
Freshfields Risk & Compliance

6 minute read

Tying good governance to good risk management

As companies continue to navigate rough seas in the current economic climate, good governance remains crucial for company success and investor valuations. One element of good governance that often stays below the radar is how a well-balanced risk management approach sets the path for growth and resilience. Every company faces risks it must deal with. One key task of good management is therefore not the bound-to-fail attempt to eliminate strategic and operational risks, but establishing processes to effectively manage risks and minimize their potential adverse effects on the corporation. Under the two-tier German board structure, both the management board (Vorstand) and the supervisory board (Aufsichtsrat) have to discharge certain control and oversight duties. These duties and effective ways to handle them are outlined in this article.

What an adequate risk management system looks like

The cycle of good risk management looks as follows:

  1. Identifying all relevant risks: Every business must ascertain all strategic and operational risks it is confronted with in its business operations. The range of risks spans from market risk, competitive risk and liquidity risk to regulatory risk and compliance risk. Interesting side note: the nonbinding German Corporate Governance Code recommends that risk management systems should also cover sustainability-related objectives.
  2. Setting the appropriate risk appetite: Company leadership must determine the organization’s overall risk appetite as well as the appropriate risk tolerance for every identified risk area. The Financial Stability Board defines the general risk appetite from the perspective of global financial institutions as “the aggregate level and types of risk an [financial] institution is willing to assume within its risk capacity, in line with its business model, to achieve its strategic objectives.” Risk capacity refers to the maximum level of risk the institution can bear in light of its capital base, its risk management and control capabilities, and regulatory restraints. Depending on the strategic corporate objectives, the board will decide to follow either a more risk-averse or a more risk-hungry approach.
  3. Gross risk determination: Next, the gross risk is calculated by taking each risk separately and assessing the likelihood and impact of a risk scenario. Possible mitigation measures are not included at this stage. Businesses will generally develop uniform internal metrics to standardise the procedure and ensure comparability. Companies should generally include quantitative and qualitative factors to assess risks not only based on pecuniary considerations but also on potential reputational and strategic concerns. Based on such a comprehensive assessment of the respective risk, the gross risk can be determined. At this point, it is already possible to determine whether the gross risk (i.e. the risk without taking mitigation measures into account) is within the scope of the risk appetite, thus not requiring any further measures. However, the gross risk will usually be higher than the respective risk appetite, meaning that the control measures already implemented or yet to be implemented need to be examined more closely.
  4. Integrating control measures: Subsequently, remedial and control measures that reduce the gross risk are factored in. The company’s existing monitoring and compliance systems that control specific risks are examined and then assessed for their impact on the gross risk. Internal metrics are needed to establish consistent procedures and results for all risk areas. The internal control measures will lower the initial gross risk, leaving the company with the remaining residual risk.
  5. Comparison of residual risk and risk appetite: The residual risk and predefined risk appetite are then compared to evaluate whether they are on the same level. Should the residual risk exceed the risk appetite, additional mitigation measures will need to be taken to ensure compliance with the risk appetite. All in all, the implementation of specific measures must ensure that the comprehensively assessed residual risk remains within the limits of the predefined risk appetite.
  6. Continuous supervision and cyclical re-evaluation of the risk appetite: Lastly, it must be taken into account that risk management is a continuous process due to changes in business operations, the evolving risk landscape and lessons learned from compliance cases. Thus, the relevant risks affecting the relevant company must be reviewed periodically and on an ad hoc basis in the event of specific circumstances. The risk appetite must be reconsidered and redefined to meet current demands and align with adjustments in the corporate strategy. The described cycle of good risk management must then be repeated.

Management boards must identify risks and set the risk appetite

Due to the strong impact of strategic risk determinations on the company’s business operations and financials, it is one of the management board’s core tasks to assess all business-related risks and define the corporation’s adequate risk appetite. Therefore, the board must identify all crucial business risks and set up the structures to evaluate, monitor and manage them by means of an effective risk management system. The board must receive regular updates to fulfil its oversight duty and stay informed on current risk developments. Just as important as making risk management decisions is the board’s obligation to record and document their deliberations to be able to prove that they fulfilled their fiduciary duties.

For listed companies, Sec. 91(3) of the German Stock Corporation Act expressly stipulates that the board must put in place a suitable and effective risk management system in relation to the scope of business activities and its risk situation. This rule takes the existing duties, which require all companies to assess and monitor at least significant business risks, even further and requires the risk management system of a public company to encompass all identified business risks and adequate control measures.

Ongoing reporting and monitoring duties by the management board

Even if the board has divided its responsibilities and entrusted a board committee to deal with a particular risk issue, this does not relieve the non-committee board members of their duties; the principle of the management board’s joint responsibility remains intact. Every board member must therefore oversee the work of their peers around the table and stay up to date on all company-relevant hot topics. The company’s risk and compliance department ought to regularly report to the management board and provide updates on important issues and key risk topics. The management board is in turn obliged to regularly report to the supervisory board and keep it informed on all important business operations.

The supervisory board’s risk-related duties

In order to adequately fulfil its duty of oversight, the supervisory board must continuously check the management board’s actions for their legality and expediency. With regard to risk management assessments, the supervisory board has the obligation to satisfy itself that management is aware of and addressing all corporate risks.

The supervisory board’s role is not limited to backward-looking scrutiny, but also includes forward-looking strategic assessments. It must therefore ensure that it receives adequate, timely and comprehensive information from the management board so that it has a sufficient overview of all issues related to risk scenarios and risk assessments. Where certain risk areas are causing ongoing turmoil within the firm and the supervisory board has grounds to believe it is not being fully informed, the level of required oversight increases and the supervisory board must examine the details of the existing risk management structures more closely. It has the right to request reports from the management board for these purposes.

(Audit) Committee Oversight

German law stipulates that supervisory boards are free to form committees to organize themselves efficiently. These committees may even adopt resolutions on behalf of the supervisory board, as long as those resolutions do not deal with core supervisory tasks, which must be resolved by the entire supervisory board. The German Corporate Governance Code requires companies to establish an audit committee that oversees the effectiveness of the risk management system. While the formation of an audit committee is definitely best practice, an increasing number of boards are taking it even further and forming more specialised committees, e.g. cyber-risk or ESG committees. This puts a particular focus on these topics and helps to ensure that the risks associated with them are all identified and addressed appropriately. Depending on the individual company’s risk profile and the relevance of topics such as cybersecurity for mission-critical organizational goals, this approach could serve as a blueprint for more businesses across industries. While the formation of a committee makes the committee members liable for the fulfilment of the committee’s task, the remaining supervisory board members retain their duties of due selection of committee members and oversight of the committee’s work. All board members are required to check decisions prepared by a committee at least for plausibility before voting on them.

Good governance requires well-considered risk management efforts

A well-balanced risk management strategy is central to business success. Top management must therefore devote sufficient time to risk management and ensure it is complying with its management duties. As risk management is an ongoing duty, the management board must continuously stay on top of the issue. The supervisory board, on the other hand, has the duty to oversee the adequacy of the management board’s exercise of their powers. This requires both corporate bodies to rise to the challenge as adequate risk management is becoming increasingly multi-layered and complex. Increased regulatory requirements in the international arena, geopolitical tensions, new risks, particularly in the area of cybersecurity and, last but not least, recent developments in the area of ESG are making the risk landscape more and more diverse. Since every company must make business decisions that entail risks, they are well advised to proactively and continuously address their own constantly evolving risk landscape with the necessary expertise. The formation of specific task forces and committees, for example, can help to address new risk clusters with due care.
