Insurance | 23 January 2019

“Prediction is very difficult, especially about the future.” Managers are faced with the consequences of this aphorism on a daily basis. Even diligent management inevitably means taking risks.

Both statutory and contractual liability provisions mean that managers increasingly focus on documentation exercises in order to mitigate risks. For the same reason, risk management systems are constantly refined so as to identify and differentiate risks and reflect these in internal risk and process control systems, allowing for quantification and planning. Yet it is often the risk of (supposed) “fat tails” that jeopardises businesses and triggers issues of manager liability.

This article examines, primarily from an Austrian perspective, which standard of care directors and officers owe when it comes to quantifying a business’ risks and, subsequently, to providing for adequate safeguards or mitigation measures against those risks.

Duty to Establish an Internal Control or Risk Management System?

Incorporated companies (‘Kapitalgesellschaften’) are under a legal duty to establish an Internal Control System (“ICS”). Specifically, this means that directors and officers have to safeguard the establishment of rules and methods ensuring the company’s financial stability, proper accounting and compliance with corporate policy.

The establishment of a – more elaborate and complex – Risk Management System (“RMS”), under Austrian law, is mandatory only for banking institutions, insurance and re-insurance undertakings as well as for some areas of business, for which special sector-specific provisions exist (e.g. investment funds). Thus, on the face of it, there appears to be no (statutory) duty to establish a Risk Management System for all incorporated companies (as opposed to the general duty to establish an ICS, see above). Yet, risk management is an integral component of any internal monitoring or control system. To that effect, the Austrian Corporate Governance Codex (ÖCGC) requires – for the undertakings it applies to – the establishment of a viable RMS (cf rules 9, 69 et seq ibid.).

The concept of risk management, ultimately, does not stem from corporate law but is rather generally considered to be a core task of business management and thus rooted in (micro-) economic rather than legal concepts. As a consequence, from a business administration point of view, the establishment of a tailor-made RMS can be regarded as the expected standard in terms of diligent and modern business management. International standards such as those of the ISO 31000 family can provide guidance when creating Risk Management Systems.

Establishment and Contents of a Risk Management System

In light of the fact that the legislator did not regulate the necessary basic form and minimum content of Risk Management Systems, the relevant parameters are to be drawn from strategic business insights. In this regard, the term “risk” does not have a strictly negative connotation. In fact, it also includes the taking of entrepreneurial chances in order to realise the potential advantages of the management decision. The goal of any risk management is to avoid situations that could jeopardise the business and, at the same time, to focus on those opportunities that best match the strategic business goals. In this respect, Risk Management Systems are supposed to serve as means to ensure a certain amount of stability. The idea is not, however, to eliminate all risk or to constantly act on the presumption of a worst-case analysis, as this would paralyse entrepreneurial behaviour altogether.

Hence, as a first step, one has to identify the company’s individual willingness and ability to take risks. In this regard, effective risk management requires a detailed, case by case analysis of any and all risks arising out of the business activities carried out. This exercise is necessary even in cases where – due to an increased willingness to take risks – certain risks are eventually disregarded in the planning of the desired risk control. Once the entirety of risks has been identified, their individual connections and possible reciprocal relationships have to be established.

Before deciding on the appropriate means and measures to control or steer the risks identified and quantified as relevant, an in-depth risk assessment and risk analysis is to be carried out. This enables an undertaking’s management to identify the extent and probability of harm or damage that certain individual risks may cause. Based on these cost-benefit findings, directors and officers can make informed decisions on tackling undue risks and controlling tolerable or even viable risks. Potential risk management measures include (i) the general avoidance of risk (discontinuation of risk-prone business activities), (ii) the reduction of risk (quality inspections), (iii) the reduction of the potential damage amount (hedging of price risks), (iv) the decision to bear the risk (when sufficient equity or liquidity is available) as well as (v) transferring the risk to a third party (e.g. by way of taking out insurance).

In order for the RMS to function and have a lasting effect, the steps outlined above have to be checked and repeated on a regular basis.

Effects of the Business Judgement Rule on the Establishment of Risk Management Systems

According to the Business Judgement Rule (“BJR”), a decision taken by a director or officer is considered to have been in line with the general requirement of acting with the care of a prudent businessman if the decision is made “on an informed basis, in good faith, and in the honest belief that their actions are in the corporation’s best interest”.

Where a decision taken fulfils the criteria of the Business Judgement Rule but eventually turns out to be detrimental, the responsible directors or officers will – as a general rule – be exempt from liability. Austrian law explicitly sets forth this rule for private limited companies (‘Gesellschaft mit beschränkter Haftung’ or ‘GmbH’) and public limited companies (‘Aktiengesellschaft’ or ‘AG’).

Consequently, obtaining sufficient data first and only then making an (informed) decision is essential for avoiding liability. However, the Business Judgement Rule can only provide a safe harbour to the extent that the decision is not contrary to statutory provisions, stipulations in the articles of incorporation or basic principles of business administration.

