Description

Risk Management today has moved from being the topic of top-level conferences and media discussions to being a permanent item on the board and top management agenda. Several new directives and regulations in Switzerland, Germany and the EU make it obligatory for firms to have a risk management strategy and to disclose the risk management process transparently to their stakeholders. Shareholders, insurance providers, banks, media, analysts, employees, suppliers and other stakeholders expect board members to be pro-active in knowing the critical risks facing their organisation and to provide them with reasonable assurance regarding the management of those risks. In this environment, however, the lack of standards and training opportunities makes this task difficult for board members. This book, with the help of real-life examples, analysis of drivers, interpretation of the Swiss legal requirements, and information based on international benchmarks, tries to reach out to the forward-looking leaders of today's businesses. The authors have collectively brought together their years of scientific and practical experience in risk management, Swiss law and board memberships to provide board members with practical solutions in risk management. The desire is that this book will clear the fear of risk management from the minds of company leadership and help them make risk-savvy decisions in their quest to achieve their strategic objectives.

Page count: 259



Vinay Kalia / Roland Müller

(Eds.)

Risk Management at Board Level

A Practical Guide for Board Members


3rd edition

HAUPT VERLAG

For my beautiful and loving daughter Vinaya Melania

Vinay Kalia

For my unique and supportive wife Barbara

Roland Müller

3rd edition: 2019

2nd edition: 2015

1st edition: 2007

Bibliographic information of the German National Library

The German National Library lists this publication in the German National Bibliography; detailed bibliographic data are available on the Internet at http://dnb.dnb.de.

ISBN Print: 978-3-258-08124-3

ISBN E-Book: 978-3-258-48124-1

All rights reserved.

Copyright © 2007 Haupt Bern

Any form of reproduction without the permission of the publisher is prohibited.

Typesetting and layout: Die Werkstatt Medien-Produktion GmbH, D-Göttingen

Book printed in Austria

www.haupt.ch

E-book production and distribution: Brockhaus Commission, Kornwestheim, www.brocom.de

Foreword by the Editor of this Series

Professor Martin Hilb

Board of Directors (BoD) effectiveness is currently one of the few subjects that are topical for both research and practice globally. In this series, our International Center for Corporate Governance presents the results of studies conducted by its partners.

Our approach to Board of Directors (BoD) effectiveness is based on the following guiding principles:

• Keep it situational;

• Keep it strategic;

• Keep it integrated;

• Keep it controlled.

This edition, presented by our two partners Dr.oec. HSG Vinay Kalia (who wrote his doctoral thesis on the subject of Risk Management on the Board of Directors (BoD) and Executive Board (ExB) level under my supervision) and Prof. Dr.iur. Roland Müller, fits into the last principle, «keep it controlled».

Keeping it controlled includes auditing, Risk Management, communication, compliance and evaluation on the Board of Directors (BoD) level.

One result of the Board evaluations we conducted in many organisations is that Risk Management on the board level is an area for development.

A single error alone never lets a company collapse. The cause often lies in the lack of an effective and systematic Risk Management function at the Board of Directors (BoD) level. It should be noted that:

• The new phase in Risk Management started in the 1970s with the growth of credit Risk Management;

• The Risk Management approach in the 21st century takes a holistic view of all risks concerning a company;

• The New York Stock Exchange (NYSE), through its Securities Exchange Commission (SEC), sponsored legislation such as the Sarbanes Oxley Act (SOX) to put additional and mandatory pressure on companies to manage risks on the operational and Board of Directors (BoD) levels and provide totally transparent information to shareholders;

• The financial crisis of 2008 triggered regulatory developments (Mifid, FATCA etc.) that have reinforced the need for and interest in Risk Management and its importance will continue to increase in the foreseeable future;

• Essentially, small and medium companies (SMEs) and very small companies feel that Risk Management does not have any meaning for them. However, Risk Management can be implemented even in such companies both on operational and Board of Directors (BoD) levels with great effectiveness and added value for the company.

Effective Boards need both: Members with profound entrepreneurial spirit and Risk Management know-how. This will decide if companies are the masters or victims of change.

