benefits of risk management for companies
  3. Legal significance of risk management
  4. Risk analysis, risk aggregation, risk management, risk monitoring

Basics of risk management in companies

Entrepreneurial action is not possible without risks, because the future and the effects of actions cannot be foreseen with certainty. The task of risk management is to use suitable methods to create transparency about the risk situation in the company (risk controlling) and to optimize the risk-return profile of the company (risk control). From the perspective of strategic management, this aims to create a robust company whose insolvency risk (or credit rating) and earnings volatility are acceptable to the owners. From a controlling perspective, risk management creates transparency about planning reliability and helps reduce plan deviations. The analysis of opportunities and dangers (risks) is part of preparing business decisions and is necessary in order to weigh the expected returns against the risks (risk-based evaluation of options for action, such as investments). Risk management is also understood as a management task that aims to ensure that all employees deal with risks in line with corporate goals (development of a risk culture).

In principle, risk management deals with all types of risks that can trigger deviations from the plan in a company, e.g. strategic risks, market risks, default risks as well as compliance risks and risks associated with the provision of services (operational risks).

For some types of risks (so-called risk fields), special risk management approaches have been developed, e.g. for interest rate and currency risks (financial risk management) or strategic risks (strategic risk management). Risk management subtasks are covered by corporate functions such as controlling, treasury or quality management.

Benefits of risk management for companies

The main task of risk management is to secure the existence of the company and thus to reduce the probability of insolvency. That probability depends on the extent of the risks, on the risk coverage potential (equity and liquidity) and on earning power (see credit rating). The company risk and the probability of insolvency influence the cost of capital and the company value (company valuation). This makes risk management part of a value-based corporate management system.

A low probability of bankruptcy is in the interests of employees, customers and suppliers, which makes it easier to attract employees and build long-term relationships with customers and suppliers (reduction of indirect bankruptcy costs).

Risk management contributes to a better foundation for entrepreneurial decisions, because risk analyses can be used to assess the implications of an option for risk and return. It also helps the company to comply with legal requirements, e.g. from labor and environmental law, as reliably as possible and to optimize the costs of risk management (risk cost management).

Legal significance of risk management

The requirements for risk management in Germany are shaped by the Law on Control and Transparency in the Corporate Sector (KonTraG) from 1998 and the IDW standard based on it for auditing the risk early warning system in accordance with Section 317 (4) of the German Commercial Code (IDW PS 340). The following requirement in Section 91 (2) AktG is central and also has a knock-on effect on other legal forms of company:

"The board of directors has to take suitable measures, in particular to set up a monitoring system, so that developments threatening the continued existence of the company can be recognized at an early stage."

Systematic and regular identification and quantification of risks (risk identification, risk quantification) is necessary to meet this requirement. Possible "developments that endanger the continued existence of the company" due to combined effects of individual risks must also be determined by risk aggregation.

With Section 93 AktG, the legislator also requires “appropriate information” for business decisions, so that the associated risks must be considered when preparing the decision (Business Judgment Rule).

There are also various other regulations, e.g. on risk reporting (German accounting standard, DRS 20) and industry-specific risk management regulations e.g. for banks, insurance companies and investment companies (such as MaRisk).

Important international standards for risk management are COSO Enterprise Risk Management (COSO ERM:2017), the risk management standard ISO 31000:2009 and the quality management standard ISO 9001:2015, which supports the integration of quality and risk management.

Risk analysis, risk aggregation, risk management, risk monitoring

Subtasks of risk management are risk analysis, risk aggregation, risk monitoring, risk management and the preparation of risk information for business decisions (e.g. investment evaluation).

In the risk analysis, all essential individual risks, mostly structured by risk field, are systematically identified and described with regard to their probability of occurrence and their quantitative effects. Risk quantification is the description of a risk by a suitable probability distribution (e.g. a normal or triangular distribution), derived from historical data (e.g. a loss register) or from the frequency distribution produced by a Monte Carlo simulation. Risk quantification also includes expressing the extent of the risk with a risk measure such as the standard deviation or the value at risk. By aggregating the risks, the total risk exposure of a company can be calculated, e.g. expressed as the equity or liquidity required to cover possible losses caused by risks (value at risk). When the risks are aggregated with reference to corporate planning, a Monte Carlo simulation yields a so-called bandwidth plan, which shows the extent of possible deviations from the plan (risk aggregation).
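As an added illustration of the quantification and aggregation described above (not part of the original article), the following Python script takes a set of constructed individual risks, each with a probability of occurrence and a triangular loss distribution, aggregates them by Monte Carlo simulation, and reports the mean loss, standard deviation, value at risk and the resulting planning bandwidth. All risk figures and the planned result are hypothetical.

```python
import random
import statistics

# Constructed sample risks (hypothetical figures): annual probability of
# occurrence and a triangular loss distribution (min, mode, max) in kEUR.
RISKS = [
    {"name": "Key customer default", "prob": 0.10, "loss": (500, 1000, 2000)},
    {"name": "Production outage", "prob": 0.30, "loss": (100, 250, 800)},
    {"name": "Commodity price spike", "prob": 0.50, "loss": (50, 200, 600)},
]

PLANNED_EBIT = 3000  # constructed planning figure (kEUR)


def simulate_losses(risks, n_runs, seed=42):
    """Monte Carlo risk aggregation: in every run each risk occurs with its
    probability and, if it occurs, draws a loss from its triangular
    distribution; the losses of one run are summed to that run's total."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    totals = []
    for _ in range(n_runs):
        total = 0.0
        for r in risks:
            if rng.random() < r["prob"]:
                low, mode, high = r["loss"]
                total += rng.triangular(low, high, mode)
        totals.append(total)
    return totals


def value_at_risk(totals, confidence=0.95):
    """Loss that is not exceeded in `confidence` of the simulated runs."""
    ordered = sorted(totals)
    idx = min(len(ordered) - 1, int(confidence * len(ordered)))
    return ordered[idx]


def bandwidth(totals, planned, confidence=0.95):
    """Bandwidth planning: expected result after mean risk-related losses,
    and the floor that is held in `confidence` of the runs (planned - VaR)."""
    expected = planned - statistics.mean(totals)
    floor = planned - value_at_risk(totals, confidence)
    return expected, floor


if __name__ == "__main__":
    sims = simulate_losses(RISKS, 10_000)
    print(f"mean loss        : {statistics.mean(sims):8.1f} kEUR")
    print(f"standard deviation: {statistics.pstdev(sims):8.1f} kEUR")
    print(f"95% value at risk: {value_at_risk(sims):8.1f} kEUR")
    exp, low = bandwidth(sims, PLANNED_EBIT)
    print(f"EBIT bandwidth   : expected {exp:.1f}, 95% floor {low:.1f} kEUR")
```

The value at risk here is the equity or liquidity buffer that would cover the aggregated losses in 95% of the simulated years; the gap between the expected result and the floor is the bandwidth of plan deviations.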

The risk situation of a company is to be improved by means of risk management measures (risk control). These can aim to avoid risks, limit the amount of damage or reduce the probability of occurrence. It is also possible to transfer risks to insurance companies or to the capital market (e.g. hedging commodity price risks with derivatives). Risks can also be transferred by drafting contracts with customers and suppliers accordingly. Fundamental changes in a company's risk position usually require a change in strategy and business model (strategic risk management, e.g. by building up new potential for success or reducing critical dependencies). Improving forecasting and early warning systems reduces unexpected deviations from the plan and thus the risk. Increasing the intensity of risk management usually increases costs (e.g. for additional insurance cover or redundant machines). The aim of a company's risk management activities is therefore not to minimize risk, but rather to achieve an optimal or at least "acceptable" risk position that does not exceed the upper risk limit specified by the company's management ("safety first"). Following quality management, companies often use the PDCA cycle (Plan-Do-Check-Act) as a basis for the desired continuous improvement of risk management.

Since risks change over time, continuous monitoring of the main risks is necessary in order to ensure transparency about the risk situation. According to the requirements of the KonTraG, the responsibility for monitoring the essential risks, together with the associated processes and communication channels, should be clearly documented (see the recommendations in IDW PS 340).

The entirety of all tasks, regulations and bodies responsible for risk management is known as the risk management system and, in a broader sense, includes everything in the company that deals with risks. In a narrower sense, the term risk management system is only used for the organizational unit of a company that is expressly referred to as "risk management" or "risk controlling" (and is, for example, headed by a risk manager or chief risk officer).

The entirety of all documentation on risk management is often referred to as a risk manual or risk guideline. Typical contents are, e.g.:

  • Risk policy or risk strategy (goals and risk policy principles),
  • Description of the structure and process organization (responsibilities and processes, e.g. risk monitoring and risk communication),
  • Measures to promote an appropriate risk culture.

The organizational position of risk management is also often based on the "Three Lines of Defense" model. The first line consists of the operationally active employees and executives, from whom adequate handling of risks is expected and who are monitored by the internal control system. The second line is risk management (in the narrower sense), which supports employees in dealing with risks (e.g. through coaching and the specification of methods and tools) and prepares risk information for corporate management; the compliance function and controlling also belong to the second line. The third line is internal auditing, which monitors risk management activities independently of the process (see DIIR auditing standard No. 2 of the German Institute for Internal Auditing e.V., November 2018).

Many basic tasks of risk management can be covered efficiently by existing management systems. For example, risks can be identified when controlling systematically records the uncertain assumptions underlying planning and budgeting. More recent risk management standards, such as COSO ERM from 2017, therefore aim at integrated management systems and an integral, decision-oriented risk management.