Therefore, in the given context, it is necessary to distinguish between compliance with basic principles of risk management (identification, evaluation and controlling of risks) on the one hand and their implementation on the other hand. Directors and officers are – as a consequence of their obligation to exercise the care of a prudent and diligent manager – obliged to adhere to these principles. This, in turn, means that reliance on the Business Judgement Rule is not possible if these principal duties are neglected.

However, directors and officers have a certain discretion when deciding which instruments and measures are to be implemented in order to mitigate and control the various risks identified. The same level of discretion applies with regard to the chosen method of risk evaluation. This creative freedom is limited in the sense that outdated or completely unorthodox methods may not be taken into account.

The extent to which risk management is to be implemented as well as the choice of instruments to be applied will depend on factors such as (i) the size, complexity and economic capacity of the business, (ii) the specifics of the market in which it operates, and (iii) any specific factors, such as a shortage in liquidity.

Summing up, the establishment of an appropriate Risk Management System is obligatory for all undertakings. Directors and officers are, however, relatively free in deciding on the methods of identifying and assessing risks as well as on which means and instruments to implement in order to control the respective risks. In order to avoid liability in light of the principles of the Business Judgement Rule, each director or officer concerned has to be able to prove that the decision in question was taken on an informed basis, i.e. based on a thorough risk analysis.

Is there a Duty to Insure?

The materialisation of risks often results in deviations from an undertaking’s economic planning (e.g. loss of profits, unexpected expenses). One method of counterbalancing these discrepancies is to take out insurance. This, in essence, transfers the insured risks to a third party with the goal of minimising and, if possible, fully balancing any future losses.

From a strictly statutory point of view, this approach is optional for most companies doing business in Austria. Austrian law – except for certain particular business activities and risks – does not provide for a general obligation to take out business liability insurance or any other form of (pecuniary damage) liability insurance such as Directors and Officers Liability Insurance (“D&O insurance”). If, in economic terms, this form of risk management is the most appropriate solution, obtaining adequate insurance coverage should be considered.

The decision whether to take out insurance and, subsequently, the choice of insurance product can and should be based on the findings of the risk analysis already carried out. Thus, the potential extent of loss and the probability of occurrence will have to be evaluated against the background of insurance premiums. This deliberation process should also consider the differences between the various insurance products available on the market (or individually customised insurance solutions), e.g. in terms of sum insured, deductibles and coverage exclusions, as well as, more generally, other ways of loss mitigation. Where, however, the materialisation of a certain high-stake risk has the potential to endanger the economic existence of an undertaking, management is obliged to ensure adequate insurance coverage even where other (less effective) means of minimising risk are more affordable.

It should be noted that not all risks are insurable for legal or factual reasons and that it does not necessarily make sense to obtain coverage for each and every risk regardless of the costs. Risk mitigation by way of taking out insurance is only advisable when it comes at a commercially reasonable price (cost-benefit analysis).

In a nutshell, there is no general (legal) duty to obtain insurance coverage. However, the standard of care of a prudent and diligent manager requires directors and officers to review, for all risks identified as relevant, the financial reasonableness of obtaining insurance coverage.

D&O Insurance – The Panacea Insurance Policy?

Directors and Officers Liability Insurance policies are often presumed to be some kind of “super-insurance” addressing all business risks. Consequently, one might expect D&O insurance policies to also cover situations in which the responsible directors and officers consciously failed to ensure risk-adequate insurance coverage for a certain hazard or contingency (thus providing insurance coverage for risks not insured). This conclusion can of course not be drawn. It goes without saying that the D&O insurer will not compensate losses accrued as a result of management’s conscious or even deliberate failure to manage the risk in question (or, all the more, where management did not provide for risk control mechanisms at all). Additionally, one has to keep in mind that the typical D&O policy merely covers pecuniary losses (‘Vermögensschäden’) and generally excludes indirect losses, e.g. those resulting from personal or material damage (‘unechte’ or ‘abgeleitete Vermögensschäden’).

All the same, the popularity of D&O insurance remains high, inter alia owing to the fact that most D&O products offer a fairly reasonable, cost-effective protection against risks that were previously unknown (despite a thorough risk analysis). The presence of D&O coverage as an addition to an existing control system – be it an ICS or an RMS – enables an undertaking’s directors and officers to act more freely in reaching business decisions by reducing the impact of liability risks.


Based on the above illustrations, every executive is obliged to not only see to the establishment of an effective Risk Management System but also to intervene appropriately where (considerable) risks are in fact identified. Directors and officers may, on the other hand, decide at their own discretion on the exact means and methods to implement as well as on whether to obtain insurance coverage for certain risks.

Legal Briefing

  • Philipp Strasser, Partner, Vavrovsky Heine Marth Rechtsanwälte GmbH

  • Jan Philipp Meyer, Attorney at Law, Vavrovsky Heine Marth Rechtsanwälte GmbH

Insurance | 24 September 2018

The European Union’s new data protection regime – the General Data Protection Regulation (EU) 2016/679 (“GDPR”), which replaced its 20-year-old predecessor – attracted international attention even beyond the EU’s borders in recent months. In fact, few other instruments of secondary European Union law have been more widely received and discussed than the GDPR. The reasons behind this increased public interest for this regulation are manifold.

