Gauch, Kevin (2024)
Risk Disclosure and Related Assurance Services.
Technische Universität Darmstadt
doi: 10.26083/tuprints-00028838
Dissertation, Erstveröffentlichung, Verlagsversion
Kurzbeschreibung (Abstract)
Companies are exposed to various risks in their day-to-day business that can affect their financial performance, competitiveness, and long-term profitability. Trends such as globalization and rapid technological development are changing the dynamics of and uncertainties faced by companies and increasing the likelihood of crises. The COVID-19 pandemic, the Wirecard scandal, and cyberattacks are just a few recent examples. Therefore, companies must deal with risks in a structured manner using a risk management system. However, the approaches used are not standardized. Although risk management standards guide how to structure them, they still need to be customized for each company. Common risk strategies range from risk reduction and risk transfer to the avoidance of certain business activities. For example, a risk can be transferred to insurance companies or reduced by voluntary assurance of the risk management system. With the introduction of the Financial Market Integrity Strengthening Act, risk management systems have become mandatory for listed companies in Germany. In the United States, a risk management system is not mandatory, although this is the case for an internal control system for financial reporting. Due to the high relevance of risk management systems, companies can voluntarily implement risk management system assurance to verify the effectiveness and appropriateness of the system. This can ensure that risks are adequately managed, while also sending a positive signal to stakeholders. However, it is not the mere implementation of the risk management system that is crucial, but also the communication of the risks and measures that the company intends to take to manage them. By disclosing risk-related information, managers can demonstrate their risk management capabilities and thus reduce information asymmetries between the company and its stakeholders. In addition, risk-related information is of major interest to stakeholders, as it enables them to more effectively assess the company’s risk exposure. In addition to mandatory risk disclosure and risk-related information, companies tend to supplement this with voluntary information. Given the relevance of risk disclosure and related assurance services, this dissertation deals with these topics in two main chapters. The first five studies deal with the spectrum of risk disclosure, whereas the last two address the impact of assurance services. The first study examines risk disclosure in the German capital market. For this purpose, the annual reports of HDAX companies from the 2018, 2019, and 2020 fiscal years were examined, using qualitative content analysis. The study focused on the volume of disclosure, the reported risk categories and individual risks over the period mentioned. The results indicate that the number of individual risks published increased significantly. Currency and cyber risks in particular were discussed frequently. Companies and stakeholders can use the results to identify best practices in risk disclosure. For legislators, the results offer guidance for further statutory regulation. The second study examines the determinants of risk disclosure using regression analysis. Again, the annual reports of HDAX companies between 2018 and 2020 were used as the data base. The determinants were identified for the volume of risk disclosure, individual risks, and risk management measures. The results contribute to recognizing the influencing factors, which can help investors make informed decisions. The third study examines textual dissimilarity in risk disclosures and its determinants in the US capital market from 2005 to 2022, with a sample of 29,070 company-year observations. The results provide empirical evidence that risk disclosure is regularly updated only to a limited extent, except for unforeseen events such as the financial crisis or the COVID-19 pandemic. Concerning the determinants, it is evident that risk variables and audit-specific variables, in particular, influence textual dissimilarity. The fourth study describes a qualitative content analysis of HDAX companies for the 2019 fiscal year regarding disclosures on risk management systems. The results indicate rather heterogeneous reporting. An average of 6.52 of 8 basic components of the IDW assurance standard IDW AsS 981 were reported. However, only a few companies disclose that they have oriented towards a risk management standard. Notably, only four companies state that they have voluntarily assured their risk management system. Although the results indicate high reporting quality, best practices for reporting can also be identified, which also provides indications for statutory regulations. The fifth study is dedicated to the disclosure of IT risks. Due to increasing digitalization and technological trends, considering new types of risks, such as IT risks, is of particular interest. A qualitative content analysis was used to evaluate the 2020 annual reports of DAX and MDAX companies. The results also demonstrate heterogeneous reporting. Notably, only 25 of the 90 companies follow international standards, while only twelve have been certified. Cyber insurance is rarely mentioned. This study also indicates best practices in reporting on IT risks and can serve as a basis for the regulator to initiate further standardization of risk disclosure. The sixth study examines the voluntary assurance of risk management systems with an experiment. For this purpose, 145 German bankers were asked whether or not they trust in the risk management system, loan granting, willingness to invest, and to recommend investing in a hypothetical company. For this purpose, the assurance itself, the assurance providers, and the assurance level were manipulated. The results indicate that voluntary assurance significantly increases trust in the risk management system, the probability of a loan being granted, and the willingness to invest and investment recommendations. However, neither the auditor provider nor the assurance level play a decisive role in the participants’ decision, so it can be stated that the mere presence of an assurance is sufficient. From a regulatory perspective, introducing a mandatory assurance of risk management systems could be considered. In addition, our results show that companies can benefit directly from voluntary assurance, as this can increase the chances of obtaining financing. Also using an experiment, the seventh study examines voluntary cybersecurity assurance and the purchase of cyber risk insurance. For this purpose, 100 non-professional investors were asked about their willingness to invest. The presence of assurance and the presence of cyber insurance were manipulated. An additional experiment varied the assurance provider. The experimental results indicate positive perceptions of a voluntary cybersecurity audit and cyber insurance. Non-professional investors are more willing to invest in a company if it has engaged an assurance or has purchased insurance against cyber risks. In contrast, the specific assurance provider is irrelevant to our participants, revealing that the mere existence of the assurance is considered sufficient. From a regulatory perspective, introducing a mandatory cybersecurity assurance and/or mandatory cyber risk insurance could be considered, due to the high relevance of cyber risks. The results also demonstrate that companies can benefit directly from voluntary assurance, as this could increase equity financing.
