The duty of holistic corporate management
Practice is the best teacher. In today’s environment—where politicians, institution leaders, and physicians have all become “risk managers”—concepts like proactive risk indicators, incidence rates, and reproduction numbers have entered everyday conversation. As diverse measures are proposed, it becomes clear that the right risk strategy is complex and multi-layered. Risks relate to controls, but risks are also deeply interconnected.
COVID-19 shows how protecting public health is tightly linked to the economic future of entire industries, personal livelihoods, and even education. Effective risk control in one domain can create major challenges—or existential threats—in another. Leaders must weigh interests, analyze opportunities and risks, and make decisions that keep the “enterprise” on track. Even if success can only be assessed years later, it’s already evident that risk management must take a holistic view. The answer is neither “protect life at any cost” nor “absolute freedom and self-responsibility.” Goal-aligned risk management is nuanced.
See the Whole Picture
Practitioners, auditors, and advisors have long argued for a holistic view of risk. Risk management and experts across disciplines must work together to stay capable and competitive. Flexible solutions should be integrated across functions and processes to enable an end-to-end perspective. Simple, Excel-based risk lists and backward-looking “reporting islands” rarely serve the purpose. Too many white—or grey—swans are mislabeled as black and used as excuses for absent risk management. Human error, biases, and siloed views drive strategic mistakes at all levels. Crises reveal how prepared an organization—or a state—really is to manage uncertainty.
Key Questions for Readiness
- Are responsibilities, accountabilities, and authorities clearly defined?
- Are processes and procedures documented?
- Is there reliable data to support decisions?
- Are response measures prepared, or does panic set in once it’s too late?
- Do systems enable cross-location, cross-function collaboration and prevent manual, costly workarounds?
Risk avoidance and opportunity-taking must be embedded in daily routines at every level. Missteps by individuals can have massive consequences for the whole. We need a pervasive, appropriate, and widely accepted risk culture as the foundation of effective risk management. Only with trust in leadership can strategy, objectives, performance, and continuity be sustained.
Integrated Risk Management: Making Complexity Manageable
In complex systems, decisions always carry risk—and often must be made fast. Direct and indirect effects can’t always be modeled with sufficient accuracy. Mistakes are inevitable, and critics will always claim after the fact that they knew better. Still, directors’ duties and legal requirements remain, including §§ 91 and 93 AktG, and the revised IDW PS 340.
Risk-Based Thinking Across Standards
- ISO 9001:2015 (Quality Management): risk-based thinking for product and process quality.
- ISO 45001 (Occupational Health & Safety): eliminate hazards and reduce OH&S risks.
- ISO/IEC 27001 (Information Security): threats across confidentiality, integrity, availability.
- ISO 22301 and BSI 100-4 (Business Continuity): continuity in emergencies and crises.
- ISO 19600 / IDW PS 980 (Compliance): risk-based compliance management.
Too many organizations treat these systems as silos with different risk methods. Controls overlap, and reports on likelihood and impact often conflict. Buzzwords and early warning indicators add no value if the process ends in an Excel list. The pressure to act has never been higher. Complex is not the same as complicated. Connect the essentials, standardize where possible, and manage end-to-end with system support. A risk-based approach focuses on what matters and reduces complexity. Good solutions don’t have to be complicated.
How Integrated Risk Management Works
Integrated risk management (IRM) assesses risk impacts across the entire organization and across management functions. It provides a structured, systematic way to deal with hazards and their causes. Risks are not abstract—they have concrete causes and manifest across processes, systems, products, suppliers, supply chains, projects, infrastructure, and finance.
Link Causes to Enterprise Impact
Linking risk causes to impacts on processes, systems, operations, products, vendors, supply chains, projects, infrastructure, and financials is essential. Combine this with linking actions to accountable units in procurement, logistics, sales, and administration. This strengthens the enterprise, prevents loss events, and reduces impact.
Benefits of a Unified GRC Platform
- Redundant effort is eliminated.
- Clear role models enable enterprise-wide risk analysis and ownership.
- Actions are standardized and implemented across the organization.
- Employee and business unit adoption increases.
- Executives and boards get cockpit overviews of GRC initiatives.
- Implementation status of actions is transparent.
- Duties under good governance and directors’ care are met.
- Organizational failure is avoided.
Methods to Tame Complexity
Combine methods “like a Lego set”: simple simulations, questionnaires, Monte Carlo, risk aggregation, and interdependency analysis. Integrate internal and external data streams and third-party feeds. Standardized models and patterns speed best-practice adoption and integration with existing policies. With modern software, implementing an integrated risk management system can be straightforward. One solution, one platform.
Source
Originally published on risknet.de. This piece was translated into English with GPT-5. The thoughts are the author’s—any odd turns of phrase are the machine’s.