St. Gallen/ Switzerland, January 2019

Martin Hilb

Chairman of the Board Foundation (www.icfcg.org) and its Swiss Board School at the IMP of the University of St. Gallen

Foreword by the Authors

Dr.oec. HSG Vinay Kalia

Prof. Dr.iur. Roland Müller

In the last few years, the world has been transformed by a string of developments which have raised the risk awareness and have moved Risk Management into the centre of attention, at the governance level of all corporations, regulators, public sector institutions and non-governmental organisations. Some of those developments need to be highlighted:

• The major financial crisis of 2008 sparked off many discussions about governance and control of operational risk in financial institutions, like the «too big to fail» discussion. These discussions were intensified by an increasing interest and control stake on the part of the regulators, which is often being criticised as «over-regulation». In the past, internal control systems and compliance activities focussed mainly on financial and legal issues, whereas now they also encompass other risks such as IT security or fraud risks, in order to provide senior decision makers with appropriate risk data;

• Black Swan events such as large scale cyber threats, war, nuclear or natural catastrophes have become more frequent and devastating, even more so as the world has become increasingly interdependent and complex. Such Black Swan events bear unforeseeable and uncontrollable risks. This has substantiated the need for organisations to be prepared for risk, to be «resilient» and focused on Business Continuity Management (BCM);

• Social risks such as the demographical development, migration, religious and national conflicts or resource allocation now directly affect the businesses and their response to such issues, accentuated by the ethical and cultural diversity;

• Large firms have several projects ongoing that are large enough to be firms on their own, either in terms of size or complexity. Thus a lot is at stake financially and existentially for the firm («trillion is the new billion»). These firms have increasingly felt the need for project Risk Management as it enables both self-governed process management and information escalation.

The above illustrates that Risk Management has in the last years become even more important than before and many formal and material changes have occurred.

Our objective for the first edition of this book was to present readers with a practical understanding of risk and Risk Management, with all its facets and topics, providing real life examples, tools, guidelines and checklists to manage them.

The book has been used and appreciated by practitioners, especially by board and senior management members who participated in board governance seminars. This is because the developments discussed above are on their minds and agendas very often. Their questions raised to the authors and the discussions resulting from them have been reflected in the second edition. Moreover, all context and contents of the book have been updated. Further thought has been given to the discussion of Risk Management as a «system» rather than a theme, to Compliance, Internal Controls (section II.3) and to the establishment of the right Risk Management culture (IV.9).

To complement and reflect on the emerging Risk Management needs for today, three guest authors were invited to enrich the book with their subject matter expertise.

• Lee Howell presents in chapter V how the phenomenon of uncontrollable risks and black swan events can be understood and practically managed by firms;

• Peter Jonker, in chapter VI, explains why fraud and corruption risks are different from all other risk categories and what is required to keep the firm away from serious risks and damage related to them;

• Stephan Döhler, in chapter VII, sheds light on the project Risk Management where the success of big or vital projects has a significant influence on the health and wellbeing of the firm.

A special word of thanks to them for sharing their experience and thoughts. Special thanks to Mark Macus for reviewing the first edition of the book and providing valuable inputs for improving and updating the new edition. Finally, we highly appreciate Martina Schedler and Beat Gyger for working tirelessly in providing the final shape to the manuscript.

It is our sincere hope that this book benefits readers, especially Directors of the Board as well as Executive Managers, in embracing the new risk landscape and empowers them, with the help of a practical tool-kit, to create a systematic and effective Risk Management.

St. Gallen / Switzerland, January 2019

Vinay Kalia / Roland Müller

Table of Contents

Foreword by the Editor of this Series

Foreword by the Authors

Table of Contents

Abbreviations

I. Introduction
  1. General Overview
  2. Importance of Risk Management
    a) Help for Company
    b) Bank Rating
    c) Insurance
  3. Role of Board Members in Risk Management
    a) Risk Management as a Part of Good Corporate Governance
    b) 360° Direction and Control
    c) Setting the Tone of Risk Management
    d) Dealing Effectively with Strategic Issues
    e) Fostering Openness and Creativity
    f) Guidelines and Policies for Risk Management
    g) Serious and Extraordinary Decisions
    h) Supervision of the Company Performance Versus Strategy
    i) Organisation and Structure of Risk Management
  4. Definitions and Concepts
    a) Definition of Risk and Security
    b) Definition of Risk Controlling
    c) Definition of Risk Management
    d) Definition of Emergency Management
    e) Definition of Crisis Management
    f) Definition of Operational Risk Management
    g) Concept of Value-at-Risk
    h) Concept of a Risk Map
    i) Concept of Business Continuity Management (BCM)
  5. Risk Management Standards
    a) Committee of Sponsoring Organisations (COSO) Framework
    b) Sarbanes Oxley Act 2002
    c) ISO 31000 & 31010 (Risk Management & Risk Assessment)
    d) ISO 19600 (Compliance)