Dispute resolution | 18 June 2018

Vienna, 18 June 2018. Vavrovsky Heine Marth welcomes international arbitration expert Anne-Karin Grill as a new partner of the firm. Anne-Karin is accompanied by fellow arbitration lawyer Stéphanie Caligara, who is a member of the Paris Bar. Their move marks a decisive step forward for the thriving dispute resolution practice of Vavrovsky Heine Marth.

Anne-Karin Grill is an experienced international arbitration lawyer specialising in commercial dispute resolution and alternative dispute resolution (ADR) and advises clients in arbitration proceedings in accordance with the rules of key arbitration institutions (ICC, VIAC, LCIA, DIS, SCAI, etc.). She also has an excellent track record in advising international clients in investor-state arbitrations conducted under both the ICSID and UNCITRAL Rules. In addition to advocating for her clients’ interests before international tribunals, Anne-Karin regularly serves as (sole) arbitrator and acts as a CEDR accredited mediator in multi-jurisdictional commercial disputes.

From 2015 through 2018, Anne-Karin Grill was a partner at the Vienna office of Schoenherr, an international law firm active in Austria and the CEE/SEE region. There, she was a driving force behind the consolidation of the firm’s international arbitration practice. Legal directories rank Anne-Karin Grill amongst the leading Austrian arbitration experts – most recently Who’s Who Legal and Global Arbitration Review, which recognised her as a “Future Leader in International Arbitration” and described her as “a strong presence that cannot go unnoticed.” Anne-Karin Grill studied at the Université Catholique de Louvain-la-Neuve and is a graduate of the University of Vienna (Mag. iur., 2001) as well as of Georgetown University (M.A. International Security Studies, Fulbright Fellow, 2004).

Stéphanie Caligara joins Anne-Karin Grill at Vavrovsky Heine Marth

Together with Anne-Karin Grill, former Schoenherr associate Stéphanie Caligara moves to Vavrovsky Heine Marth: Stéphanie, who is a member of the Paris Bar, has worked for leading international arbitration firms at their offices in Geneva, Paris and Vienna. She read law at Jean Moulin Lyon III University as well as at Leiden University. She also holds a Master’s degree (LL.M.) from the Graduate Institute of International Studies in Geneva. In 2014, she received a study grant from UCLA School of Law and was awarded the Masin Family Academic Award in recognition of her academic achievements.

Expansion of Vavrovsky Heine Marth’s Dispute Resolution Practice

“Anne-Karin Grill is a well-respected colleague with a wealth of international experience. We are very happy to welcome her as a partner at Vavrovsky Heine Marth. Anne-Karin combines legal competence with a great sense for dispute resolution matters – be it in respect of the effective pursuit of a claim before a state court, be it in respect of alternative dispute resolution through arbitration or mediation proceedings. She is a great asset for our firm”, says Nikolaus Vavrovsky, partner at Vavrovsky Heine Marth. “Stéphanie Caligara will help us to further broaden the foundation of our firm’s dispute resolution practice – a very pleasant and certainly welcome reflection of the successful past years.”

“Vavrovsky Heine Marth stands for a dynamic dispute resolution practice. The prospect of advancing the firm’s arbitration practice both at the domestic and international level together with Nikolaus Vavrovsky appeals to me. I take up the challenge with verve and enthusiasm and look forward to working with my new team”, says Anne-Karin Grill.

Vavrovsky Heine Marth has earned recognition as a leading address in Austria in the field of dispute resolution by leading legal directories. Nikolaus Vavrovsky (International Arbitration), Dieter Heine (Complex Commercial Litigation) and Philipp Strasser (Insurance Litigation) advise clients on conflict prevention and management strategies and act as legal counsel before domestic and international courts as well as arbitral tribunals.

About Vavrovsky Heine Marth

Vavrovsky Heine Marth is a corporate law firm with offices in Vienna and Salzburg. A team of more than 50 professionals offers support to corporates as well as private clients on all aspects of commercial life. The focus areas of the firm’s legal advisory business are dispute resolution as well as real estate and construction. The firm’s Salzburg office focuses on insolvency and restructuring and is a go-to address for private clients. As an exclusive member of ALLIURIS, Vavrovsky Heine Marth offers its clients access to over 450 legal professionals around the globe.

More information available at

For further information please contact:

Vavrovsky Heine Marth Rechtsanwälte
Dr. Irina Bernert, PR & Marketing
T +43 664 889 290 99

Press Release


International Comparative Guides | 12 December 2017

Austrian law regards directors and officers as fiduciaries of their respective company (or rather: its shareholders). This is because, as a basic principle, executives do not usually manage their own assets but rather assets belonging to third parties.


International Comparative Guides | 31 August 2017

While Warranties and Indemnities Insurance (“W&I Insurance”) has long since been anchored in Anglo-American transactional practice, this type of insurance has only recently gained importance in continental Europe and, in particular, on the Austrian market.
