Risk Management in Connection with Acquisitions Using the Example of the TÜV NORD Group

The legislator has left open the operationalization of the risk management system in enterprises; they are not compelled to implement a certain standard approach. Therefore enterprises are using different types of risk management systems. The aim of the paper is to describe the development of the risk management system and the main principles of TÜV NORD and also TÜV SÜD – which has been using its risk management system for more than 10 years and which was implemented by the authors. It has been constantly developed further through the authors' collaboration and complemented by new insights gained from acquisitions implemented world-wide. The concept of the risk management system must assure that all relevant risks that might affect an enterprise, especially in connection with acquisitions and not only with operational business, are identified. Therefore a systematic process, which will be explained in the paper, has been chosen by the authors to provide the risk identification with a definition of the risk levels and the risk fields. It can be expected that in the future the economic significance of a meaningful risk management – especially in light of the technology development in connection with increasing complexity, the globalisation of the industry and therefore the legal requirements – as a value-oriented instrument in the management of an enterprise will further increase.


Introduction
The TÜV NORD Group is a globally active enterprise with more than 10,000 employees that provides testing services (TÜV SÜD Group: more than 16,000 employees) [1]. Through its holding enterprise, TÜV NORD AG, the TÜV NORD Group has in recent years acquired enterprises at home and abroad to hold its ground against competitors in a consolidating market. Against the background of the increasing internationalisation and globalisation of the testing services market in which the TÜV NORD Group is operating, the growing economic complexity and ever greater competitive pressure, we need to take entrepreneurial risks to enable us to be commercially successful.
According to the management consulting and auditing firm KPMG, risk "no longer just means the occurrence of an unfavourable event which risk, ideally, is reduced by control measures, minimised by redundant systems or otherwise hedged against.
Today, risk has become a measure of the uncertainty of forecasts and planned development", so that risk management has gained strategic importance [2].
The aim of a well-functioning and proactive risk management system has to be the systematic determination and assessment of, and reporting on, all risks of an enterprise.
In the following, the fundamentals of the risk management system as well as the organisation and arrangement of the TÜV NORD Group, supplemented with information on the TÜV SÜD Group, are presented by the authors before the risk management concerning acquisitions is expanded upon.

Local German and Examples for International Regulations Concerning Risk Management
In recent years, national laws and requirements or recommendations by professional associations regarding the introduction of risk management systems have been issued in many countries. In Germany, provisions from the newly decreed control and transparency in business act (KonTraG) have been incorporated into the stock corporation act (Section 91 (2) AktG) "according to which the board of management of a public limited enterprise has to take suitable action - in particular introduction of a monitoring system - to ensure that any development jeopardising the continued existence of the enterprise will be detected at an early stage" [3]. In addition to the stock corporation act, the provisions are also anchored in Sections 289 and 317 of the German Commercial Code (HGB) [4]. In 2002, the KonTraG was supplemented by the German Corporate Governance Code, which gave it additional substance [5]. Moreover, additional regulations have been issued most recently, such as the German Accounting Law Modernization Act (BilMoG) or the 8th EU Enterprise Law Directive (Directive on Statutory Audit), which also have an effect on the risk management system to be set up in an enterprise [6]. According to this, the board of management of a public limited enterprise is obligated to report on existing risks and, now also, chances in the annual report to the annual financial statements. Moreover, an effect on other forms of enterprise such as the private limited enterprise is assumed [3].
In the context of their annual audits, public accountants have to examine the effectiveness of the risk management system and provide information about the system in the auditor's report.
The prevailing legal opinion is that the risk management system has to extend to all subsidiaries world-wide if they may be the origin of any development which endangers the parent enterprise [3]. Against this background, it becomes clear that the current world-wide acquisitions of enterprises by the TÜV NORD Group jointly with its holding enterprise TÜV NORD AG may have a considerable influence on the risk management.
The rules regarding risk management have also been made clearly stricter internationally. For instance, the Sarbanes-Oxley Act (SOA or SOX) has been adopted in the U.S. [8]. Its objective is to improve the precision and reliability of accounting information that is reported to investors [9]. The SOA applies to all enterprises traded on an American stock exchange, including their world-wide subsidiaries. Furthermore, in the UK the rules of risk management are based on the Cadbury Committee's Code of Best Practice for the financial matters [10]. Moreover, the Financial Security Act rules the control of risk management in France [11]. As an interim conclusion, it can be stated: An enterprise's risk management has globally gained much importance in recent years.

