Vinay Kalia / Roland Müller
(Eds.)
Risk Management at Board Level
A Practical Guide for Board Members
Risk Management at Board Level
A Practical Guide for Board Members
3rd edition
HAUPT VERLAG
For my beautiful and loving daughter Vinaya Melania
Vinay Kalia
For my unique and supportive wife Barbara
Roland Müller
3. Auflage: 2019
2. Auflage: 2015
1. Auflage: 2007
Bibliografische Information der Deutschen Nationalbibliothek
Die Deutsche Nationalbibliothek verzeichnet diese Publikation in der Deutschen Nationalbibliografie;
detaillierte bibliografische Daten sind im Internet
über http://dnb.dnb.de abrufbar.
ISBN Print: 978-3-258-08124-3
ISBN E-Book: 978-3-258-48124-1
Alle Rechte vorbehalten.
Copyright © 2007 Haupt Bern
Jede Art der Vervielfältigung ohne Genehmigung des Verlages ist unzulässig.
Satz und Layout: Die Werkstatt Medien-Produktion GmbH, D-Göttingen
Book printed in Austria
www.haupt.ch
eBook-Herstellung und Auslieferung:
Brockhaus Commission, Kornwestheim
www.brocom.de
Foreword by the Editor of this Series
Professor Martin Hilb
Board of Directors (BoD) effectiveness is currently one of the few subjects that are topical for both research and practice globally. In this series, our International Center for Corporate Governance presents the results of studies conducted by its partners.
Our approach to Board of Directors (BoD) effectiveness is based on the following guiding principles:
• Keep it situational;
• Keep it strategic;
• Keep it integrated;
• Keep it controlled.
This edition, presented by our two partners Dr.oec. HSG Vinay Kalia (who wrote his doctoral thesis on the subject of Risk Management on the Board of Directors (BoD) and Executive Board (ExB) level under my supervision) and Prof. Dr.iur. Roland Müller fits into the last principle, «keep it controlled».
Keeping it controlled includes auditing, Risk Management, communication, compliance and evaluation on the Board of Directors (BoD) level.
One result of the Board evaluations we conducted in many organisations is that Risk Management on the board level is an area for development.
A single error alone never lets a company collapse. The cause often lies in the lack of an effective and systematic Risk Management function at the Board of Directors (BoD) level. It should be noted that:
• The new phase in Risk Management started in the 1970s with the growth of credit Risk Management;
• The Risk Management approach in the 21st century takes a holistic view of all risks concerning a company;
• The New York Stock Exchange (NYSE), through its Securities Exchange Commission (SEC), sponsored legislation such as the Sarbanes Oxley Act (SOX) to put additional and mandatory pressure on companies to manage risks on the operational and Board of Directors (BoD) levels and provide totally transparent information to shareholders;
• The financial crisis of 2008 triggered regulatory developments (Mifid, FATCA etc.) that have reinforced the need for and interest in Risk Management and its importance will continue to increase in the foreseeable future;
• Essentially, small and medium companies (SMEs) and very small companies feel that Risk Management does not have any meaning for them. However, Risk Management can be implemented even in such companies both on operational and Board of Directors (BoD) levels with great effectiveness and added value for the company.
Effective Boards need both: Members with profound entrepreneurial spirit and Risk Management know-how. This will decide if companies are the masters or victims of change.
St. Gallen/ Switzerland, January 2019
Martin Hilb
Chairman of the Board Foundation (www.icfcg.org) and its Swiss Board School at the IMP of the University of St. Gallen
Foreword by the Authors
Dr.oec. HSG Vinay Kalia
Prof. Dr.iur. Roland Müller
In the last few years, the world has been transformed by a string of developments which have raised the risk awareness and have moved Risk Management into the centre of attention, at the governance level of all corporations, regulators, public sector institutions and non-governmental organisations. Some of those developments need to be highlighted:
• The major financial crisis of 2008 sparked off many discussions about governance and control of operational risk in financial institutions, like the «too big to fail» discussion. These discussions were intensified by an increasing interest and control stake on the part of the regulators, which is often being criticised as «over-regulation». In the past, internal control systems and compliance activities focussed mainly on financial and legal issues, whereas now they also encompass other risks such as IT security or fraud risks, in order to provide senior decision makers with appropriate risk data;
• Black Swan events such as large scale cyber threats, war, nuclear or natural catastrophes have become more frequent and devastating, even more so as the world has become increasingly interdependent and complex. Such Black Swan events bear unforeseeable and uncontrollable risks. This has substantiated the need for organisations to be prepared for risk, to be «resilient» and focused on Business Continuity Management (BCM);
• Social risks such as the demographical development, migration, religious and national conflicts or resource allocation now directly affect the businesses and their response to such issues, accentuated by the ethical and cultural diversity;
• Large firms have several projects ongoing that are large enough to be firms on their own, either in terms of size or complexity. Thus a lot is at stake financially and existentially for the firm («trillion is the new billion»). These firms have increasingly felt the need for project Risk Management as it enables both self-governed process management and information escalation.
