IDW PS 340: Audit of the early risk detection system

From a quantitative change of course to a view of opportunities


"If the ship is on the wrong course, it is not enough to change the captain – you have to change the course." The scenario described by the Czech writer Pavel Kosorin is a reflection for many companies. To put it casually, it could also mean: If the business is not running, the managing director has to go. That's the deal. What companies and their supervisory bodies neglect, however, is usually a fundamental change of strategy in the overall organisation. But in our times this would be quite appropriate – especially in view of the risk map of many companies. If you open up this map, it becomes large, bigger and at the same time more unwieldy to use. It is therefore only of limited use for risk orientation. Among other things, this illustrates the range of risks – from geopolitics to advancing climate change to crisis-ridden economies. For business leaders, this is reason enough to better prepare their own organisations for stormy times. After all, lifeboats should not be built in the storm. But to do so, the change of course in the direction of modern risk management is imperative in order not to sail straight into the biggest storm with open eyes.

Quantitative methods, compact information

The manoeuvre should therefore be: Clear to turn. The new goal is now called quantitative methods in risk management. The crew and the captain thus leave behind qualitative risk considerations with a colourful risk matrix and the level of probability of occurrence, complete with risk accounting. Samuel Brandstätter, founder and CEO, avedos GRC GmbH, describes the reason for such a U-turn: "We have been observing for some time that a purely qualitative assessment is no longer sufficient for many companies and the trend is increasingly moving towards quantitative methods, mostly in preparation for simulation procedures. The company was helped in this by many discussions with supervisory boards. According to Brandstätter, one insight gained from this is that risks only become relevant and tangible for supervisory boards when they can be assessed quantitatively. "That presupposes that I can convey the information in a compact form," says Brandstätter. And he adds: "From that point of view, IDW PS 340, in what it now demands or the direction it takesmakes sense."

This can be observed, among other things, in the stronger focus on quantitative methods within the framework of the new standard IDW PS 340 for the audit of the early risk detection system of summer 2020. According to the Institute of Public Auditors in Germany (IDW), among other things, the "basic elements of an early risk detection system have been clarified in line with the basic elements developed for the establishment and audit of risk management and compliance management systems". In addition, the "emphasis is on the obligations of a company with regard to risk-bearing capacity and risk aggregation", the IDW continues. Brandstätter, however, not only focuses on the regulatory aspect. Rather, the new standard ensures noticeably better communication between the risk owner and the management, and also between the management and the supervisory board.

Demystifying simulations

The Austrian company avedos had already integrated a simulation engine into its own risk management software "risk2value" in 2019. The holistic GRC software enables different GRC use cases to be mapped integratively. The advantage according to avedos: "Medium to large corporate and group structures benefit from a noticeably reduced workload with optimised GRC processes at the same time." The company's already more than 15 years of experience in dealing with complex GRC implementations from practical experience, including in very large corporate groups, is an advantage. Brandstätter explains the simulation engine: "We are trying to demystify simulation with it, because there are still too many risk managers who see the topic as too complex. To simplify the overall process, we design certain use cases that ultimately fulfil what IWD PS 340 requires."

Early detection and risk aggregation

To meet the audit standard, this also means clear consideration of "net risks" as well as risk management as part of the basic elements of a risk early warning system to be audited. A "Joint Statement" by various experts from January 2020 concludes: "The main task of an early risk detection system required by law – as the core of risk management – is to detect "developments that threaten the existence of the company" at an early stage (section 91 para. 2 AktG).

In order to fulfil this task, it is necessary to clearly define what such a 'development threatening the existence of the company' is." And further: "The early detection of developments that threaten the existence of the company requires the identification of rare extreme risks and, due to the non-additivity of risks, risk aggregation (stochastic simulation)." The idea behind "stochastic scenario simulation" is to determine the corresponding result or target variables for randomly selected parameters via the corresponding correlations. In other words, to simulate potential future scenarios in order to learn from them or to define preventive or reactive measures. The model used to determine the target variables is usually deterministic in nature, i.e. once the parameters have been set, the target variables are clearly determined. The advantage of using stochastic scenario simulation is that results can be determined quickly and easily.  

Reduce complexity, gain options for action

Especially with regard to complexity, risk managers of medium-sized companies have a lot of catching up to do, partly because they lack the capacities. "SMEs don't have auditors or consultancies in-house in advance who develop concepts tailored to their needs and with which they come to us," Brandstätter explains. Conversely, for avedos this means working with more standards in order to put medium-sized companies in the same position as large corporations. The keyword is best practice approaches. Brandstätter says: "These approaches should enable risk managers in medium-sized companies to achieve a result within a few days." With its standard solution, avedos offers a ready-made kit for this purpose – from enterprise risk management to data protection to business continuity. Brandstätter sees this as a starting point. And yet avedos is thinking ahead, i.e. it has set the compass to the future. For medium-sized companies are enabled to expand the solution in the future with the help of the avedos solution. "Companies can expand the respective solution step by step and ultimately increase the level of maturity in the entire risk management process," Brandstätter sums up. This allows companies to change course – while maintaining full control over their own "ship" and setting sail for the future. And that means discovering the terra incognita in the form of opportunities and modern risk management.


[ Source of cover photo: Adobe / Philip Steury ]
Risk Academy

The seminars of the RiskAcademy® focus on methods and instruments for evolutionary and revolutionary ways in risk management.

More Information

The newsletter RiskNEWS informs about developments in risk management, current book publications as well as events.

Register now
Solution provider

Are you looking for a software solution or a service provider in the field of risk management, GRC, ICS or ISMS?

Find a solution provider
Ihre Daten werden selbstverständlich vertraulich behandelt und nicht an Dritte weitergegeben. Weitere Informationen finden Sie in unseren Datenschutzbestimmungen.