II. Development of Risk Management
  1. Overview of the Development Stages
  2. Risk Management and Corporate Governance
    a) Overview of ERM and Corporate Governance Interdependence
    b) The Cadbury Report
    c) The Combined Code and Hampel Report
    d) The Turnbull Report
    e) The King II & King III Reports
    f) The Basel Committee Reports
  3. Risk Compliance
    a) Establishing of the Compliance Function at the Executive Level
    b) Guidelines for Compliance Management System
    c) Elements of a Compliance Management System (CMS)

III. Driving Forces of Risk Management in Switzerland
  1. General Overview
  2. Law as a Driving Force
    a) Importance of Several Regulations
    b) Swiss Code of Obligations
    c) Bank Regulations
    d) German Law for Control and Transparency (KonTraG)
  3. Institutional Investors
  4. Impact of US Developments
  5. Press
  6. Others

IV. Risk Management Implementation
  1. General Overview
  2. Objective Setting
    a) SWOT-Analysis
    b) Risk Management Policy
    c) Risk Management Guidelines/ Directives
    d) Risk Management Handbook
  3. Risk Identification
  4. Risk Assessment and Prioritisation
  5. Risk Analysis
    a) Key Drivers Analysis/ Root Cause Analysis
    b) Suitable Actions to Respond to the Key Drivers
  6. In-depth Risk Analysis
    a) Quantification of Risks
  7. Action Planning
  8. Monitoring, Reporting and Supervision
  9. Culture
  10. Tools
  11. Timeline and Cost of Risk Management Implementation

V. Uncontrollable Risks and Corporate Governance
  1. Defining Uncontrollable Risks
    a) Complicated Systems
    b) Complex Systems
  2. Complex Systems Shaping Current Economic Landscape
  3. Era of Black Swan Events (BSE)
  4. Uncontrollable Risks and Boards

VI. Managing Fraud and Corruption Risks
  1. Problem Overview
    a) Clarity of Norms
    b) Risk of Being Caught
    c) Difficulty to Discuss
    d) Intentional Act
  2. Who are Involved?
    a) Red Flags
    b) Departments Involved in Fraud Cases
  3. Common Forms of Corruption
    a) Gifts and Entertainment
    b) Facilitation Payments and Bribes
    c) Kick-backs and Overbilling Schemes
    d) Bid-rigging and Price Fixing
    e) Use of Agents
    f) Political Support and Charitable Contributions
  4. Managing the Risk of Fraud and Corruption
    a) Effective Compliance Programs

VII. Risk Management of Major Projects
  1. Why Risk Management of Projects at Board Level?
  2. Risk Management Guidelines
  3. Project Management Handbook
  4. Project Credit Demand Report to the Board of Directors
  5. Final Major Project Credit Demand Report (Closing of Internal Credit Line)
  6. Reporting of Major Projects to the Board of Directors (Guidelines)
    a) Definition of a Major Project
    b) Standard Major Project Report to the Board of Directors
  7. Aggregated Risks of a Company in Relation to Major Projects
    a) Group Risk Report to the Board of Directors
    b) Risk Inventory
    c) Risk Inventory for Major Projects
  8. Communication in Major Projects
  9. External Risks for Major Projects
  10. Decision-making to Minimise or Mitigate Risk of Major Projects

VIII. Summary and Guidance for Practice
  1. Summary
    a) Key Messages
    b) Organisation at Board Level
    c) Organisation at the Management Level
    d) Risk Management in the Company
    e) Managing Uncontrollable Risks
    f) Managing Fraud and Corruption Risk
    g) Risk Management of Major Projects
  2. Risk Management Practice Today
    a) Integrated ERM
    b) Decision-Making Under Time Pressure
    c) Whistleblowing
    d) Checklists
    e) Small and Medium Companies
    f) Managing Impediments
    g) Self-Appraisal
    h) Keep it Simple

