Risk management is a continuous process that identifies and evaluates risks with regard to the goal. There are several areas in which risk management can be applied. The financial risk management focuses on the management of financial risks, the project risk management on the risk management in the realization of large projects.
1. Technical risks: The aforementioned “technical” risks still exist today, but they have become more complex because the workflows and performance processes have become more complex and have to be dealt with more quickly. At many points in the processes there is an interface or media breaks (for example: from telephone to paper to electronic input) where errors can easily occur. However, the disruptions and hazards now referred to as operational risks form only part of the risks to be considered today.
2. Market risks: Companies today have to operate “closer to the markets” and are therefore naturally more exposed to price fluctuations there. Market risks can be seen in the raw materials sector, currency parities, the valuation of investments and securities and obligations. Counterparty risks are virtually related. They arise because contracting parties fail or orders can be canceled.
3. Systemic risks: In addition, the lean and decentralized structures required today mean that the company is increasingly exposed to risks that lie in the "system" that links many institutions with one another. Here the risks lie in the economic and fiscal environment, in the laws (product liability), in possible technological leaps and in the dependence on other institutions, which in turn could also be directly or indirectly burdened by risks, so that the company is like a chain of Dominoes could be knocked down.
4. Strategic risks: Due to the increasing dynamism in business life, the globalization and the intensification of competition, "strategic" risks then have a higher priority than before. This is influenced by the fact that companies today should be able to react more quickly and that they carefully weigh possible flexibility with the cost advantages of rigid processes. With everything, the counterplay of competitors must be taken into account when considering strategic risks.
Second, portfolio theory has taught us how financial markets work: For the assumption of certain risks, so-called systematic risks, a premium can be expected as a return advantage. That is why there is a trade-off between returns and security.
On the other hand, a premium must be worked out for the passing on of systematic risks. Therefore the calculation bases for products and for projects have to be revised. An imputed, risk-based surcharge, labeled with capital costs, is to be provided.
Since some of the risks, the unsystematic risks, can be diversified, a portfolio view is appropriate. Companies must be viewed as a portfolio, the components of which are the individual business units or projects and plans. Each of these parts is in turn exposed to different types of risk: operational risks, financial risks, systemic risks and so on. Due to the planning consolidation as a portfolio, risk management becomes the task of the highest decision-making level. It therefore has an inseparable effect on the overall management and planning of the company.
Profitability can no longer be controlled and assessed without taking the risk into account; the trade-off must constantly be weighed up between return and security.
This task cannot be carried out separately for the individual parts of the company, a portfolio view is necessary. Is now the development of the financial markets for Derivatives If you consider a partial hedge, then it becomes obvious: Risk management requires a comprehensive view and has become the task of top management. It can no longer be delegated to a person who, together with an insurance agent and a nose for accidents, undertakes a factory tour.
Just as the financial perspective and the idea of increasing value have permeated management today, risk management also requires precise organization across all levels.
Undoubtedly, the merging, integrating portfolio view, justified on the basis of the financial risks, speaks in favor of organizing risk management as a top-down process. Risk management as a purely top-level matter, often required, cannot, however, be implemented. A lot of data and information is collected in the areas and at lower levels of the hierarchy.
In addition to the formal organization, a risk culture must be developed here that makes everyone in the company aware of the risks. The information collected peripherally must then be given to a central entity in a bottom-up process.
A balance between the central and the decentralized elements of risk management must therefore be striven for through the formal organization and cultural aspects. In all of this, risk management must not develop a life of its own, detached from the other management systems, as it were as a new reporting and decision-making structure.
Risk controlling is embedded as seamlessly as possible in the overall controlling. Risk management is an integral part of the management system and the organization and is interlinked with it.
The legislator emphasizes the importance of risk management. All corporations (with the exception of the small corporation) must also address “the risks of future development” in the management report (Section 289 (1) HGB); The same applies to the group management report (Section 315 (1) HGB). The law on control and transparency in the corporate sector of April 30, 1998 (KonTraG) affects listed stock corporations and companies of comparable complexity.
The board of directors should take measures, in particular to set up a monitoring system, in order to identify developments endangering the continued existence of the company at an early stage. Monitoring is to be understood as an ongoing process with accompanying documentation and reporting. The term system requires the methodical, orderly, planned approach to monitoring.
The continued existence is to be assessed with regard to bankruptcy portfolios, whereby a possible accumulation and chaining of individual risks is to be assumed. Dangerous developments arise primarily from business risk, errors, incorrect assessments, incorrect accounting and violations of legal regulations. The early detection should take place in good time so that it is still possible to react.