Introduction
Organizations today have to operate in an increasingly digitized, volatile, and complex business environment, which exposes them to a plethora of risks. To thrive in this rapidly evolving risk landscape, it is critical to understand the risks individually as well as how they are interconnected—only then will organizations have a holistic and peripheral view of their risk profile and gauge their potential impact. These capabilities, in turn, optimize operational efficiency, drive agility in business decisions and make them more risk-aware and data-driven, while boosting organizational preparedness for future risk events. If implemented properly, such a system can also help build confidence with regulators by providing the necessary documentation and evidence of the efficacy of controls, strong risk data governance, and issue reporting framework with clear lines of accountability. As such, a robust risk management system has become an absolute necessity for organizations today to aid their pursuit of business goals as well as overall enterprise governance and management.
It is against this background that the Institut der Wirtschaftsprüfer in Deutschland or the Institute of Public Auditors in Germany (IDW) revised the IDW PS 340 n.F. on the audit of the early risk detection system. Starting 01 January 2021, the revised standard is mandatory for all listed companies. A Joint Statement by experts states, “The legally required main task of a risk early warning system - as the core of risk management - consists [of] recognizing "developments that could endanger the existence of the company" at an early stage (Section 91 (2) AktG)… The early detection of developments threatening the existence of the company requires the identification of rare extreme risks and, due to the fact that risks cannot be added together, risk aggregation (Monte Carlo simulation).” (Google translated)
Click on link to read more about what is regulatory compliance and why it is important.
What the Revised Standard Entails
The new version focuses on the following aspects:
- Specification of the basic elements of an early risk detection system (Risikofrüherkennungssystems) based on the basic elements developed for setting up and testing risk management and compliance management systems (see IDW PS 980 and IDW PS 981)
- Emphasis on the obligations of a company in relation to risk-bearing capacity and risk aggregation
- Clarifications on the design of the measures in accordance with Section 91 (2) AktG for groups
- Clarifications on the consideration of "net risks" and on risk control as part of the basic elements of a risk early warning system to be checked
- Clarification of the company's documentation obligations, taking into account the case law that has been passed in the meantime
- Specification and emphasis that the audit is carried out by the auditor in accordance with Section 317 (4) of the German Commercial Code (HGB), taking into account the knowledge gained during the audit of the annual financial statements and the management report.
- Revision of the auditor's report:
- Further reporting with regard to identified deficiencies
- Additional requirements with regard to any necessary restriction or refusal of the declaration
What This Means for Companies
Adopting the revised standard would require companies to revamp their risk management program to ensure:
That, however, is easier said than done. According to a recent Deloitte survey of German companies, while there is a growing awareness of the benefits of a risk management system as an efficient corporate management tool, only 56% of those surveyed said that they were planning a revision of the risk management system to adapt to the standard. A considerable number of firms have simple and poorly coordinated measures, and more than half of the respondents said that they neither have a documented risk strategy, nor a concept for determining risk appetite.
The company identified the need to upgrade its risk and compliance management program which had become increasingly cumbersome, siloed, and inconsistent. The risk teams struggled to aggregate, reconcile, and report risk data from across the lines of the business. Without a real-time view of risks, leaders couldn’t make informed business decisions. The company chose MetricStream for its out-of-the-box Integrated Risk Solution, for its simplicity and robustness. With the implementation, the company successfully standardized risk and compliance processes, frameworks, and standards across the enterprise. MetricStream established a common risk taxonomy across the lines of the business, so that everyone could communicate in a harmonized manner. Meanwhile, comprehensive risk event forms had improved the quality of risk reporting. Looking at the data, stakeholders could easily identify the root causes of risk events, as well as common themes across the business.
How MetricStream Can Help
With the standard already in force, companies have to act now to adapt their risk management system to the new regulatory requirements. This is where MetricStream can help companies achieve compliance with the new standard in a seamless and streamlined manner while being resilient to future crises.
The MetricStream IDW PS 340 n.F. solution enables a structured and systematic approach towards managing organizational risks. Built on the MetricStream Platform, and supported by uniform risk assessment methodologies and standards, the solution gives organizations the ability to identify and report emerging risks, accurately understand risks, and gain clear visibility into the top risks they face. The “multi-dimensional organization structure” functionality helps model risk management programs based on organizational hierarchies. Multi-dimensional risk assessments and aggregation based on several qualitative and quantitative parameters can be performed to establish the organization’s risk profile. Real-time insights into risk management programs are offered through powerful analytics, advanced heat maps, reports, dashboards, and charts enabling organizations to make risk-informed decisions that optimize business performance.
