Internal risk reporting

from Wikipedia, the free encyclopedia

Internal risk reporting serves a company for recording and transmitting information on opportunities and risks in report form and is aimed at internal decision makers.

Description

Classification in the risk management system

The risk management system is set up by risk management with the help of the company-specific risk policy and strategy and, if possible, is to be integrated into the internal processes of a company in order to be able to transfer the findings of the risk management into concrete measures.

The risk management system consists of a risk management process made up of the following four areas: risk identification, risk assessment, risk control and risk monitoring.

Internal risk reporting serves the company to document the entire risk management process and supports the process across all phases. Furthermore, internal risk reporting is part of risk communication, which in turn is a mandatory prerequisite for a functioning risk management system.

Risk controlling is responsible for providing information to risk management and for ensuring risk reporting in the company by using existing reporting channels. Risk controlling thus has the essential function of preparing risk management decisions using the methods and instruments it provides.

Differentiation from external risk reporting

Internal risk reporting differs from external risk reporting in particular in terms of the density of information, the frequency with which it is carried out and the addressees to be reached.

In internal risk reporting the addressees are the company's internal decision-makers, while the addressees of external risk reporting are, for example, investors, shareholders, banks, suppliers or the state.

Internal risk reporting is carried out much more frequently than external reporting, as risk management must, among other things, react quickly to acute and sudden risks. External reporting, on the other hand, is only linked to the annual and quarterly reports and is therefore not carried out that often.

The information density of the two risk reports differs in that the internal risk reporting provides detailed and addressee-related information to the company's internal decision-makers so that the correct control measures can be taken. External risk reporting, on the other hand, communicates the risks externally in an aggregated form. From this it can be deduced that internal risk reporting provides the basis for external risk reporting.

Tasks and objectives of internal risk reporting

As part of risk controlling, internal reporting partly pursues or supports the same goals. In general, the aim is to improve the information in the corresponding company areas so that they can achieve the overarching company goals in unison. To this end, attempts are made to optimize and support the internal test processes. By increasing transparency, the employees responsible can better assess and evaluate the extent and impact of the prevailing risks. The aim is to make all employees aware of how to deal with risks consciously. This supports planning tasks in other internal areas as well as decision-making processes in general.

Internal risk reporting is intended to develop an internal warning system for the early detection of risks. Risks that have occurred should not only be contained quickly, but trends relevant to both risks and opportunities should be identified in good time.

From a purely economic point of view, the aim is also to reduce risk costs (and the associated costs of capital).

In order to achieve these goals, the following internal reporting tasks can be summarized: By providing suitable risk-relevant information, the report supports decision-making (ex ante) for the addressee. For this purpose, the information must be collected in advance, processed in a suitable form and then distributed in a targeted manner. In addition, reporting (ex post) has both a documentation function for the risk positions and a control function. All data is collected in a central location and continuously checked against limits.

Design of internal risk reporting

Internal risk reporting requirements

To fulfill the above functions, the following requirements are placed on internal risk reporting:

  • Integration into the existing reporting system: In order to use synergies from the existing reporting system as well as to make the risk information available without restriction for the decision-making of the top management, an integration of the risk reporting into the existing reporting system is necessary.
  • Materiality: Only material risks are to be reported in the risk report. The scope and level of detail of the risks depend in particular on the information requirements of the addressee to be reached.
  • Timeliness: In order to be able to close gaps between target and actual risk positions of the individual company sub-areas as quickly as possible, as well as at the overall company level, the reporting must be made to the higher-level management as early as possible. Risks that occur suddenly should be communicated as part of ad hoc reporting.
  • Flexibility: The internal risk reporting should be adaptable to changed risk situations in the company. Furthermore, reports should be further developed over the course of time due to changing information requirements or better information provision.
  • Accuracy: Risks are primarily differentiated according to the way they are described. Quantifiable risks should be differentiated in terms of their accuracy using ranges and scores. Qualitative risks, on the other hand, should be quantified as far as possible, taking into account information costs.
  • Profitability: The expected economic benefit of the risk reports should be greater than the effort involved in creating and using them.
  • Completeness: The completeness of the risk reporting depends on the addressees to be reached. At the sub-area level, all information from the sub-area level is to be recorded; at the overall company level, the information from the overall company perspective.
  • Uniformity: Uniform reporting should be guaranteed with the aim of uniform communication on the one hand and the comparability of risks between different organizational units on the other. In addition, a uniform report form and structure facilitates the further processing and aggregation of risk information at a higher management level.

