
Risk management and management control systems

Similarities and differences

©2013 Academic Paper 30 Pages

Summary

The purpose of every for-profit organization is to earn profit, to secure its existence and to meet stakeholders' expectations, but every company is also confronted with certain risks. Some are easy to handle, others are existence-threatening. The accumulation of global economic crises, frauds, and financial scandals, but also terrorist attacks and failures in large computer systems, shows that businesses face greater challenges than before and confirms the importance of risk management. Hence, companies have to implement risk management systems and processes to identify, assess and treat risks. Many of these risks and problems are externally given, but some also result from the misconduct of a company's managers and employees. This leads to the need for systems that help to control employees and managers and ensure that they act in the firm's interest. These systems are called management control systems. But what is more effective and efficient in supporting the company in reaching its goals, risk management or management control systems? There is a research gap concerning this question. Thus, the resulting questions are as follows: What exactly is risk management? What exactly is a management control system? What are the similarities and differences? Is it possible to combine both to reach a kind of perfect control system for businesses? This book is intended to answer these questions.

Excerpt


1. Introduction

The objective of every for-profit organization is to earn profit, to secure its existence and to meet stakeholders' expectations, but every company is confronted with certain risks. Some are easy to handle, others are existence-threatening. This makes it difficult to achieve these objectives. The accumulation of global economic crises, frauds, and financial scandals, but also terrorist attacks and failures in large computer systems, shows that businesses are faced with greater challenges than before and how important it is to manage risks. Hence, companies have to implement risk management systems and processes to identify, assess and treat risks, and so to create transparency over the risk situation and to plan for the future. Many of these risks and problems are externally given, but some also result from the misconduct of a company's managers and employees. Owners and managers of a business are not always the same, and growing businesses need to employ more and more people to bring the company to success, but employees do not always act in the company's interest, sometimes intentionally, sometimes unintentionally (this subject is often described through the so-called principal-agent theory [1]). This leads to the need for systems that help to control employees and managers and ensure that they act in the firm's interest. These systems are called management control systems.

But what is more effective and efficient in supporting the company in reaching its goals, risk management or management control systems? There is a research gap concerning this question. Thus, the resulting questions are the following: What exactly is risk management? What exactly is a management control system? What are the similarities and differences between the two? Is it perhaps possible to combine both to reach a kind of perfect control system for businesses? This paper is intended to answer these questions.

It is structured into four sections as follows. Section 1 gives a short introduction to the subject, states the research questions and contains the outline of this paper. Section 2 introduces the theoretical background of both risk management and management control systems, i.e. definitions, processes and different understandings are introduced. Section 3 can be seen as the core of the paper, because it focuses on the legal framework and the relation between risk management and management control systems. It first describes issues concerning rules and legislation, then compares risk management and management control systems directly. Section 4 summarizes all key findings and answers to the questions above and shows areas for future research.

[1] For a brief description of the principal-agent theory see: Tirole, 2001, pp. 1-2.

2. Theoretical background

This chapter contains the theoretical background of the paper and focuses on the basic theory of risk management and management control systems. It first gives an introduction to the terms of risk and risk management and describes the risk management process. Then it provides a closer look at management control systems, i.e. definitions, purposes, and different understandings.

2.1. Risk management

2.1.1. Risk definition and classification

The starting point for handling risks in a company is a clear definition of risk, and defining risks is fundamental to an effective risk management practice, which is covered in the next subchapter.

The origin of the term risk is presumably the Italian word risco, which can be translated as danger or responsibility. Risk definitions vary widely in the literature, and so no generally accepted definition has emerged, either in theory or in practice. Nevertheless, risk is a common word which always has something to do with uncertainty and with future events and their consequences. Some define risks as "potential events that could influence the achievement of the organization's objectives" (Doody, 2009, p. 17), others say "a risk is the effect of uncertainty on objectives" (Meyer et al., 2011, p. 2). A common definition describes risk as the possibility of deviation of a future event from an originally anticipated event (see Cottin & Döhler, 2013, pp. 1-2); thus risk can be both positive and negative deviation. Negative deviation often means risk of damage or loss, and positive deviation means opportunities. In practice risk is usually defined "as the combination of the probability of an event and its consequences" (IRM, 2002, p. 2).

Since we now understand what is meant by risk, we can have a closer look at the different types of risk. One can subdivide these into internal and external risks (see Diederichs, 2012, pp. 55-57). Internal risks relate to operational business processes and result from entrepreneurial acts. External risks affect the entire company and can be seen as risks from the corporate environment or from society.

Risks can be categorized in many different ways, but according to Diederichs one can classify internal risks as shown in figure 1. The significance of particular types of risk varies from company to company. [2]

[2] For further information see: Nevries & Strauß, 2008, pp. 106-111.

Figure 1: Exemplary risk categorization (Source: Diederichs, 2012, p. 56 [translated])
[Figure 1 content, recovered from the extracted labels: risk categories and risk fields. External risks: natural events; political & legal risks; technological risks; socio-cultural risks; macroeconomic risks. Financial risks (internal risks): raising capital; liquidity; indebtedness. Risks from management & organization (internal risks): management quality; organizational structure; staff; planning; information technology. Performance risks (internal risks): sales system; production; logistics; procurement.]

2.1.2. Risk management definition, objectives and tasks

Knowing what the term risk means, the next step is to clarify what is meant by risk management (RM). As the term suggests, RM is a system for handling risks. CIMA's Official Terminology (2005) describes it as the "process of understanding and managing risks that the entity is inevitably subject to in attempting to achieve its corporate objectives". A more detailed definition says: RM, as a part of company management, represents the totality of organizational measures and processes that aim at the identification, assessment, treatment, and monitoring of risks (see Diederichs, 2012, p. 13). First, this description expresses that RM has an accompanying guiding function, and second, it includes the core of RM, namely the RM process, which will be considered in the next subchapter.

According to Diederichs (2012, p. 12), the objectives of a RM system can be summarized as follows (with a long-term orientation):

· livelihood security of the company
· assurance of future success
· market appreciation of the company
· avoidance or reduction of risk costs

To achieve these goals, certain tasks have to be performed. Derived from the objectives, one can formulate the following tasks of a RM system:

· creation of a company-wide risk awareness, including the definition of risk and security objectives
· timely identification of possible risks
· analysis, evaluation and ongoing monitoring of the risk situation of the company
· dealing with risks

In addition, it is important to mention that RM's task is not to keep risks as small as possible or to eliminate them; rather, transparency on the risk situation should be established (see Gleißner, 2011, p. 12). An elimination of risks would not allow any opportunities and would thus lead to entrepreneurial inactivity.
2.1.3. Risk management process

Risk management is not a one-time project, but rather a continuous process that should be run through repeatedly. The RM process is often represented in the form of a cycle. In the economic literature this cycle model consists of three to six stages. For instance, in Fraud risk management (2009, pp. 19-21), Doody describes six steps included in the risk management cycle and one preceding step. The following steps should be taken:

Figure 2: The CIMA risk management cycle (Source: Doody, 2009, p. 19)
[Figure 2 content, recovered from the extracted labels: preceding step: establish risk management group and set goals; cycle: (1) identify risk areas, (2) understand and assess scale of risk, (3) develop risk response strategy, (4) implement strategy and allocate responsibilities, (5) implementation and monitoring of controls, (6) review and refine process and do it again; at the centre of the cycle: information for decision making.]

Kajüter (2012, p. 114) depicts three main stages that are characterized by detecting risks at an early stage (i.e. risk identification, risk assessment, and risk communication), overcoming risks (i.e. risk regulation and risk control), and internal monitoring. One recognizes that these three steps are less concrete than CIMA's risk management cycle, but more or less they also contain the seven steps above. There is a broad consensus in the literature that the main phases of the RM process are risk identification, risk assessment, risk treatment, and risk monitoring (see Wall, 2003, pp. 457-471); thus in the following the focus is on these four phases, which will be described in detail.
The starting point of the RM process is risk identification, which aims to provide an information basis for the next steps. In this phase, which is the most important one, all significant risks must be fully identified and sorted according to specified categories. If any important risks are not identified, they can lead to serious threats, so certain postulates should be considered: completeness, currency, essentiality and systematics. [5] Several methods and instruments for identifying risks can be found in the literature. To capture risks one can use common methods like variance analysis, workshops, brainstorming, interviews, organization plans, balance sheets, checklists, statistics, and visits, but the special analysis methods named in the following are more efficient. They have proved to be particularly useful. [6]

A special method is Porter's value chain model, which concentrates on the competitive advantages of a company (see Porter, 1999, pp. 63-65). The basic idea consists of identifying relevant activities in which the company is more competitive than others, differentiating them with regard to the end product into primary and secondary activities, and then splitting them into individual activities to identify priority processes. In this way the company can discover which processes are fraught with potential risks and should be considered in more detail. Other methods that work in a similar way are event-driven process chains, failure mode and effects analysis, and fault tree analysis. [7] While using all these methods to identify risks one should always try to find a balance between complete and economically meaningful risk detection.

In the next step the identified risks need to be assessed, which leads us to the phase of risk assessment. The aim is to find out the importance of the individual risks and to classify them accordingly. A simple and common method of assessment is creating a risk map or risk portfolio, which plots the possible impact of a risk against the corresponding likelihood of occurrence. [8] Both impacts and likelihoods of occurrence should be assessed either qualitatively or quantitatively. If a quantitative analysis is not possible because too little information is available, one can grade risks into high, medium, and low categories. Merchant and Van der Stede present a simple example in a case study and use the following severity scale and likelihood scale:

Figure 3: Risk Heat Map [9]
(cell values are the product of severity and likelihood)

                Likelihood
    Severity     1    2    3
       3         3    6    9
       2         2    4    6
       1         1    2    3

Severity scale: 1 = Not significant; 2 = Significant, but not material; 3 = Material
Likelihood scale: 1 = Unlikely to occur in the next 12 months; 2 = Potential for minor occurrences in the next 12 months; 3 = Minor occurrences happening now OR potential for significant occurrences in the next 12 months

In a risk map it is readily apparent which risks are significant, because the position of a risk in the map shows its importance and the associated urgency of countermeasures; thus it provides a clear presentation and classification/prioritization of risks. Concerning quantitative and qualitative analyses, many other methods can be used for assessing risks, e.g. expected values, distributions, scoring models, and the scenario technique. [10] Another common risk measure is value-at-risk (VaR), which can be defined as the maximum loss (evaluated in monetary units) of a risk position that will not be exceeded with a given probability over a given period. [11] A similar measure is cash-flow-at-risk (CFaR), the lowest cash flow which is reached at least with a given probability over a given period (see Diederichs, 2012, p. 117). The biggest problem in this phase is the absence of empirical values, so only estimates can be used, and this can lead to errors.

[5] See Diederichs, 2012, pp. 51-52; Kajüter, 2012, pp. 155-156.
[6] See in addition: Romeike, 2005, pp. 17-32.
[7] For further information see: Diederichs, 2012, pp. 62-64; Gleißner, 2011, pp. 66-68.
[8] See Diederichs, 2012, pp. 92-94; Gleißner 2011, pp. 145-147; Kajüter, 2012, pp. 167-168.
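The heat map of Figure 3 and the two quantitative measures, as an added Python example that is not code from the paper: a risk's score is severity × likelihood exactly as in the figure, the three priority bands are an assumption of this example, and VaR and CFaR are computed by historical simulation (ranking the observed values instead of assuming a distribution) from constructed monthly loss and cash-flow histories. The register entries and the numbers are constructed for the example.

```python
"""Risk assessment helpers: the 3x3 severity/likelihood heat map of Figure 3
and historical-simulation value-at-risk (VaR) and cash-flow-at-risk (CFaR).
Added illustration, not code from the paper."""
from dataclasses import dataclass
from typing import List, Tuple

# Scales as given in Figure 3 (Merchant & Van der Stede); 3 is the worst grade.
SEVERITY_SCALE = {1: "Not significant", 2: "Significant, but not material", 3: "Material"}
LIKELIHOOD_SCALE = {
    1: "Unlikely to occur in the next 12 months",
    2: "Potential for minor occurrences in the next 12 months",
    3: "Minor occurrences now or potential for significant occurrences",
}


@dataclass(frozen=True)
class Risk:
    name: str
    severity: int    # 1..3 on the severity scale
    likelihood: int  # 1..3 on the likelihood scale


def heat_map_score(risk: Risk) -> int:
    """Cell value of the heat map: severity x likelihood, i.e. 1..9."""
    if risk.severity not in SEVERITY_SCALE or risk.likelihood not in LIKELIHOOD_SCALE:
        raise ValueError(f"{risk.name}: severity and likelihood must be 1, 2 or 3")
    return risk.severity * risk.likelihood


def priority(score: int) -> str:
    """Assumed urgency bands (not from the paper): 6-9 high, 3-4 medium, 1-2 low."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(register: List[Risk]) -> List[Tuple[str, int, str]]:
    """Rank a register by heat-map score, most urgent first (ties by name)."""
    ranked = sorted(register, key=lambda r: (-heat_map_score(r), r.name))
    return [(r.name, heat_map_score(r), priority(heat_map_score(r))) for r in ranked]


def value_at_risk(losses: List[float], confidence_pct: int) -> float:
    """Historical-simulation VaR: the loss per period that is not exceeded with
    probability confidence_pct %. Integer percentages keep the rank arithmetic exact."""
    if not 0 < confidence_pct < 100 or not losses:
        raise ValueError("need a non-empty loss history and 0 < confidence_pct < 100")
    ordered = sorted(losses)
    n = len(ordered)
    # Smallest 0-based rank k with (k + 1) / n >= confidence, i.e. ceil(n * c) - 1.
    k = (n * confidence_pct + 99) // 100 - 1
    return ordered[k]


def cash_flow_at_risk(cash_flows: List[float], confidence_pct: int) -> float:
    """CFaR: the lowest cash flow that is reached or exceeded with probability
    confidence_pct %, i.e. the (100 - confidence_pct) % lower quantile."""
    if not 0 < confidence_pct < 100 or not cash_flows:
        raise ValueError("need a non-empty cash-flow history and 0 < confidence_pct < 100")
    ordered = sorted(cash_flows)
    n = len(ordered)
    # Largest 0-based rank k with (n - k) / n >= confidence, i.e. floor(n * (1 - c)).
    k = (n * (100 - confidence_pct)) // 100
    return ordered[k]


# Constructed sample data (kEUR per month); not taken from the paper.
SAMPLE_REGISTER = [
    Risk("Ransomware outage", severity=3, likelihood=2),
    Risk("Supplier default", severity=2, likelihood=2),
    Risk("Expense fraud", severity=1, likelihood=3),
    Risk("FX fluctuation", severity=2, likelihood=1),
    Risk("Data centre flood", severity=3, likelihood=1),
]
SAMPLE_MONTHLY_LOSSES = [3, 0, 12, 5, 7, 1, 25, 4, 9, 2, 60, 6, 8, 3, 15, 2, 11, 4, 40, 5]
SAMPLE_MONTHLY_CASH_FLOWS = [120, 95, 130, 80, 110, 60, 140, 100, 90, 125,
                             -20, 105, 115, 70, 135, 85, 50, 120, 30, 100]

if __name__ == "__main__":
    for name, score, band in prioritize(SAMPLE_REGISTER):
        print(f"{name:20s} score={score} priority={band}")
    print("VaR(95%)  =", value_at_risk(SAMPLE_MONTHLY_LOSSES, 95), "kEUR")
    print("CFaR(95%) =", cash_flow_at_risk(SAMPLE_MONTHLY_CASH_FLOWS, 95), "kEUR")
```

With 20 months of history, the 95 % VaR is the second-largest observed loss and the 95 % CFaR the second-lowest observed cash flow, which makes visible the problem the text names: with few empirical values the measures rest on a handful of observations.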
Now that risks are identified, quantified and classified, it is time to think about how to treat them. The assessed risks should be compared to the security objectives of the company and made manageable in the next phase, which is named risk treatment. In the economic literature, mostly four action alternatives or treatment strategies are mentioned. [12] Inspired by this literature, the following frame can be composed:

Figure 4: Risk treatment strategies [13]
[Figure 4 content, recovered from the extracted labels: the overall risk, split into identified risks and unidentified risks; the strategies risk avoidance, risk reduction, risk transfer and risk takeover; and the residual risk that remains.]

[9] Source: Merchant & Van der Stede, 2012, p. 593.
[10] See Frenkel et al., 2000, p. 286; Gleißner, 2011, pp. 111-125.
[11] See Oehler & Unser, 2002, p. 14; Spellmann & Unser, 1998, pp. 261-263.
[12] See Diederichs, 2012, pp. 124-126; Gleißner, 2011, pp. 181-183; Kajüter, 2012, pp. 188-189.
[13] Based on: Romeike, 2002, pp. 12-17 [translated].

Risk avoidance reduces the probability of occurrence to zero by giving up certain economic activities (e.g. risky businesses or technologies). This strategy should be applied only in the case of existential risks, because profit opportunities are given up.

Risk reduction reduces the probability of occurrence and/or the impact to acceptable levels by technical or organizational actions (e.g. IT security or outsourcing).

Risk transfer is a strategy for transferring risks to a third party that accepts the harm through contractual arrangements (e.g. insurance policies).

Risk takeover takes place when a company itself must bear the residual risk, because the other strategies cannot exclude all risks completely. In this case the company needs adequate capital resources and liquidity reserves.

The last step in the RM process is risk monitoring, which includes reporting and communication of risks. Responsible and decision-making departments should be informed about the risk situation, and the risk report should be integrated into the standard reporting system, so that current developments can be reported. For efficient operation a framework needs to be established, i.e. risk owners, a reporting calendar, and other important standards have to be defined.
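The four treatment strategies, the residual risk of Figure 4 and the monitoring report, as an added Python example that is not code from the paper: each strategy changes the probability and/or impact of a register entry in the way the text describes (avoidance sets the probability to zero, reduction scales probability and impact, transfer moves a share of the loss to a third party, takeover leaves both unchanged), the residual expected loss and the largest remaining single loss are aggregated, and a check against a liquidity reserve answers the takeover question. The register, the strategy parameters, the reserve and the report layout are constructed for this example.

```python
"""Risk treatment and monitoring: apply the four treatment strategies
(avoidance, reduction, transfer, takeover) to a risk register, compute the
residual risk and render a simple risk report. Added illustration, not code
from the paper."""
from dataclasses import dataclass
from typing import Dict, List

STRATEGIES = ("avoid", "reduce", "transfer", "takeover")


@dataclass(frozen=True)
class RiskItem:
    name: str
    probability: float               # annual probability of occurrence, 0..1
    impact: float                    # loss in kEUR if the event occurs
    strategy: str                    # one of STRATEGIES
    probability_factor: float = 1.0  # "reduce": residual probability multiplier
    impact_factor: float = 1.0       # "reduce": residual impact multiplier
    transferred_share: float = 0.0   # "transfer": share of the loss borne by the third party
    treatment_cost: float = 0.0      # annual cost of the measure (control costs, premium)


def treat(risk: RiskItem) -> Dict[str, float]:
    """Residual probability, impact and expected loss after the chosen strategy."""
    if risk.strategy == "avoid":
        # The activity is given up: probability, and with it the exposure, drops to zero.
        p, i = 0.0, 0.0
    elif risk.strategy == "reduce":
        # Technical or organizational measures lower probability and/or impact.
        p, i = risk.probability * risk.probability_factor, risk.impact * risk.impact_factor
    elif risk.strategy == "transfer":
        # A third party (e.g. an insurer) bears part of the loss; probability is unchanged.
        p, i = risk.probability, risk.impact * (1.0 - risk.transferred_share)
    elif risk.strategy == "takeover":
        # The company bears the risk itself and must hold reserves for it.
        p, i = risk.probability, risk.impact
    else:
        raise ValueError(f"{risk.name}: unknown strategy {risk.strategy!r}; use one of {STRATEGIES}")
    return {"residual_probability": p, "residual_impact": i, "residual_expected_loss": p * i}


def residual_summary(register: List[RiskItem], liquidity_reserve: float) -> Dict[str, object]:
    """Aggregate gross vs. residual expected loss and check whether the reserve
    covers the largest single residual loss (the takeover question)."""
    treated = {r.name: treat(r) for r in register}
    largest_residual = max(t["residual_impact"] for t in treated.values())
    return {
        "gross_expected_loss": sum(r.probability * r.impact for r in register),
        "residual_expected_loss": sum(t["residual_expected_loss"] for t in treated.values()),
        "treatment_cost": sum(r.treatment_cost for r in register),
        "largest_residual_impact": largest_residual,
        "reserve_covers_largest_residual": liquidity_reserve >= largest_residual,
    }


def risk_report(register: List[RiskItem], liquidity_reserve: float) -> str:
    """One line per risk plus totals, in the form a standard reporting system could carry."""
    lines = [f"{'risk':22s} {'strategy':9s} {'gross EL':>9s} {'resid EL':>9s} {'resid impact':>13s}"]
    for r in register:
        t = treat(r)
        lines.append(f"{r.name:22s} {r.strategy:9s} {r.probability * r.impact:9.1f} "
                     f"{t['residual_expected_loss']:9.1f} {t['residual_impact']:13.1f}")
    s = residual_summary(register, liquidity_reserve)
    lines.append(f"total gross EL {s['gross_expected_loss']:.1f}, residual EL "
                 f"{s['residual_expected_loss']:.1f}, treatment cost {s['treatment_cost']:.1f}")
    lines.append("reserve " + ("covers" if s["reserve_covers_largest_residual"] else "does NOT cover")
                 + f" the largest residual loss of {s['largest_residual_impact']:.1f}")
    return "\n".join(lines)


# Constructed sample register (kEUR, annual figures); not taken from the paper.
SAMPLE_REGISTER = [
    RiskItem("Legacy product line", 0.5, 400, "avoid"),
    RiskItem("Ransomware outage", 0.2, 500, "reduce", probability_factor=0.25,
             impact_factor=0.4, treatment_cost=30),
    RiskItem("Warehouse fire", 0.02, 2000, "transfer", transferred_share=0.9, treatment_cost=15),
    RiskItem("FX fluctuation", 0.3, 50, "takeover"),
]

if __name__ == "__main__":
    print(risk_report(SAMPLE_REGISTER, liquidity_reserve=150))
```

The comparison of gross and residual expected loss with the treatment cost shows whether a measure pays off, and the reserve check makes the point of the takeover paragraph concrete: what the other three strategies leave behind has to be carried by capital and liquidity.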
2.2. Management control systems

2.2.1. Definition and purposes

Trying to find a uniform definition of management control (MC) or management control system (MCS) is difficult, because books and articles written on management control use different definitions and have different understandings of what is important to mention regarding this subject, but there is also a lot of overlap. The idea of MC and MCSs can be described in the following way: "irrespective of the manager's focus [...] the crucial question is how this manager gets his people to put his visions into practice. So, he needs to think about the appropriate toolbox, i.e. various 'systems' available to influence people's behavior" (Malmi & Schäffer, 2013, p. 42). For that, performance definition is the first thing one should work on, i.e. defining what needs to be done; measurement should come second; and the third thing to do is providing rewards (see Kerr, 2004, p. 122). MC is the "core function of management" (Merchant & Van der Stede, 2012, p. xii), and many examples of MC failures, e.g. thefts, frauds and unintentional errors, show the importance of having good MCSs. MCs are necessary to reduce the probability that employees will do something that is not in the company's interest.

Details

Pages: 30
Type of Edition: First edition (Erstausgabe)
Year: 2013
ISBN (PDF): 9783960675310
ISBN (Softcover): 9783960670315
File size: 703 KB
Language: English
Institution / College: University of Dortmund – Fakultät für Wirtschaftswissenschaften, Junior Professorship Controlling
Publication date: 2016 (April)
Grade: 1,7
Keywords: Wirtschaftswissenschaften Controlling BWL Betriebswirtschaftslehre Risikomanagement Economics Risk Management Management Control System Managementkontrollsystem