“Prediction is very difficult, especially about the future.” Managers are faced with the consequences of this aphorism on a daily basis. Even diligent management inevitably means taking risks.
Both statutory as well as contractual liability provisions entail that managers increasingly focus on documentation exercises in order to mitigate risks. For the same reason, risk management systems are constantly refined so as to identify and differentiate risks and reflect these in internal risk and process control systems to allow for quantification and planning. Yet, often it is the risk of (supposed) “fat-tails” that jeopardise businesses and trigger issues of manager liability.
This article examines, primarily from an Austrian perspective, which standard of care directors and officers owe when it comes to quantifying a business’ risks and, subsequently, to providing for adequate safeguards or mitigation measures against those risks.
Duty to Establish an Internal Control or Risk Management System?
Incorporated companies (‘Kapitalgesellschaften’) are under a legal duty to establish an Internal Control System (“ICS”). Specifically, this means that directors and officers have to safeguard the establishment of rules and methods ensuring the company’s financial stability, proper accounting and compliance with corporate policy.
The establishment of a – more elaborate and complex – Risk Management System (“RMS”), under Austrian law, is mandatory only for banking institutions, insurance and re-insurance undertakings as well as for some areas of business, for which special sector-specific provisions exist (e.g. investment funds). Thus, on the face of it, there appears to be no (statutory) duty to establish a Risk Management System for all incorporated companies (as opposed to the general duty to establish an ICS, see above). Yet, risk management is an integral component of any internal monitoring or control system. To that effect, the Austrian Corporate Governance Codex (ÖCGC) requires – for the undertakings it applies to – the establishment of a viable RMS (cf rules 9, 69 et seq ibid.).
The concept of risk management, ultimately, does not stem from corporate law but is rather generally considered to be a core task of business management and thus rooted in (micro-) economic rather than legal concepts. As a consequence, from a business administration point of view, the establishment of a tailor-made RMS can be regarded as the expected standard in terms of diligent and modern business management. International standards such as those of the ISO 31000 family can provide guidance when creating Risk Management Systems.
Establishment and Contents of a Risk Management System
In light of the fact that the legislator did not regulate the necessary basic form and minimum content of Risk Management Systems, the relevant parameters are to be drawn from strategic business insights. In this regard, the term “risk“ does not have a strictly negative connotation. In fact, it also includes the taking of entrepreneurial chances in order to realise the potential advantages of the management decision. The goal of any risk management is to avoid situations that could jeopardise the business and, at the same time, to focus on those opportunities that best match the strategic business goals. In this respect, Risk Management Systems are supposed to serve as means to ensure a certain amount of stability. The idea is not, however, to eliminate all risk or to constantly act on the presumption of a worst-case analysis as this would paralyse entrepreneurial behaviour altogether.
Hence, as a first step, one has to identify the company’s individual willingness and ability to take risks. In this regard, effective risk management requires a detailed, case by case analysis of any and all risks arising out of the business activities carried out. This exercise is necessary even in cases where – due to an increased willingness to take risks – certain risks are eventually disregarded in the planning of the desired risk control. Once the entirety of risks has been identified, their individual connections and possible reciprocal relationships have to be established.
Before deciding on the appropriate means and measures to control or steer the risks identified and quantified as relevant, an in-depth risk assessment and risk analysis is to be carried out. This enables an undertaking’s management to identify the extent and probability of harm or damage that certain individual risks may cause. Based on these cost-benefit findings, directors and officers can make informed decisions on tackling undue risks and controlling tolerable or even viable risks. Potential risk management measures include (i) the general avoidance of risk (discontinuation of risk-prone business activities), (ii) the reduction of risk (quality inspections), (iii) the reduction of potential damage amount (hedging of price risks), (iv) the decision to bear the risk (when sufficient equity or liquidity is available) as well as (v) transferring the risk to a third party (e.g by way of taking out insurance).
In order for the RMS to function and have a lasting effect, the steps outlined above have to be checked and repeated on a regular basis.
Effects of the Business Judgement Rule on the Establishment of Risk Management Systems
According to the Business Judgement Rule (“BJR“) a decision taken by a director or officer is considered to have been in line with the general requirement of acting with the care of a prudent businessman if the decision is made ”on an informed basis, in good faith, and in the honest belief that their actions are in the corporation’s best interest”.
Where a decision taken fulfils the criteria of the Business Judgement Rule but eventually turns out to be detrimental, the responsible directors or officers will – as a general rule – be exempt from liability. Austrian law explicitly sets forth this rule for private limited companies (‘Gesellschaft mit beschränkter Haftung’ or ‘GmbH’) and public limited companies (‘Aktiengesellschaft’ or ‘AG’).