Typ des Eintrags: | Dissertation | ||||
---|---|---|---|---|---|
Erschienen: | 2024 | ||||
Autor(en): | Gauch, Kevin | ||||
Art des Eintrags: | Erstveröffentlichung | ||||
Titel: | Risk Disclosure and Related Assurance Services | ||||
Sprache: | Englisch | ||||
Referenten: | Quick, Prof. Dr. Reiner ; Ahsen, Prof. Dr. Anette | ||||
Publikationsjahr: | 11 Dezember 2024 | ||||
Ort: | Darmstadt | ||||
Kollation: | XXV, 65 Seiten | ||||
Datum der mündlichen Prüfung: | 29 November 2024 | ||||
DOI: | 10.26083/tuprints-00028838 | ||||
URL / URN: | https://tuprints.ulb.tu-darmstadt.de/28838 | ||||
Kurzbeschreibung (Abstract): | Companies are exposed to various risks in their day-to-day business that can affect their financial performance, competitiveness, and long-term profitability. Trends such as globalization and rapid technological development are changing the dynamics of and uncertainties faced by companies and increasing the likelihood of crises. The COVID-19 pandemic, the Wirecard scandal, and cyberattacks are just a few recent examples. Therefore, companies must deal with risks in a structured manner using a risk management system. However, the approaches used are not standardized. Although risk management standards guide how to structure them, they still need to be customized for each company. Common risk strategies range from risk reduction and risk transfer to the avoidance of certain business activities. For example, a risk can be transferred to insurance companies or reduced by voluntary assurance of the risk management system. With the introduction of the Financial Market Integrity Strengthening Act, risk management systems have become mandatory for listed companies in Germany. In the United States, a risk management system is not mandatory, although this is the case for an internal control system for financial reporting. Due to the high relevance of risk management systems, companies can voluntarily implement risk management system assurance to verify the effectiveness and appropriateness of the system. This can ensure that risks are adequately managed, while also sending a positive signal to stakeholders. However, it is not the mere implementation of the risk management system that is crucial, but also the communication of the risks and measures that the company intends to take to manage them. By disclosing risk-related information, managers can demonstrate their risk management capabilities and thus reduce information asymmetries between the company and its stakeholders. In addition, risk-related information is of major interest to stakeholders, as it enables them to more effectively assess the company’s risk exposure. In addition to mandatory risk disclosure and risk-related information, companies tend to supplement this with voluntary information. Given the relevance of risk disclosure and related assurance services, this dissertation deals with these topics in two main chapters. The first five studies deal with the spectrum of risk disclosure, whereas the last two address the impact of assurance services. The first study examines risk disclosure in the German capital market. For this purpose, the annual reports of HDAX companies from the 2018, 2019, and 2020 fiscal years were examined, using qualitative content analysis. The study focused on the volume of disclosure, the reported risk categories and individual risks over the period mentioned. The results indicate that the number of individual risks published increased significantly. Currency and cyber risks in particular were discussed frequently. Companies and stakeholders can use the results to identify best practices in risk disclosure. For legislators, the results offer guidance for further statutory regulation. The second study examines the determinants of risk disclosure using regression analysis. Again, the annual reports of HDAX companies between 2018 and 2020 were used as the data base. The determinants were identified for the volume of risk disclosure, individual risks, and risk management measures. The results contribute to recognizing the influencing factors, which can help investors make informed decisions. The third study examines textual dissimilarity in risk disclosures and its determinants in the US capital market from 2005 to 2022, with a sample of 29,070 company-year observations. The results provide empirical evidence that risk disclosure is regularly updated only to a limited extent, except for unforeseen events such as the financial crisis or the COVID-19 pandemic. Concerning the determinants, it