
Risk map on a whole new scale

There are currently armed conflicts on five continents. China, the USA and Russia are battling for economic influence at all levels and the EU is in free-fall. These facts show us that the solid foundations of past days are now obsolete, no longer exist or are getting lost in a multi-polar and increasingly digital world. Companies have to survive this disordered age. This is no easy task, as the previous RiskNET Summit in Hohenkammer near Munich in October illustrated. The risk map has always been big but now it’s getting bigger and has to be consulted every day – on a whole new scale.

There is one constant that is evident in this global arms race in the economic, military and political environments – risk management. There is a greater need than ever for risk managers to act as navigators and keep their organisations on course in a world full of imponderables. They set out the cornerstones, act as internal advisers, scrutinise existing structures and adjust them where necessary. We have put together a photo spread from the risk management industry’s get-together at the RiskNET Summit. As the old saying goes, a picture (sometimes) says more than a thousand words.

Talking of pictures. The picture is not so positive when it comes to the public impact of supervisory boards. Why is that? In our interview, Prof. Manuel René Theisen, Emeritus Professor of Business Management at Ludwig-Maximilian University, Munich, provides an insight into what is often a hidden world. By their very nature, the role and function of a supervisory board are not familiar to the general public from personal experience or observation. Even if their company has a supervisory board, most employees have little awareness of its existence, much less of the names or duties of its members. The image of the supervisory board is shaped by the press and their reporting to an extreme extent. And in some cases this image has been damaged or trashed. It is not unusual for supervisory board members to be actively contributing to further ruination of their own profession’s reputation.

But they are not alone there. They take their place alongside the host of politicians who are working on dividing the world with new protectionism, barriers and tariffs. These are uncertain times in a world full of risks.

We hope you enjoy reading the new FIRM issue in peace. We hope you will stick with us in the coming year.

Merry Christmas and a Happy New Year from the FIRM editorial team. Yours,

Frank Romeike, Editor in Chief and member of the FIRM board

PUBLISHED BY Gesellschaft für Risikomanagement und Regulierung e.V.

Walther-von-Cronberg-Platz 16 D 60594 Frankfurt am Main

Phone: +49 69 87 40 20 00 Fax: +49 69 87 40 20 09 Internet: www.firm.fm E-mail: [email protected]

Editorial team: Frank Romeike (V.i.S.d.P.), Andreas Eicher E-mail: [email protected]

Published: 10 x per year as an insert in RISK MANAGER magazine

CONTENTS

EDITORIAL

RISKNET SUMMIT 2018

INTERVIEW

firm Frankfurt Institute for Risk Management and Regulation

RiskNET Summit 2018

New era with at least three stress tests

Anyone involved in risk management sets out on a journey. At least if they really want to find out more about their own business and organisational environment or themselves. This is the only way to look for and, most importantly, find opportunities for future actions. On 23 October 2018, more than 100 risk managers from different industries, the academic world and the public sector, set out on a journey of their own. Their destination: The two-day RiskNET Summit at Schloss Hohenkammer near Munich. Frank Romeike, initiator of the RiskNET Summit, started the “journey through the world of risk management” by looking at the major destinations – in other words the cornerstones of our risk management world. These success factors are organisation, methods and tools, processes, and culture.

More than 100 participants at the RiskNET Summit 2018

Issue 10/2018

All four areas are affected by robotics and smart machines. It is clear that artificial intelligence (AI) and robotics are advancing in all areas of work and life. And experts believe that they will turn everything upside down.

Robots learn, AI beats people

In his keynote speech: “Smart machines – New security requirements in the age of artificial intelligence”, Dr. Ulrich Eberl, future researcher and author, took a journey into the world of what is already feasible and highlighted possible future scenarios. The actions that are currently possible include running, gripping, speaking, listening, seeing, reading and analysing. And even more importantly – robots are capable of learning. Robots learn. Robots are already going to school and learning from people. They learn by observation, imitation and reward – whether it’s shooting a bow and arrow or playing the piano. Eberl said: “Today’s best robots can serve guests, load the dishwasher, drill holes, steer cars, climb over boulders or speak in the UN building.”

