Implementation: Principles to adopt to reduce risk

Now that the essential principles and directives have been drawn up, the concept of risk management needs to be elaborated upon. 

Principles and directives are drawn up throughout the project to summarize all decisions and procedures. These documents are approved by the company's managers and senior executives. Employees then use the documents as guidance when managing the company's risks.

The measures defined in the Risk-Management Process phase have now been implemented. A key component is the constant monitoring of implementation and the accompanying report, both of which are the responsibility of the risk manager. Periodic summaries of all the risks must be made and sent to the company's senior executives and board of directors, including the status of the measures implemented. 

Communication in the management report

The new legal provisions (art. 961c, CO) require companies to append a risk assessment to the management report.

The information about the risk assessment must indicate the difference between the risk-assessment procedure and the risks themselves.

This information concerns the procedure and structure of the risk assessment and, potentially, risk management. It is supplemented by a report on the measures relating to the risks identified. It is a good idea to address the following points in the report:

Procedure
  General comments: Completion of the risk assessment and, where applicable, the risk-management procedure
  Detailed information: Details on the procedure, such as:
  • frequency of the risk assessment
  • assessment methods
  • use of the risk environment

Structure
  General comments: General comments on the breakdown of responsibilities
  Detailed information: Details on the structure, such as:
  • responsibilities (e.g. positions/departments)
  • report
  • outline of the framework conditions

Measures
  General comments: General comments on the measures defined for the risks identified, particularly on those with an influence on the financial report
  Detailed information: Details on the measures adopted, such as:
  • report on the internal-control system
  • information on the measures of risk management, law/compliance, procedures, insurance, etc.
  • General information on risks deemed by the board of directors to be absolute priorities.
  • Additional information on the main specific risks identified that have an impact on the annual financial statements.
  • Additional information on the main specific commercial risks.

Companies subject to a limited review can restrict their report to general comments on their risk-assessment procedure.

Companies subject to the ordinary review must publish a detailed presentation of their risk-assessment procedure and provide information about the risks identified.

Table. Example of a possible publication of a risk evaluation process


Last modification 07.05.2021