The above illustrates that Risk Management has in the last years become even more important than before and many formal and material changes have occurred.
Our objective for the first edition of this book was to present readers with a practical understanding of risk and Risk Management, with all its facets and topics, providing real life examples, tools, guidelines and checklists to manage them.
The book has been used and appreciated by practitioners, especially by board and senior management members who participated in board governance seminars. This because the developments discussed above are on their minds and agendas very often. Their questions raised to the authors and the discussions resulting from them have been reflected in the second edition. Moreover, all context and contents of the book have been updated. Further thought has been given to the discussion of Risk Management as a «system» rather than theme, to Compliance, Internal Controls (section II.3) and to the establishment of the right Risk Management culture (IV.9).
To complement and reflect on the emerging Risk Management needs for today, three guest authors were invited to enrich the book with their subject matter expertise.
• Lee Howell, presents in chapter V how the phenomenon of uncontrollable risks and black swan events can be understood and practically managed by firms;
• Peter Jonker, in chapter VI, explains why fraud and corruption risks are different from all other risk categories and what is required to keep the firm away from serious risks and damage related to them;
• Stephan Döhler, in chapter VII, sheds light on the project Risk Management where the success of big or vital projects has a significant influence on the health and wellbeing of the firm.
A special word of thanks to them for sharing their experience and thoughts. Special thanks to Mark Macus for reviewing the first edition of the book and providing valuable inputs for improving and updating the new edition. Finally, we highly appreciate Martina Schedler and Beat Gyger for working tirelessly in providing the final shape to the manuscript.
It is our sincere hope that this book benefits readers, especially Directors of the Board as well as Executive Managers, in embracing the new risk landscape and empower them with the help of a practical tool-kit to create a systematic and effective Risk Management.
|
St. Gallen / Switzerland, January 2019 |
Vinay Kalia / Roland Müller |
Table of Contents
Foreword by the Editor of this Series
Foreword by the Authors
Table of Contents
Abbreviations
|
I. |
Introduction |
||
|
1. |
General Overview |
||
|
2. |
Importance of Risk Management |
||
|
a) |
Help for Company |
||
|
b) |
Bank Rating |
||
|
c) |
Insurance |
||
|
3. |
Role of Board Members in Risk Management |
||
|
a) |
Risk Management as a Part of Good Corporate Governance |
||
|
b) |
360° Direction and Control |
||
|
c) |
Setting the Tone of Risk Management |
||
|
d) |
Dealing Effectively with Strategic Issues |
||
|
e) |
Fostering Openness and Creativity |
||
|
f) |
Guidelines and Policies for Risk Management |
||
|
g) |
Serious and Extraordinary Decisions |
||
|
h) |
Supervision of the Company Performance Versus Strategy |
||
|
i) |
Organisation and Structure of Risk Management |
||
|
4. |
Definitions and Concepts |
||
|
a) |
Definition of Risk and Security |
||
|
b) |
Definition of Risk Controlling |
||
|
c) |
Definition of Risk Management |
||
|
d) |
Definition of Emergency Management |
||
|
e) |
Definition of Crisis Management |
||
|
f) |
Definition of Operational Risk Management |
||
|
g) |
Concept of Value-at-Risk |
||
|
h) |
Concept of a Risk Map |
||
|
i) |
Concept of Business Continuity Management (BCM) |
||
|
5. |
Risk Management Standards |
||
|
a) |
Committee of Sponsoring Organisations (COSO) Framework |
||
|
b) |
Sarbanes Oxley Act 2002 |
||
|
c) |
ISO 31000 & 31010 (Risk Management & Risk Assessment) |
||
|
d) |
ISO 19600 (Compliance) |
||
|
II. |
Development of Risk Management |
||
|
1. |
Overview of the Development Stages |
||
|
2. |
Risk Management and Corporate Governance |