Consequently, obtaining sufficient data first and only then making an (informed) decision is quintessential for avoiding liability. However, the Business Judgement Rule can only provide for a safe harbour to the extent that the decision is not contrary to statutory provisions, stipulations in the articles of incorporation or basic principles of business administration.
Therefore, in the given context, it is necessary to distinguish between compliance with basic principles of risk management (identification, evaluation and controlling of risks) on the one hand and their implementation on the other hand. Directors and officers are – as a consequence of their obligation to exercise the care of a prudent and diligent manager – obliged to adhere to these principles. This, in turn, means that reliance on the Business Judgement Rule is not possible if these principal duties are neglected.
However, directors and officers have a certain discretion when deciding which instruments and measures are to be implemented in order to mitigate and control the various risks identified. The same level of discretion applies with regard to the chosen method of risk evaluation. This creative freedom is limited in the sense that outdated or completely unorthodox methods may not be taken into account.
The extent to which risk management is to be implemented as well as the choice of instruments to be applied will depend on factors such as (i) the size, complexity and economic capacity of the business, (ii) the specifics of the market in which it operates, and (iii) any specific factors, such as a shortage in liquidity.
Summing up, the establishment of an appropriate Risk Management System is obligatory for all undertakings. Directors and officers are, however, relatively free in deciding on the methods of identifying and assessing risks as well as on which means and instruments to implement in order to control the respective risks. In order to avoid liability in light of the principles of the Business Judgement Rule, each director or officer concerned has to be able to prove that the decision in question was taken on an informed basis, i.e. based on a thorough risk analysis.
Is there a Duty to Insure?
The materialisation of risks often results in deviations from an undertaking’s economic planning (e.g. loss of profits, unexpected expenses) One method of counterbalancing these discrepancies is to take out insurance. This, in essence, transfers the insured risks to a third party with the goal to minimise, and if possible, to fully balance any future losses.
From a strictly statutory point of view, this approach is optional for most companies doing business in Austria. Austrian law – except for certain particular business activities and risks – does not provide for a general obligation to take out business liability insurance or any other form of (pecuniary damage) liability insurance such as Directors and Officers Liability Insurance (“D&O insurance”). If, in economic terms, this form of risk management is the most appropriate solution, obtaining adequate insurance coverage should be considered.
The decision whether to take out insurance and, subsequently the choice of insurance product can and should be based on the findings of the risk analysis already carried out. Thus, the potential extent of loss and occurrence probability will have to be evaluated against the background of insurance premiums. This deliberation process should also consider the differences between the various insurance products available on the market (or individually customised insurance solutions) e.g. in terms of sum insured, deductibles and coverage exclusions as well as, more generally, other ways of loss mitigation. Where, however, the materialisation of a certain high-stake risk has the potential to endanger the economic existence of an undertaking, management is obliged to ensure adequate insurance coverage even where other (less effective) means of minimising risk are more affordable.
It should be noted that not all risks are insurable for legal or factual reasons and that it does not necessarily make sense to obtain coverage for each and every risk regardless of the costs. Risk mitigation by way of taking out insurance is only advisable when it comes at a commercially reasonable price (cost-benefit analysis).
In a nutshell, there is no general (legal) duty to obtain insurance coverage. However, the standard of care of a prudent and diligent manager requires directors and officers to review, for all risks identified as relevant, the financial reasonableness of obtaining insurance coverage.
D&O Insurance – The Panacea Insurance Policy?
Directors and Officers Liability Insurance policies are often presumed to be some kind of “super-insurance” addressing all business risks. Consequently, one might expect that D&O insurance policies were to also cover situations in which the responsible directors and officers consciously failed to ensure risk-adequate insurance coverage for a certain hazard or contingency (thus providing insurance coverage for risks not insured). This conclusion can of course not be drawn. It goes without saying that the D&O insurer will not compensate losses accrued as a result of management’s conscious or even deliberate failure to manage the risk in question (or, all the more, where management did not provide for risk control mechanisms at all). Additionally, one has to keep in mind that the typical D&O policy merely covers pecuniary losses (‘Vermögensschäden’) and generally excludes indirect losses, e.g. those resulting from personal or material damage (‘unechte’ or ‘abgeleitete Vermögensschäden’).
All the same, the popularity of D&O insurance remains high, inter alia owing to the fact that most D&O products offer a fairly reasonable, cost-effective protection against risks that were previously unknown (despite a thorough risk analysis). The presence of D&O coverage as an addition to an existing control system – be it an ICS or an RMS – enables an undertaking’s directors and officers to act more freely in reaching business decisions by reducing the impact of liability risks.
Based on the above illustrations, every executive is obliged to not only see to the establishment of an effective Risk Management System but also to intervene appropriately where (considerable) risks are in fact identified. Directors and officers may, on the other hand, decide at their own discretion on the exact means and methods to implement as well as on whether to obtain insurance coverage for certain risks.