Based on my experience in conversations with risk managers, topics such as risk culture and the acceptance of the risk management system are usually their top concerns.
Common questions include:
- “How can I achieve plausible and accurate risk assessments and not just the urgent release two days after the deadline?”
- “How do I keep track of the implementation status of agreed measures?”
- “How can I report my risks to my board without acting as the bearer of bad news?”
The recent revision of the auditing standard IDW PS 340 has caused a heated debate around topics such as risk-bearing capacity and risk aggregation. Simply put, these debates focus on the methodology of the risk management system and the importance of using quantitative approaches.
The publication of the IDW PS 340 n.F. in late June will affect existing early warning systems previously certified by the auditor in a number of ways. Most companies will face changes in their methodology, as the key phrase “threat to the continued existence” makes a critical difference.
Reaching a conclusion on this, and analysing it regularly, requires a reconciliation between the risk-bearing capacity and the current overall risk exposure. Another important aspect in this context is the aggregation of risks beyond the grouping of risk types. Furthermore, the tracking of the defined mitigating measures must be strengthened.
A recently published Deloitte study confirms the need for action within companies, as more than a third of the study participants did not possess a complete understanding of the resulting changes. In fact, only about half of those surveyed consider the new requirements to already be fulfilled by their current procedures.
Expert opinions suggest a certain discrepancy between these requirements, their underlying scientific approaches and the degree of implementation of these concepts in the companies. The time frame is challenging: companies starting their financial year on January 1, 2021 will have their early warning system for that year audited against the revised audit standard.
Alyne offers a versatile package that facilitates achieving the required adjustments:
- Holistic overall risk inventory: An extensive Control Library, out-of-the-box templates, Control requirements and interlinked risks are all available within Alyne. Using these templates, a gap analysis can be carried out with ease on relevant subject areas. Based on the results, risks are reflected by criticality and can then follow the risk management process. Various evaluation options as well as the popular heat map are available to get a quick overview of the risks.
- Qualitative and quantitative risk assessments: Risk assessments can be conducted based on qualitative scales (e.g. critical impact / almost certain occurrence) with the option of recording a financial assessment separately. Alyne’s Risk Loss Estimate Calculator helps risk owners estimate risk losses more accurately by asking a selection of questions to quantify risk, based on the FAIR Model, and returning an estimated financial loss from the answers provided.
- Consideration of risk-bearing capacity / risk appetite: As a central element, graphs are displayed in real time to depict both the risk appetite (usually derived from the risk-bearing capacity) and the current overall risk exposure. These graphical representations take into account mitigating measures, illustrated along a timeline which reflects the measures’ due dates.
- Documentation and tracking of measures: There are two ways to record mitigating measures: they can either be freely recorded, or created based on a Control from Alyne’s Control Library. In addition, responsibilities and deadlines are captured, and it is possible to include granular activities that can be individually marked as complete. Any number of automated reminders can be configured, with the possibility to alert individual users at any time. Depending on the degree of implementation, the risk reduction of the measure affects the overall risk situation.
- Determining the overall risk exposure by aggregation: Leveraging Alyne’s integrated Monte Carlo simulation, the values of approved individual risks are aggregated to an overall position, allowing you to visualise results in a matter of seconds. Powered by massively scalable serverless infrastructure, the graphical representation displays the potential risk loss distribution and shows the Value at Risk (VaR), the number of iterations and the selected distribution function.
Alyne customers are well equipped to meet the new requirements. Overall, it remains to be seen to what extent the changes in risk management systems driven by the IDW PS 340 n.F. will prove themselves with regard to the questions mentioned at the beginning. However, a comprehensible and coherent assessment and aggregation of risks – and embedding the idea of risk-bearing capacity in the company's governance mechanisms – can only contribute to the greater acceptance of risk managers’ efforts.