Epilogue

Bibliography

Appendices

Editors

List of Appendices

Appendix 1: Checklist for Implementing Enterprise Risk Management
Appendix 2: Example of a Risk Management Policy
Appendix 3: Example of Internal Regulations for Risk Committee
Appendix 4: Example of a Risk Identification Form
Appendix 5: Questionnaire for IT Risks
Appendix 6: Example of a Whistleblowing Policy Document
Appendix 7: ERM Self-Appraisal Questionnaire
Appendix 8: Guidance for FO2RDEC Analysis
Appendix 9: Job Description for Head of Risk Management/ CRO
Appendix 10: Example of an Individual Risk Assessment
Appendix 11: Insurance Check List for BoD
Appendix 12: Generic Collection of Master Risks
Appendix 13: Scenarios of the RESIST Methodology
Appendix 14: Examples of Anti-Corruption Controls
Appendix 15: Practical Guidance for the BoD on Uncontrollable Risks
Appendix 16: Elements of a Code of Conduct

List of Figures

Figure 1: Corporate Risk Management (CRM) Framework
Figure 2: 360° Overview by Risk Radar
Figure 3: Risk and Security
Figure 4: Four Main Types of Risk
Figure 5: [email protected] Concept
Figure 6: The Classical Risk Map
Figure 7: Example of a Risk Map
Figure 8: Business Continuity Management Umbrella
Figure 9: COSO Enterprise Risk Management Framework
Figure 10: Relationship Between Principles, Framework and Process
Figure 11: Flowchart of a Compliance Management System
Figure 12: Evolution of Risk Management
Figure 13: Spiral Approach to Risk Management at Board Level
Figure 14: Governance, Risk and Compliance Management System (GRC)
Figure 15: Relationship Between Various Risk Management Processes
Figure 16: Forces Fostering Better Risk Management in Switzerland
Figure 17: ERM Conceptual Framework
Figure 18: Risk Classification
Figure 19: FMEA Works at All Levels
Figure 20: Risks Listed Based on FMEA Workshop
Figure 21: Risk Map
Figure 22: Example of a Key Driver/ Root-cause Analysis
Figure 23: Measures Listed Based on FMEA Workshop
Figure 24: Measure Matrix
Figure 25: Risks Gradually Reduce
Figure 26: Key Strategies to Manage Risks
Figure 27: Example of a Periodic Trend Analysis
Figure 28: ERM Implementation Overview
Figure 29: Globalisation and Systemic Risk
Figure 30: Natural Disasters & Technological Disasters Events
Figure 31: Turning Black Swans into White Swans
Figure 32: Interconnectedness of Main Risks
Figure 33: Interconnectedness of Specific Risks
Figure 34: Occurrence of Code of Conduct Violations
Figure 35: The Fraud Triangle
Figure 36: Behavioral Red Flags Displayed by Perpetrators
Figure 37: Departments Most Likely Involved in Non-Compliance Cases
Figure 38: The Fraud Tree
Figure 39: Elements of Fraud Risk Management Framework
Figure 40: Impact of Hotlines
Figure 41: Risk Reporting Line of a Major Project
Figure 42: Reporting Line of a Credit Demand Report for a Major Project
Figure 43: Example of the Organisational Structure of a Major Project
Figure 44: Organisation of a Standard Major Project Report (Reporting Line)
Figure 45: The Global Risks Landscape 2013
Figure 46: Integrated Risk Management
Figure 47: Perrow’s Dilemma in Management

List of Tables

Table 1: Mistakes and Deficiencies at Board Level
Table 2: Overview of Common Constructs of Risks
Table 3: Timeline of Risk Management Implementation
Table 4: Costs of Implementation of Risk Management Year 1
Table 5: Costs of Implementation of Risk Management after Year 1
Table 6: Black Swan Event Theory
Table 7: Two Frameworks for Studying Human Error
Table 8: Essentials of Enterprise Risk Management for Different Scale Companies

