Abstract: |
Companies are exposed to various risks in their day-to-day business that can
affect their financial performance, competitiveness, and long-term
profitability. Trends such as globalization and rapid technological
development are changing the dynamics of and uncertainties faced by companies
and increasing the likelihood of crises. The COVID-19 pandemic, the Wirecard
scandal, and cyberattacks are just a few recent examples. Therefore, companies
must deal with risks in a structured manner using a risk management system.
However, the approaches used are not standardized. Although risk management
standards guide how to structure them, they still need to be customized for
each company. Common risk strategies range from risk reduction and risk
transfer to the avoidance of certain business activities. For example, a risk
can be transferred to insurance companies or reduced by voluntary assurance of
the risk management system. With the introduction of the Financial Market
Integrity Strengthening Act, risk management systems have become mandatory for
listed companies in Germany. In the United States, a risk management system is
not mandatory, although this is the case for an internal control system for
financial reporting. Due to the high relevance of risk management systems,
companies can voluntarily implement risk management system assurance to verify
the effectiveness and appropriateness of the system. This can ensure that
risks are adequately managed, while also sending a positive signal to
stakeholders. However, it is not only the implementation of the risk
management system that is crucial, but also the communication of the risks and
measures that the company intends to take to manage them. By disclosing
risk-related information, managers can demonstrate their risk management
capabilities and thus reduce information asymmetries between the company and
its stakeholders. In addition, risk-related information is of major interest
to stakeholders, as it enables them to more effectively assess the company’s
risk exposure. In addition to mandatory risk disclosure and risk-related
information, companies tend to supplement this with voluntary information.
Given the relevance of risk disclosure and related assurance services, this
dissertation deals with these topics in two main chapters. The first five
studies deal with the spectrum of risk disclosure, whereas the last two
address the impact of assurance services. The first study examines risk
disclosure in the German capital market. For this purpose, the annual reports
of HDAX companies from the 2018, 2019, and 2020 fiscal years were examined,
using qualitative content analysis. The study focused on the volume of
disclosure, the reported risk categories and individual risks over the period
mentioned. The results indicate that the number of individual risks published
increased significantly. Currency and cyber risks in particular were discussed
frequently. Companies and stakeholders can use the results to identify best
practices in risk disclosure. For legislators, the results offer guidance for
further statutory regulation. The second study examines the determinants of
risk disclosure using regression analysis. Again, the annual reports of HDAX
companies between 2018 and 2020 were used as the database. The determinants
were identified for the volume of risk disclosure, individual risks, and risk
management measures. The results contribute to recognizing the influencing
factors, which can help investors make informed decisions. The third study
examines textual dissimilarity in risk disclosures and its determinants in the
US capital market from 2005 to 2022, with a sample of 29,070 company-year
observations. The results provide empirical evidence that risk disclosure is
regularly updated only to a limited extent, except for unforeseen events such
as the financial crisis or the COVID-19 pandemic. Concerning the determinants,
it is evident that risk variables and audit-specific variables, in particular,
influence textual dissimilarity. The fourth study describes a qualitative
content analysis of HDAX companies for the 2019 fiscal year regarding
disclosures on risk management systems. The results indicate rather
heterogeneous reporting. An average of 6.52 of 8 basic components of the IDW
assurance standard IDW AsS 981 were reported. However, only a few companies
disclose that they have oriented themselves towards a risk management standard. Notably,
only four companies state that they have voluntarily assured their risk
management system. Although the results indicate high reporting quality, best
practices for reporting can also be identified, which also provides
indications for statutory regulations. The fifth study is dedicated to the
disclosure of IT risks. Due to increasing digitalization and technological
trends, considering new types of risks, such as IT risks, is of particular
interest. A qualitative content analysis was used to evaluate the 2020 annual
reports of DAX and MDAX companies. The results also demonstrate heterogeneous
reporting. Notably, only 25 of the 90 companies follow international
standards, while only twelve have been certified. Cyber insurance is rarely
mentioned. This study also indicates best practices in reporting on IT risks
and can serve as a basis for the regulator to initiate further standardization
of risk disclosure. The sixth study examines the voluntary assurance of risk
management systems with an experiment. For this purpose, 145 German bankers
were asked about their trust in the risk management system, loan
granting, willingness to invest, and willingness to recommend investing in a
hypothetical company. The assurance itself, the assurance providers, and
the assurance level were manipulated. The results indicate that voluntary
assurance significantly increases trust in the risk management system, the
probability of a loan being granted, and the willingness to invest and
investment recommendations. However, neither the auditor provider nor the
assurance level plays a decisive role in the participants’ decision, so it can
be stated that the mere presence of an assurance is sufficient. From a
regulatory perspective, introducing a mandatory assurance of risk management
systems could be considered. In addition, our results show that companies can
benefit directly from voluntary assurance, as this can increase the chances of
obtaining financing. Also using an experiment, the seventh study examines
voluntary cybersecurity assurance and the purchase of cyber risk insurance.
For this purpose, 100 non-professional investors were asked about their
willingness to invest. The presence of assurance and the presence of cyber
insurance were manipulated. An additional experiment varied the assurance
provider. The experimental results indicate positive perceptions of a
voluntary cybersecurity audit and cyber insurance. Non-professional investors
are more willing to invest in a company if it has obtained assurance or has
purchased insurance against cyber risks. In contrast, the specific assurance
provider is irrelevant to our participants, revealing that the mere existence
of the assurance is considered sufficient. From a regulatory perspective,
introducing a mandatory cybersecurity assurance and/or mandatory cyber risk
insurance could be considered, due to the high relevance of cyber risks. The
results also demonstrate that companies can benefit directly from voluntary
assurance, as this could increase equity financing.