Speaker: Prof Dr Gerald Spindler (Göttingen)
Moderator: RA Dr Philipp Süss (Munich)
Prof Spindler announced his intention to cover the various regulatory requirements through to the contractual design of IT projects. By way of introduction, he presented some important regulations.
The legal basis for risk management arises from Section 91 of the German Stock Corporation Act (AktG) as a general duty of management. This provision contains a pronounced obligation for risk management. Specific manifestations of this general duty are the Sarbanes-Oxley Act (SOX) and the German Accounting Law Modernisation Act (BilMoG). The BilMoG serves to implement the so-called ‘Audit Directive’ and the so-called ‘Amendment Directive’. As an important consequence, Prof Spindler recommended close cooperation between auditors and consulting lawyers.
The Business Judgement Rule also has an influence on risk management. This gives companies entrepreneurial room for manoeuvre when making decisions. However, the prerequisite for making decisions is that a sufficient information base is available. For IT, this means not only IT management but also business management.
Prof Spindler went on to explain the background to Basel II and Solvency II. This means that more stringent requirements are now to be applied to the review of the company’s risk exposure, the so-called qualitative control of the borrower. In addition, the assessment of operational risk, i.e. all risks within a company, including IT systems, is also required. Furthermore, minimum requirements for risk management arise from the BaFin circular of May 2007, which is aimed at credit institutions, and the circular of January 2009, which is aimed at the insurance industry.
Referring to the wording of the MaRisk provisions, Prof Spindler assigned IT a dual role in risk management, an internal and an external one. The internal task is to identify IT-relevant risks, such as inadequate rights management or software malfunctions.
Prof Spindler suggested various concrete measures as possible means within the framework of internal IT and risk management: early conversion of software, change requests, ‘compliance with law’ clauses, and customisation clauses depending on rating evaluations. As a particular problem, the speaker cited the fact that the long-term availability of data may not be guaranteed; from the insurance industry’s point of view, however, this is essential. Solutions include the acquisition of the source code, escrow agreements or archiving with the help of open source code.
With regard to ‘external’ risk management, Prof Spindler emphasised that a mirror-image risk assessment based on the IT project risks is required as part of the assessment of risks at the customer. The main problem for the speaker was the concrete enforceability of IT risk management.