IDW PS 340: Audit of the Early Risk Detection System

Frank Romeike | RiskNET – The Risk Management Network

“If the ship is on the wrong course, it is not enough to change the captain – you have to change the course.” The scenario described by the Czech writer Pavel Kosorin mirrors the situation at many companies. To put it casually, it could also mean: If the business is not running, the managing director has to go. That’s the deal.

Modern Risk Management Strategies

Many companies and their leadership teams often overlook the need for important changes within their organizations, especially when faced with growing risks. Risk landscapes are becoming increasingly complex and unwieldy, offering only limited guidance for risk managers.

Risks nowadays range from global politics and climate change to economic instability. This should be a wake-up call for business leaders to start preparing their organizations better for tough times ahead. After all, it is not wise to wait until you are in the middle of a storm to build a lifeboat.

To avoid heading blindly into uncertain waters, companies will have to shift towards modern risk management practices.

Quantitative Methods, Compact Information

The plan should be simple: change course, moving away from judgment-based risk management and toward quantitative data. This means saying goodbye to colorful risk matrices and subjective assessments, and instead using numbers and facts to evaluate and manage risks.

The Head of Product Line GRC & Managing Director of GBTEC Austria, Samuel Brandstätter, describes the reason for this change of course: “We have been observing for some time that a purely qualitative assessment is no longer sufficient for many companies, and the trend is increasingly moving towards quantitative methods, often in preparation for simulation methods."

This insight emerged from many discussions with executives and supervisory board members: for them, risks only become relevant and tangible when assessed quantitatively. "To do that effectively, I need to present information on risk capacity in a clear and concise way," says Brandstätter. And he adds: “That's why following the path set out by IDW PS 340 and its requirements for risk management makes a lot of sense."

This new approach, outlined in the updated standard IDW PS 340 n.F., now puts a stronger focus on quantitative methods to audit early risk detection systems. According to statements from the German Institute of Public Auditors (IDW), the standard details the "basic elements of an early risk detection system, drawing on elements developed for setting up and reviewing risk management and compliance management systems."

Additionally, the IDW now highlights the "responsibilities of a company regarding risk capacity and risk aggregation." Brandstätter views this not just as a regulatory matter but as a way to significantly improve communication among risk owners, management, and the supervisory board.

Demystifying Simulation

GBTEC already integrated a simulation engine into BIC GRC back in 2019. The comprehensive GRC software allows for the integrated representation of various GRC scenarios. A major advantage, as emphasized by GBTEC, is that “medium to large businesses and corporations can cut down on their workload significantly while also streamlining GRC processes.”

The company draws on over 15 years of experience in real-world GRC project implementations, including work with very large corporations. Brandstätter talks about the simulation engine: “We're trying to demystify simulation because too many risk managers still perceive it as overly complex. To simplify things, we create specific use cases that meet the requirements of IDW PS 340.”

Thanks to these tried-and-tested examples, introducing quantitative risk assessment under IDW PS 340 becomes much easier. This is beneficial for large organizations with complex setups and small companies alike, as they can easily dive into quantification with ready-to-use standard solutions.

Early Detection and Risk Aggregation

To meet the auditing standard IDW PS 340 under § 317, para. 4 HGB, it is crucial to have clear insights into "net risks" and focus on the importance of reviewing one's early risk detection system. In a "Joint Statement," experts conclude: "The main task of an early risk detection system - the core of risk management - is to spot 'existence-threatening developments' early (§ 91, para. 2 AktG)."

To achieve this, it is important to clearly define what constitutes an 'existence-threatening development.' According to IDW PS 340: “Detecting existence-threatening developments early requires identifying rare extreme risks and aggregating risks through stochastic simulation due to their non-additivity.” The idea behind "stochastic scenario simulation" is to determine the likely outcomes or targets for randomly chosen factors, helping to simulate potential future scenarios. This data aids in defining preventive or reactive measures.

The model used for determining the target variables is deterministic, meaning that once parameters are set, targets are clearly defined. The advantage of stochastic scenario simulation lies in its quick and straightforward determination of results.
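The non-additivity that makes stochastic aggregation necessary can be shown with a small Monte Carlo run. This is an added example, not code from the article, GBTEC or the IDW standard; the risk register, the triangular severity distribution, the 99% quantile and the risk capacity figure are all constructed assumptions.

```python
import random

# Constructed risk register (illustrative figures, EUR thousand):
# (name, annual probability of occurrence, min loss, most likely loss, max loss)
RISKS = [
    ("Key supplier insolvency", 0.008, 2000, 3000, 6000),
    ("Ransomware outage",       0.008, 1500, 2500, 5000),
    ("Major product recall",    0.008, 1000, 4000, 8000),
]
RISK_CAPACITY = 1000  # constructed: loss the company can absorb, EUR thousand


def simulate(risks, runs=100_000, seed=340):
    """Draw `runs` scenarios; return per-risk losses and the total per scenario."""
    rng = random.Random(seed)          # fixed seed so the run is reproducible
    per_risk = [[0.0] * runs for _ in risks]
    total = [0.0] * runs
    for i in range(runs):
        for k, (_, p, lo, mode, hi) in enumerate(risks):
            if rng.random() < p:       # does the risk occur in this scenario?
                loss = rng.triangular(lo, hi, mode)
                per_risk[k][i] = loss
                total[i] += loss       # deterministic model: total = sum of losses
    return per_risk, total


def quantile(samples, q):
    """Empirical q-quantile of the simulated losses."""
    ordered = sorted(samples)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def report(risks=RISKS, capacity=RISK_CAPACITY, q=0.99):
    per_risk, total = simulate(risks)
    standalone = [quantile(losses, q) for losses in per_risk]
    return {
        # Each risk alone is rarer than 1%, so its own 99% quantile is zero.
        "standalone_sum": sum(standalone),
        # Together, at least one occurs in roughly 2.4% of scenarios.
        "aggregated": quantile(total, q),
        "p_exceed_capacity": sum(t > capacity for t in total) / len(total),
    }


if __name__ == "__main__":
    print(report())
```

Adding up the stand-alone quantiles reports no exposure at all, while the aggregated distribution shows a loss above the assumed risk capacity at the same confidence level.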

Less Complexity, More Options

Given the growing challenge of resource scarcity and the increasingly complex nature of risks, it is clear that medium-sized companies need to improve their approach to risk management. Brandstätter points out, "Unlike larger corporations, medium-sized businesses often don't have in-house auditors or consultants who can develop tailored strategies before seeking outside help." This is where GBTEC comes in, aiming to develop standardized solutions to bring these companies up to speed with industry best practices.

Brandstätter adds, "Our goal is to empower medium-sized businesses to see results in their risk management efforts within days." GBTEC offers a range of ready-made solutions covering everything from managing enterprise risks to ensuring data protection and business continuity.

Looking ahead, GBTEC is focused on helping medium-sized companies continuously improve their risk management strategies. "By gradually expanding their solutions, companies can elevate the maturity of their risk management processes," Brandstätter explains. This approach allows companies to navigate uncertainties while staying firmly in control of their operations. Embracing modern risk management means exploring new opportunities and charting new territories with confidence.