Organisation of the Risk Management System of the TÜV NORD Group
The legislator has not defined the operationalization of the mandatory risk management system in the enterprises, i.e. enterprises are not compelled to implement a certain standard set [12]. Accordingly, different shapes of risk management systems are installed in the enterprises. The TÜV NORD Group has been using its risk management system, which was implemented by the authors, for more than ten years. The system has been continuously developed and supplemented by knowledge gained from the global acquisition measures.
The organisation and structure of the TÜV NORD Group's risk management system are explained below by the authors, before we deal with the risk management in connection with acquisitions. A clear organisation of the risk management system is absolutely essential for the smooth and efficient working of the system. The duties and responsibilities of the corporate divisions and individual enterprises and their mutual relationships in the context of the risk management system must be clearly laid down in order to avoid possible lack of clarity with respect to areas of competence or overlaps. A successful risk management system is based on the smooth interplay between all those involved. The TÜV SÜD Group has also had a risk management system in place for years [13].
Against this background, an open corporate culture should prevail in which each employee detects risks at their workplace and reports them to the relevant risk manager.
The figure below shows all those involved in the TÜV NORD Group's risk management system. The specific areas of competence will be dealt with below.

Risk Owners
As those responsible for the business process, as also at the TÜV SÜD Group, the boards of management, managers, department heads and project managers etc. of the enterprises of the TÜV NORD Group are the risk owners. The risk owners' main tasks include especially the following (see also chapter 4):
•Identification of risks and documentation on a record form
•Analysis of the risks with respect to occurrence probability and probable level of damage
•Determination, quantification and monitoring of implementation of the countermeasures
•Electronic transmission every three months of the record form for the identification of risks to the competent risk manager of the enterprise
•Where relevant, ad hoc reporting on newly identified risks or existing risks in the case of major changes

Risk Managers of the Enterprises
The responsibilities of the risk managers cover in particular the following:
•Implementation of the rules for the risk management system and coordination of the recording of risks in the enterprise.
•Consideration of individual risks which cancel one another out or which are cumulative.
•Check whether the record forms have been completed and electronic transmission of the signed forms to the risk manager of the business unit.
•In the case of so-called ad hoc reporting, passing on of the relevant information.
•Acting as contact for the auditors, risk manager of the business unit, supervisory board / advisory council of the enterprise.

Risk Managers of the Business Units
The risk managers of the business units are responsible for the business unit with the following major tasks:
•Controlling and discussion of the reports first with the risk manager and second with the member of the management board responsible for the business unit.
•Integration of newly founded or newly acquired enterprises into the risk management system by arrangement with the risk manager of the TÜV NORD Group.

Risk Manager of the TÜV NORD Group
The main tasks of the risk manager of the TÜV NORD Group include the following:
•Establishing and further developing of the rules for the risk management system.
•Regular check of the individual risks from the group's point of view.
•Summary of the reports from the business units to form an overall report and acting as contact for the auditors.

Management Board of the TÜV NORD Group
The management board, as also at the TÜV SÜD Group, is responsible for ensuring that risk assessment standards are laid down and that a watch is kept on whether necessary countermeasures for risk control have been taken [13]. It informs the supervisory board on a regular or ad hoc basis in a brief report of any major risks or risks which are a vital threat to the enterprise's continued existence.

Internal Auditing and External Auditors of the TÜV NORD Group
An important part of internal auditing measures, also at the TÜV SÜD Group, focuses on the workability of the internal controlling system and the risk management system [13]. In the context of the risk management system, the task of internal auditing as a supervisory body independent of the process is to check the group-wide application of the risk management system and, in accompanying audits, the efficiency and appropriateness of the measures of the risk management system.
According to German law, the auditors have to check whether a risk management system exists in the enterprise and whether the system basically meets the requirements of adequate and orderly corporate governance.

The Risk Management Control Cycle of the TÜV NORD Group
The figure below shows the risk management control cycle:
Figure 2. Risk management control cycle. Source: Own diagram following [14]
The individual elements of the risk management control cycle, which was implemented by the authors, do not stand in isolation but are based on one another and exercise a mutual influence such that they can be shown in the form of a control cycle. This control cycle is constantly passed through in every enterprise of the TÜV NORD Group. The control cycle ensures that a standard and systematic method of identification, assessment, control and communication of risks is applied throughout the enterprise. The TÜV SÜD Group has also implemented a risk management process to report all the risks every three months [13]. To ensure permanent functioning and integration of the control cycle in the corporate control system, it is necessary to have an appropriate organisation, including monitoring of the control cycle. The individual elements, the organisation of the control cycle and the related tasks are described in detail below.