But future researcher Eberl thinks that the field for smart machines is much broader, as the example of autonomous driving cars shows. The pace of development is very rapid. Back in 2011 Watson, the IBM system, beat the champions on “Jeopardy” (US TV quiz show). And this year, AI beat people at understanding texts for the first time. Eberl said: “If the task is precisely defined, today’s computers are unbeatable.” Other applications include predictive maintenance, where computers can analyse machines to identify and eliminate any irregularities. It’s a major advantage to intervene before a machine fails. When asked where the journey will go next, Eberl cited increasing computing power and also reflective responses. What do increasing robotics and AI mean for jobs? Eberl believes that routine activities in offices will be automated. These include finding texts, images or videos, and outsourcing support functions.

The main jobs affected will be bank advisers, legal assistants, brokers, warehouse workers and bus or taxi drivers. Creative professions, researchers and social professions will be less affected. What does this mean for education systems? Two thirds of today’s children will work in jobs that do not exist yet. Ulrich Eberl cites the examples of teachers for machines or AI trainers.

High-level interaction was the focus once again this year.

Humanoid robot Nao welcomed participants to the RiskNET Summit 2018.

Mathieas Kohl, Drägerwerk, in conversation with Dr. Stefan Pieper, Océ.

Because of the constant increase in IT security threats, ratings for IT security are becoming an important component of cyber defence for leading companies, according to Patrick Steinmetz from BitSight.

Panel discussion on the theme of the GDPR featuring Patrick Steinmetz (BitSight), Samuel Brandstätter (avedos), Martin Kreuzer (Munich Re) and DI DDr. Manfred Stallinger (calpana).

Hendrik F. Löffler, Chairman of the Funk Stiftung.

“The General Data Protection Regulation slightly reduces the paper tiger”, explained Dr. Manfred Stallinger from calpana business consulting.

Martin Kreuzer from Munich Re says that data protection can be a competitive advantage for companies.

Samuel Brandstätter, Founder and CEO of avedos GRC GmbH.

Petra Reindl, Managing Director of Sixtus Werke Schliersee GmbH.

Supervisory board member: Job from hell or a blessing?

Prof. Manuel René Theisen, Emeritus Professor of Business Management at Ludwig-Maximilian-University Munich and one of the best known corporate governance experts, gave a presentation entitled “Supervisory board member: Job from hell or a blessing?”. He pointed out that the supervisory board and, specifically, the chairman as its representative, is often only mentioned when it comes to suspected contributory negligence in business crises or accusations of misconduct in office. The term “job from hell” primarily refers to the perceived increased liability risks and more intensive legal access authority, particularly in respect of the private assets of neglectful supervisory board members.

Manuel René Theisen talked about the changed framework: A change of generation is underway on supervisory boards. There is a growing awareness that it is a profession and not an honorary position. “Successfully leading companies in international competition has always presented both opportunities and risks. Critically scrutinising these activities as a supervisory board is a constant challenge and calls for dedicated and experienced people.” Theisen calls it a “job from hell with future prospects”.

Dr. Stefan Pieper, Executive Director and Risk and Compliance Management Officer at Océ, devoted his speech to the theme of setting up an integrated “Enterprise Risk Management” system at Océ. He focused on appropriate organisation as a solid foundation for the entire system. Océ has been part of the Canon Group since 2010 and is one of the world's leading companies in the field of digital printing and document management products. “Risk management at Océ involves aligning corporate leadership with risk and compliance obligations based on an integrated overall concept,” Stefan Pieper said. The risk management steering committee is responsible for setting up and coordinating the overall concept. A system consisting of roles, responsibilities and processes ensures appropriate implementation of measures as part of the relevant operational procedures.

Compliance and entrepreneurship

The presentation by Petra Reindl, Managing Director of Sixtus Werke Schliersee GmbH, posed the central question of “Is compliance a threat to entrepreneurship?” Her unequivocal answer is “Yes”. Reindl’s journey led from observance of standards and laws to the criminal code, which hangs like the sword of Damocles over companies and their directors. SMEs in particular are suffering from excessive bureaucracy and the increasingly impenetrable jungle of standards and authorities. Reindl cited sharing of business data as an example of liability. “No business data that is sensitive or confidential can be shared. This includes data relating to purchase and selling prices, production, turnover, costs, general business planning, investments and capacity.”

Interaction with delegates – Stefanie Koloska, Manager Internal Audit & Risk Management at TOM TAILOR.

