Risk governance

from Wikipedia, the free encyclopedia

Risk governance is the permeation of a company with risk control that is geared towards its various target groups (stakeholders) from a strategic point of view. Risk governance bridges the gap between operational risk management and strategic corporate governance. Its aim is to check a company's business model continuously for risk threats, to adjust the model where necessary and in this way to make it sustainably risk-resistant.

Description

Risk control problem

Risk governance refers to the responsible management of risks at the company level. While strategies imply the deliberate assumption of risk in order to earn profit in market competition, it is at the same time necessary that the risks taken, as well as unforeseen risks, do not exceed the company's existing risk-bearing capacity.

The dilemma of risk-related corporate management is that neither "traditional" risk management nor corporate governance is sufficiently successful in recognizing risks that threaten the company, anticipating their effects on the business model in good time and immediately initiating the necessary adjustments to existing and future strategies. On the one hand, risk management, which is more operationally and mechanistically oriented in its basic design, often applies standardized risk models and risk management processes (following international risk management standards such as ISO 31000 or COSO ERM) to pre-selected standard risks and deals with risks largely in isolation from one another, and therefore not in the overall strategic context. On the other hand, corporate governance fails when it comes to risk control: although it is intended to ensure comprehensive compliance by the company management with regard to the company as a whole, and thus strategic risk minimization, it is only rudimentarily geared towards business risks and, moreover, is often exhausted in fulfilling formal regulatory requirements and excluding liability risks. As a result, companies end up with two separate specialist functions, which do not always succeed in adequately taking into account the increasingly networked risks that cross company boundaries within the business model.

Philosophy

Risk governance offers a way out of the dilemma described above by ensuring proactive control of all corporate risks from a higher level. Risk control relating to the entire company and its target groups (owners, banks, cooperation partners, customers, suppliers, employees, the public, etc.) is introduced as a fundamental principle for all decisions in the company. This coincides with the legal duty of care to which company management is subject, not least under the German "Law on Control and Transparency in the Corporate Sector" (KonTraG): the management board of a stock corporation or the managing directors of a GmbH are obliged to take suitable measures so that developments endangering the continued existence of the company can be recognized at an early stage. In addition, they must report on the company's risks in the management report and have the auditor check that the early risk warning system exists and is operating. Risk governance addresses these requirements.

The philosophy of risk governance is "the permeation of the company with stakeholder-oriented risk control from a strategic point of view". The connection to the business model becomes clear here, because the relevant stakeholders, with their goals and interests, are mapped in the business strategy. Risk governance strives for proactive risk control from within the company. At the same time, risk governance is indirectly committed to the norms of good corporate governance, so that clear ethical signals regarding risk-related sustainability can be sent to the stakeholders.

Tasks

To ensure that a company's business model is not threatened by unanticipated risks, risk governance establishes the relationship between the various risks and the business model using four tasks:

  • The first task is the design of risk models that represent the business model in a suitable form. It is important to determine the type of risk perception, prioritization and aggregation against the background of the company's specific stakeholder conditions. The focus is on proactively oriented risk models, because these enable management to perceive both current and potential risks more clearly.
  • The second task is the determination of model risks, i.e. the identification of incorrectly designed models (for example invalid measurement rules or typical application cases) as particular dangers for the business model. To this end, the risk models are regularly related to their specific, changing application context and subjected to stress test scenarios in order to ensure that they remain functional over the long term and to permanently recontextualize risk management. Neither corporate governance nor risk management does this systematically.
  • The third task is research and development on risk topics. Here, progress in the content and methodology of risk research and practice is systematically sought as a driver for model development and adapted to the company's specific risk situation.
  • The fourth task is to advise company management on risk issues, i.e. on how it uses the risk information in designing business processes. This requires the systematic forwarding of risk-control-related information to the top of the company. By expanding management's ability to influence the market reaction process dynamically, risk governance makes a significant contribution to fulfilling the legislator's expectations with regard to management's comprehensive duty of care.

Process

The implementation of risk governance does not primarily take the form of a new formal structure in the company (although a project organization in the form of a risk governance committee is quite likely); instead, it is incorporated into the decision-making processes of all operational functions.

If all operational functions are permeated with risk governance, the respective actors, in addition to their technical tasks, take on the role of contributing to the risk resilience of the corporate business model. This is done by systematically integrating risk governance ideas into the processes of the operational function: the respective risk models are deliberately described; the model risks associated with them are determined; innovations from the general engagement with risk control are related to the specific operational function; and perceived risks and their possible effects on the business model are communicated to management. Furthermore, it is ensured that the decisions of the operational function correspond to the company's general risk culture and that top executives consciously set the "tone from the top" through their exemplary behavior in their communication with employees and stakeholders.

At the management level, it is necessary to check the company's business model continuously for risk threats, to adapt it where necessary and in this way to make it sustainably risk-resistant. This implies questioning goals, milestones, resources, incentives and future expectations, among other things. Even though it is difficult to break out of the strategic path dependencies associated with future and, above all, current strategies, it is precisely this "dynamic capability" that allows target systems to be reconfigured, resources to be reallocated and incentive systems to be reoriented.

