Adrian Leonard asked Christoph Urban, Siemens plc's group director of finance, about the organisation's enterprise risk management

How does enterprise risk management work at Siemens UK?
CHRISTOPH URBAN We have a global risk management approach, but when discussing our strategy it is vital to understand our decentralised structure. We have groups within Siemens UK with worldwide responsibility, and groups with regional responsibilities. But they all work together in a matrix environment. All of our risk management efforts are in line with what we are doing in Germany; we cannot operate in isolation. In our corporate office [in Munich] we have a department that works with the shared services department here, which in turn works closely with the insurance department.

We also have a legal framework to operate within. Siemens AG has to comply with German legislation on control and transparency of risk. It requires an effective system of risk management. Since Siemens AG is now also listed on the New York Stock Exchange, we have to follow US GAAP guidelines, as well as UK guidelines on this specific matter. On top of that, for Siemens plc, comes the Turnbull guidance. But all of this is positive. If there are any good practice guidelines we see from institutions, we try to match those as well.

How does your risk management process operate in practice?
CHRISTOPH URBAN We have a single risk management standard at work. Within this, we like to have a common understanding of the topic, and to ensure that the local risks get into the global risk picture. We talk about risk on a global basis, on a Siemens AG basis. To go from local to global, you have to have good reporting in place. Risk reporting comes through the business units to the Group shared services departments, to head office in Munich. Risk management practice guidelines come the other way.

If you talk globally at the Siemens AG level, their perspective of risk is different from ours, and from the business units, for example in terms of volume. Siemens AG might be concerned with risks from e50m to e100m. At the Group level the threshold may be e10m, while my businesses might say that the five most important risks they face might be e500,000. But the industries and business they are active in are very different. The risk thresholds are different in big project business and in product business.
What are the goals of the risk management programme?
CHRISTOPH URBAN The main targets are probably not much different from those in other organisations: greater levels of transparency, and encouraging the managers who run the businesses where the risk comes up – there are about 40 in the UK – to have good risk management procedures in place. The risk management process has to become routine within those businesses, because all our business is local. We want to avoid any nasty surprises, especially surprises that involve the bottom line. But part of the process is to report on opportunities as well, because wherever there are risks, there are opportunities.

What is the risk hierarchy within the organisation?
CHRISTOPH URBAN Ultimate responsibility for risk within Siemens AG lies purely with the chief executive, but we are very decentralised. The managing directors and finance directors at the helm of each of the business units are responsible when we talk about risk management. That is the right way to attack it: responsibility for risk has to lie where the businesses are being managed. Those people, of course, have to ensure that they try to avoid risks before they come up. Contractual risks is a good example: they have to analyse contracts and carry out proper due diligence to ensure that they do not run into risk through contract. In some companies we have a risk review board, which takes care of existing risks, or reviews risks that may arise, perhaps when we talk about new contracts. And we have implemented a process so that these procedures are audited by our internal audit team. That means managers know that they have to work on risk management, ensure they have it in place, and take remedial action where necessary.

How does that translate into risk management practice?
CHRISTOPH URBAN In 1999 we began to roll out a new risk management approach, which we introduced through a series of workshops. But it is an evolutionary process, and will be amended every year. It is being audited annually by both our internal and external auditors. They look into the risk management procedures and processes in place to ensure they cover everything, but I think we have a good process in place now.

The workshops drew people from all parts of our business, and we made sure that every business unit sent participants. They had to run through a number of risk questions and scenarios, then discuss how to assess risks, their impact, and their probability, and what risk handling measures would be appropriate. That is how we created risk awareness, and a knowledge of where risk comes from, particularly in contracts, and on the products side. We would go through all possible sources of risk, discuss them in a structured way, then discuss them with people from other businesses within Siemens.

What was the result?
CHRISTOPH URBAN It has been a successful exercise. We ended up with a reporting system which shows us where the risks are. We try to assess their potential financial impact, and then discuss measures to mitigate risk. The workshops were of particular value, because of the input from different group businesses. The risks in a sales operation are totally different from risks to the entire value chain, from research and development to production and through to sales. But I don't think awareness will come with a one-off event. We have to repeat things, and we are trying to improve all the time.

Does conventional insurance play a role?
CHRISTOPH URBAN Whatever can be insured, we will insure, but some of the big risks, such as guarantee issues, cannot be insured. Our approach is a little bit different here. The big emphasis is on avoiding risk, so we do not run into it. For example, when a Siemens company does a bid, we do proper due diligence and try to find out where potential contractual risks could arise. If we acquire a company, our due diligence effort goes through all possible aspects of acquired risk, including, for example, the security of the IT network and processes.

Another aspect is pooling. We have a risk-reporting process which goes through our shared services department. They analyse all risk, and whenever they can, they pool it, and talk to insurers to see if it can be insured. But that is not easy, especially in the current environment.

What kind of risk gets the greatest priority?
CHRISTOPH URBAN Blue-sky risk is not something we want to hear about. We look at down to earth risks, say the failure of the launch of a product. We manage financial risk on a constant basis. Every business unit is forced to look at every kind of financial risk. If it is a currency risk, they have to hedge it, at least 70% to 80%, according to corporate guidelines. We have terms of reference or strict guidelines for almost everything – currency risk, environmental risks, health risks – our room to manoeuvre is pretty narrow. The guidelines come from Munich, and are constantly being reviewed, because a business does not stand still. This is what internal audit is all about; they check that these guidelines are followed.

Can you sum up your risk management philosophy?
CHRISTOPH URBAN It is not about big things or about magic. You must run the business properly. You must understand that in business there is always a certain level of entrepreneurial risk. You will never run a company without risks, but there are certain things you can do to minimise the amount.

SIEMENS
Siemens is one of the largest and most successful communications, electronics and electrical engineering companies in the world. In the UK, Siemens plc, with over 17,000 employees and annual turnover in excess of £2.35bn, has businesses operating in the fields of information and communications, automation and control, power, transportation, medical, components, lighting, domestic appliances, financial services, and research & development.

A combination of acquisitions and organic growth has seen Siemens triple its turnover in the UK in the last decade. Over the last two years, acquisitions have led to over 3,000 new employees joining Siemens in the UK while new orders have increased by 65%.

  • Number of UK employees: 17,369*
  • Amount spent on R&D: £39.8m*
  • Turnover: £2,354.5m*
  • Exports: £316.8m*
  • New orders: £3,342.7m*

    (*Figures taken from the Siemens UK Annual Review 2001.)

  • Topics