Rüdiger Koppe, OTL a.D., spoke on risk management in aviation.

Mountain bike adventurer Harald Philipp.

The Sixtus boss sees increased complexity in the compliance environment as a major stumbling block. It is already at a high level and is increasing all the time. Large companies also have dedicated departments to deal with the issue of compliance on a daily basis. Small and medium-sized companies simply lack the resources to do this. With all the pitfalls, Reindl emphasises ten deadly sins that senior managers would be better avoiding. They include incorrect insurance when setting up, exceeding liability limits or non-compliance, as well as accounting, taxation and social insurance contribution issues. Petra Reindl concluded by quoting Warren Buffett: “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”

Focus on GDPR

During the podium discussion on the General Data Protection Regulation (GDPR), participants provided a wealth of insights and perspectives. Where is the journey heading? Is the GDPR just a paper tiger or does it provide identifiable added value for companies? “The General Data Protection Regulation slightly reduces the paper tiger”, explained Dr. Manfred Stallinger from calpana business consulting. Furthermore, data protection can actually be a competitive advantage for companies. This is the opinion of Martin Kreuzer from Munich Re. Unfortunately, many companies were too late in starting to get to grips with the issue and as a result there is a significant need for improvement.

Any attempt to circle the wagons when it comes to data protection and information security is doomed to failure, according to those involved in the discussion. Samuel Brandstätter from avedos GRC thinks it is unrealistic for a company to retreat into a bunker in our digital world. Brandstätter said: “You can protect yourself. But attacks and threats can’t be prevented.” The focus needs to be on taking a proactive approach to the issue. Continuous monitoring can provide valuable services. The central question is: Where are the weaknesses in the system?

The issue of data protection has to be actively addressed. Frank Romeike described data protection management as part of the DNA. It is clear that even the best technology is useless if an employee clicks on everything on the Internet or in their e-mail correspondence. “People are often the weakest link in the chain”, added Martin Kreuzer. Manfred Stallinger posed a simple but crucial question: Against what are we actually trying to protect ourselves? This included looking at why we actually want to safeguard ourselves against possible risks. Patrick Steinmetz from BitSight sees numerous weaknesses in the network. For him, it is all about creating processes and making improvements on the issue of information security in the medium to long term.

Risk management for flying and cycling

“Aviation is all about risk management”, argues Rüdiger Koppe, OTL a.D. and Managing Director SRI Strategic Risk Institute. For example, air traffic control is the nervous system of aviation. Koppe believes that standards and procedures are crucial. Training is a complex combination of theory and practice. “We are looking for people who can consistently perform their duties under stress”, says Koppe. Culture, people and teamwork are the key themes in aviation. Everyone knows what they have to do. Koppe said: “You work hand in hand.” All errors are logged and evaluated and fed back through the entire organisation. Along with experience, variables that contribute to good situational awareness include well-developed cognitive ability, and high perception speed and accuracy. According to Koppe, the key features of modern aviation are excellent and, at the same time, extremely reliable technology. Procedures and standards have to be coordinated as effectively as possible. Human intuition and a well-developed error culture are also important in preventing aviation accidents.

Intuition and enjoyment are also important elements of mountain bike rides. “Mountain biking has never been about competition, but about enjoyment and having experiences as a group”, explained Harald Philipp, mountain bike adventurer. And that’s why he has a good handle on risks. For him, the focus is on the community. Philipp said: “Sharing experiences and jointly tackling a challenge. Biking as a group brings you together.” For the bike adventurer, the allure of risk is all about moving out of your comfort zone. “If you never push the boundaries of your own comfort zone, over time the bubble you’re in will start to shrink”, said Philipp. He has always consciously looked for his risks in sport, and sets great store by gut feeling. If something doesn’t feel right, he doesn’t do the ride or he walks. So what does all this have to do with risk management? “We’ve all had times in our lives when flow played an important role”, Philipp argued. As adults, we lose the concept of playing. But adopting a more play-based approach to everyday problems is important, and everyone should preserve it. One of his mottoes is: “It’s never too late to enjoy a happy childhood.” Flow means balance – on every journey.

