Risk management is a peculiar management discipline! The meaning of risk management is immediately clear to everyone, early warning instruments required by law that must be proven - one side of the coin. Risk management is an integral part of the daily decision-making process, it is extremely diverse in instruments and applications - and thus it hardly seems possible to describe and implement the task of the risk manager - the other side of the coin.
What is risk management?
What happens in many companies when you ask about risk management? You will be referred to the risk manager, who pulls a thick risk report out of his pocket, in which all risks reported by the responsible managers are listed with potential and probability. In addition, measures are documented on how to deal with the risks.
So what is risk management? Asking regularly about the status of the implementation of measures as well as updating the list? Most auditors are satisfied with this - if risks are also viewed as opportunities!
But risk management is not done for the KonTraG (Law on Control and Transparency in Business) or the auditor. And if no benefit for the daily work is drawn from the valuable information, then this is more than regrettable!
Best practice: What is the right approach to risk management?
First of all, you have to acknowledge that risk management is a very multifaceted task for everyone involved, which goes far beyond the above mentioned risk inventory. Since the opportunities and risks are very diverse in nature and form, they also require differentiated treatment. We call this risk policy. The basis of this risk policy is the individual decision on how to deal with the risk. Some risks have to be eliminated by direct measures or measures have to be kept in place in case of emergencies. In the case of other risks, close monitoring makes sense or there are hedging instruments. Some risks must be countered with organizational measures.
Therefore, the list of measures mentioned is only a part of the answer to the handling of risks, since hopefully many of these measures lead to an inconspicuous, regular management of the risk - with the exception of strategic decision risks. However, these processes must also be regularly reviewed regarding their implementation - often a task of internal auditing.
But what actually happens if the risk does occur? Then it leaves its mark on the income statement and balance sheet! This obvious and seemingly trivial insight means two things:
Firstly, the person who makes an assessment of the risk potential must understand the subtleties of the income statement in order to be able to describe the risk. The risk manager must also translate the various risk positions to a common denominator. So if the sales department indicates the risk of an economic slump in sales for the most important customer with a drop in sales of 10% and the purchasing department indicates a delivery bottleneck with 2 weeks delay in the delivery of the key material, then the translation into an effect on earnings is anything but trivial - but that's exactly what it's all about. Who knows this arithmetic particularly well in a company?
Right! The controller. And secondly, the controller usually has to use the event that has occurred as a commentary for deviations from planned targets and pull it through the positions!
How can risk management be integrated into controlling?
There are two keys to good integration with Controlling. The first key is integrated corporate planning, because it helps setting and simulating the effects in the right place. This makes driver-based planning even more valuable!
The second key lies in the operational proximity of controlling to the specialist department. The controlling concept Measure, in which the department and not the controlling department comments on the figures, derives measures, etc., is the ideal approach also for the regular consideration of opportunities and risks.
With these two approaches, risk management becomes a task borne by everyone and the much-quoted risk list a "waste product".