||
|
a) |
Overview of ERM and Corporate Governance Interdependence |
||
|
b) |
The Cadbury Report |
||
|
c) |
The Combined Code and Hampel Report |
||
|
d) |
The Turnbull Report |
||
|
e) |
The King II & King III Reports |
||
|
f) |
The Basel Committee Reports |
||
|
3. |
Risk Compliance |
||
|
a) |
Establishing of the Compliance Function at the Executive Level |
||
|
b) |
Guidelines for Compliance Management System |
||
|
c) |
Elements of a Compliance Management System (CMS) |
||
|
III. |
Driving Forces of Risk Management in Switzerland |
||
|
1. |
General Overview |
||
|
2. |
Law as a Driving Force |
||
|
a) |
Importance of Several Regulations |
||
|
b) |
Swiss Code of Obligations |
||
|
c) |
Bank Regulations |
||
|
d) |
German Law for Control and Transparency (KonTraG) |
||
|
3. |
Institutional Investors |
||
|
4. |
Impact of US Developments |
||
|
5. |
Press |
||
|
6. |
Others |
||
|
IV. |
Risk Management Implementation |
||
|
1. |
General Overview |
||
|
2. |
Objective Setting |
||
|
a) |
SWOT-Analysis |
||
|
b) |
Risk Management Policy |
||
|
c) |
Risk Management Guidelines/ Directives |
||
|
d) |
Risk Management Handbook |
||
|
3. |
Risk Identification |
||
|
4. |
Risk Assessment and Prioritisation |
||
|
5. |
Risk Analysis |
||
|
a) |
Key Drivers Analysis/ Root Cause Analysis |
||
|
b) |
Suitable Actions to Respond to the Key Drivers |
||
|
6. |
In-depth Risk Analysis |
||
|
a) |
Quantification of Risks |
||
|
7. |
Action Planning |
||
|
8. |
Monitoring, Reporting and Supervision |
||
|
9. |
Culture |
||
|
10. |
Tools |
||
|
11. |
Timeline and Cost of Risk Management Implementation |
||
|
V. |
Uncontrollable Risks and Corporate Governance |
||
|
1. |
Defining Uncontrollable Risks |
||
|
a) |
Complicated Systems |
||
|
b) |
Complex Systems |
||
|
2. |
Complex Systems Shaping Current Economic Landscape |
||
|
3. |
Era of Black Swan Events (BSE) |
||
|
4. |
Uncontrollable Risks and Boards |
||
|
VI. |
Managing Fraud and Corruption Risks |
||
|
1. |
Problem Overview |
||
|
a) |
Clarity of Norms |
||
|
b) |
Risk of Being Caught |
||
|
c) |
Difficulty to Discuss |
||
|
d) |
Intentional Act |
||
|
2. |
Who are Involved? |
||
|
a) |
Red Flags |
||
|
b) |
Departments Involved in Fraud Cases |
||
|
3. |
Common Forms of Corruption |
||
|
a) |
Gifts and Entertainment |
||
|
b) |
Facilitation Payments and Bribes |
||
|
c) |
Kick-backs and Overbilling Schemes |
||
|
d) |
Bid-rigging and Price Fixing |
||
|
e) |
Use of Agents |
||
|
f) |
Political Support and Charitable Contributions |
||
|
4. |
Managing the Risk of Fraud and Corruption |
||
|
a) |
Effective Compliance Programs |
||
|
VII. |
Risk Management of Major Projects |
||
|
1. |
Why Risk Management of Projects at Board Level? |
||
|
2. |
Risk Management Guidelines |
||
|
3. |
Project Management Handbook |
||
|
4. |
Project Credit Demand Report to the Board of Directors |
||
|
5. |
Final Major Project Credit Demand Report (Closing of Internal Credit Line) |
||
|
6. |
Reporting of Major Projects to the Board of Directors (Guidelines) |
||
|
a) |
Definition of a Major Project |
||
|
b) |
Standard Major Project Report to the Board of Directors |
||
|
7. |
Aggregated Risks of a Company in Relation to Major Projects |
||
|
a) |
Group Risk Report to the Board of Directors |
||
|
b) |
Risk Inventory |
||
|
c) |
Risk Inventory for Major Projects |
||
|
8. |
Communication in Major Projects |
||
|
9. |
External Risks for Major Projects |
||
|
10. |
Decision-making to Minimise or Mitigate Risk of Major Projects |
||
|
VIII. |
Summary and Guidance for Practice |
||
|
1. |
Summary |
||
|
a) |
Key Messages |
||
|
b) |
Organisation at Board Level |
||
|
c) |
Organisation at the Management Level |
||
|
d) |
Risk Management in the Company |
||
|
e) |
Managing Uncontrollable Risks |
||
|
f) |
Managing Fraud and Corruption Risk |
||
|
g) |
Risk Management of Major Projects |
||
|
2. |
Risk Management Practice Today |
||
|
a) |
Integrated ERM |
||
|
b) |
Decision-Making Under Time Pressure |
||
|
c) |
Whistleblowing |
||
|
d) |
Checklists |
||
|
e) |