is evident that risk variables and audit-specific variables, in particular, influence textual dissimilarity. The fourth study describes a qualitative content analysis of HDAX companies for the 2019 fiscal year regarding disclosures on risk management systems. The results indicate rather heterogeneous reporting. An average of 6.52 of 8 basic components of the IDW assurance standard IDW AsS 981 were reported. However, only a few companies disclose that they have oriented towards a risk management standard. Notably, only four companies state that they have voluntarily assured their risk management system. Although the results indicate high reporting quality, best practices for reporting can also be identified, which also provides indications for statutory regulations. The fifth study is dedicated to the disclosure of IT risks. Due to increasing digitalization and technological trends, considering new types of risks, such as IT risks, is of particular interest. A qualitative content analysis was used to evaluate the 2020 annual reports of DAX and MDAX companies. The results also demonstrate heterogeneous reporting. Notably, only 25 of the 90 companies follow international standards, while only twelve have been certified. Cyber insurance is rarely mentioned. This study also indicates best practices in reporting on IT risks and can serve as a basis for the regulator to initiate further standardization of risk disclosure. The sixth study examines the voluntary assurance of risk management systems with an experiment. For this purpose, 145 German bankers were asked whether or not they trust in the risk management system, loan granting, willingness to invest, and to recommend investing in a hypothetical company. For this purpose, the assurance itself, the assurance providers, and the assurance level were manipulated. The results indicate that voluntary assurance significantly increases trust in the risk management system, the probability of a loan being granted, and the willingness to invest and investment recommendations. However, neither the auditor provider nor the assurance level play a decisive role in the participants’ decision, so it can be stated that the mere presence of an assurance is sufficient. From a regulatory perspective, introducing a mandatory assurance of risk management systems could be considered. In addition, our results show that companies can benefit directly from voluntary assurance, as this can increase the chances of obtaining financing. Also using an experiment, the seventh study examines voluntary cybersecurity assurance and the purchase of cyber risk insurance. For this purpose, 100 non-professional investors were asked about their willingness to invest. The presence of assurance and the presence of cyber insurance were manipulated. An additional experiment varied the assurance provider. The experimental results indicate positive perceptions of a voluntary cybersecurity audit and cyber insurance. Non-professional investors are more willing to invest in a company if it has engaged an assurance or has purchased insurance against cyber risks. In contrast, the specific assurance provider is irrelevant to our participants, revealing that the mere existence of the assurance is considered sufficient. From a regulatory perspective, introducing a mandatory cybersecurity assurance and/or mandatory cyber risk insurance could be considered, due to the high relevance of cyber risks. The results also demonstrate that companies can benefit directly from voluntary assurance, as this could increase equity financing. |
||||
Alternatives oder übersetztes Abstract: |
|
||||
Status: | Verlagsversion | ||||
URN: | urn:nbn:de:tuda-tuprints-288382 | ||||
Sachgruppe der Dewey Dezimalklassifikatin (DDC): | 300 Sozialwissenschaften > 330 Wirtschaft | ||||
Fachbereich(e)/-gebiet(e): | 01 Fachbereich Rechts- und Wirtschaftswissenschaften 01 Fachbereich Rechts- und Wirtschaftswissenschaften > Betriebswirtschaftliche Fachgebiete 01 Fachbereich Rechts- und Wirtschaftswissenschaften > Betriebswirtschaftliche Fachgebiete > Fachgebiet Rechnungswesen, Controlling und Wirtschaftsprüfung |
||||
Hinterlegungsdatum: | 11 Dez 2024 13:09 | ||||
Letzte Änderung: | 18 Dez 2024 19:48 | ||||
PPN: | |||||
Referenten: | Quick, Prof. Dr. Reiner ; Ahsen, Prof. Dr. Anette | ||||
Datum der mündlichen Prüfung / Verteidigung / mdl. Prüfung: | 29 November 2024 | ||||
Export: | |||||
Suche nach Titel in: | TUfind oder in Google |
Frage zum Eintrag |
Optionen (nur für Redakteure)
Redaktionelle Details anzeigen |