Organizations today have to operate in an increasingly digitized, volatile, and complex business environment, which exposes them to a plethora of risks. To thrive in this rapidly evolving risk landscape, it is critical to understand the risks individually as well as how they are interconnected—only then will organizations have a holistic and peripheral view of their risk profile and gauge their potential impact. These capabilities, in turn, optimize operational efficiency, drive agility in business decisions and make them more risk-aware and data-driven, while boosting organizational preparedness for future risk events. If implemented properly, such a system can also help build confidence with regulators by providing the necessary documentation and evidence of the efficacy of controls, strong risk data governance, and issue reporting framework with clear lines of accountability. As such, a robust risk management system has become an absolute necessity for organizations today to aid their pursuit of business goals as well as overall enterprise governance and management.
It is against this background that the Institut der Wirtschaftsprüfer in Deutschland or the Institute of Public Auditors in Germany (IDW) revised the IDW PS 340 n.F. on the audit of the early risk detection system. Starting 01 January 2021, the revised standard is mandatory for all listed companies. A Joint Statement by experts states, “The legally required main task of a risk early warning system - as the core of risk management - consists [of] recognizing "developments that could endanger the existence of the company" at an early stage (Section 91 (2) AktG)… The early detection of developments threatening the existence of the company requires the identification of rare extreme risks and, due to the fact that risks cannot be added together, risk aggregation (Monte Carlo simulation).” (Google translated)
Click on link to read more about what is regulatory compliance and why it is important.
The new version focuses on the following aspects:
- Specification of the basic elements of an early risk detection system (Risikofrüherkennungssystems) based on the basic elements developed for setting up and testing risk management and compliance management systems (see IDW PS 980 and IDW PS 981)
- Emphasis on the obligations of a company in relation to risk-bearing capacity and risk aggregation
- Clarifications on the design of the measures in accordance with Section 91 (2) AktG for groups
- Clarifications on the consideration of "net risks" and on risk control as part of the basic elements of a risk early warning system to be checked
- Clarification of the company's documentation obligations, taking into account the case law that has been passed in the meantime
- Specification and emphasis that the audit is carried out by the auditor in accordance with Section 317 (4) of the German Commercial Code (HGB), taking into account the knowledge gained during the audit of the annual financial statements and the management report.
- Revision of the auditor's report:
- Further reporting with regard to identified deficiencies
- Additional requirements with regard to any necessary restriction or refusal of the declaration
Adopting the revised standard would require companies to revamp their risk management program to ensure:
That, however, is easier said than done. According to a recent Deloitte survey of German companies, while there is a growing awareness of the benefits of a risk management system as an efficient corporate management tool, only 56% of those surveyed said that they were planning a revision of the risk management system to adapt to the standard. A considerable number of firms have simple and poorly coordinated measures, and more than half of the respondents said that they neither have a documented risk strategy, nor a concept for determining risk appetite.
The company identified the need to upgrade its risk and compliance management program which had become increasingly cumbersome, siloed, and inconsistent. The risk teams struggled to aggregate, reconcile, and report risk data from across the lines of the business. Without a real-time view of risks, leaders couldn’t make informed business decisions. The company chose MetricStream for its out-of-the-box Integrated Risk Solution, for its simplicity and robustness. With the implementation, the company successfully standardized risk and compliance processes, frameworks, and standards across the enterprise. MetricStream established a common risk taxonomy across the lines of the business, so that everyone could communicate in a harmonized manner. Meanwhile, comprehensive risk event forms had improved the quality of risk reporting. Looking at the data, stakeholders could easily identify the root causes of risk events, as well as common themes across the business.
With the standard already in force, companies have to act now to adapt their risk management system to the new regulatory requirements. This is where MetricStream can help companies achieve compliance with the new standard in a seamless and streamlined manner while being resilient to future crises.
The MetricStream IDW PS 340 n.F. solution enables a structured and systematic approach towards managing organizational risks. Built on the MetricStream Platform, and supported by uniform risk assessment methodologies and standards, the solution gives organizations the ability to identify and report emerging risks, accurately understand risks, and gain clear visibility into the top risks they face. The “multi-dimensional organization structure” functionality helps model risk management programs based on organizational hierarchies. Multi-dimensional risk assessments and aggregation based on several qualitative and quantitative parameters can be performed to establish the organization’s risk profile. Real-time insights into risk management programs are offered through powerful analytics, advanced heat maps, reports, dashboards, and charts enabling organizations to make risk-informed decisions that optimize business performance.