Small and Medium Companies |
||
|
f) |
Managing Impediments |
||
|
g) |
Self-Appraisal |
||
|
h) |
Keep it Simple |
||
Epilogue
Bibliography
Appendices
Editors
List of Appendices
|
Appendix 1: |
Checklist for Implementing Enterprise Risk Management |
|
Appendix 2: |
Example of a Risk Management Policy |
|
Appendix 3: |
Example of Internal Regulations for Risk Committee |
|
Appendix 4: |
Example of a Risk Identification Form |
|
Appendix 5: |
Questionnaire for IT Risks |
|
Appendix 6: |
Example of a Whistleblowing Policy Document |
|
Appendix 7: |
ERM Self-Appraisal Questionnaire |
|
Appendix 8: |
Guidance for FO2RDEC Analysis |
|
Appendix 9: |
Job Description for Head of Risk Management/ CRO |
|
Appendix 10: |
Example of an Individual Risk Assessment |
|
Appendix 11: |
Insurance Check List for BoD |
|
Appendix 12: |
Generic Collection of Master Risks |
|
Appendix 13: |
Scenarios of the RESIST Methodology |
|
Appendix 14: |
Examples of Anti-Corruption Controls |
|
Appendix 15: |
Practical Guidance for the BoD on Uncontrollable Risks |
|
Appendix 16: |
Elements of a Code of Conduct |
List of Figures
|
Figure 1: |
Corporate Risk Management (CRM) Framework |
|
Figure 2: |
360° Overview by Risk Radar |
|
Figure 3: |
Risk and Security |
|
Figure 4: |
Four Main Types of Risk |
|
Figure 5: |
EBIT@RISK Concept |
|
Figure 6: |
The Classical Risk Map |
|
Figure 7: |
Example of a Risk Map |
|
Figure 8: |
Business Continuity Management Umbrella |
|
Figure 9: |
COSO Enterprise Risk Management Framework |
|
Figure 10: |
Relationship Between Principles, Framework and Process |
|
Figure 11: |
Flowchart of a Compliance Management System |
|
Figure 12: |
Evolution of Risk Management |
|
Figure 13: |
Spiral Approach to Risk Management at Board Level |
|
Figure 14: |
Governance, Risk and Compliance Management System (GRC) |
|
Figure 15: |
Relationship Between Various Risk Management Processes |
|
Figure 16: |
Forces Fostering Better Risk Management in Switzerland |
|
Figure 17: |
ERM Conceptual Framework |
|
Figure 18: |
Risk Classification |
|
Figure 19: |
FMEA Works at All Levels |
|
Figure 20: |
Risks Listed Based on FMEA Workshop |
|
Figure 21: |
Risk Map |
|
Figure 22: |
Example of a Key Driver/ Root-cause Analysis |
|
Figure 23: |
Measures Listed Based on FMEA Workshop |
|
Figure 24: |
Measure Matrix |
|
Figure 25: |
Risks Gradually Reduce |
|
Figure 26: |
Key Strategies to Manage Risks |
|
Figure 27: |
Example of a Periodic Trend Analysis |
|
Figure 28: |
ERM Implementation Overview |
|
Figure 29: |
Globalisation and Systemic Risk |
|
Figure 30: |
Natural Disasters & Technological Disasters Events |
|
Figure 31: |
Turning Black Swans into White Swans |
|
Figure 32: |
Interconnectedness of Main Risks |
|
Figure 33: |
Interconnectedness of Specific Risks |
|
Figure 34: |
Occurrence of Code of Conduct Violations |
|
Figure 35: |
The Fraud Triangle |
|
Figure 36: |
Behavioral Red Flags Displayed by Perpetrators |
|
Figure 37: |
Departments Most Likely Involved in Non-Compliance Cases |
|
Figure 38: |
The Fraud Tree |
|
Figure 39: |
Elements of Fraud Risk Management Framework |
|
Figure 40: |
Impact of Hotlines |
|
Figure 41: |
Risk Reporting Line of a Major Project |
|
Figure 42: |
Reporting Line of a Credit Demand Report for a Major Project |
|
Figure 43: |
Example of the Organisational Structure of a Major Project |
|
Figure 44: |
Organisation of a Standard Major Project Report (Reporting Line) |
|
Figure 45: |
The Global Risks Landscape 2013 |
|
Figure 46: |
Integrated Risk Management |
|
Figure 47: |
Perrow’s Dilemma in Management |
List of Tables
|
Table 1: |
Mistakes and Deficiencies at Board Level |
|
Table 2: |
Overview of Common Constructs of Risks |
|
Table 3: |
Timeline of Risk Management Implementation |
|
Table 4: |
Costs of Implementation of Risk Management Year 1 |
|
Table 5: |
Costs of Implementation of Risk Management after Year 1 |
|
Table 6: |
Black Swan Event Theory |
|
Table 7: |
Two Frameworks for Studying Human Error |
|
Table 8: |
Essentials of Enterprise Risk Management for Different Scale Companies |