Rules for managers and controllers

The ability to appropriately weigh up opportunities and hazards (risks) is a critical success factor in business. To a significant extent, a company's success depends on the quality of its managers' decisions. In this context, risk management is one of the fundamental tasks of every single manager and is a key element of good "corporate governance".

Sound preparation for business decisions must involve weighing up the expected returns and opportunities ("upside risk") against the associated risks ("downside risk"). The initial task in risk management is appropriate risk identification, evaluation and aggregation and this is a prerequisite for optimising risk management and provision of appropriate information to underpin sound management decisions.

It is a truism that companies have to take risks to create value. However, a company's success depends to a significant extent on taking the "right" risks ("upside risks"). Managing risks also means developing the right strategies and using them as a basis for defining effective and efficient business processes, within the framework of "good" corporate governance.

What can risk managers learn from shipbuilders?

Every captain knows that ships are specially designed for the days when storms are raging and huge waves are tossing ships around like toys. Therefore, the dominant  strategy must be: You should be able to survive any conceivable storm. However, at the same time it is essential to address the issue of how control of the ship (business processes) needs to be organised in stormy times in order for the ship to stay functional.

It is important to emphasise that companies who rely on "business intuition", "gut feeling" and reactive control systems find it increasingly difficult to understand and analyse the complexity of their risk map. The ability to manage risks and take adequate account of them in business decisions is one of the key competences of consistently successful entrepreneurs and is an essential element of "good corporate governance".

Risk management as a fundamental management task

The Anglo-Saxon region was very early to incorporate internal monitoring systems into the mandatory framework for business management and reporting. The main reason for this is that in Anglo-Saxon countries the anonymous capital market players play a greater role than in many other nations. In this context, the capital market has a major interest in ensuring sufficient transparency of future opportunities and risks, as well as the quality of "corporate governance". Based on the recommendations of the "Committee of Sponsoring Organizations of the Treadway Commission" (COSO Report 1992) and the Cadbury Committee in the United Kingdom (Cadbury Report 1992), a risk management and control concept was established. According to the COSO recommendations, "internal control" is based on five linked components: Management environment, risk assessment, control activities, information, communication and monitoring. The COSO risk management approach was the first comprehensive and integrated method to incorporate a proactive risk analysis and management process alongside business processes and corporate objectives. 

Corporate management as a basis

"Corporate Governance" can also be referred to as "corporate administration" or "corporate management". The "Organisation for Economic Co-operation and Development, OECD" defines corporate governance as the "interrelationships between all stakeholders directly and indirectly involved in institutional decision making… determined by the institutional framework and the regulatory environment " or as a "structure of relationships and corresponding responsibilities in a core group consisting of shareholders, board members and managers that effectively supports the necessary competitive activities to achieve the primary objective of any company", which is viewed as the generation of long-term returns. 

In Germany, Austria and Switzerland, discussions relating to corporate governance have mainly focused on two objectives:

  • Definition of a behavioural framework in the form of a "Code of Best Practice" for management bodies, particularly in terms of the interaction between management and monitoring bodies in a joint stock company.
  • Increasing the attractiveness of Germany, Austria and Switzerland as locations for national and international investors. In Germany, for example, this can be achieved by increasing the transparency in the dualistic corporate administration system. This will generally promote trust in companies' management and monitoring among international and national investors, customers, employees and the general public.

Many elements of corporate governance have already been codified in law in Germany in the past. Various trade, company and capital market laws set out legal parameters. Even before the "Corporate Sector Supervision and Transparency Act" (KonTraG) came into force, the tasks of a board (see Companies Act (AktG) § 76 Para. 1) included setting up a supervision and risk management system, identifying developments that could jeopardise the company's survival and taking appropriate organisational measures. The German Companies Act, Commercial Code, Securities Trading Act, Stock Exchange Act, Co-Determination Act, Coal, Iron and Steel Industry Co-Determination Act 1951 and the Works Constitution Act all include elements of good corporate governance. The "German Corporate Governance Codex" (DCGK) is essentially a summary of the statutory regulations for corporate management and supervision in stock market listed companies. The primary aim of the legislation was to make corporate managers more sensitive to the issue of identifying opportunities offensively but in a controlled way.

