Perspective

The Core Ideas of Enterprise Risk Management in the Age of Artificial Intelligence (AI): 10 Theses

by Werner Gleißner 1,2
1 FutureValue Group AG, Obere Gärten 18, 70771 Leinfelden-Echterdingen, Germany
2 Faculty of Business and Economics, TUD Dresden University of Technology, 01062 Dresden, Germany
J. Risk Financial Manag. 2026, 19(5), 338; https://doi.org/10.3390/jrfm19050338
Submission received: 26 March 2026 / Revised: 22 April 2026 / Accepted: 23 April 2026 / Published: 8 May 2026
(This article belongs to the Special Issue Advancing Corporate Valuation: Integrating Risk and Uncertainty)

Abstract

Today, there is often a fundamental misunderstanding of what risk management actually entails. The ten theses presented in this conceptual article summarize research and practical experience from a contemporary perspective on how a modern, decision-oriented risk management should be understood and how such a system can be supported by artificial intelligence (AI).

1. Introduction

The following presentation of the core ideas of risk management is based on the current state of research in business economics on the potential and benefits of risk management and takes into account the minimum legal requirements that have been specified and further developed in recent years.
This article is intended as a complement to established risk management frameworks and textbooks on Enterprise Risk Management and takes into account the new possibilities offered by artificial intelligence (AI; for an overview of relevant frameworks see, e.g., Nocco & Stulz, 2022; McShane, 2017; Kaplan & Mikes, 2012, 2016; Aven, 2016; Stein & Wiedemann, 2016; Beasley & Branson, 2022; Fraser et al., 2021; Hardy & Saunders, 2022). To date, the existing literature does not provide a clear and structured summary of all central concepts of modern risk management that is to be understood as the strategic management of companies in a world characterized by an uncertain future. Moreover, many representations of Enterprise Risk Management still lack essential concepts and methods required for decision-oriented risk management.
The value contribution of modern risk management (see McShane et al., 2011, as well as Kürsten, 2006) arises not only from the reduction in the probability of severe crises, but in particular from the improvement in the quality of entrepreneurial decisions, for example, regarding investments or product innovations (see Arrfelt et al., 2018; Farrell & Gallagher, 2019; McShane et al., 2011; Gleißner, 2019, with an overview of the benefits of risk management). In addition to the systematic identification and appropriate quantification of risks, this requires (1) a risk aggregation with reference to corporate planning to determine the total risk scope and (2) the linkage of the aggregated total risk scope with capital cost rates and corporate value as a decision criterion.
Existing risk management concepts do not address this issue. Even where decision-oriented risk management is discussed, the literature lacks an extension of risk management frameworks to include risk aggregation and the linkage to corporate value as a benchmark of the return-risk profile (the decision value; see Matschke & Brösel, 2021, as a decision criterion in a value-based risk management). Conversely, it can also be observed that the Corporate Finance literature does not establish a connection to the results of risk analysis from risk management, which would in turn require risk aggregation (see, for example, the corporate finance literature on Culp, 2002; Graham & Harvey, 2001; Tirole, 2006; Vernimmen et al., 2022, which do not address the linkage between total risk scope and capital structure (equity requirement) as well as cost of capital; cf. Gleißner, 2023a, for a classification). This gap is closed by the present article, which outlines a framework for modern risk management that incorporates established concepts and addresses the shortcomings identified above.
To date, a particular challenge appears to be that many of these concepts are perceived as relatively complex and resource-intensive. In the future, Enterprise Risk Management will increasingly be supported by artificial intelligence. Accordingly, the final section—prior to the summary, conclusions, and outline of further research needs—discusses the emerging opportunities as well as the limitations and restrictions associated with the use of artificial intelligence.
The concept outlined in this paper and its core ideas are not intended as an alternative to established ERM frameworks such as COSO ERM (COSO, 2017). Many of the requirements articulated in these long-standing frameworks are already well developed in both the literature and practice and are therefore not revisited here. Rather, the core ideas presented are intended to complement and further advance existing standards, particularly COSO ERM (COSO, 2017).

2. Relevant Sections

2.1. Requirements for Risk Management, Fields of Research, and Related Literature

Building on established considerations in Enterprise Risk Management (cf. the foundational studies on Hunziker, 2019), this article draws on current research to outline a consistent framework expressed through ten core ideas. It summarizes the current state of research and at the same time serves as a guideline for practical further development of risk management.
Particular attention is devoted to the especially important methods addressed here, such as risk aggregation and the “bridge” from total risk scope to value-based management. For practical implementation and for securing acceptance of risk management at the executive level, such an integrated concept is essential in order to clarify its relevance for the company’s sustainability and its connection to other areas, such as Corporate Finance and Management Accounting.
This article is innovative in that, against the background of established considerations in Enterprise Risk Management (ERM), it systematizes research fields and methods that have so far received limited attention. Some aspects have already been addressed separately in the literature. However, they are revisited here because they are essential for the overall concept (e.g., the joint consideration of opportunities and threats (risks) as a basis for decisions).
In addition to concepts and studies that primarily focus on risk management, the article also incorporates research findings from strategic management, particularly on sustainably successful and resilient companies. Furthermore, insights from recent capital market research are integrated. In examining the relationship between corporate risk and financial performance, this research considers the risk of return and probability of insolvency, rather than—as is common in large parts of capital market research—using the risks of a company’s shares as a proxy, which can, for example, be expressed in the beta factor of the CAPM (Capital Asset Pricing Model, see Koller et al., 2025).
A particular concern in formulating the ten systematically structured core ideas of a modern risk management was to incorporate—alongside the internationally well-established considerations in Enterprise Risk Management (ERM)—concepts that were primarily developed in Germany and that, due to their legal background, have often been published mainly in German.
Unlike in other countries, such as the United States, legal requirements in Germany have, since 1998, necessitated the development of methods enabling the assessment of a company’s total risk scope. With the enactment of the so-called Control and Transparency Act (KonTraG, 1998) and, subsequently, the Act on the Stabilization and Restructuring Framework for Enterprises (StaRUG; cf. Weitzmann, 2021) in 2021, German companies were obliged in particular to identify at an early stage potential “developments that could jeopardize the company’s viability,” i.e., severe crises.
Since such developments generally result from combination effects of risks and require consideration of the company’s future risk-bearing capacity (equity base and profitability), concepts for simulation-based risk aggregation (via Monte Carlo simulation) were developed in both research and practice. This approach links corporate planning with appropriately quantified individual risks in order to determine the total risk scope, which in turn enables the derivation, for example, of the equity requirement or risk-appropriate capital cost rates for value-oriented corporate management.
Risk analysis and risk aggregation are thus positioned as a fundamental foundation of Corporate Finance (Gleißner, 2023a), because
  • Equity and liquidity requirements can be calculated;
  • The risks inherent in financing itself (e.g., potential covenant violations) are taken into account.
The “decision-oriented” approach of risk management (Winter, 2007; DIIR- und RMA-Arbeitskreis “Interne Revision und Risikomanagement”, 2022) pursued in COSO ERM (COSO, 2017) has also become mandatory in Germany through the Business Judgment Rule (§ 93 German Stock Corporation Act; see Graumann et al., 2009; Crawford & Jabbour, 2024). The theoretical foundations for linking risk management and value-based management were likewise developed primarily in the German-speaking academic context (see, e.g., Matschke, 1973, 1979; Hering, 1999; Olbrich et al., 2015).
The so-called investment-theoretical valuation approaches were developed as a counter position to the neoclassically influenced financing-theoretical valuation doctrine on which the CAPM is based, and they do not require the assumption of a perfect capital market. In recent years, these approaches have been further developed—under simplifying assumptions—into the so-called semi-investment-theoretical valuation approach, which forms the bridge between the risk analyses of risk management on the one hand and entrepreneurial decisions on the other (see Ernst, 2022; Dorfleitner & Gleißner, 2018; Ernst & Kamarás, 2023; Blatter et al., 2024; Gleißner et al., 2025).
It is precisely these approaches that enable the idea of decision-oriented risk management formulated in COSO ERM (COSO, 2017), which constitutes a central aspect of modern risk management. Risk management can contribute to sustainability only if information about risks is adequately incorporated into pending management decisions. Enabling this integration is the task of risk-adequate valuation (see Gleißner, 2019).

2.2. Benefits and Barriers of Risk Management: An Overview

Every entrepreneurial activity is associated with opportunities and threats (risks). The success of a company therefore largely depends on its ability to manage uncertainty, i.e., existing opportunities and risks. Risk management is necessary because the future cannot be predicted with certainty. Consequently, opportunities and risks may lead to deviations from corporate planning.
Better information about these risks can lead to improved entrepreneurial decisions and, thus, to greater sustainability. If the future cannot be foreseen with certainty and the consequences of decisions are uncertain, management as a whole should be understood as risk management. Conscious and systematic management of opportunities and threats should therefore be pursued throughout the company—across all employees and functional areas.
Risk management is an integrated process encompassing all functional areas and involving the identification, quantification, aggregation, control, and monitoring of risks that may trigger deviations from defined targets. Above all, risk management entails making decisions on the basis of the results of risk analysis. The following section briefly outlines selected areas of research that form the foundation for the development of these frameworks (see Ittner & Keusch, 2017; Kraus & Litzenberger, 1973).
Empirical studies demonstrate the benefits companies derive from improving their risk-return-profile—an outcome that can be regarded as the result of effective risk management, regardless of its specific organizational implementation (see Smithson & Simkins, 2008).
Despite the obvious relevance of risks (e.g., as causes of corporate crises), they are often not considered systematically in practice. Psychologists attribute this to a fundamental issue: individuals tend to avoid dealing with the topic of “risk” and frequently assess potential damage only after a risk has materialized.
For example, risk research highlighted the danger of pandemics well before the first lockdown related to the COVID-19 pandemic (German Bundestag printed paper (German Bundestag, 2013)), and increasing geopolitical risks that ultimately culminated in the war in Ukraine had been evident since at least 2014. However, these risks were largely ignored by decision-makers in politics and the corporate sector.
Some entrepreneurs even regard an intensive examination of risks as an obstacle to the realization of entrepreneurial opportunities (for further reading see Braumann, 2018). However, successful entrepreneurship is characterized by a consistent weighing of opportunities and threats (risks). Entrepreneurship without risks is inconceivable. Successful entrepreneurs and managers do not necessarily take fewer risks; rather, they avoid allowing the total risk scope to exceed the company’s risk-bearing capacity—its equity base and liquidity reserves—which could adversely affect the rating and ultimately increase the probability of insolvency.
Risk management can therefore make a significant contribution to improving planning reliability and safeguarding the company’s long-term viability (“safeguarding the future”).
The problem is reinforced by the fact that essential methods required for decision-oriented Enterprise Risk Management—such as risk aggregation based on corporate planning—have received limited attention in the literature (see Gleißner & Berger, 2024).

3. Discussion: Ten Core Theses of Modern Risk Management

In addition to financial sustainability (Gleißner et al., 2022) and a robust strategy, a company’s ability to manage risks is crucial to its viability, i.e., its capacity to survive over the long term (see Gleißner, 2023b). Accordingly, criteria for assessing the performance of risk management are of great importance when evaluating future viability (see Gleißner, 2022, pp. 677–682 for some basic ideas).
Decision-oriented Enterprise Risk Management requires, first, a clear understanding of the concept of risk. Second, it must be primarily oriented toward early crisis detection. Third, it must be established as an integral component of corporate management, with a focus on Corporate Finance, Management Control, and strategic management. Fourth, it requires appropriate procedures for the quantitative valuation and aggregation of risks with reference to corporate planning, as well as their linkage to value-based management. Fifth, it requires organizational anchoring to ensure that all employees take risk management into account within the scope of their activities.
These concepts, which are examined in greater depth below, should be fully developed before considering support through artificial intelligence (cf. Section 5).
  • Thesis 1: Understanding Risk as a Potential Deviation from Plan (Opportunities and Threats)
Entrepreneurship is inherently associated with uncertainty, i.e., risks. If the future cannot be predicted with certainty, risks may lead to deviations from corporate planning. Accordingly, the starting point for the analysis of risks is corporate planning.
Risk is the generic term encompassing opportunities and threats (risks), i.e., possible positive and negative deviations from the plan. The joint consideration of opportunities and threats is essential because only together do they provide the relevant information required for management decisions. Risks are thus the causes of deviations from the plan and determine overall planning reliability and planning uncertainty.
  • Thesis 2: Using Risk Management to Measure Insolvency Risk and Support Crisis Prevention
The extent to which a company’s viability is threatened in the future is reflected in the probability of a crisis and in the probability of insolvency, as well as in its future rating. Calculating the implications of existing risks for the future rating—that is, assessing the company from a creditor perspective—is necessary in order to identify developments that may endanger the company as a going concern.
Risk management thus provides the foundation for early crisis detection and crisis prevention, since crises are the result of materialized risks. Determining the probability of insolvency, which depends on the total risk scope and the company’s risk-bearing capacity (equity base and liquidity), enables the timely initiation of appropriate countermeasures to avert crises and safeguard the company’s viability; in Germany, for example, this is regulated by law in § 1 StaRUG. This is precisely what is required by the “Principles of Proper Planning” (Grundsätze ordnungsgemäßer Planung, GoP 3.0), which were updated in 2022 (Exler et al., 2023).
  • Thesis 3: Effective Risk Management as a Prerequisite for a Robust and Resilient Company
The ability to manage uncertainty (risks), alongside a robust strategy (see Gleißner, 2023b) and financial sustainability (see Gleißner et al., 2022), constitutes the third building block for securing a company’s long-term viability (“robust company”; see Figure 1). On the state of research, see Pinkwart et al. (2022), Radicz et al. (2022), and Buyl et al. (2022).
Risk management measures contribute to optimizing the risk-return-profile and must be assessed with regard to their costs and their effects on the total risk scope (optimization of risk costs). A fundamental improvement in the risk-return-profile typically requires a strategic adjustment on the path toward becoming a “robust company” and achieving resilient value creation (see Ayyub, 2014; Buchner et al., 2021; Pinkwart et al., 2022).
Such a strategy avoids critical dependencies, ensures a high risk-bearing capacity, provides a high degree of flexibility, and builds on core competence that sustainably secures competitive advantage (pricing power) in as many attractive markets as possible (see Gleißner, 2023b).
High financial sustainability is achieved when (Figure 2):
  • The company realizes long-term real growth, i.e., the real growth rate g > 0 (and, in the medium term, the after-tax return on equity exceeds the growth rate in order to prevent a decline in the equity ratio);
  • The risk-based probability of insolvency (p) is low;
  • The risk of return—e.g., expressed by the coefficient of variation V of profits—is low and considered acceptable by the owners;
  • The company’s return on capital exceeds its cost of capital (k) (see Thesis 8), i.e., the return meets risk-appropriate performance requirements (for the calculation, cf. Gleißner, 2019; as well as Ernst & Gleißner, 2023; Gleißner & Ernst, 2023; Gleißner et al., 2025).
The empirical findings of Gleißner et al. (2022) for the European stock market show that companies with high financial sustainability are less risky and, at the same time, achieve significantly positive risk-adjusted excess returns over the long term (the excess returns range between 3.7% and 6.5% per year, depending on the portfolio weighting and the models used for risk adjustment). They are also more resilient during periods of crisis (Günther et al., 2020).
The probability of insolvency (p), the coefficient of variation in profits (VC), and the cost of capital (c) derived from it depend on the company’s total risk scope. Risk mitigation measures—and thus risk management—accordingly influence financial sustainability. The calculation of the risk of return by means of risk analysis and risk aggregation (see Theses 3.4–3.6) therefore constitutes a core task of risk management.
  • Thesis 4: Risk Management as a Cross-Functional Function
As a cross-functional activity within the company, risk management encompasses the systematic identification (see Thesis 5), quantification (see Thesis 6), aggregation (see Thesis 7), mitigation, and monitoring of risks. The objective is to create transparency with regard to the total risk scope, in particular in order to identify at an early stage any developments that may jeopardize the company’s viability.
In this way, the required risk-bearing capacity—i.e., equity base and liquidity—can be determined as a function of the total risk scope. Economic value creation arises in particular when the implications for expected future cash flow on the one hand, and for risk and rating on the other, are assessed at an early stage in the preparation of management decisions (Internationaler Controller Verein, 2021).
This approach is referred to as integrative and decision-oriented risk management (Rieg et al., 2025). Through decision-preparatory risk analysis, a company can ensure that it assumes the appropriate risks, i.e., risks that are matched by adequate returns (as discussed below; cf. Thesis 8). In real imperfect capital markets characterized by rating and financing constraints, it is possible to increase expected cash flow while simultaneously reducing the total risk scope (see, e.g., Budd, 1993; Gleißner, 2019; Arrfelt et al., 2018).
  • Thesis 5: Risk Analysis Must Systematically Address All Risk Fields (e.g., Geopolitical and Sustainability Risks)
The identification of all material risks (cf. Figure 3) is essential and is ensured through a clear focus on the most important risk fields and a hierarchical process of risk analysis (based on Gleißner, 2022, pp. 158–159, and complementary Hunziker, 2019; Rieg et al., 2025; Romeike & Hager, 2020).
The five risk categories shown in Figure 3 are briefly explained below.
Operational risks are risks related to value creation processes and supporting processes. These risks include, in particular, events that may disrupt value creation or supporting processes (cf. the literature on value chain risks and organizational resilience Pedell & Renzl, 2021; Pinkwart et al., 2022). This category therefore comprises, for example, potential production outages (see, e.g., Eiser et al., 2012) due to machinery breakdown, fires in manufacturing facilities, cyberattacks on IT systems, fraud cases, and liability claims, e.g., resulting from the delivery of defective products. This category also includes sustainability risks (see ESG: ecological, social, governance).
The second category of risks comprises planning and financial risks. In contrast to the first group, these are generally not individual risks characterized by a specific probability of occurrence and an uncertain impact (cf. Section 5). Rather, planning and financial risks arise from uncertain assumptions underlying corporate planning and may materialize in the form of positive or negative deviations from planned values (i.e., they typically represent both opportunities and threats (risks)).
These risks can be identified systematically by capturing all uncertain assumptions in corporate planning (planning premises). This category includes, for example, uncertainty regarding demand growth rates, maintenance costs, or collectively agreed wage increases, as well as raw material price risks, exchange rate risks, and interest rate risks (on financial risks, see, e.g., van den Boom, 2020, for an overview, and Hull, 2023).
The three remaining categories of risks relate to three distinct types of strategic risks. Located in the middle (third) ring are strategic risks that arise directly from the company’s own strategy and its key success potentials (cf., e.g., Christensen et al., 2011). Such risks endanger the company’s long-term sustainability because they threaten essential success potential—such as core competence or competitive advantage.
These categories therefore include, for example, risks such as the potential loss of a distinctive core competence in research and development (e.g., due to the departure of key personnel) or the potential loss of pricing power if the positive perception of the company’s brand deteriorates.
The fourth category of risks (the second outer ring) comprises risks arising from the industry environment (Budd, 1993). This group includes, for example, critical dependencies on individual customers or suppliers, the potential market entry of new competitors, or significant revenue losses due to substitute products.
It also encompasses potentially disruptive strategies (Hamel, 1996) and innovative business models of competitors resulting from new technologies, as well as risks arising from unfavorable industry conditions (e.g., declining demand or a loss of differentiation capabilities).
The outer ring ultimately captures risks that transcend individual industries and have substantial effects on a large number of companies within the overall economy. Such risks arise, for example, from technological trends (such as digitalization and artificial intelligence; see Casey & Souvignet, 2020). Of particular relevance are also geopolitical (Caldara & Iacoviello, 2022) and macroeconomic risks that may lead to severe crises. In addition to pandemics, this category includes a potential large-scale power outage (“blackout”), a currency crisis, or an inflation and interest rate crisis.
The identification of all material risks cannot be achieved through a simple brainstorming approach. As the above structure of risk categories illustrates, different categories require distinct risk identification methods. Operational performance risks, for example, require an analysis of the value chain. Strategic risks arising from threats to key success potentials can only be identified if the essential success potentials—and thus the core elements of the strategy—are first clearly defined and then systematically examined for potential threats. Planning and financial risks are identified by systematically analyzing uncertain planning premises within corporate planning.
  • Thesis 6: All Risks Are Appropriately Quantifiable
All material risks of the company should—and, assuming adequate expertise, can—be described by means of appropriate probability distributions (e.g., by specifying the minimum, most probable, and maximum values of a planning item).
Even in the case of so-called event-oriented risks, a description based solely on the probability of occurrence and the expected loss amount is insufficient. In the case of uncertain planning premises—e.g., regarding raw material and energy prices, exchange rates, or demand growth rates—this is self-evident.
Indeed, even event-driven risks, such as the possibility of a cyberattack or a technical malfunction, have uncertain implications. In addition to specifying the probability of occurrence (or the distribution of occurrence frequency), a realistic range of possible loss impacts must also be defined (e.g., through the parameters of a triangular or Beta-PERT distribution) in order to avoid spurious precision.
An appropriate description of risks generally requires multiple probability distributions. Even in the case of so-called event-oriented risks that materialize within a given period with a certain probability or frequency, the impact remains uncertain. This can be addressed by specifying, for such a risk (such as the possibility of losing a legal dispute), a probability of occurrence and a probability distribution describing the impact (e.g., minimum, most probable, and maximum values for a triangular or Beta-PERT distribution; cf. Figure 4).
If event-oriented risks may occur more than once per year, a probability distribution for the frequency of occurrence is required (e.g., a Poisson distribution).
For the quantification of a risk, one may draw on historical loss events that have actually occurred, on industry benchmark values, or on internally developed (realistic) loss scenarios, which must then be described precisely. Bayesian statistics also enables the quantification of risks when only limited data are available (see Wieczorek & Nickert, 2023).
In order to compare risks with respect to their significance, the magnitude of a risk is expressed by a risk measure R(…) (e.g., standard deviation, Value-at-Risk, Expected Shortfall, or Range Value-at-Risk; see Righi & Müller, 2023; Hull, 2023). The Value-at-Risk (VaR) can be interpreted as the equity requirement.
The coefficient of variation, as a risk measure, indicates the extent of typical deviations from planned values as a percentage of a planning position, i.e., the degree of planning reliability (standard deviation/expected value).
The quantification of risks is not only necessary for prioritizing risks. It is particularly essential because many of the results derived from risk analysis and subsequent risk aggregation (see Thesis 7) are quantitative indicators. Only through risk quantification can the equity requirement and liquidity requirement—constituting the necessary risk-bearing capacity—be determined (see Gleißner, 2023a, on the linkage between risk, financing, and valuation).
Moreover, requirements for a risk-adequate profit/return are quantitative in nature. The assessment of whether an insurance premium for hedging a specific risk is appropriate likewise requires a quantification of risks (cf. Thesis 6); for a guideline, see Gleißner (2019), and Rieg et al. (2025).
It is essential that risk quantification does not impose unrealistic requirements on the available information. The quantification of risks should make transparent and comprehensible use of the best available information (see Sinn, 1980; Holton, 2004; Gleißner, 2019). If extensive empirical studies or historical data are not available for a particular risk, a subjective expert estimate (Hengmith & Licht, 2022) is also appropriate. Such an expert estimate can achieve a high level of quality provided that the expert explains and documents the derivation of the assessment.
Even if no realization of a specific risk has been observed within a known historical period, plausible ranges for the probability of occurrence can still be determined (see Höse & Huschens, 2022a, 2022b).
Imperfect information, such as missing or incomplete historical loss data, does not constitute a fundamental obstacle to sound risk quantification. The objective is to use the best available information in a transparent and comprehensible manner, including well-justified subjective expert estimates, provided that the associated uncertainty is appropriately disclosed.
Bayesian statistics is particularly relevant in this context, as it explicitly accounts for imperfect information and enables the systematic updating of initial assessments as new data become available (see Wieczorek & Nickert, 2023). For risk management, this implies a continuous learning process in the quantification of opportunities and threats (risks).
Bayesian statistics provides a consistent framework for handling imperfect information. An initial risk assessment (the prior) is systematically updated as new information becomes available, allowing risks to be quantified even with limited data and refined over time. For each level of information, an appropriate method of risk quantification exists.
If no information is available regarding the probability of an unobserved event, it must be assumed to lie between 0% and 100%, which can be represented by a beta distribution or a uniform distribution. If, however, it is known that an event has not occurred over a defined period—such as ten years—a plausible upper bound for its probability can be derived (see further Höse & Huschens, 2022a, 2022b).
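One way to carry out the update described above, as an added example that is not part of the original article: a Beta prior on the annual probability of occurrence is updated with the number of observed years and event years, and the upper bound is read off the posterior as a quantile. The yearly yes/no observation model, the 95% level and all function names are assumptions of this example and are not taken from the cited literature.

```python
import math

UNIFORM_PRIOR = (1, 1)  # Beta(1, 1): probability anywhere between 0% and 100%


def update(prior, years, event_years):
    """Beta(a, b) prior plus yearly yes/no observations gives a Beta posterior."""
    a, b = prior
    return a + event_years, b + years - event_years


def beta_cdf(x, a, b, steps=1000):
    """P(probability <= x) under Beta(a, b); midpoint rule, assumes a, b >= 1."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    log_norm = math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
    h = x / steps
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * h  # midpoints never touch 0 or 1
        total += math.exp(log_norm + (a - 1) * math.log(t) + (b - 1) * math.log(1 - t))
    return total * h


def upper_bound(a, b, level=0.95):
    """Probability that is not exceeded with the given credibility level (bisection)."""
    lo, hi = 0.0, 1.0
    for _ in range(40):
        mid = (lo + hi) / 2
        if beta_cdf(mid, a, b) < level:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def bounds_over_time(prior=UNIFORM_PRIOR, max_years=10):
    """Upper bound after 0, 1, ..., max_years years without any occurrence."""
    return [upper_bound(*update(prior, n, 0)) for n in range(max_years + 1)]


if __name__ == "__main__":
    for n, bound in enumerate(bounds_over_time()):
        print(f"{n:2d} event-free years: upper bound {bound:.1%}")
    # The assessment is revised again once the risk materializes in year 11.
    print(f"after one event in year 11: {upper_bound(*update(UNIFORM_PRIOR, 11, 1)):.1%}")
```
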
  • Thesis 7: Risk Aggregation as the Key Technology in Risk Management
From the risk inventory alone, it can only be inferred which individual risks, in isolation, may endanger a company’s viability. Since serious crises typically result not from single risks but from the combined effects of multiple risks, risk aggregation constitutes the key technology in modern risk management (see Börner et al., 2023). And developments that jeopardize the company as a going concern within the meaning of § 91 (2) of the German Stock Corporation Act (AktG) and § 1 of the German Act on the Prevention of Restrictive Practices (StaRUG).
In order to assess the magnitude of the total risk scope (equity requirement) and thus the degree to which the company’s viability is endangered by the totality of risks (probability of insolvency), risk aggregation is required, as it captures the combination effects of multiple individual risks. Without risk aggregation, the central legal requirements under the German Control and Transparency Act (KonTraG, § 91 German Stock Corporation Act) and § 1 StaRUG (Act on the Stabilization and Restructuring Framework for Enterprises) cannot be fulfilled. These provisions require the early identification of potential “developments that could jeopardize the company’s viability.” Such developments generally arise from the combination effects of individual risks and their impact on the company’s rating and financial covenants, which may trigger loan termination and, consequently, imminent illiquidity within the meaning of German insolvency law. Risk aggregation determines the total risk scope by calculating a large, representative number of possible risk-related future scenarios (Monte Carlo simulation, see Grisar & Meyer, 2015, 2016).
Risk aggregation is conducted with reference to corporate planning. It integrates traditional corporate planning with the company’s risks and provides the expected development of cash flow and profit/return on average, as well as planning reliability (“bandwidth planning”, see Figure 5).
Within risk aggregation, the quantified risks are embedded in the context of integrated corporate planning, i.e., it is explicitly specified which risk may cause deviations in which planning position. By means of Monte Carlo simulation, a large and representative number of possible risk-related future scenarios is then calculated and analyzed.
Risk aggregation enables, in particular, statements regarding:
  • The total risk scope, expressed by a risk measure, e.g., Value-at-Risk (VaR) or Expected Shortfall, or the equity requirement (RAC: risk-adjusted capital);
  • Planning reliability (e.g., expressed by the coefficient of variation) and the magnitude of potential deviations from planned values;
  • The probability of insolvency or another indicator of “endangerment probability” (cf. Thesis 2), i.e., the probability of a crisis (e.g., the violation of minimum requirements regarding the future rating);
  • The risk-appropriate capital cost rate for value-oriented corporate management (cf. Thesis 9).
  • Thesis 8: Risk Management Supports Value-Based Management.
The weighing of expected returns and risks on the basis of a performance benchmark is achieved through the key figure “enterprise value” (“decision value”; see Matschke et al., 2010; Matschke & Brösel, 2021 as well as Hering, 1999), which serves as a performance benchmark (see Gleich, 2021).
In this context, value represents a performance benchmark that integrates (1) the expected magnitude, (2) the risk, and (3) the timing of a cash flow into a single measure. This key performance indicator (KPI) can be calculated on the basis of the aggregated risk of return, using expected planning values and capital cost rates that are commensurate with the level of risk. It can therefore be used, for example, to compare different strategic options for action (“strategy valuation”).
With such a risk-adequate, simulation-based company valuation (for an overview of the current research on this topic, see Pálka et al., 2025), it is possible to consistently incorporate both the risk of return and the probability of insolvency into company valuation and value-based corporate management (see Rappaport, 1997). Unlike valuation approaches based on the CAPM (cf. Matschke & Brösel, 2021; Gleißner & Ernst, 2023), this method does not assume a perfect capital market and explicitly takes rating and financing constraints into account, which may ultimately lead to insolvency (cf. on the methodology Gleißner, 2019, as well as Dorfleitner & Gleißner, 2018).
Discounting interest rates are not derived—via the beta factor (see Fama & French, 2015, on the lack of ability to explain stock returns and Dempsey, 2013; Fernández, 2013, 2017; Schildbach, 2022; Rossi, 2016)—from historical fluctuations in a company’s stock returns (or those of a peer group), as is customary under the CAPM. Instead, they are determined on the basis of the company’s own risk analysis and risk aggregation (see Ernst & Gleißner, 2022; cf. also Behringer & Gleißner, 2021; Rieg & Gleißner, 2022). In this way, the firm’s internal information regarding existing opportunities and threats (risks) is incorporated.
In addition to the systematic identification and quantification of risks, the methodological foundation of this approach is risk aggregation using Monte Carlo simulation (cf. Thesis 7); for this reason, it is referred to as a simulation-based company valuation (see Gleißner & Ernst, 2023, with an example; Ernst, 2022; Ernst & Gleißner, 2023; Dorfleitner & Gleißner, 2018, on the basics). A major advantage of this method is that existing opportunities and threats (risks) can be consistently reflected in (a) expected values of cash flow and (b) risk-adequate discounting interest rates (capital cost rates).
A larger total risk scope leads to greater deviations from planned values (and thus a higher equity requirement), which in turn implies higher required profit/return and therefore higher discounting interest rates (see Koller et al., 2025, for the fundamentals and, for a more advanced discussion, Gleißner, 2023a, who considers capital market imperfections and financing constraints).
Valuation equations and the corresponding discounting interest rates can be derived using the so-called semi-investment-theoretical valuation approach. In addition to specifying the relevant alternative investment opportunities (e.g., government bonds and a stock market index), this approach requires only one restrictive assumption: two payments at the same point in time have the same value if they are identical in terms of expected value and the chosen risk measure (e.g., standard deviation or Value-at-Risk; see Dorfleitner & Gleißner, 2018; Dorfleitner, 2022).
Based on this valuation approach, risk-adequate discounting interest rates can be derived.
In particular, when the frequently used (e.g., in the CAPM) standard deviation serves as the risk measure (i.e., $R(\widetilde{CF}) = \sigma(\widetilde{CF})$), Equation (1) can be solved for the value V(CF) of the cash flows in period t with respect to the capital cost rate (c) (see Gleißner, 2019; Gleißner & Ernst, 2023):
$$V_0(\widetilde{CF}_t) = \frac{E(\widetilde{CF}_t)}{(1+c)^t} = \frac{E(\widetilde{CF}_t) - \lambda_t^{\sigma} \cdot \sigma(\widetilde{CF}_t) \cdot d}{(1+r_f)^t},$$
from which the cost of capital (c) can be derived.
$$c = \frac{1+r_f}{\sqrt[t]{1 - \lambda_t^{\sigma} \cdot \frac{\sigma(\widetilde{CF}_t)}{E(\widetilde{CF}_t)} \cdot d}} - 1 = \frac{1+r_f}{\sqrt[t]{1 - \lambda_t^{\sigma} \cdot VC(\widetilde{CF}_t) \cdot d}} - 1,$$
For any t, under the assumptions of (i) a (time-invariant) interest rate $r_f$ for the risk-free alternative investment and (ii) a log-normally distributed return $\tilde{r}_m \sim LN(\mu_m; \sigma_m)$ of an empirical market portfolio, the risk price can be expressed as follows (the parameters $\mu_m$ and $\sigma_m$ are not the expected value and standard deviation of the return, but the parameters of the log-normal distribution; see also Gleißner, 2022; Dorfleitner & Gleißner, 2018; Dorfleitner, 2022):
$$\lambda_t^{\sigma} = \frac{e^{t \cdot \mu_m + \frac{t \cdot \sigma_m^2}{2}} - (1+r_f)^t}{e^{t \cdot \mu_m + \frac{t \cdot \sigma_m^2}{2}} \cdot \sqrt{e^{t \cdot \sigma_m^2} - 1}},$$
In particular, for t = 1, the following applies:
$$c = \frac{1+r_f}{1 - \lambda^{\sigma} \cdot \frac{\sigma(\widetilde{CF})}{E(\widetilde{CF})} \cdot d} - 1 = \frac{1+r_f}{1 - \lambda^{\sigma} \cdot VC(\widetilde{CF}) \cdot d} - 1, \quad \text{with}$$
$$\lambda^{\sigma} = \frac{\text{Market risk premium}}{\sigma(\tilde{r}_m)} = \frac{E(\tilde{r}_m) - r_f}{\sigma(\tilde{r}_m)}.$$
The ratio of the risk of the payment, $\sigma(\widetilde{CF})$, to its expected value, $E(\widetilde{CF})$, is the coefficient of variation, $VC(\widetilde{CF})$, which has already been discussed in the context of financial sustainability (cf. Section 3). The parameter $\lambda_t$ represents the benchmark of the profit-risk-profile of the alternative investments (the “market price of risk”). The risk diversification factor d indicates the proportion of risks that is relevant for the valuation subject, taking into account its diversification opportunities (cf. Gleißner & Ernst, 2023, with an example).
In this context, risk aggregation constitutes the bridge between risk analysis and value-based corporate management as well as company valuation.
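The following added example (not the author's software and not taken from the cited case studies) carries the chain from Thesis 7 to Thesis 8 through once: risks are attached to planning positions, aggregated by Monte Carlo simulation, and the resulting coefficient of variation is converted into a capital cost rate with the t = 1 formula above. All planning figures, risk parameters, market parameters and the diversification factor d = 0.5 are constructed assumptions, and EBIT stands in for the cash flow as a simplification.

```python
import random
import statistics

# Constructed planning figures (illustrative assumptions, not data from the article).
PLAN = {"revenue": 100.0, "cost_ratio": 0.60, "fixed_costs": 30.0}


def simulate_ebit(n_scenarios=50_000, seed=7):
    """Risk aggregation: every risk is tied to one planning position."""
    rng = random.Random(seed)
    scenarios = []
    for _ in range(n_scenarios):
        # Risk 1 -> "revenue": symmetric demand fluctuation, sd 8% of plan
        revenue = PLAN["revenue"] * (1.0 + rng.gauss(0.0, 0.08))
        # Risk 2 -> "cost_ratio": triangular (min 58%, plan 60% as mode, max 65%)
        cost_ratio = rng.triangular(0.58, 0.65, PLAN["cost_ratio"])
        # Risk 3 -> event risk: loss of a key customer, 10% per year
        event_loss = rng.triangular(5.0, 20.0, 10.0) if rng.random() < 0.10 else 0.0
        scenarios.append(revenue * (1.0 - cost_ratio) - PLAN["fixed_costs"] - event_loss)
    return scenarios


def risk_measures(ebit, confidence=0.99, covenant_floor=0.0):
    """Total risk scope, planning reliability and endangerment probability."""
    ordered = sorted(ebit)
    n = len(ordered)
    tail = ordered[: max(1, int(round((1.0 - confidence) * n)))]  # worst scenarios
    mean = statistics.fmean(ordered)
    sigma = statistics.pstdev(ordered)
    return {
        "planned": PLAN["revenue"] * (1.0 - PLAN["cost_ratio"]) - PLAN["fixed_costs"],
        "expected": mean,
        "sigma": sigma,
        "coeff_of_variation": sigma / mean,
        # Loss not exceeded with the given confidence = equity requirement
        "value_at_risk": max(0.0, -tail[-1]),
        "expected_shortfall": max(0.0, -statistics.fmean(tail)),
        # Share of scenarios violating a minimum requirement (here: EBIT < 0)
        "p_covenant_breach": sum(x < covenant_floor for x in ordered) / n,
    }


def cost_of_capital(expected, sigma, r_f=0.03, market_return=0.08,
                    market_sigma=0.20, d=0.5):
    """c = (1 + r_f) / (1 - lambda * VC * d) - 1 for t = 1."""
    if expected <= 0:
        raise ValueError("coefficient of variation needs a positive expected value")
    lam = (market_return - r_f) / market_sigma  # market price of risk
    denominator = 1.0 - lam * (sigma / expected) * d
    if denominator <= 0:
        raise ValueError("risk discount exceeds the expected cash flow")
    return (1.0 + r_f) / denominator - 1.0


def run():
    measures = risk_measures(simulate_ebit())
    c = cost_of_capital(measures["expected"], measures["sigma"])
    measures["cost_of_capital"] = c
    measures["value"] = measures["expected"] / (1.0 + c)
    return measures


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name:>20}: {value:8.3f}")
```

The planned EBIT of 10 lies above the simulated expected value because the cost and event risks are skewed toward losses, so the plan is not an expected value; the valuation uses the expected value and its dispersion rather than the plan figure.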
In addition, it is advisable to incorporate the probability of insolvency into every risk-adequate valuation of companies or projects. The insolvency risks measurable through a company’s probability of insolvency influence both the expected value and the timing of cash flows (for the basics, see Saha & Malkiel, 2012; Franken et al., 2020).
Insolvency risks must be taken into account when determining the expected value for each period in the detailed planning phase and, beyond that, they act in the continuation phase similarly to a “negative growth rate.” They do not imply a finite lifetime of the company; rather, they imply a finite expected value of its lifetime.
Given a constant probability of insolvency p across all periods, the expected lifetime is L = 1/p years. Furthermore, the probability of insolvency leads to a divergence between contractual cost of debt and the effective cost of debt, which must be considered when determining the Weighted Average Cost of Capital (WACC) (cf. Baule, 2019).
  • Thesis 9: Risk Management Must Be Organized in an Integrative Manner.
A company’s risk management should, as far as possible, build on existing and proven management systems—such as management accounting and control (controlling), corporate planning, quality management, treasury, or project management.
Often in conjunction with the further development of the management accounting system (Hamann et al., 2022) (controlling), this leads to an integrated value-oriented corporate management approach (“integrative risk management”). The objective is to enable corporate management to better account for the uncertainties of a future that cannot be predicted with certainty when making decisions, thereby promoting the company’s long-term sustainability.
Traditional GRC (Racz et al., 2010) approaches—governance, risk, and compliance—are usually insufficient in this respect. Indeed, GRC systems (Governance, Risk and Compliance) aligned with a compliance-oriented mindset may even hinder the further development of risk management due to their rather restrictive risk culture, which tends to interpret risks primarily as errors to be avoided (see Gleißner & Ulrich, 2025).
Decision-oriented risk management is based on corporate planning and supports the preparation of management decisions (as outlined above). It therefore requires, in particular, a close linkage with the Management Control System (MCS; see Berger & Gleißner, 2018). This linkage between risk management and the Management Control System is more important than linking risk management, for example, with compliance systems.
The objective should be a form of risk management that integrates all management systems explicitly or implicitly dealing with risks. Extending the traditional GRC approach to include (management) control, the acronym GRC2 can be used: Governance, Risk, Compliance, and Control (see Corporate Planning and Management Accounting).
Ideally, integrative risk management ultimately encompasses all activities of the company that involve risks and includes all employees. This forward-looking guiding principle is briefly outlined in the concluding tenth thesis.
  • Thesis 10: All activities with uncertain effects should also be considered part of risk management.
Opportunities and threats (risks), including those arising from the uncertain impact of the company’s own activities and decisions, should be adequately taken into account in the normal course of day-to-day business (“embedded risk management”; see Gleißner & Berger, 2024). This is accompanied by an integrative approach to strategic management that explicitly incorporates uncertainty and aims to safeguard and continuously enhance the company’s long-term sustainability and viability.
In addition to the business economics concepts outlined in this article, such risk management also requires an appropriate corporate culture (see Kunz & Heitz, 2021; Pan et al., 2020). Specifically, this implies an open risk culture (Sheedy & Griffin, 2017; Crawford & Jabbour, 2024; Vanini & Rieg, 2021). An open and conscious approach to risks among as many employees as possible is a key prerequisite. If every activity within the company that entails uncertain consequences is also understood as part of risk management, then every employee—and particularly every manager—is also a risk manager. In this sense, all management is risk management.

4. Enhancing Enterprise Risk Management with Artificial Intelligence Support

When enhancing Enterprise Risk Management in line with the ten theses outlined above, it is natural to examine the extent to which artificial intelligence can provide support—particularly generative AI and Large Language Models (LLMs) such as OpenAI, GPT-5.3, Gemini, or Perplexity. Numerous implementation possibilities exist, which are briefly outlined below; at the same time, limitations and constraints must be carefully considered.
The potential applications of AI in risk management are highly diverse. These include, for example, the analysis of internal text sources for risk identification, data analysis and forecasting, the quantification of risks through appropriate probability distributions for frequencies and loss magnitudes, support for scenario development and stress testing, as well as data preparation, summarization, risk communication, and documentation.
Examples of the practical application of artificial intelligence in risk management include the following:
  • Assessment of the status quo: Analysis of the existing risk management system based on written documentation such as annual reports or risk management manuals.
  • Analysis of internal text sources for risk identification: Machine learning methods analyze internal reports, incident reports, documents, and internal policies to identify, for example, the causes of realized deviations from plan or losses. These always indicate the occurrence of a risk.
  • Data analysis and forecasting: AI can be used to generate quantitative forecasts (e.g., ARMA/GARCH models, multiple regression models), including the quantification of potential deviations from these forecasts (risk quantification).
  • Quantification of risks using appropriate distributions for frequencies and loss magnitudes: Machine learning estimates the frequency and severity of future losses based on historical data and additional information (such as a “prior”). This enables better-founded parameter estimation for risk quantification and continuous updating (Bayesian learning process).
  • Assessment of the quality of risk analyses: Systematic evaluation of conducted risk analyses or complete decision proposals that include risk analyses by AI systems.
  • Support for scenario development and stress testing: Generative AI helps to formulate consistent scenario descriptions based on transparent assumptions (e.g., for the detailed analysis of market-strategic risks).
  • Data preparation, summarization, risk communication, and documentation: AI generates structured summaries or action lists from underlying materials.
However, when applying AI to business economics tasks such as those described above, several important boundary conditions must be taken into account. AI systems must be managed differently from traditional software tools (Wood, 2025).
Common issues that must be taken into account include, for example:
  • Incomplete or inaccurate analyses (e.g., “hallucinations”);
  • Technical instabilities;
  • Computational errors;
  • Incomplete storage or unintended truncation of analyses or output texts;
  • Data security risks arising when confidential information is provided to AI systems such as Gemini or ChatGPT.
Unlike a programmed (deterministic) algorithm (i.e., software based on “hard code”), the results produced by an AI system are not reliably reproducible. Even minor changes—for example, in the prompt, the specific AI model used, or the input data provided—may lead to substantially different outcomes. One cannot assume that the output of an AI system is per se “correct.” Rather, it reflects a probabilistic assessment shaped by patterns frequently observed in the training data and by what a typical user might expect as an answer—both of which may be flawed.
However, the fact that AI systems can produce errors does not constitute an argument against their use. Human task performance likewise frequently results in errors, particularly when individuals lack sufficient time or the necessary domain expertise.
Despite the limitations outlined above, the use of AI is, in many cases, at least as a complementary tool, highly beneficial. Artificial intelligence is capable of processing large volumes of data efficiently and can support—even partially substitute for—human effort in time-constrained and analytically demanding tasks.
As a consequence, demanding tasks—such as risk aggregation based on corporate planning to determine the total risk scope, or the preparation of entrepreneurial decisions through simulation-based valuation—will typically require “hybrid” solutions. These arise from an intelligent combination of (see Figure 6):
  • AI systems (particularly at the input and output stages, i.e., in data preparation and interpretation), with specific methodological knowledge—e.g., regarding the quantification of risks—provided through prompts (RAG, Retrieval-Augmented Generation);
  • Software based on algorithms that encode business economics expertise (e.g., planning logic combined with Monte Carlo simulation for risk aggregation and rating models);
  • Human experts, particularly for (1) adapting and fine-tuning AI systems and (2) ensuring the quality assurance of outputs.
Artificial intelligence can thus support the implementation of the requirements of modern risk management outlined above. However, it will not replace human expertise or specialized software, for example, for Monte Carlo simulation.

5. Conclusions, and Future Directions

The ability to manage opportunities and threats (risks) is a key success factor when the future of the company and its environment cannot be predicted with certainty. Integrative, decision-oriented risk management contributes to crisis prevention, safeguards ratings and financing, and enables the risk-adequate assessment of investment alternatives or projects. Figure 7 summarizes the key development paths.

Summary, Implications for Practice, and Need for Further Research

Building on the ten ideas outlined above, further research needs can be identified. A major implementation challenge in many companies appears to be the availability of risk-related data. The provision of appropriate data and standardized approaches to the quantification of risks therefore seems essential. Techniques for quantifying risks—even in situations with limited data availability—are provided by Bayesian statistics.
As outlined in this paper, recent research has already provided the business economics methods required to further develop risk management along the lines described in Section 3 (e.g., methods for translating the results of risk aggregation into cost of capital for value-based management). However, substantial gaps remain with regard to the practical implementation of these methods within companies, representing important avenues for future research.
In particular, future research should focus on identifying barriers—such as psychological and organizational factors—that may hinder the further development of Enterprise Risk Management in line with the ideas presented (Hiebl, 2024). Such insights would enable the derivation of practice-oriented guidelines to support the implementation of decision-oriented risk management.
Further research is also needed on how to measure the economic benefits of such developments in a simple and practical manner for companies, thereby strengthening both their academic relevance and practical applicability. In addition, the use of artificial intelligence is likely to gain increasing importance in the further development of Enterprise Risk Management. However, it should be emphasized that AI is particularly useful for data preparation and communication support. Core components of Enterprise Risk Management—such as the planning-based risk aggregation presented in this article—are not performed by AI systems, but by hard-coded software systems.
At the same time, the practical relevance of the core ideas outlined in this paper is readily apparent. The requirements for modern decision-oriented risk management can be used as a structured framework to systematically assess the current implementation within a company (e.g., in the form of a maturity model). Based on this assessment, corporate management can derive concrete and prioritized measures for the further development of Enterprise Risk Management. This results in a structured development agenda and a concrete project plan aimed at enhancing the company’s capability to manage risks.
From a practical perspective, it should also be noted that current software systems for corporate planning and risk management (without individual customization) generally do not support the calculations described here, making individual programming often necessary. What would be desirable are software systems that, based on integrated corporate planning, support risk aggregation (Monte Carlo simulations) and facilitate the direct evaluation of simulation results (e.g., by calculating the equity requirement for financing decisions and deriving risk-appropriate capital cost rates, for example, for investment valuation).
Overall, risk management supports the central entrepreneurial task of conducting a well-founded weighing of expected profit/return and risks before major decisions are made, for example, by calculating a performance benchmark (such as enterprise value) on the basis of the company’s internal risk information. It creates the prerequisites for the development of crisis-resistant “robust companies” with sustainably successful strategies (Gleißner, 2023b). In this sense, all corporate management should also be understood as risk management.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

No new data were created or analyzed in this study. Data sharing is not applicable to this article.

Conflicts of Interest

The author Werner Gleißner declares no conflicts of interest. He is employed by FutureValue Group AG and holds a position at Dresden University of Technology. The author declares that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
  • AI: Artificial Intelligence
  • CAPM: Capital Asset Pricing Model
  • COSO: Committee of Sponsoring Organizations of the Treadway Commission
  • ERM: Enterprise Risk Management
  • GoP: Grundsätze ordnungsgemäßer Planung, German Principles of Proper Planning
  • LLM: Large Language Model
  • MCS: Management Control System
  • StaRUG: Gesetz über den Stabilisierungs- und Restrukturierungsrahmen für Unternehmen; German Act on the Stabilization and Restructuring Framework for Enterprises
  • WACC: Weighted Average Cost of Capital

References

  1. Arrfelt, M., Mannor, M., Nahrgang, J. D., & Christensen, A. L. (2018). All risk-taking is not the same: Examining the competing effects of firm risk-taking with meta-analysis. Review of Managerial Science, 12(3), 621–660. [Google Scholar] [CrossRef]
  2. Aven, T. (2016). Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), 1–13. [Google Scholar] [CrossRef]
  3. Ayyub, B. M. (2014). Systems resilience for multihazard environments: Definition, metrics, and valuation for decision making. Risk Analysis, 34(2), 340–355. [Google Scholar] [CrossRef]
  4. Baule, R. (2019). The cost of debt capital revisited. Business Research, 12(2), 721–753. [Google Scholar] [CrossRef]
  5. Beasley, M., & Branson, B. (2022). Global state of enterprise risk oversight. Available online: https://erm.ncsu.edu/library/article/2022-global-state-of-enterprise-risk-oversight (accessed on 19 March 2026).
  6. Behringer, S., & Gleißner, W. (2021). Unternehmensplanung als grundlage für die unternehmensbewertung—Die perspektive der wirtschaftsprüfer. WPg–die Wirtschaftsprüfung, 74(5), 857–864. [Google Scholar]
  7. Berger, T., & Gleißner, W. (2018). Integrated management systems: Linking risk management and management control systems. International Journal of Risk Assessment and Management, 21(3), 215–231. [Google Scholar] [CrossRef]
  8. Blatter, A. B., Ernst, D., & Lang, S. M. (2024). Diversification in business valuation. Journal of Business Valuation, 20(1), 1–28. [Google Scholar] [CrossRef]
  9. Börner, C. J., Ernst, D., & Hoffmann, I. (2023). Tail risks in corporate finance: Simulation-based analyses of extreme values. Journal of Risk and Financial Management, 16(11), 469. [Google Scholar] [CrossRef]
  10. Braumann, E. C. (2018). Analyzing the role of risk awareness in enterprise risk management. Journal of Management Accounting Research, 30(2), 241–268. [Google Scholar] [CrossRef]
  11. Buchner, M., Kuttner, M., & Mitter, C. (2021). Resilienz von familienunternehmen—Eine systematische literaturanalyse. BFuP, 73(3), 225–252. [Google Scholar]
  12. Budd, J. L. (1993). Characterizing risk from the strategic management perspective [Unpublished doctoral dissertation, Kent State University]. [Google Scholar]
  13. Buyl, T., Gehrig, T., Schreyögg, J., & Wieland, A. (2022). Resilience: A critical appraisal of the state of research for business and society. Schmalenbachs Zeitschrift für Betriebswirtschaftliche Forschung, 74(4), 453–463. [Google Scholar] [CrossRef]
  14. Caldara, D., & Iacoviello, M. (2022). Measuring geopolitical risk (International Finance Discussion Papers 1222r1). Board of Governors of the Federal Reserve System.
  15. Casey, E., & Souvignet, T. R. (2020). Digital transformation risk management in forensic science laboratories. Forensic Science International, 316, 110486. [Google Scholar] [CrossRef] [PubMed]
  16. Christensen, C. M., Matzler, K., & von den Eichen, S. F. (2011). The innovator’s dilemma: Warum etablierte unternehmen den wettbewerb um bahnbrechende innovationen verlieren. Vahlen. [Google Scholar]
  17. Committee of Sponsoring Organizations of the Treadway Commission. (2017). Enterprise risk management: Integrating with strategy and performance. Available online: https://www.coso.org/guidance-erm (accessed on 17 April 2026).
  18. Crawford, J., & Jabbour, M. (2024). The relationship between enterprise risk management and managerial judgement in decision-making: A systematic literature review. International Journal of Management Review, 26(1), 110–136. [Google Scholar] [CrossRef]
  19. Culp, C. L. (2002). Contingent capital: Integrating corporate financing and risk management decisions. Journal of Applied Corporate Finance, 15(1), 46–56. [Google Scholar] [CrossRef]
  20. Dempsey, M. (2013). The capital asset pricing model (CAPM): The history of a failed revolutionary idea in finance? Abacus, 49(S1), 7–23. [Google Scholar] [CrossRef]
  21. DIIR- und RMA-Arbeitskreis “Interne Revision und Risikomanagement”. (2022, February). DIIR revisionsstandard Nr. 2: Prüfung des risikomanagementsystems durch die interne revision (Version 2.1). Available online: https://www.diir.de/fachwissen/standards/diir-standards/ (accessed on 19 March 2026).
  22. Dorfleitner, G. (2022). On the use of the terminal-value approach in risk-value models. Annals of Operations Research, 313, 877–897. [Google Scholar] [CrossRef]
  23. Dorfleitner, G., & Gleißner, W. (2018). Valuing streams of risky cashflows with risk-value models. Journal of Risk, 20(3), 1–27. [Google Scholar] [CrossRef]
  24. Eiser, J. R., Bostrom, A., Burton, I., Johnston, D. M., McClure, J., Paton, D., van der Pligt, J., & White, M. P. (2012). Risk interpretation and action: A conceptual framework for responses to natural hazards. International Journal of Disaster Risk Reduction, 1, 5–16. [Google Scholar] [CrossRef]
  25. Ernst, D. (2022). Simulation-based business valuation: Methodical implementation in the valuation practice. Journal of Risk and Financial Management, 15(5), 200. [Google Scholar] [CrossRef]
  26. Ernst, D., & Gleißner, W. (2022). Paradigm shift in finance: The transformation of the theory from perfect to imperfect capital markets using the example of company valuation. Journal of Risk and Financial Management, 15(9), 399. [Google Scholar] [CrossRef]
  27. Ernst, D., & Gleißner, W. (2023). Total beta: A view from outside. The Value Examiner, 24(5/6), 4–14. [Google Scholar]
  28. Ernst, D., & Kamarás, E. (2023). Simulationsbasierte unternehmensplanung und unternehmensbewertung: Eine fallstudie für eine praxisgerechte umsetzung. Corporate Finance, 14(11/12), 282–292. [Google Scholar]
  29. Exler, M., Gleißner, W., Obersteiner, R., Presber, R., Redley, R., Werner, H., & Weyrather, C. (2023). Die neuen grundsätze ordnungsgemäßer planung—In der neuen version GoP 3.0 von 2022. Controller Magazin, 48(1), 70–74.
  30. Fama, E. F., & French, K. R. (2015). A five-factor asset pricing model. Journal of Financial Economics, 116(1), 1–22.
  31. Farrell, M., & Gallagher, R. (2019). Moderating influences on the ERM maturity-performance relationship. Research in International Business and Finance, 47, 616–628.
  32. Fernández, P. (2013). Are calculated betas worth for anything? Working Paper der IESE Business School. University of Navarra.
  33. Fernández, P. (2017). Is it ethical to teach that beta and CAPM explain something? Available online: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2980847 (accessed on 22 March 2026).
  34. Franken, L., Gleißner, W., & Schulte, J. (2020). Insolvenzrisiko und berücksichtigung des verschuldungsgrads bei der bewertung von unternehmen—Stand der diskussion nach veröffentlichung des IDW praxishinweises 2/2018. Corporate Finance, 11(3–4), 84–96.
  35. Fraser, J. R. S., Quail, R., & Simkins, B. (2021). Enterprise risk management: Today’s leading research and best practices for tomorrow’s executives. Wiley.
  36. German Bundestag. (2013). Bericht zur risikoanalyse im bevölkerungsschutz 2012. Bundesdrucksache, 17(12051), 5–6.
  37. Gleich, R. (2021). Performance measurement—Konzepte, fallstudien, empirie und handlungsempfehlungen—Praktischer einstieg in die gestaltung und anwendung. Vahlen.
  38. Gleißner, W. (2019). Cost of capital and probability of default in value-based risk management. Management Research Review, 42(11), 1243–1258.
  39. Gleißner, W. (2022). Grundlagen des risikomanagements (4th ed.). Vahlen.
  40. Gleißner, W. (2023a). Finanzwirtschaft und risiko—Finanzierung, kapitalkostenberechnung und investitionsbewertung mit methoden des risikomanagements. BFuP, 75(6), 598–619.
  41. Gleißner, W. (2023b). Uncertainty and resilience in strategic management: Profile of a robust company. International Journal of Risk Assessment and Management, 26(1), 75–94.
  42. Gleißner, W., & Berger, T. (2024). Enterprise risk management: Improving embedded risk management and risk governance. Risks, 12, 196.
  43. Gleißner, W., & Ernst, D. (2023). The simulation-based valuation of companies and their strategies—Classification, methodology and case study. The European Business Valuation Magazine, 2(2), 4–16.
  44. Gleißner, W., Günther, T., & Walkshäusl, C. (2022). Financial sustainability: Measurement and empirical evidence. Journal of Business Economics, 92(5), 467–516.
  45. Gleißner, W., & Ulrich, P. (2025). Governance, risk, compliance and controlling: Institutional, cultural and instrumental interdependencies from a German perspective. Corporate Ownership & Control, 22(1), 41–52.
  46. Gleißner, W., Wolfrum, M., & Dorfleitner, G. (2025). M&A and the simulation-based valuation of companies with an uncertain exit price and special rights. Credit and Capital Markets, 58(1), 1–37.
  47. Graham, J. R., & Harvey, C. R. (2001). The theory and practice of corporate finance: Evidence from the field. Journal of Financial Economics, 60(2–3), 187–243.
  48. Graumann, M., Linderhaus, H., & Grundei, J. (2009). Wann ist die risikobereitschaft bei unternehmerischen entscheidungen “in unzulässiger weise überspannt”? BFuP, 61(5), 492–505.
  49. Grisar, C., & Meyer, M. (2015). Use of Monte Carlo simulation: An empirical study of German, Austrian and Swiss controlling departments. Journal of Management Control, 26(3), 249–273.
  50. Grisar, C., & Meyer, M. (2016). Use of simulation in controlling research: A systematic literature review for German-speaking countries. Management Review Quarterly, 66(2), 117–157.
  51. Günther, T., Gleißner, W., & Walkshäusl, C. (2020). What happened to financially sustainable firms in the corona crisis? NachhaltigkeitsManagementForum, 28(2), 83–90.
  52. Hamann, P. M., Halb, A., & Günther, T. (2022). Meta-analysis of the corporate planning–organizational performance relationship: A research note. Strategic Management Journal, 43(13), 2717–2732.
  53. Hamel, G. (1996). Strategy as revolution. Harvard Business Review, 74(4), 69–82.
  54. Hardy, M., & Saunders, D. (2022). Quantitative enterprise risk management. Cambridge University Press.
  55. Hengmith, K., & Licht, G. (2022). Objectification of subjective risk assessments. In C. Klein, A. Loßagk, D. Straßberger, & U. Walther (Eds.), Modern finance and risk management: Festschrift in honour of hermann locarek-junge (pp. 219–245). Springer.
  56. Hering, T. (1999). Finanzwirtschaftliche unternehmensbewertung [Habilitation thesis, University of Cologne].
  57. Hiebl, M. R. W. (2024). The integration of risk into management control systems: Towards a deeper understanding across multiple levels of analysis. Journal of Management Control, 35(1), 1–16.
  58. Holton, G. A. (2004). Defining risk. Financial Analysts Journal, 60(6), 19–25.
  59. Höse, S., & Huschens, S. (2022a). Ereignisrisiko: Statistische verfahren und konzepte zur risikoquantifizierung. Springer.
  60. Höse, S., & Huschens, S. (2022b). The risk of the unseen. In C. Klein, A. Loßagk, D. Straßberger, & U. Walther (Eds.), Modern finance and risk management: Festschrift in honour of hermann locarek-junge (pp. 173–196). Springer.
  61. Hull, J. C. (2023). Risk management and financial institutions. Wiley.
  62. Hunziker, S. (2019). Enterprise risk management: Modern approaches to balancing risk and reward. Springer Gabler.
  63. Internationaler Controller Verein (Ed.). (2021). Entscheidungsvorlagen für die Unternehmensführung—Leitfaden für die Vorbereitung unternehmerischer entscheidungen (business judgement rule). Haufe-Lexware.
  64. Ittner, C. D., & Keusch, T. (2017). Incorporating risk considerations into planning and control systems: The influence of risk management value creation objectives. In M. Woods, & P. Linsley (Eds.), The Routledge companion to accounting and risk (pp. 150–171). Routledge.
  65. Kaplan, R. S., & Mikes, A. (2012). Managing risks: A new framework. Harvard Business Review, 90(6), 48–60.
  66. Kaplan, R. S., & Mikes, A. (2016). Risk management—The revealing hand. Journal of Applied Corporate Finance, 28(1), 8–18.
  67. Koller, T., Goedhart, M., & Wessels, D. (2025). Valuation—Measuring and managing the value of companies. Wiley.
  68. Kraus, A., & Litzenberger, R. H. (1973). A state preference model of optimal financial leverage. The Journal of Finance, 28(4), 911–922.
  69. Kunz, J., & Heitz, A. (2021). Banks’ risk culture and management control systems: A systematic literature review. Journal of Management Control, 32(4), 439–493.
  70. Kürsten, W. (2006). Corporate hedging, stakeholderinteresse und shareholder-value. Journal für Betriebswirtschaft, 56(1), 3–31.
  71. Matschke, M. J. (1973). Der entscheidungswert der unternehmung [Ph.D. thesis, University Cologne].
  72. Matschke, M. J. (1979). Funktionale unternehmensbewertung, band II, der arbitriumwert der unternehmung. Gabler.
  73. Matschke, M. J., & Brösel, G. (2021). Business valuation—Functions, methods, principles. Springer Gabler.
  74. Matschke, M. J., Brösel, G., & Matschke, X. A. (2010). Fundamentals of functional business valuation. Journal of Business Valuation and Economic Loss Analysis, 5(1), 1–39.
  75. McShane, M. K. (2017). Enterprise risk management: History and a design science proposal. The Journal of Risk Finance, 18(2), 137–153.
  76. McShane, M. K., Nair, A., & Rustambekov, E. (2011). Does enterprise risk management increase firm value? Journal of Accounting, Auditing, and Finance, 26(4), 641–658.
  77. Nocco, B. W., & Stulz, R. M. (2022). Enterprise risk management: Theory and practice. Journal of Applied Corporate Finance, 34(1), 81–94.
  78. Olbrich, M., Quill, T., & Rapp, D. J. (2015). Business valuation inspired by the Austrian school. Journal of Business Valuation and Economic Loss Analysis, 10(1), 1–43.
  79. Pan, Y., Siegel, J., & Wang, T. Y. (2020). The cultural origin of CEOs’ attitudes toward uncertainty: Evidence from corporate acquisitions. The Review of Financial Studies, 33(7), 2977–3030.
  80. Pálka, P., Blahová, M., Kim, J., Kwarteng, A., & Ntsiful, A. (2025). Business valuation unveiled: A 40-year bibliometric perspective on trends and transformation. Journal of Competitiveness, 17(3), 362–387.
  81. Pedell, B., & Renzl, B. (2021). Purpose und resilienz. Controlling, 33(3), 120–125.
  82. Pinkwart, A., Schingen, C., Pannes, P., & Schlotböller, D. (2022). Improving resilience in times of multiple crisis. Commentary from a German economic policy point of view. Schmalenbach Journal of Business Research, 74(4), 763–786.
  83. Racz, N., Weippl, E., & Seufert, A. (2010). A frame of reference for research of integrated governance, risk and compliance (GRC). In B. De Decker, & I. Schaumüller-Bichl (Eds.), Communications and multimedia security (Vol. 6109). CMS 2010. Lecture Notes in Computer Science. Springer.
  84. Radicz, R., Hermann, A., Haberland, M., & Rese, M. (2022). Development of a business model resilience framework for managers and strategic decision-makers. Schmalenbach Journal of Business Research, 74(3), 575–601.
  85. Rappaport, A. (1997). Creating shareholder value: A guide for managers and investors (2nd ed.). Free Press.
  86. Rieg, R., & Gleißner, W. (2022). Was ist ein erwartungstreuer plan? WPg—Die Wirtschaftsprüfung, 75(24), 1407–1414.
  87. Rieg, R., Vanini, U., & Gleißner, W. (2025). Enterprise risk management—A modern approach. Springer.
  88. Righi, M. B., & Müller, A. (2023). Range-based risk measures and their applications. Astin Bulletin, 53(3), 636–657.
  89. Romeike, F., & Hager, P. (2020). Erfolgsfaktor risiko-management 4.0: Methoden, beispiele, checklisten praxishandbuch für industrie und handel (4th ed.). Springer Gabler.
  90. Rossi, M. (2016). The capital asset pricing model: A critical literature review. Global Business and Economics Review, 18(5), 604–617.
  91. Saha, A., & Malkiel, B. G. (2012). DCF valuation with cash flow cessation risk. Journal of Applied Finance, 22(2), 175–185.
  92. Schildbach, T. (2022). Modigliani/miller-thesen und CAPM: Irrlehren statt wegweisender theorien. BFuP, 74(4), 375–394.
  93. Sheedy, E. A., & Griffin, B. (2017). Risk governance, structures, culture, and behavior: A view from the inside. Corporate Governance—An International Review, 26(1), 4–22.
  94. Sinn, H.-W. (1980). Ökonomische entscheidungen bei ungewissheit. Mohr.
  95. Smithson, C. W., & Simkins, B. J. (2008). Does risk management add value? A survey of the evidence. In D. H. Chew (Ed.), Corporate risk management (pp. 235–256). Columbia University Press.
  96. Stein, V., & Wiedemann, A. (2016). Risk governance: Conceptualization, tasks, and research agenda. Journal of Business Economics, 86(7), 813–836.
  97. Tirole, J. (2006). The theory of corporate finance. Princeton University Press.
  98. van den Boom, B. (2020). Financial risk management in SMEs: A new conceptual framework. International Business Research, 13(3), 85–94.
  99. Vanini, U., & Rieg, R. (2021). Risk attitude, information selection, and information use in capital budgeting decisions. International Journal of Managerial and Financial Accounting, 13(3), 253–278.
  100. Vernimmen, P., Quiry, P., & Le Fur, Y. (2022). Corporate finance. Theory and practice (6th ed.). Wiley.
  101. Weitzmann, M. (2021). Krisenfrüherkennung und -management. In K. Pannen, J. Riedemann, & S. Smid (Eds.), StaRUG. Unternehmensstabilisierungs- und -restrukturierungsgesetz (pp. 61–94). Otto Schmidt.
  102. Wieczorek, M., & Nickert, C. (2023). Die bayessche statistik im risikomanagement. BFuP, 75(6), 658–678.
  103. Winter, S. (2007). Managerial risk accounting and control—A German perspective. MPRA Paper. University Library of Munich.
  104. Wood, D. (2025). Rewiring your mind for AI: Wie man im zeitalter der künstlichen intelligenz denkt, arbeitet und erfolgreich ist. Vahlen.
Figure 1. Robust company (source: Gleißner, 2023b, p. 90).
Figure 2. Financial Sustainability Metrics.
Figure 3. Focused Risk Analysis—From Strategic Risks to Uncertain Planning Assumptions.
Figure 4. Probability Distributions for Describing a Risk (Example).
Figure 5. Range of Profit/Return from Monte Carlo Simulation (Risk Aggregation).
Figure 6. Triangle (AI generated).
Figure 7. Current State and Future Vision of Risk Management.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