Abbreviations

ACFE: Association of Certified Fraud Examiners
ADR: American Depositary Receipt
AIRMIC: Association of Insurance and Risk Managers
ALARM: National Forum for Risk Management in the Public Sector
BCM: Business Continuity Management
BoD: Board of Directors
BSC: Balanced Scorecard
BSE: Black Swan Events
CCO: Chief Compliance Officer
CEO: Chief Executive Officer
CFO: Chief Financial Officer
CG: Corporate Governance
CHF: Swiss Franc
CMS: Compliance Management System
CO: Swiss Code of Obligations
COSO: Committee of Sponsoring Organisations
CRO: Chief Risk Officer
EBIT: Earnings Before Interest and Taxes
EBITDA: Earnings Before Interest, Taxes, Depreciation, and Amortisation
EM: Environmental Management
ERM: Enterprise Risk Management
ExB: Executive Board
FATCA: Foreign Account Tax Compliance Act
FATF: Financial Action Task Force
FCA: British Financial Conduct Authority
FCPA: Foreign Corrupt Practices Act
FDI: Foreign Direct Investment
FERMA: Federation of European Risk Management Associations
FMEA: Failure Mode and Effects Analysis
FTE: Full-Time Equivalent
GDP: Gross Domestic Product
GPS: Global Positioning System
GRC: Governance, Risk Management and Compliance
HR: Human Resources
HRO: High Reliability Organisation
ICFR: Internal Control over Financial Reporting
ICS: Internal Control System
IRM: Institute for Risk Management
ISO: International Organisation for Standardisation
IT: Information Technology
KPI: Key Performance Indicators
LIBOR: London Interbank Offered Rate
MIS: Management Information System
MPN: Measure Priority Number
NYSE: New York Stock Exchange
OECD: Organisation for Economic Co-operation and Development
PCAOB: The Public Company Accounting Oversight Board
QM: Quality Management
RESIST: Resisting Extortion and Solicitation in International Transactions
RIMS: Risk and Insurance Management Society
RM: Risk Management
RPN: Risk Priority Number
SAQ: Swiss Association for Quality
SARS: Severe Acute Respiratory Syndrome
SEC: The Securities and Exchange Commission
SME: Small and Medium Enterprise
SOX: Sarbanes Oxley Act
SWIFT: Society for Worldwide Interbank Financial Telecommunication
SWOT: Strengths, Weaknesses, Opportunities, Threats
SWX: Swiss Stock Exchange
UK/ U.K.: United Kingdom
UN: United Nations
US/ U.S.A.: United States of America
USD: United States Dollars
VaR: Value-at-Risk
WEF: World Economic Forum

I. Introduction

1. General Overview

Risk Management is not a new idea or concept. Forms of Risk Management have existed at all times and for all kinds of scenarios that people had to manage. Risk Management implies that actions are taken to anticipate, minimise or mitigate risks from imminent or future events, with the goal of mastering and controlling them.

In an enterprise quite a number of individuals work together. This circumstance creates not only a common goal and interest but also a shared destiny and shared risks, which again leads to a need for increased control to manage such risks. The performance of an enterprise has direct or indirect effects not only on the employees but also on the owners (shareholders), customers, suppliers, and other stakeholders. And in turn that network of interest groups also influences the company, which bears additional risks. Therefore, a company must be aware of all such mutual impacts and risks. It is held accountable and expected to take corresponding actions.

Collecting and systematically analysing a company's risks and the measures taken to handle them may be called the process of Risk Management, or simply Risk Management. Complex and wide-ranging as it may have become, Risk Management is not meant to be a bureaucratic and control-focused exercise in its own right. It should be an integrated yet all-embracing process that increases awareness, understanding and handling of impacts and risks in and around the company. This serves, not least, to increase the certainty and reliability of the future for a large number of individuals, especially in times of volatility and instability. It goes without saying that not only big companies but also medium and even small firms need Risk Management, though the depth of analysis, formality of processes, organisation and resource allocation may vary according to size, complexity and risk exposure in a given business.

Risks are all around and well known to many, and yet they are often recognised as such too late, so that neither enough time nor adequate measures are available to prevent them from materialising to their full potential or to minimise the damage for the company. A good top management should aim to recognise risks at an early stage and should try to minimise the most dangerous amongst them through adequate strategic or tactical measures. Consciously or unconsciously, every enterprise management pursues Risk Management, but the endeavour should be to optimise the risk measures overall. Appendix 1 outlines an Enterprise Risk Management Implementation Check List. It provides a good overview of what Enterprise Risk Management entails and which key phases are involved in establishing it organisation-wide in an effective and efficient way.