Risk management as an obligation

The Companies Act § 91 Paragraph 2 (resulting from the overriding Corporate Sector Supervision and Transparency Act) stipulates that the board has to take suitable measures, in particular to set up a monitoring system, so that developments that jeopardise the company's survival will be detected in good time:

"The board has to take suitable measures, in particular to set up a monitoring system, so that developments that jeopardise the company's survival will be detected in good time"

The preamble to the act states that this stipulation is not creating a new management task, merely giving special emphasis to an existing obligation [see Romeike 2008, p. 6 and BT paper 13/9712, p. 15]. 

There is no equivalent to Companies Act § 91 Paragraph 2 in the laws governing limited companies or partnerships. However, the preamble explicitly refers to a "ripple effect" for other forms of organisation. The intensity of this ripple effect depends on the size and complexity of the relevant corporate structure. The wording of the act does not use the term "risks". Instead, it refers to "developments jeopardising the survival of the company". According to legislators, developments that could jeopardise the survival of the company include transactions fraught with particular risk, irregularities in accounting and violations of legal regulations that have a significant impact on the company or group's asset, financial and profit position. In addition, Companies Act § 93 Paragraph 1 requires due care in business management, including evaluation and management of risks that could jeopardise the survival of the company. A similar regulation can be found in the German Commercial Code § 347 Paragraph 1 ("Any person who has an obligation to show due care to another party due to a transaction that is a commercial transaction on one side, must show the due care and diligence of a prudent businessman").

In addition to industry-specific legislation (Insurance Supervision Act, Banking Act etc.) the German Corporate Governance Codex (DCGK) stipulates that a risk management system must be established. It contains a series of regulations dealing with risk management. 

Risk management is a management task and may not be neglected by the board of a joint stock company (stock market listed or not) or by the corresponding bodies in other forms of company.

Verification criteria for the "Business Judgement Rule"

Management that fails to introduce a comprehensive and preventive risk management system, yet claims to be acting in a proper and conscientious manner as defined in Companies Act § 93 Paragraph 1 Sentence 1, is exposed to increased pressure to justify this failure and potential personal liability should a risk occur [see Lorenz 2008, p. 27].

To assess personal liability of the bodies in practice, the "Business Judgement Rule" (BJR) is used (see Companies Act § 93 Paragraph 1 Sentence 2). This "rule for commercial decisions" is based on the Principles of Corporate Governance published by the American Law Institute in 1994 and German case law established at the highest judicial level in the Federal Supreme Court (BGH). In its judgement of 21st April 1997, the BGH decided that an executive always has a certain amount of scope in terms of the commercial decisions to be taken. The body is not then subject to personal liability if it is sufficiently well informed and has made a justifiable decision in the best interests of the company.

The BJR thus defines behaviour by a board or other bodies in a company that excludes liability and complies with its obligations. There is no violation of obligation if the following criteria are met:

  • Decisions are legally based ("mandatory decisions"): In compliance with legal, statutory, employment contract or affiliation decision obligations, the intention off the BJR is not to provide scope for illegal behaviour. Therefore, the BJR concentrates on commercial decisions that, because they relate to the future, are characterised by uncertainty, risks and non-litigable assessments.
  • Good faith: Decisions must be made ex ante (in this context, events that occur later, which could not yet have been known at the time of the decision, are disregarded) in good faith and for the  benefit of the company.
  • Action without special interests and inappropriate influences: Board action must not be influenced by conflicts of interest, external influences or direct self-interest. The board must therefore act impartially and without influence. 
  • Action for the benefit of the company: Decisions must be intended to achieve a long-term improvement in the profitability and competitiveness of the company and its products / services. This requirement is not met if a performance bonus that brings the company no future benefit is granted at a later date. If the risk associated with the decision was assessed in a completely irresponsible manner, the "reasonable" criterion is not met. 
  • Action based on appropriate information: Commercial decisions are frequently based on instinct, experience, imagination and a feeling for future developments, which cannot be replaced by objective information. Thus, on the one hand the courage to take commercial risks should not be eliminated but on the other hand rashness and improvidence should not be encouraged. Information reasonably considered to be appropriate is thus used as a basis. Information cannot be all-encompassing, but has commercial aspects. In this context, the board should primarily identify risks in the context of the company's risk-bearing capacity and incorporate them into the decision-making process.

In terms of procuring and evaluating information, and the decision as to whether and how to implement a measure, the recognised latest scientific and technical knowledge must always be taken into account. If the decision maker deviates negatively from this recognised knowledge, this could represent a violation of obligations, or at least to a reversal in the burden of proof to the detriment of the manager. The central thesis is that a diligent and proper manager must be familiar with the "basics" of applicable commercial, technical and legal tools, methods and current knowledge, in order to be able to actually assess their appropriate use. This know-how represents a key component of the "appropriate information" defined in the BJR.

