---

The purpose of every for-profit organization is to earn profit, to secure its existence and to meet stakeholders´ expectations, but every company is also confronted with certain risks. Some are easy to handle, others are existence-threatening. The accumulation of global economic crises, frauds, and financial scandals, but also terrorist attacks and failures in large computer systems, shows that businesses face greater challenges than before and verifies the importance of risk management. Hence, companies have to implement risk management systems and processes to identify, assess and treat risks. Many of these risks and problems are externally given, but some also result from the misconduct of a company´s managers and employees. This leads to the need of systems that help to control employees and managers and ensure that they behave in the firm´s sense. These systems are called management control systems. But what is more effective and efficient in supporting the company to reach its goals, risk management or management control systems? There is a research gap concerning this question. Thus, the resulting questions are as follows: What exactly is risk management? What exactly is a management control system? What are the similarities and differences? Is it possible to combine both to reach a kind of perfect control system for businesses? This book is intended to answer these questions.

---

Text sample:
Chapter 3.3.2. The main differences:
3.3.2.1. Objectives:
The basic goal of risk management and management control systems is the same, namely to help the company to achieve its goals, but upon a closer look it can be said that both do this in different ways, both have different sub objectives. First, human resources have two roles in RM: people as a source of risk and people as risk managers being important in handling risks. It can be said that MCSs focus on human resources risks (e.g. fraud), and RM focuses on all kind of risks that can occur in a company, thus RM analyses internal factors as well as external factors, whereas a MCS only analyses internal factors. A report by Deloitte (2008) says that people and their behavior are often the biggest sources of business risk.
It can be derived from chapters 2.1. and 2.2. that MCSs aim to control behaviors and RM aims to handle risks. While supporting the company, MCSs try to reduce the probability of employees´ behavior that could impact the company in a negative way, so it influences people´s behavior, and RM tries to avoid, reduce or transfer negative impacts. Thus, RM has broader objectives than MCSs. One can say that RM contains MCS´s objectives, but it is not RM´s primary target to control employees and to regulate their behavior.
In A method of Integrating Risk and Performance by KPMG (2008, p. 7), it is said that enterprise risk management "is focused on defining and mitigating risk, which means moving from higher to lower risk [and performance management] is focused on seeking higher returns on investment, which can often only result from moving from lower to higher risk". This shows that, even RM and MCSs have a lot a in common, they also may conflict. RM and MCSs could stand in the way of each other, because if limitations implemented through RM are too strict, one´s performance could be too low.
Another difference concerns the time orientation. An enterprise-wide RM concentrates on strategic, long-term risks, while PMSs draw attention to short-term issues (see Palermo, 2011, p. 4).

---