Constant factor in risk management: Geopolitical risks

There is one constant factor in risk management, and that is geopolitics. The heading could be: The world is living through uncertain times – on every continent. Professor Günther Schmid, formerly of the German intelligence service, opened the second day of the RiskNET Summit 2018 by looking at the geopolitical risk map. In Günther Schmid’s words, geopolitics is enjoying a renaissance. In the last ten years, we have experienced a series of geopolitical crises greater than any Schmid has seen before. Geopolitics is not dead; in fact, it’s more alive than ever.

Günther Schmid’s diagnosis is: “We are living in a new era with three stress tests.” Clear cracks can be seen in the world order. Our age is characterised by a non-polar world that no longer has any rules. Trump is testing the democratic system – as far as it will go. That is the first stress test. Trump’s approach to diplomacy is marked by inexperience and lack of professionalism. The US President is saying goodbye to the community of values in the west. The whole world is an arena in the battle between powerful players. The US President is permanently in battle mode. Every day, Trump uses Tweets to communicate directly to the people. There is no dependability, just disruptive politics. According to Schmid, politics is being pursued with a wrecking ball. But geopolitical expert Schmid thinks that China does not share the general opinion of Donald Trump. They actually think Trump is pursuing a rational policy.

High-level speakers and attentive listeners and discussion participants at the RiskNET Summit.

Harald Philipp in conversation with Frank Romeike, Managing Director and founder of the RiskNET competence network.

Dr. Stefan Pieper, Executive Director and Risk and Compliance Management Officer at Océ, a Canon Group company.

AI meets AI.

Over two days, more than 100 delegates discussed current issues from the world of risk management.

Martin Kreuzer, Head of Corporate Underwriting for Cyber Risks at insurance company Munich Re.

A constant at the RiskNET Summit: Professor Günther Schmid, formerly of the German intelligence service, provided an overview of the geopolitical risk map.

Hendrik F. Löffler, Chairman of the Funk Stiftung.

Tim-Benjamin Bohmfalk, Head of Risk and Compliance Management at EDEKA AG. Jens Schauffert, Risk Manager at EDEKA Handelsgesellschaft Nord.

Prof. Manuel René Theisen, Emeritus Professor at Ludwig-Maximilian University, Munich.

Dr. Ulrich Eberl, industrial physicist, future researcher and scientific journalist, transported delegates into the world of smart machines in the age of artificial intelligence.

Testing the world order and technical sovereignty

Russia, China and the USA are testing the strength and resilience of the world order. This is the second stress test. “All three players enjoy a high concentration of power”, says Schmid. But their power is not sufficient to achieve all of their goals. Nevertheless, they have global destructive power.

Stress test three: China is constantly testing its position in the world – especially against the USA. China is pursuing a hundred year project. It is intending to use technology and digitalisation to gain complete control over the population. Schmid calls it a technology-based world. “China has a strategy, we have none”, he said, quoting Sigmar Gabriel. China is investing in Greece, Hungary and Serbia, thus intruding on the EU’s sphere of influence. The huge inequality within China will be an Achilles heel for the state. The growth rate is also a risk for China. The country needs eight percent growth, while the actual figure is currently just 6.5 percent. We are witnessing a battle for technological supremacy and for political systems, being waged by the USA and China. This conflict will have a massive impact on the world. The USA is retreating as a global force for order, but it retains its position as a world power. No other power is willing to step up to replace the USA as a new force for order. Another important issue is the inexorable flow of migrants, particularly originating from Africa. This is an issue that plays only a very minor role in German politics.

“We are facing a major change of strategy in development cooperation”, predicts Schmid on this issue. The pressure for change in German foreign policy is also growing. We live on an island of bliss. We have to say farewell to this island and embark on a journey into the unknown. But without a crisis, there is no chance of looking for new horizons.

Attacks, terrorists, cyber trends

In his talk on the theme of cyber risks, Martin Kreuzer, Head of Corporate Underwriting for Cyber Risks at the insurance company Munich Re, highlighted how cyber attacks can have an influence on an insurance company. The focus is on the question of asset values. The range of risks is huge, covering everything from cyber crime to cyber war to cyber terrorism and hackers. The motivation behind attacks is also varied – it can be money, pleasure, ideology or politics.