In article 716a of the Swiss Code of Obligations (CO) under number 1, the ultimate direction of the company is assigned to the BoD. In connection with these tasks, the BoD also has the non-transferable and inalienable duty to avoid unnecessary risks and minimise inevitable risks in order to guarantee the existence and the advancement of the enterprise. Not surprisingly, since 2008 article 663b CO has included an obligation for all companies to comment on their risk assessment in the notes to the annual financial statement.

To be able to compare the efficiency of Risk Management between different companies, a certain standard is necessary with regard to the following points:

• Terminology with regard to the use of concepts;

• Risk Management implementation process;

• Organisational structure of Risk Management;

• Objective of Risk Management.

Such standards were introduced in the UK after comprehensive accounts on the subject by different professional associations such as the Institute for Risk Management (IRM), the Association of Insurance and Risk Managers (AIRMIC), and the National Forum for Risk Management in the Public Sector (ALARM). The Federation of European Risk Management Associations (FERMA) and other similar initiatives have tried hard to translate the standards into practice, so that organisations and enterprises could compete within this framework.

Governance, Risk Management and Compliance are increasingly referred to collectively as «GRC»1, with the corporate functions being linked conceptually:

«Activist shareholders, institutional investors and policymakers look to these activities as crucial means for improving business ethics, enhancing the observation of legal norms, and deterring firms from engaging in unsafe or unsound practices. Regulators encourage companies to upgrade their activities in these areas; if companies do not comply, the regulators find ways to force them to do so.»2

The terms Enterprise Risk Management (ERM) and Corporate Risk Management (CRM) are often used interchangeably in research literature. Yet the use of the term «corporate» acknowledges the nexus between governance, Risk Management and compliance in a corporate context. (See Figure 1).

Figure 1: Corporate Risk Management (CRM) Framework

Source: Lee Howell

2. Importance of Risk Management

a) Help for Company

Some of the most common reasons cited for Risk Management are that it helps the company with several issues such as:

• Formulate and develop a strategy that responds to major risks;

• Make the company risk profile transparent with respect to stakeholders;

• Assure shareholders and stakeholders that risks have been assessed and managed;

• Put in place sound early warning systems;

• Ensure that the firm is sustainable (for example, protecting it from existence-threatening situations);

• Have appropriate Risk Management solutions and control measures in place;

• Safeguard reputation and goodwill;

• Continuously increase the value of the company through proactive Risk Management;

• Standardise terminology and processes relating to risk across the organisation;

• Adhere to both old and new laws relating to risk.

b) Bank Rating

Companies have an ongoing need for capital, and in the Swiss economic environment banks are one of the main creditors of companies. Before issuing loans to firms, banks want to analyse their risk profile and Risk Management profile. The ratings of companies are increasingly based on how they manage their risks. A good rating helps to get easier access to capital at favourable rates, which reduces the cost of doing business. There are several organisations, like Standard & Poor's, that provide credit ratings for companies.

c) Insurance

As mentioned above, companies with good Risk Management gain cheaper access to capital. Solid Risk Management may also result in favourable deals or reduced premiums with insurance providers. One such example is that of the Swiss Post. According to Mr. Affolter, Head of Insurance Risk Management, the company has maintained its pre-September 11 premiums despite a perceived overall increase in the risk environment. He asserts that this has been possible only due to sound Risk Management practices. The assertion becomes even stronger when compared to the company’s competitors, whose premiums have almost doubled in the same period.

This is indeed an important development, as Risk Management now makes direct financial sense, contrary to the belief of many sceptics who felt Risk Management was just a cost centre and a bureaucratic exercise. Hence it has become indispensable to bring Risk Management and insurance calculations into a direct context. There is a range of aspects that should be considered in this respect; an illustration of them is given in the Insurance Check List in this book.

An example of an Insurance Check List for the BoD is provided in Appendix 11.

