The relevance of the MaRisk for corporates - KPMG Germany

The relevance of the MaRisk for corporates and current changes under the 5th set of amendments of 2017


MaRisk does offer generally recognised and leading methods for the identification, measurement and control of financial risks.



MaRisk (Minimum Requirements for Risk Management) is a binding policy for German financial institutions, based on Section 25a of the German Banking Act [KWG], that specifies a holistic framework for the organizational and operational structure for financial risk management. In contrast to banks, MaRisk is not legally binding upon industrial companies. MaRisk does, however, offer generally recognised and leading methods for the identification, measurement and control of financial risks and thus represents a frame of reference for industrial companies as well. Every larger non-financial company should be in a position to justify deviations from the specifications either through the absence or immateriality of the risk in question. This is why numerous risk-management guidelines and policies are oriented around the specifications of MaRisk. MaRisk is thus indirectly significant for a broader group of companies as well.

While the rules for the most part do not apply to credit transactions in industrial companies, the rules on risk-bearing capacity, the internal control system, risk management and controlling are highly relevant in corporate treasury and in commodities and energy trading.

Given the risks involved, companies with extensive activity in the trading of derivative and non-derivative financial instruments, as well as contracts for commodities and energy, are more likely to apply the specifications of MaRisk voluntarily, in some cases commissioning independent auditors to confirm correct application of the specifications. For these companies, MaRisk presents a clear guideline that is laid down by in-house supervisory bodies and forms the point of reference for internal organisation. MaRisk is also often applied to help build trust in the eyes of external trading partners and banks.

MaRisk has been in existence since 2005 and has been amended several times since. After multiple postponements, the policy published on 27 October 2017 is now available in its fifth, amended form and takes effect immediately, without any transition deadlines.

With the current amendment to MaRisk, regulatory authorities take into account, among other things, international specifications of the European Banking Authority (EBA) and the Basel Committee on Banking Supervision (BCBS) while at the same time attempting to curtail previous interpretative latitude. Major amendments that are also of relevance to industrial companies can be found in the following sections:

Risk culture and governance:

In future, risk management will include an appropriate risk culture. Aside from defining the appetite for risk, creating a risk culture also calls for promoting behaviour commensurate with risk and an open exchange about risk-related issues within the enterprise.

  • To achieve this, control and monitoring processes must be established within the company, and a code of behaviour specified and communicated to employees.


Risk data and risk reporting:

Risk reporting must be performed regularly, based on up-to-date, complete and exact data. Achieving this requires group-wide rules on data management, data quality and data aggregation.

  • The risk report must not only reflect the risks involved but provide an evaluation of them as well. The report must also integrate the results of stress testing along with possible future consequences. The company must ensure that reporting is prompt and that ad-hoc reports can be issued at all times.
  • Capacities for data aggregation must be kept flexible to ensure that risk data are available at all times. It should also be possible to generate ad-hoc information based on a variety of categories.


  • Outsourcing is permissible only if the company then has reliable knowledge and experience in the outsourced area and can thus ensure any reintegration of the area outsourced. Central outsourcing management must also be set up, with exit strategies defined. Outsourcing of risk controlling is prohibited.
  • Reliance on software and expert services in risk management can also be classified as a form of outsourcing.


  • When employees transfer from trading and sales areas to control areas within which no activities may be exercised, care must be taken to observe a control deadline that can ensure compliance with the prohibition on self-audit and self-review.
  • Suitable risk-management and controlling processes must be established to counter IT risks as well.

Generally speaking, the bulk of the amendments tend to be less relevant for industrial companies than they are for banks. Nevertheless, publication of the 5th set of amendments to MaRisk ought to provide many companies an occasion not only to take the new requirements into account but also to redouble their efforts to apply existing rules and refine the rigour with which the rules are carried out.

Source: KPMG Corporate Treasury News, Edition 73, November 2017
Author: Daniel Rahmann, Manager, Finance Advisory

© 2019 KPMG AG Wirtschaftsprüfungsgesellschaft, a member of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a legal entity under Swiss law. All rights reserved.