Martin Kreuzer used the example of cyber terrorist Junaid Hussain to outline the career of a cyber criminal from “script kid” to terrorist. His measurable success was demonstrated by a social media campaign in advance of the IS attack and the taking of the Iraqi city of Mosul. With a digital bombardment on social networks, Hussain prepared the ground for IS (ISIS). The main motives for cyber terrorism lie in communication, propaganda, recruitment and ultimately cyber attacks.

Michael George from the Cyber Alliance Centre in Bavaria.

Isabelle Göllner, Chief Risk Officer, Hensoldt Sensors GmbH.


Both ISIS and Al Qaeda showed great media expertise in their external communications. This included a dedicated media centre, a foundation and high-quality publications. In Germany, the intelligence authorities estimate that there are around 20,000 public pages dealing with Jihadism. With “kybernetiq”, terrorists are publishing their own magazine in German, with a very professional layout and content. A look at the global map shows that the USA, Russia, North Korea and China lead the way on the issue of “cyber warfare”. Looking ahead, Kreuzer highlighted where he thinks the journey will go in terms of cyber warfare and terrorism. As well as taking advantage of weaknesses in the Internet of Things, it will increasingly be about mobile attacks (including mobile device locks), manipulation of social bots or attacks on critical infrastructure such as the energy supply.

“Fighting against digital data thieves” was the title of the talk by Michael George from the Cyber Alliance Centre in Bavaria. Actors on the net are always assessing how far they can get with cyber attacks – from young people to professional hackers. The security situation affects all areas of public and business life.

The current situation is somewhere between a constant flood of information on security warnings and total disinterest. Espionage is the world’s second oldest profession and is changing. Digitalisation is making this possible and, because of networking, involves totally new risk areas. “For the automotive industry, IT security has a totally different meaning than before”, George explained. The hazards are linked to a militarisation of the Internet. Cyberspace needs to be better protected. According to George, a lack of unity on the international stage is preventing this. The security expert pointed out that intelligence services use the Internet as their initial source of information about a person. Cyber attacks involving people are particularly successful.

As an example, George cited CIO fraud, which aims to take money out of companies. When it comes to specific trends, he identifies infrastructure and providers rather than direct attacks. In George’s opinion, attacks on routers in the network are another, as is the human “factor” as a target for attack.

One of the main trends in defence is the search for new strategies. The basis for current strategies is to reduce the time between an attack and its discovery. It takes around 200 days before companies notice an attack. New methods are needed, such as analyses or new tools, and above all confidence in the Bavarian state intelligence authority. Unfortunately, in many cases this is lacking. Affected companies are often fearful that the attack will become public.

Aggregation, simulation and getting employees on board

Tim-Benjamin Bohmfalk, Head of Risk and Compliance Management at EDEKA AG, took visitors on a journey into the inner workings of a retail group. In his talk on “Quantitative methods in risk management and corporate management practice” he explained how risks are identified within the company. According to Bohmfalk, typical failings in risk identification include quantifying the overall risk position purely by adding together individual risks or fixed provisions. What should the solution look like? The answer lies in using a description of risks based on scenarios and distribution functions, with a focus on breadth. EDEKA identifies the overall risk using stochastic scenario simulation. Bohmfalk recommends recording individual risks and backing them up with figures. Aggregation and simulation using good software is also important, as is clear assessment of the results.

Jens Schauffert, Risk Manager at EDEKA Handelsgesellschaft Nord, spoke about setting up a risk management system in a real-world business. Schauffert used the risk management roadmap to illustrate the individual elements and phases – from orientation to the roll-out phase. Risk manager Schauffert particularly emphasised the orientation phase and the importance of putting forward-looking risk management on a sound footing. In addition to standards, this includes studying literature and also analysing the network and addressing the issue of training. Jens Schauffert thinks it is important when introducing a risk management system to start by selecting a pilot and growing from there. This involves training for departmental managers and specific risk management training. “The key is to get colleagues on board”, explains Schauffert with reference to the training at EDEKA. There is also software training to explain the structure of the tools and how to record risks. Ultimately, the crucial factor is that employees can record risks independently. This is followed by final agreement with the departmental management, as senior managers must be familiar with their own risks, says Schauffert in summary.

Jürgen Weiß, Head of Central Process Management, Munich Airport.

Prof. Josef Scherer from Deggendorf Technical University.

Workshop: Risks and opportunities in the context of digitalisation – Public sector.

Interactive scenario analysis and business games during the break-out sessions.