Use

Risk governance does not replace corporate governance or risk management, but rather forms a bridge between the two and increases their effectiveness. Risk governance makes a functional contribution to the success of a company by supporting its sustainability and risk-bearing capacity: companies that implement risk governance review their business models continuously and proactively for all possible risks and thus prevent the company from lapsing into a routine mode of risk management.

At the same time, the company management becomes more competent in its strategic risk decisions, so that risks, in particular those arising from management failure, are reduced. A sustainable risk culture, that is, a collective orientation towards principles such as caution, transparency and responsibility in dealing with risk, is strengthened in the company.

History

The term risk governance comes from policy advice aimed at controlling systemic macro risks, for example in the areas of health, energy generation, critical infrastructure, cybersecurity, environmental pollution and future mobility. The International Risk Governance Council (IRGC) in particular has adopted this societal risk map. The International Risk Governance Center, a cooperation between the IRGC and the University of Lausanne, has existed since 2016 and specializes in managing the risks associated with new technologies. Some societies, such as the Society for Risk Analysis, which deals with risk governance in relation to key technologies such as nanotechnology, synthetic biology or biomaterials and with the regulation of the associated health and safety risks, also stand in this tradition. The actors here are primarily governments and (also supranational) governmental organizations, civil society organizations, as well as academic institutions and private companies.

The specific focus of risk governance on the corporate risk map was established by a research group at the University of Siegen. In this way, risk governance has also been made available for controlling systemic micro-risks.

Differentiation from Enterprise Risk Management

Enterprise Risk Management (ERM) extends traditional risk management towards a company-wide, holistic or strategic risk management. Seen as the business response to increasing external pressure for more comprehensive risk control than "traditional" risk management provides, it is an alternative to risk governance for overcoming the corresponding criticisms. As a further development of risk management, ERM measures all risks at company level as an aggregated overall risk, centralizes risk management and takes a proactive approach. Three constitutive features are in the foreground: the process concept of ERM, the location of risk analysis centrally at the overall company level, and the comparison of the determined overall risk with the company's willingness to take risks. The primacy of risk management over governance aspects continues to exist; some governance aspects within ERM make an instrumental contribution to improving the risk management system itself by regulating its control more consciously.

In contrast to risk governance, ERM integrates operational and strategic risk control requirements by conceptually strengthening and expanding traditional risk management to include governance-related elements, which, conversely, also means that ERM is still essentially a risk management system. In risk governance, operational and strategic risk control requirements are linked across the conceptual gap between risk management and corporate governance through their action-oriented interlocking within company management, which, conversely, means that risk governance is breaking new ground.

Application

Companies

Risk governance is well suited to large companies because it is clearly management-oriented and provides the necessary link between the outward-looking stakeholder orientation and the inward-looking corporate management with an explicit risk focus.

Especially for small and medium-sized enterprises (SMEs), risk governance opens up new perspectives in strategic risk control: against the background of the specific disadvantages and advantages of SMEs compared with large companies, such as restrictions in resource allocation, structural smallness, greater flexibility and more informal institutionalization, risk governance is conceptually so flexible that it can provide individual solutions for SMEs at different stages of development. It is precisely this flexibility that is its particular strength: the scope of risk governance is scalable to the needs of the company. For companies with a well-developed quantitative risk management system, the focus of risk governance will tend to be on the meaningful connection between corporate governance and risk management. Companies that, because of their size or their preferences, are rather skeptical of quantitative risk management can use risk governance to link the risks they have already assessed qualitatively more specifically with the business model.

Credit institutions

Companies in the financial sector are particularly exposed with regard to risk management, as their business model explicitly addresses risk transformation, and Section 25a KWG (German Banking Act) therefore explicitly requires risk management. It is used to identify, analyze, control and monitor the risks associated with the business model. The link to strategy is expressed in the budgets and limits for risk-bearing capacity and in the optimization of the risk/return ratio.

With the publication by the European Banking Authority (EBA) of the SREP guidelines (Supervisory Review and Evaluation Process), in force since 2016, which specify the EBA's expectations of the risk behavior of credit institutions, the European Central Bank (ECB) explicitly introduced the term risk governance and made it a review task for national banking supervisors. The SREP concept is accordingly based on four pillars: the analysis of the business model, the assessment of the governance and control functions, the assessment of capital risks and the assessment of liquidity risks. In this way, all facets from which risks can arise for a credit institution are covered in full. Risk governance is explicitly addressed in the second pillar. The state of development of risk governance in credit institutions has already been examined empirically.

Literature

  • Volker Stein, Arnd Wiedemann (2016): Risk Governance: Conceptualization, Tasks, and Research Agenda, in: Journal of Business Economics 86 (8), pp. 813–836, doi:10.1007/s11573-016-0826-4
  • Arnd Wiedemann, Volker Stein (2017): Risk Governance: Litmus Test for the Business Model, in: Stefan Kirmße, Stephan Schüller (eds.), Current Development Lines in Financial Management, Part 1. Festschrift for the 60th birthday of Bernd Rolfes, Frankfurt am Main, pp. 231–242.
