Risk management: Legal basis and standards

Risk management at the legal level is essential for guarding against bankruptcy or company failure. Here is an explanation.

Over the last decade, we have seen the spectacular collapse or failure of organizations such as the U.S. energy company Enron, the Italian food group Parmalat, and even Swissair. This led to the strengthening of risk management at the legal level.

The Sarbanes-Oxley Act, which entered into force in 2002, and the German law on control and transparency in corporate governance (known as KonTraG) were implemented as a result of these events.

In Switzerland, amendments were added to the Code of Obligations (CO). Moreover, risk management now also applies to directives on workplace health and safety and on products.

According to Swiss law, companies that are subject to ordinary audits must:

  • provide information in their annual report on the performance of a risk assessment (Art. 961c CO)
  • show that there is an internal control system for the internal audit body, which must draw up a written report on this issue, among others, to be submitted to the general meeting (Art. 728a and 728b CO)

Who has to do what?

Sole proprietorships and general and limited partnerships are not legally obliged to draw up an annual report or to provide information on risk assessments. However, all other companies must draw up an annual report with the required information if they exceed two of the three following thresholds in two successive fiscal years (Art. 727 CO):

  • CHF 20 million
  • Revenue: CHF 40 million
  • Number of employees: 250

There is, however, an exception: if the company exceeds the limits specified above but is part of a group that uses the consolidated accounting method in accordance with a recognized reporting standard, and if a qualified minority does not require this information, the company shall not be obliged to provide information on the risk assessment (Art. 961d CO).


Last modification 27.02.2020