Workshop: Risks and opportunities in the context of digitalisation – Automotive.

Pragmatic and sound implementation of risk management

In her talk, Isabelle Göllner, Chief Risk Officer at Hensoldt Sensors GmbH, outlined the development of enterprise risk management (ERM) and an internal control system (ICS) when setting up a company. Hensoldt Holding is a multi-national armaments company based in Germany. It was established in 2017 out of former divisions of Airbus Defence and Space to develop sensor technology for the defence, security and aerospace sectors. When setting up the ERM and ICS system, a lean method based on the pull principle was adopted. The pull principle involves “pulling” products – from a customer perspective – through production, rather than pushing them into production with planning specifications. This method has been transferred to corporate risk management, primarily in order to focus attention on the value chain.

firm Frankfurt Institute for Risk Management and Regulation

“Our objective is process-based optimisation of the company’s service provision as a group”, said Jürgen Weiß, head of central process management at Munich airport. The links between the content of regulatory and legal requirements also demand an integrated and integrative system. In this regard, the risk management process was also simplified and supports the overall system with (semi)automated workflows.

Prof. Josef Scherer from Deggendorf Technical University spoke about digital transformation and the responsibility of management and risk officers in the light of supreme court decisions. “As data processing systems grow in popularity, we can identify a trend away from natural human, holistic thinking towards bureaucracy and narrow-minded thinking,” said Josef Scherer. When it comes to management systems, we have not yet got as far as genuine networked thinking and working. By using human workflow management systems, artificial intelligence, quantum chip technology, people may – after thousands of years – have succeeded in adapting their “written” and management systems based on bureaucratic, analogue “civil servant organisational thinking” to the real networked world. In the “second cognitive revolution”, homo sapiens has to compete with artificial intelligence algorithms. That brings us back to smart machines.

In October 2016, the British physicist Stephen Hawking set out a worst case scenario in which artificial intelligence could destroy or transform society. At the opening of the Centre for the Future of Intelligence at the University of Cambridge last year, Hawking said: “I believe there is no deep difference between what can be achieved by a biological brain and what can be achieved by a computer [...] It therefore follows that computers can, in theory, emulate human intelligence – and exceed it. Artificial intelligence research is now progressing rapidly. Recent landmarks such as self-driving cars, or a computer winning at the game of Go, are signs of what is to come.” That brings us back to the new era, which will see everything turned upside down.

Creative process: Coming up with opportunities and risks from the perspective of a disruptive and digital provider.

Dr. Anette Köcher (RiskNET) moderated the “Risk and Opportunities in the context of digitalisation – Retail” workshop.

Image sources: Stefan Heigl / RiskNET GmbH.


Risk management is an increasingly important and professionalised management tool

Interview with Prof. Manuel René Theisen, co-founder and managing editor of “The Supervisory Board” and Emeritus Professor of Business Management at Ludwig-Maximilian University Munich.

FIRM Editorial: In our over-regulated world and in the conflicting fields of compliance, legislation and entrepreneurship, being a member of a supervisory board might not always be an enviable position. What would you advise people who still want to give it a go?

Manuel René Theisen: Supervisory board member is not a job you can train for. In Germany, and in almost all comparable countries and corporate governance models, the people charged with monitoring do so as a “secondary position”, whatever that might mean in detail and in different circumstances. So “being a supervisory board member” is predominantly a supplementary activity, which is why any advice to take on this exciting additional responsibility depends at least as much on where you come from – professionally and personally – as where you are aiming to get to. Things are different for those who are attempting to establish themselves as “full time” supervisory board members – generally after a long management career. In the circumstances outlined, taking on a supervisory board position – after very detailed assessment of course – does not appear to be that much of a risk. Anyone who is familiar with business knows that you don’t get anything without taking a risk.

FIRM Editorial: So it’s not just a job from hell, as you recently called it at the RiskNET Summit?

Manuel René Theisen: The expression “job from hell” is a quotation from the business press, deliberately over-exaggerated and only related to the few – but of course very widely reported in the media – cases of extreme demands and very difficult conditions. However, it is correct that any job in business, including that of a supervisory board position, can make extreme demands in individual situations, and there is no question of it being a “quiet job” or a “retirement position”.

FIRM Editorial: Supervisory boards do not exactly have the best public reputation. Why is that, and what can supervisory board members do to improve perception of themselves?

