Decision preparation

from Wikipedia, the free encyclopedia

The preparation of decisions in the context of risk management describes the creation of a data basis, which is formed by risk identification, quantification and aggregation and its subsequent evaluation in the context of the company's risk-return profile as a whole. For a successful implementation that meets the requirements, standards such as the DIIR (German Institute for Internal Audit) auditing standard No. 2 or the IDW (Institute of Auditors) auditing standard 340 can be used.

General

Business decisions are usually made under uncertainty. In addition to economic goals such as sales or profit, goals related to the existing risk are required. For example, the decision maker can incorporate a minimum probability of achieving an economic target or a maximum range of fluctuation in his decisions.

Taking risks is an essential part of any business. Among other things, it is the task of the board of directors to promote the development of the company. If there are opportunities for a company, they should be seized. Too much risk aversion can stand in the way and leave development potential untapped. As a result, a middle path has to be struck in which opportunities are used despite possible dangers, and dangers are considered sensibly and included in decisions. Even if a decision maker has room for maneuver, he must consider the expected opportunities and threatening dangers and derive his decision from them. A course of action with predominant dangers must not be chosen. The corresponding legal requirements are noted in the Stock Corporation Act.

In addition to legal requirements, strongly integrated risk management and controlling also make economic sense. If risk management is integrated very well, duplication of work can be avoided, the management of opportunities and threats improved and the role of the supervisory board strengthened.

When evaluating alternative decisions, the risk of the decision and the resulting change in the overall risk must be considered in order to obtain an adequate data basis. First of all, the opportunities and dangers must be identified; these include strategic risks, extreme risks, unexpected events (e.g. property damage, fire damage) and possible changes in the planning assumptions. Then these risks have to be quantified. Using the quantitative information base, the risk aggregation can be carried out with the help of the Monte Carlo simulation. The result is a risk-adequate bandwidth planning.

In order to select the best alternative course of action, the risk-return profile of the alternatives must be considered in the overall context of the company. This can be done by considering the effects of the decision on the following parameters, for example:

  • Yield
  • Risk (e.g. in the form of the coefficient of variation)
  • Cost of capital
  • Rating forecast (both for a course according to plan and a course for stress scenarios)
  • Value of the company

The profitability of an investment can be determined using the company's own imputed interest rate. This interest rate can be derived from the company's risk-return profile. This creates a risk interest rate that reflects reality. In addition, this circumvents both the perfect capital market assumptions required for the WACC (Weighted Average Cost of Capital) method, which do not hold in reality, and the problem that the data is taken from the past and not from the current risk situation.

In risk aggregation, particular attention should be paid to risk-bearing capacity, risk tolerance and risk appetite. Because illiquidity is the main reason for bankruptcies, attempts are made to prevent it by analyzing the risk-bearing capacity. Illiquidity often occurs as a result of violating covenants and downgrading ratings. The risk-bearing capacity describes the free risk capacities that are available to the company before the developments according to Section 91 AktG (Stock Corporation Act) are to be viewed as threatening the continued existence of the company. The risk tolerance is an internal, self-imposed threshold, usually expressed as a rating target, which must not be exceeded. The aim of the risk tolerance limit can be to make it possible to raise capital inexpensively through good ratings and to maintain investor confidence. The purpose of the risk appetite is to assess projects. The company analyzes whether the return on an investment is worth the associated risk.

Legal requirements

First of all, Section 91 AktG stipulated a system for recognizing developments that could endanger the existence of the company with regard to individual risks and combined effects. The focus of this law is on the consideration of risks at the current status.

This regulation, which is still in force, has been expanded by Section 93 AktG. In order to ensure planning taking into account the risks of the possible projects and investment opportunities, the members of the Board of Management are held personally liable. An appropriate information basis is required in Section 93 (1) AktG. In addition, Section 93 (2) AktG obliges the relevant board member to pay damages in the event of a breach of duty. If there is a suspicion of a breach of duty, the burden of proof lies with the board member. The inclusion of risks in the preparation of the decision is therefore legally mandatory.

The wording “appropriate information” in Section 93 (1) AktG does not require a complete information base. All that is required is a reasonable balance between the gain in knowledge and the costs of acquiring information.

The KonTraG (law on control and transparency in the corporate sector), which originated in 1998, was based on Section 91 AktG, which sets transparency requirements. With Section 93 AktG, it was then expanded to include assertiveness and decision-oriented risk identification. In addition, based on the experience of the economic and financial crisis, (threatening) illiquidity is viewed as a focus when identifying developments that threaten the company's existence.

In order to implement both Section 91 and Section 93 AktG as a company, the DIIR auditing standard No. 2 has been in use since November 2018. For the first time, this combines the core legal requirements of both paragraphs and can be used to review a company's own risk management and, if necessary, to make up for any omissions in the area of risk management.

Implementation

In order to derive maximum economic benefit from risk management beyond meeting the legal requirements, it is important to embed it in the company's decision-making process in addition to focusing on existing threats.

In general, with an appropriate risk culture, every employee should include all risks - i.e. positive and negative deviations from plan - in their planning when making a decision. It is especially important for senior management to understand themselves as part of risk management.

In order to be able to determine the risks of a decision realistically and effectively, a clear distribution of competencies is also required, which assigns the cause of risk and risk monitoring to different bodies.

Controlling provides management with the decision-relevant information base. In order to make this clear and understandable, close cooperation between controlling and risk management is necessary. In order for risks to be mapped in a meaningful way, appropriate methods must be implemented and used in controlling. The aim is to prevent the two from becoming separate and self-sufficient areas of the company.

The increased cooperation between the two areas includes interdisciplinary training as well as the use of a common IT solution or interfaces between two different programs. In addition to the consideration of risks in the information base for decisions, the risk assessment can also be strengthened through incentive and remuneration systems.

Specifically, the following questions should be clarified when making decisions of high relevance:

  • What is the starting point and what are the objectives for the decision?
  • Which options for action are possible?
  • What are the planned effects of the decision (forecast)?
  • What assumptions were made to prepare the forecast?
  • What opportunities and dangers (risks) does the decision entail?

Realistic mapping of risks is important when considering them. Since decisions are always made under uncertainty, it is important to acquire the risk information in advance.

Figure 1: Risk analysis and evaluation for decision preparation

The cycle shown in Figure 1 shows one possible basic course of a decision-making process. Starting from point A, it must first be determined whether a measure to improve the risk-return profile is possible. If this is the case, the associated risks must be analyzed. In order to examine the measure in the overall context of the company, the change in the company's risk-return profile including the decision must be examined using risk aggregation. From this it can be deduced to what extent the measure is useful and beneficial for the company. As a result, the measure can either be carried out or discarded. If no measure to improve the risk-return profile is possible, a risk analysis and aggregation must be carried out in order to keep the company's risk-return profile up to date. The risk management measure follows the risk aggregation. In general, it is important to optimize risks and not to minimize them in order to generate the highest possible return with the lowest possible risk. Individual risks should then be constantly monitored and the information passed on in order to include these new or changed risks in the next pass through the cycle.
