IDW PS 340: Audit of the early risk detection system

Frank Romeike | RiskNET – The Risk Management Network

“If the ship is on the wrong course, it is not enough to change the captain – you have to change the course.” The scenario described by the Czech writer Pavel Kosorin reflects the situation of many companies. To put it casually, it could also mean: If the business is not running, the managing director has to go. That’s the deal.

From a quantitative change of course to a view of opportunities

What companies and their supervisory bodies neglect, however, is usually a fundamental change of strategy in the overall organisation. But in our times this would be quite appropriate – especially in view of the risk map of many companies.

If you open up this map, it becomes ever larger and at the same time more unwieldy to use. It is therefore only of limited use for risk orientation. Among other things, this illustrates the range of risks – from geopolitics to advancing climate change to crisis-ridden economies.

For business leaders, this is reason enough to better prepare their own organisations for stormy times. After all, lifeboats should not be built in the storm. To do so, a change of course towards modern risk management is imperative in order not to sail straight into the biggest storm with open eyes.

Quantitative methods, compact information

The maneuver should therefore read: Ready to turn. The new goal is now called quantitative methods in risk management. The crew and the captain thus leave behind qualitative risk assessments with a colorful risk matrix and the level of the probability of occurrence, including risk accounting.

Samuel Brandstätter, Head of GBTEC Austria, describes the reason for such a U-turn: “We have been observing for some time that a purely qualitative assessment is no longer sufficient for many companies and the trend is increasingly moving towards quantitative methods, mostly in preparation for simulation procedures.” The company was helped in this by many discussions with executive and supervisory boards.

According to Brandstätter, one insight gained from this is that risks only become relevant and tangible for the board of directors and supervisory board members when they can be assessed quantitatively. “That presupposes that I can convey the information on risk-bearing capacity in a compact form,” says Brandstätter. And he adds: “Therefore, the IDW PS 340, only makes sense in terms of what it now requires for risk management or the direction it is taking.”

This can be observed, among other things, in the stronger focus on quantitative methods within the framework of the auditing standard IDW PS 340 for the audit of the early risk detection system, from summer 2020, in accordance with § 317 Abs. 4 HGB.

According to the Institute of Public Auditors in Germany (IDW), among other things, the “basic elements of an early risk detection system have been clarified in line with the basic elements developed for the establishment and audit of risk management and compliance management systems”.
In addition, the “emphasis is on the obligations of a company with regard to risk-bearing capacity and risk aggregation”, the IDW continues. Brandstätter, however, not only focuses on the regulatory aspect. Rather, the IDW auditing standard ensures noticeably better communication between the risk owner and the management, and also between the management and the supervisory board.

Demystifying simulations

GBTEC had already integrated a simulation engine into its own risk management software BIC GRC Solutions in 2019. The holistic GRC software enables different GRC use cases to be mapped integratively. The advantage according to GBTEC: “Medium to large corporate and group structures benefit from a noticeably reduced workload with optimised GRC processes at the same time.” The company’s more than 15 years of practical experience with complex GRC implementations, including in very large corporate groups, is an advantage. Brandstätter explains the simulation engine: “We are trying to demystify simulation with it, because there are still too many risk managers who see the topic as too complex. To simplify the overall process, we design certain use cases that ultimately fulfil what IDW PS 340 requires.”

These existing best practice use cases make the introduction of quantitative risk assessment according to IDW PS 340 much easier. Large organizations with complex structures benefit, and so do smaller companies, which find an easy start in the world of quantification with out-of-the-box standard solutions that can be used quickly.

Early detection and risk aggregation

To meet the audit standard IDW PS 340 according to § 317 Abs. 4 HGB, this also means clear consideration of “net risks” as well as risk management as part of the basic elements of a risk early warning system to be audited. A “Joint Statement” by various experts from January 2020 concludes: “The main task of an early risk detection system required by law – as the core of risk management – is to detect “developments that threaten the existence of the company” at an early stage (section 91 para. 2 AktG).

In order to fulfil this task, it is necessary to clearly define what such a ‘development threatening the existence of the company’ is.” And further according to § 317 Abs. 4 HGB: “The early detection of developments that threaten the existence of the company requires the identification of rare extreme risks and, due to the non-additivity of risks, risk aggregation (stochastic simulation).” The idea behind “stochastic scenario simulation” is to determine the corresponding result or target variables for randomly selected parameters via the corresponding correlations. In other words, to simulate potential future scenarios in order to learn from them or to define preventive or reactive measures.

The model used to determine the target variables is usually deterministic in nature, i.e. once the parameters have been set, the target variables are clearly determined. The advantage of using stochastic scenario simulation is that results can be determined quickly and easily.
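The following added example (not code from the article, the IDW or GBTEC's product) sketches the stochastic scenario simulation described above: a deterministic loss model is evaluated for randomly drawn parameters, and the aggregated result is compared with a risk-bearing capacity. The risk inventory, the capacity figure and the assumption that the risks occur independently are constructed for illustration.

```python
import random

# Constructed sample risk inventory (EUR million): name, annual probability
# of occurrence, and a triangular net-loss range (minimum, most likely, maximum).
RISKS = [
    ("supplier failure", 0.10, 1.0, 2.0, 5.0),
    ("cyber incident",   0.05, 0.5, 3.0, 10.0),
    ("fx shock",         0.30, 0.2, 0.5, 1.5),
    ("plant outage",     0.02, 2.0, 6.0, 12.0),
]
RISK_BEARING_CAPACITY = 8.0  # assumed loss the company can absorb in one year


def scenario_loss(rng, risks):
    """Deterministic model: once the random draws are fixed, the loss is fixed."""
    total = 0.0
    for _name, prob, low, mode, high in risks:
        if rng.random() < prob:                      # does the risk occur?
            total += rng.triangular(low, high, mode)  # how severe is it?
    return total


def aggregate(risks, capacity=RISK_BEARING_CAPACITY, n=20000, seed=340):
    """Simulate n scenarios (risks assumed independent) and summarise them."""
    rng = random.Random(seed)
    losses = sorted(scenario_loss(rng, risks) for _ in range(n))
    return {
        "mean": sum(losses) / n,
        "q99": losses[int(0.99 * n)],                 # 99% quantile of total loss
        "p_exceed": sum(l > capacity for l in losses) / n,
    }


def naive_expected_sum(risks):
    """Qualitative-style figure: sum of probability x average impact."""
    return sum(p * (lo + mode + hi) / 3 for _n, p, lo, mode, hi in risks)


def worst_case_sum(risks):
    """Adding up every maximum loss, as if all risks hit at once."""
    return sum(hi for _n, _p, _lo, _mode, hi in risks)


if __name__ == "__main__":
    result = aggregate(RISKS)
    print("sum of expected losses:", round(naive_expected_sum(RISKS), 2))
    print("sum of worst cases:    ", worst_case_sum(RISKS))
    print("simulated:", {k: round(v, 3) for k, v in result.items()})
```

The sum of expected losses understates the rare extreme scenarios and the sum of worst cases overstates them; only the simulated distribution gives the probability that the aggregated loss exceeds the risk-bearing capacity.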

Reduce complexity, gain options for action

Especially with regard to complexity, risk managers of medium-sized companies have a lot of catching up to do, partly because they lack the capacities. “SMEs don’t have auditors or consultancies in-house in advance who develop concepts tailored to their needs and with which they come to us,” Brandstätter explains. Conversely, for GBTEC this means working with more standards in order to put medium-sized companies in the same position as large corporations. The keyword is best practice approaches. Brandstätter says: “These approaches should enable risk managers in medium-sized companies to achieve a result within a few days.” With its standard solution, GBTEC offers a ready-made kit for this purpose – from enterprise risk management to data protection to business continuity.

Brandstätter sees this as a starting point. And yet GBTEC is thinking ahead, i.e. it has set the compass to the future: medium-sized companies are able to expand the GBTEC solution later on. “Companies can expand the respective solution step by step and ultimately increase the level of maturity in the entire risk management process,” Brandstätter sums up. This allows companies to change course – while maintaining full control over their own “ship” and setting sail for the future. And that means discovering the terra incognita in the form of opportunities and modern risk management.
