30 Group risk management
Group risk management is a systematic assessment that addresses all kind of risks posing a potential threat to the business activities of the Group. It is the umbrella process for all other risk management activities throughout the Group. The risk assessment process is coordinated by the CFO; however, the ultimate responsibility is with the Board of Directors.
30.2 Risk assessment cycle
30.2.1 Initiation of risk assessment
The Group risk assessment cycle takes place every two years unless otherwise mandated by the Board of Directors or by a triggering event. A review during the intermediate year assesses the need for action.
In a first step, the Board of Directors determines the risk acceptance and appoints the risk assessment team. The risk acceptance defines which combinations of risk characteristics (probability and severity of damage) are acceptable and which are not acceptable for the Group. This definition is the basis for the risk classification (see below). The risk assessment team includes representatives from various functions and disciplines such as Finance, Quality & Regulatory, Advisory & Support, Operations and Internal Audit.
The risk assessment team follows the process that is presented below:
30.2.2 Risk identification
The risk assessment team conducts periodic workshops to identify potential risks in the following categories:
Furthermore, the risk assessment team considers the results of all other risk management activities within the Group:
Product-related risk management
IT risk management
Business risk management for significant business units and market units
30.2.3 Risk estimation and evaluation
Each of the identified risks is estimated and evaluated and finally classified to the following risk categories:
Acceptable risk: No further risk mitigation actions required.
Elevated risk: Further risk mitigation actions recommended. Requires justification and approval by the CFO if no further measures are taken.
Unacceptable risk: Further risk mitigation actions are strongly recommended. Requires justification and approval by the Board of Directors if no further measures are taken.
30.2.4 Risk reduction, risk report and approval
Risk reduction measures must be investigated and implemented for risks that are elevated or unacceptable, unless the risks are explicitly accepted by the risk assessment team.
As a result, the risk assessment team prepares a risk summary report containing all significant risks and measures taken. The final status of the risk assessment is reported to the Executive Management. The Board of Directors finalizes the risk assessment cycle with its approval. Risks remaining unacceptable must each be approved individually.
30.2.5 Risk control
Risk management is a dynamic process and forms a part of all planning and other activities of the Group. Within the process of ongoing risk control, members of the risk assessment team continuously collect information about risk factors and risk-related information. If any new potential elevated or unacceptable risk arises, it is brought immediately to the attention of the CFO.