Home

Internal

Deutsch|English

Insights – Make Way for E-Invoicing! The Future of Invoicing » |

Worldwide

Risk management system: Recognizing and managing risks at an early stage

Every successful corporate strategy is characterized by taking advantage of available opportunities and only taking risks if they are economically and socially justifiable.

Managing risks is one of the core tasks of corporate management and is therefore essential for sustainable corporate development. At the same time, risk management is one of the central requirements that owners, investors and lenders, as well as employees, place on the company and its management.

A functioning risk management system that identifies, analyzes and evaluates risks in the relevant markets and at the company's locations worldwide at an early stage and thus lays the foundations for effective risk management measures is one of the most important tasks of corporate management. Digitalization, globalization, climate change and political crises are having a more complex and “disruptive” effect, meaning that risks need to be identified, assessed and managed more quickly.

Key issues of risk management

How likely is a certain risk?
How high could a potential loss be?
What risk management measures are possible, effective and cost-efficient?

Answering the core questions of risk management is both a prerequisite for profitable corporate growth and a requirement of stakeholders for modern corporate governance.

A risk management system is mandatory for all companies

It is the responsibility of the company management to define the necessary measures and thus elements of effective risk management in the company. The establishment and monitoring of the risk management system is an entrepreneurial decision at the organizational discretion of the company management, through which you comply with the general organizational and due diligence obligations.

Only the risk early warning system of stock corporations, which is a key aspect of a company's risk management system alongside risk analysis, risk assessment and risk control, is subject to explicit statutory regulation in Germany.

Section 91 (2) AktG instructs the Management Board to take appropriate measures and, in particular, to set up a monitoring system. This is intended to identify developments that could jeopardize the continued existence of the company at an early stage. The German legislator had not previously seen the need for a fundamental regulation for companies of other legal forms. However, the need for improvement has been emphasized by all stakeholders, particularly in the German SME sector.

With the entry into force of the Stabilization and Restructuring Framework Act (StaRUG) in January 2021, the legal basis for the requirement of appropriate risk management should now be in place.

Section 1 StaRUG standardizes the obligation to set up a crisis early warning system. For the first time, there is now a legal requirement for legal representatives of companies of all legal forms to set up a risk early warning system.

The legislator has deliberately refrained from explicitly regulating how companies of other legal forms must structure their risk management system. The type and scope of the measures to be set up depend on the individual risk situation of the respective company and are at the organizational discretion of the board of directors or management.

Requirements for an effective risk management system

Holistic and cost-optimized risk management requires that all processes for managing risks in the company are linked.

The “Internal Control - Integrated Framework” of the “Committee of Sponsoring Organizations of the Treadway Commission (COSO-ERM)”, last updated in June 2017, and ISO 31000:2018 provide a conceptual basis.

They provide valuable assistance when it comes to implementing a systematic approach or the target concept for auditing and thus monitoring the risk management system.

The tasks and objectives of risk management include the transparent presentation of risks in the company, the fulfillment of rights and obligations (compliance) without exceptions and the inclusion of ongoing results in the corporate decision-making process.

The structural and procedural organization of the risk management system must be integrated into the internal control system as far as possible and linked to the compliance management system.

Click to enlarge

There is still no consensus on the question of which measures are required for the assessment of risks. However, the StaRUG will give this question a new dynamic in the future, as the early detection of crises and risks requires the (quantitative) assessment and aggregation of the company's risks in order to be able to regularly determine the company's risk exposure.

In addition to early crisis detection, the systematization of risk management measures and their review by the auditor in the context of financing helps to improve the credit rating and thus reduce the cost of financing. This is because a functioning risk management system creates confidence among lenders as well as shareholders and investors.

The voluntary audit of the risk management system supports the management and supervisory bodies in fulfilling their general duties of care. This ensures compliance with legal requirements and avoids penalties or even personal liability for board members.

The audit of the risk management system is not unnecessary bureaucracy, but a suitable aid to sustainable corporate governance.

Our service for you: Design and audit of the risk management system

We advise you on the design and implementation of an effective risk management system and audit your existing system for appropriateness and effectiveness in accordance with the IDW PS 981 auditing standard.

In doing so, we focus on the general legal environment, including special statutory regulations, IT security and tax law. Tailored to the specifics of your industry, our service includes tax optimization (Tax CMS), money laundering prevention and the implementation of a data protection management system (DSMS) as components of your risk management system.

Our risk management system takes into account both legal and tax aspects as well as the business aspects of your company.

The aim of the audit of the risk management system in accordance with IDW PS 981 is to determine the extent to which your company has taken precautions through the establishment of a risk management system to identify, assess, control and monitor in good time any significant strategic and operational risks that may prevent the achievement of the defined objectives of the risk management system.

The subject of the audit is the company's statements on the risk management system, which are usually documented in the risk management manual.

On the one hand, the audit enables an assessment of whether the regulations of the risk management manual are appropriately presented in accordance with the applied principles of the risk management system. Secondly, it assesses whether these regulations are suitable for identifying, assessing, managing and monitoring the main risks in good time with sufficient certainty and whether they were effective during the audited period.

For companies that are systematizing their risk identification, analysis, assessment and control measures for the first time or expanding and improving their existing risk management system, it may be appropriate to engage an auditor to audit the measures implemented to date as part of an adequacy audit during the development, introduction, modification or expansion of the system (IDW PS 981, para. 24).

The IDW PS 981 audit standard expressly provides for such a project-related audit of the risk management system and does not constitute involvement in the development or establishment of a risk management system, which would exclude the auditor from a subsequent audit of the effectiveness of the risk management system due to the independence requirements.

If significant deficiencies in the risk management system presented in the risk management manual are identified during the audit, it is compatible with the position of the auditor to make recommendations on the necessary regulations for the design of an appropriate risk management system.

Contact us if you would like to find out more about our services in the areas of risk management, early risk detection, internal auditing and corporate compliance. We will be happy to help you.

Further topics from the GRC service line

Compliance Management System (CMS) »

Corporate Governance »

Internal Control System (ICS) »

Internal Audit »

Forensic Services »

« Back to the overview of our audit consulting services

Contact

Contact Person Picture

Steffen Freytag

Partner

+49 911 9193 2220

Send inquiry