Manuel René Theisen: By their very nature, the role and function of a supervisory board are not familiar to the general public from personal experience or observation. Even if their company has a supervisory board, most employees have little awareness of its existence, much less of the names or duties of its members. The image of the supervisory board is shaped by the press and their reporting to an extreme extent. As a result, it's not really surprising that “supervisory board” frequently has a negative connotation, being linked to failure, collapse, passivity and carefree income. According to a recent public survey, more than half of respondents would not want to have a supervisory board member as a neighbour. However, the role and function of a supervisory board are predominantly those of an internally acting corporate body. Therefore, the external impact necessarily remains very limited apart from a few – mostly negative – exceptions. Like auditors, the media often portrays an image of failing fire-fighters, instead of making it abundantly clear that the supervisory board cannot – and indeed is not permitted to – get actively involved in any area of business operations. Nevertheless, they do take on sole responsibility for selecting and recruiting suitable managers, and where necessary dismissing them.

FIRM Editorial: On the other hand, there are some supervisory board members who seem to do everything they can to maintain the poor reputation, seemingly putting their foot in it at every opportunity. Is this pure naivety or power games?

Manuel René Theisen: In reality, some – mainly prominent – supervisory board chairmen repeatedly confuse their monitoring job with that of an active manager. These people have frequently been an executive board member or even CEO of the same or a comparable company before taking on the supervisory board position. A classic case in the recent past is Mr Reitzle (Linde AG), who admitted himself that when he switched to the supervisory board he saw it merely as a change in his formal function, but he had never actually wanted to give up or even share his power. In situations like this, we see power struggles that are clearly detrimental to the company and, above all, to corporate governance. There needs to be less focus on the potential damage of these situations to the functioning of a “respectable” supervisory board and, in many cases, even to the company entrusted to it.

FIRM Editorial: According to your statements, there is a tendency to have a single board rather than a separation model. Can you briefly explain to our readers the differences and which model you think is more sustainable?

Manuel René Theisen: Worldwide, there are two main competing corporate governance models. Alongside the continental European executive board / supervisory board model (executive board manages, supervisory board monitors: separation model), the board model, also known as the single-stage model, is very widespread in the English speaking world. In these companies, there is no organisational separation between active managers (executive members) and the monitoring members (non-executive members). They jointly make decisions that are important for the company – generally in monthly meetings – and the executive members implement them as full-time managers in conjunction with other officers. Greater information and integration of non-executive supervisory members is seen as a major advantage of this model; the main disadvantage is the lack of a monitoring process that is separate from management decisions (personnel and organisational). The dispute about the potential advantages and disadvantages is as old as the models themselves. In practice, where there have always been comparable problems in terms of corporate governance in large companies, it should hardly come as a surprise that no really convincing qualitative advantages or disadvantages have been demonstrated.

FIRM Editorial: In terms of risk management and the increased liability risks for supervisory boards, a key question is how can these risks be minimised?

Manuel René Theisen: Every economist knows that risks cannot be avoided assuming you are aiming to achieve higher returns than a risk-free interest bearing investment. Risk management is an increasingly important and professionalised management tool, which can help the supervisory board to reduce its own monitoring risks and the associated personal liability. Nevertheless, when it comes to the supervisory board it is essential to add a warning that excessive trust in the risk management system can restrict the scope for autonomous action. The best risk management system for supervisory boards is and remains continuous, intensive and responsible performance of the assigned duties and a high level of commitment at all stages of a company.

FIRM Editorial: And what opportunities does this entail?

Manuel René Theisen: The role of a supervisory board involves far more opportunities than risks, viewed across all potential mandates. Just think of the numerous medium-sized companies that have to manage a change of generation. In this case, supervisory boards have an exciting, not always easy but always demanding role – as sparring partners for active managers increasingly drawn from outside the original family, to ensure efficient and forward-looking corporate governance, to safeguard jobs and to deal with the international competitive advantages that frequently exist.

FIRM Editorial: Effective risk management is a high discipline. There are four success factors: methods, organisation, process and “genuine risk culture”. From our perspective, the biggest shortcomings in practice can be found in having a “genuine risk culture” and the chosen “methods”. Effective risk management can significantly increase a company’s robustness. So why is risk management still treated so shabbily by many supervisory boards?