Contents of the internal risk reporting

The addressees to be reached have a significant influence on the structure of the internal risk reporting - both in terms of formal requirements and the content of the report. Another factor influencing the content of the report is the methodological skills of the addressees. For this reason, internal risk reports differ both within the various hierarchy levels of a company and from company to company.

First of all, the risk report should contain all the information that the higher management level can use to support decision-making. Essentially, the following aspects must be taken into account:

  • Type, influencing factors and timing of significant risks
  • Hazard potential of the individual risks
  • Interdependencies between individual risks
  • Risk prevention suggestions
  • Risk mitigation measures taken
  • The extent of the company's overall risk

Various instruments are available to the company to present the report content, which are explained in more detail below.

Internal risk reporting instruments

Risk identification sheets

A risk identification sheet (also: risk recording sheet) is an aid for recording risks. It thus represents the basis for reporting, as it fulfills the task of collecting information. The risks are listed individually in tabular form and described along three process steps of risk management: risk identification, assessment and control. As much information as possible is collected in the identification sheets at the beginning, which then forms the basis for further instruments and internal reporting in general. This information includes, for example, existing cause-effect relationships, the probability of occurrence, the amount of damage or intervention thresholds.

Risk matrix

Risk matrices are suitable for contrasting individual risks in order to compare them and to derive suitable measures. They are a widespread instrument in strategic risk controlling and are used in reporting because of their clarity. The representation in a 9-field matrix is widespread, in which the probability of occurrence is shown on the abscissa and the amount of damage when the risk occurs is shown on the ordinate. This requires a suitable assessment of the risks in advance. The individual positions can then be assigned to certain risk classes depending on their position in the matrix. Measures and avoidance strategies can then be derived for each risk class.

Risk portfolios (risk maps)

At the beginning it should be noted that the terms risk portfolio and risk map are differentiated in the literature. A distinction is often made as to whether the method classifies risks on a qualitative dimension and is intended for operational business units (risk map) or whether it maps risks quantitatively and for strategic levels (risk portfolio). Therefore, the presentation should focus on the similarities.

Individual risks are summarized in a table in an overview. Only risks that are relevant to the business unit are shown (operational level), or risks are summarized in an aggregated form to maintain clarity (strategic level). The three process steps of the risk management process (risk identification, assessment and control) are summarized in this form of representation. The risk map thus fulfills the documentation task, and it becomes clear that a separate risk map can be created in a company for each business unit or operational sub-area.

When drawing up a risk map, it is important to note which addressees it is addressed to. The conflict of objectives between clarity by aggregating the information and the level of detail of the information must be resolved. In this context, the level of detail is inversely proportional to the level of the company hierarchy.

Since risk maps are regularly used in internal reports, they have to be updated again and again. New risks are added or existing ones are re-evaluated. This ensures that the respective addressee receives the latest information and can make a time comparison due to the standardized structure. Risk maps therefore convince with their structured form of presentation. Due to the mapping of individual risks, however, the causal interdependencies of these risks must also be taken into account with this instrument.

Risk cards

Risk-Card (simple)

This form of presentation adopts elements of the instruments already mentioned and combines them to form an overview of individual risks per business unit. This type of summary is a decision support tool at both a strategic and an operational level.

Statements for risk identification, assessment and evaluation are made in tabular form for each risk. In addition, the cause-and-effect relationships are described and effects for the operational unit as well as for the entire company are defined. For better classification and comparability, the risk is still mapped in a risk matrix.

