A look at current practice often reveals a dilemma in traditional risk management in companies. On the operational side of a business we find more mechanistic risk management – using standardized risk models and risk management processes for preselected standard risks. On the strategic side of business management we find corporate governance, although this only has a rudimentary focus on integrated risk management. In many cases, the two functions are totally isolated from one another. As a result, risks that threaten the company, occur at the interface between the company and its environment, are increasingly networked and develop their own dynamics, can fall through the net.
Risk governance attempts to close this gap and therefore aims to establish stakeholder-based risk management from a strategic perspective. We spoke to Prof. Arnd Wiedemann and Prof. Volker Stein (both from the University of Siegen) about risk governance, a genuine risk culture and the future of the risk map.
What do you understand by risk governance?
Wiedemann: It is primarily about managing business risks in response to the question: "What has to be done to prevent unforeseen risk events from suddenly occurring that could jeopardise the survival of the company?". Therefore, risk governance is first of all a basic philosophy and involves establishing stakeholder-based risk management from a strategic perspective throughout the company. Risk governance is closely linked to a company's strategic business model, as the business model represents the relevant stakeholders and their goals and interests – and if their interests are not consistent with the company's own interests, risk positions arise that are difficult to predict. At this strategic level, risk governance aims to achieve proactive risk management from the inside out. At the same time, all risky decisions are subject to the standards of good corporate governance, enabling clear ethical signals to be sent to stakeholders in terms of risk-related sustainability.
Stein: Risk governance goes beyond the scope of both traditional risk management and corporate governance, whose focus is less on business risks than on risks associated with management of the business.
Does risk governance differ from the GRC approach, i.e. an integrated and holistic approach to organization-wide Governance, Risk and Compliance?
Stein: Companies of all kinds deal with risks in a huge range of areas. Banks are particularly exposed as their business model explicitly addresses risk transformation and therefore section 25a of the German Banking Act (KWG) states that operational risk management is mandatory. Its purpose is to identify, analyse, control, and monitor risks associated with the business model. From the more strategic perspective of corporate governance, the key aim is to avoid risks resulting from a lack of corporate management quality, lack of compliance with rules, intransparency, and a lack of sustainability. Compliance is closely linked to the governance concept and focuses on ensuring compliance with statutory regulations and internal company guidelines.
Wiedemann: In this sense, risk management and corporate governance/compliance each seem to have a clear focus and thus a practical division of tasks. However, it can be demonstrated that insular specialisation in the two areas causes a lack of integration and they can easily drift apart, resulting in deficiencies that impact on risk behaviour and have the potential to jeopardise the success of the business model. GRC merely represents a general concept that is intended to guarantee that a company complies with its internal and external requirements and that efficiency and effectiveness are increased through appropriate coordination routines. By contrast, risk governance is primarily driven by content. That is why we put the link to the stakeholders prominently in the foreground and talk about a new way of thinking.
What specific tasks are involved in risk governance for companies?
Stein: Risk governance involves four key tasks. Firstly, the ongoing (re) design of risk models to ensure that risk perception, prioritisation and aggregation keep pace with environmental changes and there are alternative risk models to choose between. Secondly, systematic determination of model risks to make the risks arising from the models themselves transparent and to rule out errors in risk models as far as possible. Thirdly, research and development on risk issues so that no academic and methodological developments are missed, linking these to the specific context of the company and also taking into account the opportunity element of the risks. Fourthly, advising corporate management on risk issues, so that they can manage their risky market response process and are able to incorporate the large amount of risk-related information from risk governance into their decisions.
Why do you believe that in many companies – from DAX-listed corporations to SMEs – risk management is seen as a necessary evil and is frequently reduced to merely a documentation exercise? In other words, does methodologically sound risk management play an insignificant role in corporate management?
Wiedemann: Firstly, risk management is a term that has negative connotations as users of the service perceive it as something that limits entrepreneurial freedom. Secondly, to date risk management has not managed to clearly communicate its benefits. You cannot say that risk management is not methodologically sound. But it rarely has a true strategic relevance at present. We have brought risk governance into the discussion, but it cannot and is not intended to replace risk management. However, risk governance can contribute to making the benefit of operational risk management visible at a strategic level.
Empirical studies unequivocally show that strategic risks normally destroy company value. But strategic risks tend to be neglected in commercial risk management. Do you agree?
Stein: That's right. But it is hardly surprising because risk management is a very specific operational task and uses mechanistic processes. Traditional risk management primarily uses standardised risk models based on standard risk management processes for preselected standard risks. In today's open business systems, risks are more complex, networked and ambiguous than ever, which means that risk management inevitably lags behind. The risks change more quickly than risk management can, so it can ever only act reactively.
In a world of disruptive change and geopolitical uncertainty, what do you think are the key business risks?
Wiedemann: We believe there are four issues that risk governance specifically needs to address: firstly, complexity – more than ever, companies have to think about the risks of increasing networking; secondly self-reinforcement – the mathematical rule that the maximum risk is the sum of the individual risks no longer applies; thirdly real time – not least due to social media, risks can occur with no prior warning; fourthly the tsunami effect of risks – if you fail to act promptly, you will be overrun.