Manuel René Theisen: I can’t assess the extent to which widespread shabby treatment of the issue of risk management in supervisory boards can actually be observed. However, it seems very relevant to me that the issue is particularly and primarily raised when it comes to personnel selection and executive board appointments. If and to the extent that a supervisory board fails to properly address the risk profile and risk responsibility of the managers it appoints, even the best risk management system will subsequently only be capable of carrying out running repairs.

FIRM Editorial: In recent years, auditors – through their association, the IDW – have published a series of auditing standards, including for auditing of compliance management systems (IDW EPS 980), auditing of risk management systems (IDW EPS 981), auditing of internal control systems (IDW EPS 982) and internal auditing systems (IDW EPS 983). The primary target group for the standards are audit committees and supervisory boards in companies, and they enable them to have the effectiveness of the aforementioned systems certified by a third party. That’s a high standard that only rarely withstands a practical test. For example, the risk management audit does not include whether risk identification has actually identified all risks. Is it not true that audit committees and supervisory boards are really being sold an alibi certificate that is more style than substance? Do supervisory boards not have to exercise greater personal commitment? In Swiss companies, for example, there is a system where the head of risk management reports directly to the administrative board, who also appoint and pay them.

Manuel René Theisen: This issue highlights a dilemma. The auditor and the experts from the auditing professions engaged are naturally much more intensively and consistently involved with all auditing issues than even the most dedicated supervisory board member, even if they are a member of the audit committee in the company. I don't believe that this functional gap can be overcome with such a differentiated separation of functions. Instead, it is important for all (non-executive) supervisory board members to give much greater value to the expertise and any (additional) audits by experts but also that they have to be able to rely on them. The comparison with the Swiss (administrative board) model takes us back to the basic principles of the different corporate governance models. Switzerland uses a very flexible model – a mixture of the two models outlined previously. Therefore, the (monitoring) administrative board can fall back on management tools to very different extents, as they all hold internal functions, like the cited “head of risk management”. I believe that the “price” for this includes a (consciously accepted) dilution of responsibilities. If you involve the head of risk management for the ongoing business management process in the monitoring activity, it is very difficult to subsequently assert any non-compliance in business management at a later date.

FIRM Editorial: Would more women on supervisory boards enrich this male-dominated world and help to bring a change of perspective?

Manuel René Theisen: Discussions about quotas, whatever form they take, are a social policy issue. It cannot be properly considered with economic arguments alone. For this perspective, I always come back to the argument by the old master of business management, Erich Gutenberg: The right man or the right woman in the right position.

FIRM Editorial: Looking ahead, where does the supervisory board function have to develop, in terms of its content and the overall framework, to turn the job from hell we spoke about into a profession with future prospects?

Manuel René Theisen: I’m not a future researcher or a psychic. But because of my job I repeatedly ask myself the question of where will supervisory boards go in the future. On the one hand, I can imagine – inherent in the system – partial professionalisation of the job, which will reduce the sizes of the bodies to leave a “hard professional core”, but this approach will entail a partial departure from the idea of a non-executive supervisory board and some variations of co-determination. On the other hand, it could be that the age in which economic systems are led (and monitored) by people alone will be exposed to comparable disruptive developments as the entire industrial process. We have to consider the possibility of robots in the boardroom.

FIRM Editorial: What opportunities would risk managers – who should fundamentally possess analytical capabilities – then have to identify and evaluate opportunities and risks in a company?

Manuel René Theisen: With reference to my previous explanations, the traditional job profile is changing and as such it is hard to draw any specific conclusions for the future. Supervisory boards are not just part of the digitalisation process as subjects; to at least the same extent they are objects of this trend. Everyone should be prepared for this risk and good risk managers can provide impetus and highlight the opportunities that arise.

Prof. Manuel René Theisen is the co-founder and managing editor of “The Supervisory Board” and Emeritus Professor in Business Management at Ludwig-Maximilian University Munich, where he held the chair in General Business Management, Taxation and Tax Law until 2010. He is one of the best-known corporate governance experts in Germany. His other research subjects include the principles and systems of business management monitoring, taxation of companies depending on legal form, tax burden on companies in international comparison, taxation of affiliated companies, business management issues in corporate business and academic works (methodology).