Corporate Objectives / Success Factors
The corporate objectives and strategies form the basis for a systematic risk management system. The process of establishing the objectives and communicating should be systematic and in real time. This will ensure that for all divisions and hierarchical levels criteria will be defined which can serve as the basis for the identification of risks.

Identification of Risks
The notion of identification of risks must ensure that all relevant risks which have or may have an impact on an enterprise are logged.
To ensure a complete record of all relevant risks, it is necessary to adopt a systematic procedure to identify them. For this purpose, risk levels have been defined, taking account of different risk fields {Additional detailed explanations see chapter 5 [7,15,20]}.

Assessment of Risks
After the risks have been identified, an assessment must be conducted. The main aim of the assessment is to highlight the relevant potential risks. The assessment of the effects should if appropriate be made precise by means of economic calculations on the basis of mathematical-statistical methods [6]. Where quantification is not possible in an exceptional case, only a qualitative description of the risk is made (e.g. threatening damage to the enterprise image). The risks identified are assessed with reference to the two dimensions of occurrence probability and level of damage.

Occurrence Probability
The occurrence probability of the risk indicates the estimated expectation that the risk identified will arise. The occurrence probability indicates how probable the occurrence of a risk is, while it says nothing about the possible time of risk occurrence. To support the estimate of occurrence probability, the probability classes defined below were formed by the authors:
•Probability class "Low": 0 to 25%
•Probability class "Moderate": 25 to 50%
•Probability class "High": 50 to 75%
•Probability class "Very high": 75 to 100%

Level of Damage
The rating of the level of damage represents the anticipated impact after the emergence of the risk on the situation in the respective enterprise in respect of the result. The level of damage is basically assessed following the principle:
•Vital threat: more than half the equity capital of the enterprise
•Major: more than one third to half the equity capital of the enterprise
•Significant: more than one sixth to one third of the equity capital of the enterprise
•Perceptible: zero to one sixth of the equity capital of the enterprise

Gross and Net Evaluation
When assessing risks, a distinction is drawn between gross and net evaluation. The evaluation levels are defined by the fact that, in the gross evaluation, the measures already taken by the enterprise to control and deal with the identified risk are not considered in the assessment. The net evaluation, on the other hand, highlights the remaining hazard potential (residual risk) once the measures established have been considered. To obtain a better assessment of the countermeasures, both methods are applied to assess the risk. The establishment of effective countermeasures is another component of risk control which has to be implemented by the operative management of an enterprise. On the basis of the risk analysis, the existing risk management measures are to be highlighted and their impact assessed by the controlling department in consultation with the respective risk owners. In particular where there is a high residual risk, it may be necessary to establish what further action is necessary. The countermeasures have to be stated more precisely by means of costs and the definition of deadlines.

Risk Class
The hazard potential of a risk can be presented in the form of a two-dimensional matrix made up of the occurrence probability and probable level of damage. To avoid deceptive accuracies, risk classes are projected by allocation to the following categories: The risk classes are intended to indicate the risk potential for the respective enterprise. Risk class AA was formed to provide an overview of the top risks for an enterprise. These risks are of the highest priority. Like the risks of class A, they invariably require additional and real-time measures to cope with risk, where such measures are economically appropriate and justifiable. Risks of class B must be regularly monitored. Furthermore, preparations must at least be made for additional necessary measures. Risks of class C must be consciously monitored so that the first signs of a rising potential risk can be detected at an early stage.

Risk Control and Risk Communication
Control consists of monitoring and in the case of risks additionally of overcoming. The logging as described above serves primarily to ensure transparency in the situation of the respective enterprise. It forms the basis for a comprehensive control of the risks. The establishment of effective countermeasures and the monitoring of risk-related factors with a view to early detection are other components of risk control which have to be implemented. Reporting in the risk management system on a quarterly basis at every enterprise and also the TÜV NORD and TÜV SÜD Group must ensure that the competent decision-makers are notified early in a systematic form of the risks that exist.