3. Role of Board Members in Risk Management

a) Risk Management as a Part of Good Corporate Governance

The International Center for Corporate Governance at the Swiss Board School at the IMP of the University of St. Gallen has established a Board Management School, where Directors of Boards (BoD) are professionally trained. Discussions with the participants of different courses have resulted in a list of 10 principal BoD mistakes and deficiencies (Table 1). If bankruptcies occur, more than one of these points is usually amongst the causes of the failure.

Table 1: Mistakes and Deficiencies at Board Level

1. Wrong structure and insufficient qualification of the Board of Directors (BoD), in particular concerning the function of the Chairman combined with the absence of the non-executive board members.

2. Board members are not adequately prepared and do not have the necessary overview.

3. Board decisions are influenced by conflicts of interests that are not properly detected and controlled.

4. No or too little identification with strategy and with strategic control.

5. Missing or deficient Risk Management, in particular concerning liquidity planning and succession regulations.

6. Low frequency of Board meetings, so that the Board of Directors can only react to changes and events instead of being proactive.

7. Unsatisfactory provision of information and information evaluation, in particular as a result of insufficient or delayed reporting to the Board of Directors.

8. Delayed or incorrect decision making, mainly due to incomplete decision documents.

9. Lack of cooperation between Board of Directors and executive management, primarily unclear allocation of duties and competence.

10. Absence of periodic evaluation of the board members and executive management; inefficient Board and Executive Board members are replaced too late.

Missing or insufficient Risk Management is listed here as one of the principal reasons for the failure of companies. It is not surprising that all the above-listed defects are rooted in Corporate Governance issues. If companies consistently collected and documented all risks linked to management failure, they would uncover and be aware of risks and could take action to prevent many errors at an early stage. Therefore, in the area of Corporate Governance, Risk Management assumes key significance for the Board of Directors (BoD). Some of the key responsibilities of the Board of Directors (BoD) with regard to Risk Management are discussed in the following sections.

b) 360º Direction and Control

If the reasons for the failure of enterprises in the past decades are analysed, it can be clearly observed that often the Board of Directors (BoD) did not (or decided not to) recognise threatening risks and therefore did not initiate any measures to mitigate these risks. The resulting damage was hardly ever managed adequately, which in the end caused the fall of the enterprise. Thus financial risks are not the sole reason for failure. Strategic risks have also gained the attention of BoDs. They have not just been identified as risks but – like financial and operational risks – have been analysed in many respects. Corporate Governance risks should always be part of an integrated Risk Management concept of a firm. Figure 2 illustrates these risks as a «risk radar»:

Figure 2: 360° Overview by Risk Radar

Source: Kägi and Pauli (2003: 7)

In a similar way as described in the diagram above, the main «Risk Traps» at the board level have been further detailed by Prof. Dubs,3 who classifies the main risks for the board into the following four categories:

• Environment and Market;

• Planning and Culture;

• Finance and Costs;

• Legal and Compliance.

c) Setting the Tone of Risk Management

The tone of Risk Management is set at the top of the organisation. When Risk Management is being established, it may be considered a costly, resource-consuming and bureaucratic exercise. There is some truth in this, especially in corporate cultures where Risk Management is not «lived» by the organisation but is carried out to satisfy the Executive Board (ExB). In these cases Risk Management will fail to achieve its objectives. To reduce the likelihood of such an outcome, the Board of Directors (BoD) can be pro-active: requesting detailed information about risks, insisting on adherence to guidelines and policies (preferably championed at a senior level), and analysing the quality of Risk Management initiatives and their impact on the performance of the company. It is often reported that, owing to time constraints and lack of resources, Risk Management discussions were cancelled or postponed. Hence it is important in the early days of establishing Risk Management in the organisation that the Executive Board (ExB) is fully committed and underlines the importance of good Risk Management. Boards could address this challenge by defining Risk Management as a key contribution to company performance, rather than as the provision of information about poor performance.

d) Dealing Effectively with Strategic Issues

Boards normally meet five or six times a year4 and have many issues to discuss in their meetings apart from risk-related issues. This allows only short discussions of the most critical and strategic issues. The Board of Directors (BoD) must ascertain the categories into which risks will fall, and the level at which these risks will be dealt with in the company. In a workshop organised by the author with board members some years ago, it was pointed out that there should be a good understanding of the difference between risk issues and management issues in a company