Risk management is a legal duty of company leadership, requiring systematic identification, assessment, and mitigation of risks. With growing digitalization, cyber risks are now as critical as financial or operational ones. Effective risk management must include IT and cyber aspects to ensure a comprehensive, up-to-date, and resilient approach.
Risk management is part of the duty of care of a company’s top management. It is not an optional nice-to-have, but a leadership responsibility anchored in law.
According to Article 716a of the Swiss Code of Obligations, the board of directors has overall supervision over those entrusted with managing the company, particularly regarding compliance with laws, statutes, regulations, and directives. Supervising compliance inherently means dealing with risk, since no company can or wants to comply fully with every internal and external requirement at all times, beyond dispute and with complete traceability. One reason is that many laws and regulations are phrased at a very high, general level and leave considerable room for interpretation and flexibility in implementation.
According to SECO’s SME portal, risk management includes all activities involved in identifying, assessing, and addressing risks – whether strategic, financial, or operational in nature. What’s essential is: Act rather than react.
Universal core aspects of good risk management:
Many companies have traditionally focused their risk management on areas such as finance, operations, and compliance. That made sense for a long time: the biggest threats came from markets, production, supply chains, or human resources. But with ongoing digitalization, the rules of the game have changed. Processes today are more automated, interconnected, and dependent on IT systems and cyberspace (e.g., webshops, partner integrations). This not only increases efficiency but also complexity – and with it, risk.
Cyber risks are no longer a fringe issue. A successful attack can paralyze production, sales, or even entire business models. The cost of such incidents rivals that of traditional risks. So, anyone focusing solely on financial or operational risks is missing a crucial part of modern corporate risk.
Modern risk management must necessarily include IT or cyber aspects. For example, using the ICT minimum standard, a company’s cyber resilience can be analyzed in a standardized way.
Whether IT and cyber risks are integrated into existing risk management or handled via a separate information security management system (ISMS) is not what matters most. What’s important is that risks are analyzed comprehensively and assessed in relation to each other. Only then will risk management remain complete, up-to-date, and relevant to the business.
Sure – Excel is flexible, familiar, and usable for simple risk overviews. But as soon as several people need to collaborate, multiple versions of the file start to circulate, and measures need to be tracked, Excel reaches its limits. Transparency, traceability, and consistent data maintenance fall by the wayside.
Modern risk management needs more than spreadsheets. It needs structure, traceability, and clear responsibilities. That’s where fortControl comes in – a solution developed to enable especially Swiss SMEs to build and operate an ISMS – quickly, simply, and professionally.
With fortControl, risk management becomes:
👉 How do I build an efficient ISMS? Read “in 8 steps to an ISMS”