Risk Management in Connection with Acquisitions
In the last six years, the TÜV NORD Group has made 28 acquisitions. 17 of the enterprises purchased are headquartered in Germany and 11 abroad. Due to the acquisitions, the number of employees has increased from more than 2,000 to more than 10,000. In the same time period the TÜV SÜD Group also has acquired 28 enterprises [17]. As soon as an acquisition is completed, integration of the enterprise into the TÜV NORD Group and thus into the risk management system begins. In connection with the integration, numerous workshops are held and the responsible employees of the acquired enterprise are comprehensively trained. The processes of the risk management system have to be implemented at the acquired enterprises. Against the background of new knowledge and experience gained in connection with the expansion of the TÜV NORD Group, the risk management is continuously developed and extended.
However, in order not to have to register unknown or unforeseen risks in the context of the integration of acquired enterprises into the risk management system, a risk analysis should be performed in the context of the acquisition process. However, risk analysis is different from operational risk management, in particular with regard to its project character and information basis (publicly available information and information provided by the target enterprise) [17]. Risk analysis should include the most important elements of risk management, i.e. risk identification and risk evaluation, and can be integrated into the due diligence process. A due diligence procedure also should be carried out for each acquisition. {According to Section 11 of the US Securities Act of 1933, brokers reproached for having withheld important information from investors were able to relieve themselves from personal liability by the defence of due diligence. To do this, they had to prove, among other things, that as a consequence of an appropriate investigation they had reasonably believed that all information published had been true and no essential information had been omitted [18]}.
The aim of due diligence has to be the identification of all risks of an enterprise and their subsequent minimisation or inclusion into the calculation of the enterprise value. A due diligence procedure can be divided into the following areas: basic, strategic, financial, marketing, human resource, legal, tax, environmental, organisational and IT due diligence [19]. In a due diligence process the enterprises can also cooperate with external advisors such as auditing and law firms to perform due diligence checks and risk analyses.
In the following, the authors will deal with issues of risk management or risk analysis in the acquisition processes which are of great importance for every enterprise. Against this background, to ensure a complete record of all important risks, it is necessary to adopt a systematic process to identify them, which was developed and implemented by the authors in the TÜV NORD Group in the last years to reduce the risks concerning acquisitions. For this, the issues will be classified by external and internal influences on the enterprise (see Figure below). With regard to the risk levels and risk fields established, all the relevant risks must be identified, measured and described as precisely as possible.

External Influences on the Enterprise
At the "global environment" risk level, in particular the issues of macroeconomic development, technological development and political-legal development are of very great importance for every enterprise and also to the TÜV NORD Group. Furthermore, the issues of socio-cultural and ecological development are to be considered.
Macroeconomic development in particular includes cyclical risks which find expression in the fluctuation of economic variables (e.g. gross domestic product) of a national economy and foreign currency and inflation risks [15]. To enable the assessment of such risks for a country in which an acquisition is planned, publicly available information provided by financial or research institutions can be used. The country-specific risk potential is estimated on the basis of this data.
In its assessment of the technological developments and the associated technological risks, the TÜV NORD Group usually relies on its own Know-How, which is supplemented by publicly available studies. Where own Know-How does not exist because the acquisition is made to set up a new business division, enterprises often cooperate with external advisors who prepare expert reports on the further technological development of the market in question. On this basis, the risk potential is estimated.
Political-legal risks identified by enterprises basically are the following {Additional detailed explanations see [15]}:
•Fiscal risks: Fiscal measures by governments may present a risk to enterprises.
•Transfer risks: Governments may make retransfer of invested capital, e.g. in the form of distribution of profits, difficult.
•Expropriation and terrorism risks
•Corruption risks: Regular publication of country rankings provides an overview which likewise is very important to enterprises due to the corporate governance and compliance obligations.
•Legal risks: These may be the lack of basic conditions for quality, liability and protection risks or the general jurisdiction.
In the context of an acquisition project, the political-legal risks are also determined, analysed, assessed and compiled.
Central to the risk field socio-cultural developments are circumstances and changes in demographic features (e.g. age structure) or social values, attitudes and norms (e.g. attitudes to the environment).
Ecological developments arising from the exploitation of finite resources or changed environmental and climatic conditions (e.g. environmental disasters) may represent risks for an enterprise.
At the "competitive environment" risk level, the competitors, suppliers and customers issues are often of great relevance to enterprises. Therefore, a detailed analysis of the competitor, supplier and customer situation in a country is performed in the context of the acquisition process. For instance, the general price, service and quality level of testing services, the possibility of new customers entering (entry barriers) or the customers' market power and payment behaviour are analysed in connection with this.

