Implementation

Now that the essential principles and directives have been drawn up, the concept of risk management needs to be elaborated upon.

Principles and directives are drawn up throughout the project to summarize all decisions and procedures. These documents are approved by the company's managers and senior executives. Employees then use the documents as guidance when managing the company's risks.

The measures defined in the Risk-Management Process phase have now been implemented. A key component is the constant monitoring of implementation and the accompanying report, both of which are the responsibility of the risk manager. Periodic summaries of all the risks must be made and sent to the company's senior executives and board of directors, including the status of the measures implemented.

Communication in the management report

The new legal provisions (art. 961c, CO) require companies to append a risk assessment to the management report.

The information about the risk assessment must indicate the difference between the risk-assessment procedure and the risks themselves.

This information concerns the procedure and structure of the risk assessment and, potentially, risk management. It is supplemented by a report on the measures relating to the risks identified. It is a good idea to address the following points in the report:

	General comments	Detailed information
Procedure	Completion of the risk assessment and, where applicable, the risk-management procedure	Details on the procedure, such as: frequency of the risk assessment assessment methods use of the risk environment
Structure	General comments on the breakdown of responsibilities	Details on the structure, such as: responsibilities (e.g. positions/departments) report outline of the framework conditions
Measures	General comments on the measures defined for the risks identified, particularly on those with an influence on the financial report	Details on the measures adopted, such as: report on the internal-control system information on the measures of risk management, law/compliance, procedures, insurance, etc.

General comments

Detailed information

Procedure

Completion of the risk assessment and, where applicable, the risk-management procedure

Details on the procedure, such as:

frequency of the risk assessment
assessment methods
use of the risk environment

Structure

General comments on the breakdown of responsibilities

Details on the structure, such as:

responsibilities (e.g. positions/departments)
report
outline of the framework conditions

Measures

General comments on the measures defined for the risks identified, particularly on those with an influence on the financial report

Details on the measures adopted, such as:

report on the internal-control system
information on the measures of risk management, law/compliance, procedures, insurance, etc.

General information on risks deemed by the board of directors to be absolute priorities.
Additional information on the main specific risks identified that have an impact on the annual financial statements.
Additional information on the main specific commercial risks.

Companies subject to a limited review can restrict their report to general comments on their risk-assessment procedure.

Companies subject to the ordinary review must publish a detailed presentation of their risk-assessment procedure and provide information about the risks identified.