Balanced Chance & Risk Card

An opportunity and risk map meets the requirement to include opportunities in the reporting in order to derive suitable measures and decisions. This instrument aggregates risk-relevant data and relates it to other strategic company data. The following information categories are compiled in an overview: Strategic goals, key figures & indicators, risk data and associated measures. The common target is the company value, which can change both positively and negatively due to the identified opportunities and risks. The great advantage of using this instrument is that the strategic planning (e.g. annual planning) can be checked regularly during the reporting cycle through the link with the opportunities and risks.

Multi-dimensionality of internal risk reporting

The multi-dimensional nature of internal risk reports is first shown in the possible breakdown by functions, regions and segments. A function-specific risk report can be determined based on the “value chain of the company” and divided into primary and secondary functions. The region-specific risk report, on the other hand, provides information on the geographic origin of risks. If the risk report is broken down into different segments, this report shows in which business unit or in which business area the risks exist. The interdependencies of the risks between the individual business areas should also be taken into account, so that a company portfolio is created that is compatible with the company's overall risk position.

The risks can be further broken down into one-off risks, business risks and strategic risks. One-off risks are, for example, production downtime risks or force majeure risks. Business risks can include, for example, currency risks or the delay in the introduction of a new product. Strategic risks can include, among other things, the emergence of substitutes through a technological leap.

The link between different dimensions can be shown in the following matrix:

Hierarchy levels of internal risk reporting

The reporting hierarchies differ depending on the structure and size of the company. As each report recipient has a different information requirement and should not be flooded with information, the information requirement must first be analyzed. An increasing risk aggregation can be observed with an increasing reporting hierarchy. In this context, a so-called “reporting pyramid” is also used, as several risk reports are combined into one company risk report as part of the bottom-up consolidation. Thanks to the drill-down options, the lower hierarchy levels receive feedback on their risk positions and an assessment of their decisions. As a rule, three hierarchy levels can be mapped in the company:

Level 1: Lower management level or operational units

The employees of the lower management level or the operational units are responsible for the systematic and regular collection of the necessary risk information. They should have a strong understanding of risk and carry out regular controls as part of their work processes and limit the risk that specified goals are not achieved. Any deviations found above the individually defined materiality limit are to be included in the report. Compared to the higher-level management, the operational level primarily needs detailed and rather qualitative statements about the causes of risk. The processing and documentation of the risks is usually done with the help of risk recording sheets, which in turn can be summarized in risk portfolios and risk inventories. After the risk report has been drawn up, it is forwarded to the higher-level management.

Level 2: Middle management or central risk management

Middle management or central risk management is the recipient and the author of risk reports at the same time. As the recipient of the report, it first collects all risk information from the operational level and decides on suitable risk management measures. As the report writer, middle management performs an appropriate aggregation of risks for top management. These can be represented, for example, by highly condensed reports in the form of a balanced chance & risk card. Top-down, middle management is responsible for implementing the objectives set by top management. On the one hand, it informs subordinate hierarchy levels about changes to the risk information to be collected and about changes to the departmental goals in the company.

Level 3: top management

The top management is the primary addressee of risk reports and is responsible for the entire risk management as well as for the monitoring of the lower hierarchical levels. It uses the risk reports for the cross-divisional control of risk management. For this purpose, all risks across all dimensions are summarized in a company risk report. As the highest decision-making body, top management is responsible for structuring risk reporting and for setting materiality limits. These can be absolute quantities, for example the sum of the expected damage values of a business unit, as well as relative values, for example the value at risk in relation to the portfolio value. Furthermore, the top management reports to the supervisory board or advisory board if necessary. This board represents the control body of a company and should be informed about the monitoring measures and their effectiveness.

The information and communication channels for internal risk reporting can be summarized as follows:

Frequency of internal risk reporting

Standard reporting

Risk reports are regularly drawn up at predetermined, fixed time intervals. For better comparability of the points in time and the representation of changes in individual risks over time, these regular reports have a systematic and recurring form. Both the complete risk inventory and special individual risks are considered.

Standard reports fulfill the tasks of regular documentation. The frequency depends on the individual risks in the report itself and can appear in the form of daily, weekly, monthly or quarterly reports.