Internal Influences on the Enterprise
At the "enterprise internal" risk level, all issues are always very important in the case of acquisitions, which is why during an acquisition process a due diligence check including a risk analysis for the enterprises to be acquired is carried out jointly with local public accountants and lawyers.
With regard to this, risks may result from an enterprise's strategy/corporate governance, e.g. with respect to questions of composition of the service portfolio, choice of location enterprise investments.
Risks in connection with human resources or cultural aspects are of the highest importance for all service related enterprises because the business model is based on the provision of services by people, not machines. Accordingly, it is important for the management of enterprises to detect risks in connection with key persons (Know-How carriers) at enterprises to be acquired and reduce them by contractually binding these key persons to the enterprise at least for a certain time. Without such agreements, which serve to reduce the risk potential, an acquisition should usually not be performed.
Jointly with public accountants, the management of enterprises looks for financial risks or risks with regard to the assets of the enterprise to be acquired. These may in particular be found in various items of the balance sheet such as the intrinsic value of receivables from customers or fixed assets (e.g. values of buildings, machines, technical installations and the equipment of the IT system), pension plans or risks arising from under-insurance.
External lawyers can be involved in particular in the determination of organisation risks or business process or project risks. Risks may concern the operational and the organisational structure or exist in the business processes along the value-added chain. There also may be risks in an individual current or future project, environmental or quality management.
At the end of the acquisition process, all risks in connection with external and internal influences on the enterprise which have been identified have to be compiled and assessed. Based on these reports, the board of management and, if existing, the supervisory board of enterprises have to decide whether or not the acquisition will be made. In this way, there should be a close interlocking between the enterprise's risk management and the acquisition management already prior to an acquisition. In the process, the methods and tools of risk management can be used as explained above. This procedure can prevent or greatly reduce unpleasant surprises in the form of new or hitherto unknown risks after the integration of an acquired enterprise into the risk management system of an enterprise, which was also the case at the TÜV NORD Group.

Summary
As a consequence of the increased national and international legislation and requirements made by professional associations, ever more enterprises are obligated to install a meaningful risk management system. The organisation of the risk management has to meet the corporate requirements on risk management and be integrated in the corporate organisation.
In the context of the designing of the risk management processes, the enterprise-specific risks initially have to be identified, analysed, assessed and communicated transparently.
This paper would in particular like to show that the close interlocking of different aspects of risk management with acquisition management in acquisition processes seems to be reasonable. This approach can prevent or considerably reduce unpleasant surprises in the form of hitherto unknown risks following the integration of an acquired enterprise into an existing risk management system. Therefore a systematic process for identifying all the risks during an acquisition process should be implemented in the enterprises. With such a systematic process - as explained by the authors in the paper - risks of an acquisition will be identified, valuated and finally can significantly be reduced. The main topics of such a systematic risk management process are:
•Definition of the risk level (internal and external influences on an enterprise)
•Definition of the risk fields
•Systematic identification of the risks
•Valuation and communication of the identified risks
•Establishing suitable measures to reduce the risks of an acquisition
In comparison with the competitors of the TÜV NORD Group (e.g. TÜV SÜD Group) the depreciation of assets from acquired enterprises during a time period from 2004-2010 was much lower also because of the systematic risk management process [16]. Furthermore as shown the profitability of enterprises could be increased.
Risk-oriented corporate management ensures an enterprise's continued existence. At the same time, it promotes achievement of the corporate goals to which the risk strategy can make an important contribution. However, this requires that all the employees of an enterprise are made aware of risk management issues.
Risk management is to be monitored and audited by the internal audit department, the annual auditor and the supervisory board.
All in all, it is to be expected that the economic significance of meaningful risk management as a value-oriented tool of corporate management will continue to increase in the future, in particular in acquisition processes, especially because of:
•Technology development in connection with an increasing complexity of enterprises and products
•Worldwide globalisation of the industries
•Influence of environmental aspects
•Macroeconomic aspects for national economies (e.g. financial crisis in Europe)
Against this background, new risks will occur which have to be controlled through a systematic and well-functioning risk management system.