What are the reasons why corporate management is frequently unable to see the forest for the trees when it comes to risk?
Wiedemann: A popular phrase goes: If it's not broke, don't fix it. Corporate managers – including risk managers – are happy if a system is running and processes are settled and are functioning well. This leads to a tendency to be satisfied with the status quo. Risk governance calls for explicit proactiveness. To stay with the metaphor, risk governance offers corporate management a viewpoint from which they can get an overview of the forest and any new trees that have grown up, rather than being on the ground engrossed in operational issues and only able to see the familiar trees around them.
In the German-speaking region, we have a tendency to ignore the issue of "opportunities" and "upside risks" in our analysis. Is this mainly due to the negative connotations of the term risk in the sense of danger?
Stein: If you were to conduct a general survey on what a "risk" is, the majority of ordinary people would definitely say "something dangerous". Of course, what we do is risky. But provided companies incorporate risks into their calculations, if they should occur they no longer represent a danger as provision has been made for them in advance. However, the reverse is also true: what we don't do is risky. It is clear that if a risk actually occurs, the expected result will be impaired and disappointment and annoyance are automatic responses. But a company cannot, should not and does not want to avoid or protect against every single risk: without risk there is no opportunity. Therefore, it is important not to look at a company's risk bearing capacity from just one side, but to always consider the risk/return ratio. Risk minimization certainly increases security but it is only a liberal dose of risk taking that opens up business opportunities. Risk governance does both of these things. It actively searches for previously unforeseen risks and simultaneously links them to the company's value creation at a strategic level.
What role does a "genuine risk culture" play in the context of risk governance?
Wiedemann: If we look at the most recent "scandals" threatening the existence of companies in the German economy, they have their roots less in misguided business strategy than in an inadequate risk culture, which has enabled decentralised misconduct to occur, ultimately resulting in consequences that threaten the company's existence. The risk culture expresses the entirety of the standards, attitudes and behaviours in a company in terms of risk awareness, willingness to take risks, risk management and the associated controls. The risk culture, which includes the management culture, the perceived responsibility of employees, open communication and critical dialogue, influences management and employee decisions in their day-to-day work and therefore has a direct impact on the risks they take. It should certainly come as no surprise that it is a central result of risk governance. In an initial benchmark study last year, we investigated the level of development of risk management and implementation of risk governance tasks in German regional financial institutions (savings banks and cooperative banks). We were able to demonstrate that performance of the four risk governance tasks outlined not only has a positive impact on risk culture, but ultimately also improves business effectiveness and thus results in sustainable profitability.
How can sharing of knowledge between academics and professionals be improved? In other words, why does it often take so long for research results to be used by the industry?
Stein: It's a familiar pattern that companies only really take decisive action once a crisis has already occurred. But we don't want things to get to that point – that is why we as academics always offer mental frameworks that we are convinced could bring companies long-term benefits. Risk governance is one such mental framework, which particularly emphasises taking a forward-looking view. For example, as one of the risk governance tasks we specifically address the issue of research and development, as the first step towards change is for companies to recognise their own possible management deficiencies and blind spots. But companies have to want to do this. In times when digitalisation is strengthening and accelerating all possible processes, it makes even less sense to only be wise after the event.
Wiedemann: We are explicit in saying that risk governance is first and foremost a philosophy. It expresses a particular mindset and demands on oneself. As academics, we will also make every effort to highlight to companies the specific relationship between risk governance and their value creation, in order to eliminate their fears and build enthusiasm.
Finally, we'd like you to gaze into your crystal ball. Which developments will bring the biggest changes to the risk map in the coming years, and what will you be doing to help shape these developments?
Wiedemann: The new features of risks that we highlight – namely the increasing complexity of risks, the self-reinforcing effects, the real time problem and the Tsunami risk – are likely to bring about the most significant changes in the risk map in the future. The more networked companies, media, economy and society are, the more networked risks will be. We want to support this change process. We have set up the website www.riskgovernance.de as an information and discussion platform. We also organise regular meetings and conferences to drive the discussion forwards. In 2017, the 5th annual Risk Governance Conference will be held in Siegen. The main theme will be "Roles and Actors in Risk Governance".
[The questions were asked by Frank Romeike, chief editor of the competence portal RiskNET as well as responsible chief editor of the magazine RISIKO MANAGER]
Univ.-Prof. Dr. Arnd Wiedemann holds the chair in financial and bank management at the University of Siegen. His research fields include bank management, financial risk management for companies and local government debt and interest management.
Univ.-Prof. Dr. Volker Stein holds the chair in human resource management and organisation at the University of Siegen. His research includes strategic human resource management, intercultural management, valuation of human capital and management of universities.
The pair initiated the interdisciplinary Risk Governance research group at the University of Siegen. In addition, they are founding directors of the Business School at the University of Siegen, which offers an Executive MBA programme and management training with a special focus on SMEs.