Ad hoc reporting

The creation of an ad hoc report is triggered by a special event. This event is either the occurrence of the risk itself, whereby the company then fulfills its documentation obligations, or the reaching of a previously defined limit value (also: trigger or threshold) to identify the risk and the associated triggering of countermeasures. The trigger also ensures that the recipients of the internal risk report only receive relevant and pre-selected information. Since this form of report is urgent, it is created in parallel to the standard reports. This greatly shortens the time between the event and the finished report. The frequency thus depends on the event and does not show any regularity.

Application problems in practice and approaches to optimization

Internal risk reporting as part of a functioning risk management system is a systematic and firmly anchored process step. The reporting requires the information from the risk management process, processes it in relation to the target group and communicates it further in the form of a report. This not only ties up personnel and time resources, but also requires the previous implementation of the process steps described.

For small and medium-sized enterprises (SMEs), these processes are often too complex, too time-consuming or there is a lack of sufficient personnel capacities. Instead of a risk management system including regular reporting, risks are often recorded unsystematically by management and only rarely communicated internally.

Furthermore, problems can arise during the transmission of information that disrupt risk communication. In addition to simple transmission errors (e.g. language barriers or printing errors), the information received can be misinterpreted, or the recipient may not accept it. The openness of the corporate culture and the education of the entire workforce about the risk management system by those responsible can help minimize problems (disruptive factors). The communication of the risks in clear and understandable language as well as the preparation of complex relationships in a form suited to the addressee support the success of the risk report.

Risk management (including risk reporting) is just one of several management processes in the company. It must therefore be integrated into existing management processes and coordinated with them, as there are mutual dependencies. For example, internal risk reports should be aligned with established reporting processes. In addition, it must be ensured that the risk reporting system is also subject to dependencies, as internal reports, for example, form the basis for external risk reporting. The prevailing corporate culture (including risk culture) determines the acceptance of internal reports or can be influenced by the quality of the report. Such interdependencies within a management process or at the corporate level should be taken into account in order to successfully integrate new processes, optimize existing ones and remove obstacles.

Literature

  • Becker, Janker, Müller: The optimization of risk management as an opportunity for medium-sized companies, in: DStR 2004, margin no. 1578.
  • Hans-Christian Brauweiler: Risk management in companies. Springer Gabler, Wiesbaden 2015, ISBN 978-3-658-07720-4.
  • Anton Burger, Anton Burchart: Risk Controlling. Oldenbourg Verlag, Munich 2002, ISBN 3-486-25849-4.
  • Marc Diederichs: Risk management and risk controlling: Risk controlling - an integral part of a modern risk management concept. (= Controlling practice). 3rd edition. Vahlen, Munich 2012, ISBN 978-3-8006-4222-9.
  • Bogna Filipiuk: Transparency in risk reporting. 1st edition. Gabler, Wiesbaden 2008, ISBN 978-3-8349-1389-0.
  • Werner Gleißner: Fundamentals of risk management. 3rd edition. Vahlen, Munich 2017, ISBN 978-3-8006-4952-5.
  • T. Günther, K. Smirska, F. Schiemann, S. Weber: Optimization of the risk management system using the example of the R. Stahl Technologiegruppe, in: Controlling, 21st year (2009), issue 1, pp. 48–56.
  • PwC: Company-wide risk management, PwC 2000.
  • Wolfgang Lück, Oliver Bungartz: Risk Reporting of German Companies, in: Der Betrieb, 2004, Issue 34, pp. 1789–1792.
  • Ottmar Schneck: Working aids for risk documentation. in: Risk Management and Risk Controlling. Haufe-Lexware GmbH & Co. KG, Munich 2011, ISBN 978-3-648-01918-4.
  • Katarzyna Smirska: Optimization of a risk management system in medium-sized companies. 1st edition. Books on Demand GmbH, Norderstedt 2009, ISBN 978-3-8391-0844-4.
  • Ottmar Schneck: Risk Management: Basics, Instruments, Case Studies. Wiley-VCH, Weinheim 2010, ISBN 978-3-527-50543-2.
  • Ute Vanini: Risk management basics, instruments in corporate practice. Schäffer-Poeschel-Verlag, Stuttgart 2012, ISBN 978-3-7910-3126-2.