Further literature:

  • Hauschka, C. E. (2010): Corporate Compliance – Handbuch der Haftungsvermeidung im Unternehmen [Handbook of Risk Avoidance in Companies], 2nd revised and extended edition, Munich 2010.
  • Lorenz, M. (2008): Einführung in die rechtlichen Grundlagen des Risikomanagement [Introduction to the Legal Principles of Risk Management], in: Romeike, F. (2008) Ed.]: Rechtliche Grundlagen des Risikomanagements [Legal Principles of Risk Management], Berlin 2008.
  • Moosmayer, K. (2010): Compliance -Praxisleitfaden für Unternehmen [Compliance - Practical Guidelines for Companies], Munich 2010
  • Organisation for Economic Co-operation and Development (2004): OECD Principles of Corporate Governance, Paris 2004.
  • German Corporate Governance Codex Government Commission (2013): German Corporate Governance Codex (published 13th May 2013).
  • Romeike, F. (2008): Rechtliche Grundlagen des Risikomanagements – Haftungs- und Strafvermeidung für Corporate Compliance [Legal Principles of Risk Management - Liability and Penalty Avoidance for Corporate Compliance], Berlin 2008.
  • Scherer, J. (2012): Good Governance und ganzheitliches strategisches und operatives Management: Die Anreicherung des „unternehmerischen Bauchgefühls“ mit Risiko-, Chancen- und Compliancemanagement [Good Governance and Integrated Strategic and Operational Management: Enriching "Commercial Gut Feeling" with Risk, Opportunity and Compliance Management], in: Corporate Compliance Journal (CCZ), Issue 6/2012, p. 201-211.
  • Schewe, G. (2005): Unternehmensverfassung. Corporate Governance im Spannungsfeld von Leitung, Kontrolle und Interessenvertretung [Corporate Governance with the Competing Forces of Management, Supervision and Special Interests], Berlin 2005.

RiskNET Intensiv-Seminare

Die Intensiv-Seminare der RiskAcademy® konzentrieren sich auf Methoden und Instrumente für evolutionäre und revolutionäre Wege im Risikomanagement. Die Seminare sind modular aufgebaut und bauen inhaltlich aufeinander auf (Basis, Fortgeschrittene, Vertiefung).

Seminare & Konferenzen

Neben unseren Intensiv-Seminaren und Webinaren, die im Rahmen der RiskAcademy angeboten werden, stellen wir Ihnen hier themen- und branchennahe Veranstaltungen vor.

SARS-Cov2 / Covid-19

Covid 19 pandemic: How do you assess the adequacy of policy measures?

total votes: 1853

  • Measures not risk stratified, not evidence-based, not proportionate and possibly not constitutional:
    1514 Stimmen
  • Measures are evidence-based, proportionate and the right way:
    246 Stimmen
  • I'm not sure:
    93 Stimmen

Neues aus der RiskNET Mediathek

Rückblick und Impressionen RiskNET Summit 2020

Interview mit Prof. Dr. Jürgen Döllner, Hasso-Plattner-Institut (HPI), Universität Potsdam

Interview mit Prof. Dr. Günther Schmid, vormals Bundesnachrichtendienst

Dialog zwischen Harald Philipp, Mountainbike Abenteurer und Frank Romeike, Gründer des Kompetenzportals RiskNET

Interview mit Dr. Markus Krall, Vorstand Degussa und Fachbuchautor

Interview mit Dr. Ulrich Eberl, Industriephysiker, Zukunftsforscher und Wissenschaftsjournalist zum Thema "Artificial Intelligence"

Interview mit Tamara Lunger über die Gratwanderung auf den höchsten Bergen der Welt

Interview mit Dr. Jochen Felsenheimer zur volkswirtschaftlichen Risikolandkarte und zu Risiken von Zombieunternehmen

Risk Academy

The seminars of the RiskAcademy® focus on methods and instruments for evolutionary and revolutionary ways in risk management.

More Information

The newsletter RiskNEWS informs about developments in risk management, current book publications as well as events.

Register now
Solution provider

Are you looking for a software solution or a service provider in the field of risk management, GRC, ICS or ISMS?

Find a solution provider