Siemens Energy has rebuilt its enterprise risk management process around shorter reporting, broader risk inputs and a quantified scoring model designed to help leaders focus on the exposures that need action.
Enterprise risk management can easily become a reporting exercise. Risks are gathered, ranked, formatted and handed to senior leaders, but the process does not always show whether the business is managing exposure effectively or where management attention should go next.

This was the message from Markus Buchner, head of enterprise risk management at Siemens Energy, speaking to the audience at Risk-!n in Zurich. Buchner said the company’s earlier approach had some of those weaknesses. Reports were too long, risk scoring relied heavily on impact and likelihood, and knowledge from other assurance and risk functions was not being fully used.
“The reports were kind of an exercise,” he said. “Put together nice risks in a meaningful format, not colourful, and hand it over to the board. It was a manual reporting exercise. It was much too lengthy in retrospect.”
Siemens Energy had a rare chance to rethink the model after it was listed in 2020. Although the company carries the Siemens name, Buchner stressed that it is no longer part of Siemens. It operates in more than 90 countries, has more than 100,000 people and is growing rapidly as demand for energy technology accelerates.
The company has used that transition to build a more integrated risk approach. Instead of treating enterprise risk management as a standalone process, Buchner said Siemens Energy now draws on knowledge from internal control, internal audit, compliance, cybersecurity, health and safety and other risk-related functions.
“What we try to achieve here is that we live up to really what we mean when we say integrated risk reporting,” he said. “Integrated risk reporting is not about just putting together enterprise risk management risks.”
Cutting the noise
One of the most visible changes is a tighter focus on what boards actually need to know.
“We have cut the formats, I think, by almost 80%,” he said. “A typical ERM group report to our ExCo would comprise four to five pages. Annexes, attachments are not allowed.”
The aim is speed as well as brevity. Buchner said the volatility of the external environment means risk teams need to move beyond static quarterly reporting and work towards more automated, real-time sensing.
“We have to automate processes because we have to speed up,” he said. “Speed up in constantly applying our sensors to the environment and see what’s going on.”
The shorter format only works because the inputs have changed. Siemens Energy is not just compressing the same information into fewer pages; it is drawing from a broader set of risk and assurance data before deciding what reaches senior leaders.
Moving beyond impact and likelihood
Siemens Energy has moved away from scoring risks only through impact and likelihood. Its model now uses 18 factors, grouped across five contributors: risk research, risk functions, company performance, key risk indicators and risk community judgement.
Some of these inputs are qualitative, including views from risk owners on disruption, mitigation and future exposure. Others are based on more objective data, such as internal audit findings, internal control deficiencies, cyber maturity assessments, health and safety indicators or other key risk indicators.
“When we say quantification, it’s not about monetising risk,” he said. “We’re having a quantified risk modelling. So at the end we are having a score, but it’s not necessarily a euro number.”
That score is then compared with Siemens Energy’s performance corridor, or risk appetite. If a risk remains within the corridor, it does not need to dominate executive discussion. If it moves outside, additional action can be assessed.
“Whenever a certain threshold is not breached in terms of the risk score, we just put a tick mark,” Buchner said. “Let’s talk about other risks. Let’s focus on others.”
Getting the model right
Graeme Keith, managing partner at Stochastic ApS, said the Siemens Energy approach reflects a broader point about quantification: it should start with decisions, not mathematics.
“If you’re not informing decisions, you may as well just not do it,” he said. “Because if you’re not actually changing anything, then there really isn’t any point in doing it.”
Keith said risk quantification can support better choices, improve objectivity and force discipline in how decisions are framed. But he warned against treating all risk modelling as the same. Credit risk, insurance models, Monte Carlo analysis, enterprise risk scoring and scenario work all serve different purposes.
The challenge at enterprise level is scale. A company cannot build a bespoke model for every risk in the organisation. Nor can it rely on a simple weighted average if that scoring method collapses different risks into a narrow, unhelpful range.
Keith said Siemens Energy’s existing risk framework gave the modelling work a strong base because it was connected to strategy and structured around consistent risk themes.
“Very rare to see risk management and strategy so much in lockstep as they are in Siemens Energy,” he said. “It’s built into the strategy process in a very intentional way.”
Keeping the model usable
Quantification needs to be introduced carefully. Buchner said Siemens Energy had to overcome fragmented risk functions, resistance to change, limited external benchmarks, data and technology limitations, and capacity constraints.
The work required standardisation across functions so that findings from different sources could be used in the model without constant translation.
Buchner said the company’s assurance organisation now aligns findings across enterprise risk management, internal control and internal audit. The wider ambition is to bring together information from across risk functions and use it to create a more objective and auditable view of exposure.
“Have a holistic view when you’re talking about risk, because everybody is understanding different aspects of risk,” he said.
Keith’s advice for risk managers is to start with the process they already have, rather than trying to model everything from scratch. The right approach depends on the organisation’s strengths, data, decisions and maturity.
“Start where you’re at,” he said. “Look at the things that you are obviously getting value from. Can you make them slightly better?”
For Siemens Energy, that has meant using quantification to sharpen an existing ERM process rather than replace judgement. The model does not remove the need for risk owner input or management challenge. It gives those conversations more structure, more consistency and a clearer link to action.