Following the 2008 global financial crisis, there is a need to build a strong risk culture, develop a robust risk appetite framework, and increase the role of the board and board committees in risk governance. The essence of risk governance is oversight – in the sense that the board oversees organisational activities and risks – while risk management rests with senior management and ownership resides in the business units.
Simply mandating the risk governance roles and responsibilities of the board and its committees is unlikely to provide the envisaged improvements in risk management. A ‘one-size-fits-all’ approach that does not take into account an organisation’s corporate governance structure and business model is also less likely to provide meaningful improvements in risk governance than those appropriately tailored to the nature, scale, and complexity of the organisation.
The main challenge is to embed culture deeply in the organisation, so that changes in the economic cycle, leadership changes, and staff turnover do not cause it to fade away. Since cultures are dynamic by definition, sustaining the right attitudes and behaviours over time requires continuing effort and monitoring. The responsibility for maintaining the new risk culture extends to boards of directors, which should demand periodic reviews of the overall organisation and individual businesses to identify areas that merit a deeper look.
Setting the tone
Enabling a risk intelligent governance approach
Directors are responsible for risk governance which incorporates strategic decision-making and risk oversight. Risk governance defines the parameters of acceptable risk, monitors strategic alignment, and sets overall risk management expectations. In order to achieve risk intelligent governance, organisations need to embed appropriate risk management procedures into all of their business pursuits.
We find that many boards are starting to ask themselves the following questions:
• What further, if anything, should the board and the executives practically do to improve the organisation’s chances of survival and success?
• How can the board get the assurance that the executive’s reports about known and emerging risk exposures are reliable and complete?
• What are the best ways for the board to oversee the process of managing enterprise value and risk appropriately?
To start answering these questions, we have identified six distinct actions a board can take to help enable a risk intelligent™ governance approach:
• Define the board’s risk oversight role: Set the expectations and tone, elevate risk as a priority, and initiate the communication and activities that constitute intelligent risk management. The ultimate goal is to assist management in creating a cohesive process in which risks and their impacts are routinely identified, evaluated, and addressed.
• Foster a risk intelligent culture: Foster an environment where people at every level manage risk as an intrinsic part of their jobs. Rather than being risk averse, they understand the risks of any activity they undertake and manage them accordingly as an integral component of the activity undertaken. Further to this, the belief that ‘risk is everyone’s business’ should be ingrained in the day-to-day operations of the organisation. Organisations must build a culture that prides itself on staying ahead.
• Help management incorporate risk intelligence into strategy: Drawing on a solid practical understanding of the organisation’s efforts around value creation and preservation, you can work with management to collaboratively move from a negative ‘incident’ view of risk to a more positive ‘portfolio’ view that considers risks and rewards in a broader strategic context.
• Help define the risk appetite: While the CEO proposes risk appetite levels, the board needs to approve them – or challenge them, and send them back to the CEO for adjustments – based on an evaluation of their alignment with business strategy and stakeholders’ expectations.
• Execute the risk intelligent governance process: A risk intelligent governance process should be strategic in design, promote awareness of the relationship between value and risk, and efficiently and effectively allocate the organisation’s risk management resources. Effective execution of the process depends on maintaining a disciplined, collaborative approach focused on process design, process monitoring, and accountability.
• Benchmark and evaluate the governance process: Risk governance is a continual process, and systematic mechanisms for evaluating and improving risk governance proficiency can greatly benefit efforts to identify, prioritise, and implement improvements as well as give visibility into the organisation’s progress towards a risk intelligent governance approach. Such mechanisms allow gauging the current stages of development relative to peers; they can also help track the progress of the governance programme along a risk intelligence ‘maturity model’.
By implementing risk intelligent governance, the board will be able to sign off on risks with a higher level of comfort and not have to rely blindly on risk information being reported by the executives.
To assist with achieving an effective risk oversight role, King III provides the following guidance to boards:
• The board should assign oversight of the company’s risk management function to an appropriate board committee (for example a risk committee or the audit committee).
• Smaller companies need not establish formal committees to perform these functions but should ensure that these functions are appropriately addressed by the board.
• The audit committee’s charter should be clear on the scope of the audit committee’s responsibilities for risk management.
• Where the board assigns the oversight of the risk management function to the audit committee, the audit committee’s responsibility for overseeing the risk management function should be identical to that of a risk committee in a company where a risk committee is separately established.
• The board should ensure that there is effective communication and coordination of its oversight activities to ensure that the audit committee is informed of all significant actual or potential financial and non-financial risks (such as operational, strategic, regulatory risks) that may have implications on the integrated report.
• Regardless of the board’s method and framework for assigning oversight of the risk management function, the audit committee should have an understanding of, and an adequate level of comfort regarding, the company’s process for identifying, managing and reporting on risk.
• Failing specific assignment by the board to another committee, the audit committee should satisfy itself that it has appropriately addressed the following areas: financial reporting risks; internal financial controls; fraud risk as it relates to financial reporting; and IT risks as they relate to financial reporting.
The internal audit function in the organisation plays an important role in providing independent assurance to the board regarding the integrity and robustness of the risk management process.
Elevation of risk as a priority
The demands placed on risk management, and the perceptions of what risk management does, have increased significantly in recent times. These have been influenced by a number of factors including:
• Managing business in volatile times: Lack of effective risk management practices can have a major impact on organisations. There is an increased focus on timely and clear communications with stakeholders on how risks are being managed. Systemic risks have led to significant losses in value.
• Protecting and creating value: Marketplace demand for board and executive accountability is intensifying. Organisations that do not effectively manage risk are being penalised by the capital markets and the costs associated with managing risk and compliance activities are increasing.
• Regulatory complexity: Regulatory bodies and rating agencies have made it clear that greater disclosure lies ahead. Regulatory examinations will have increased focus on risk management oversight and global regulations are increasing the importance of compliance and risk management.
As a result of these increasing expectations of risk management within business, directors and boards need to be better prepared to oversee the management of risk and the effectiveness of risk processes in organisations.
Initiation and communication of activities that lead to sound risk management
Skills and experience
The extent of skills and experience that directors possess in understanding business risk and the extent of time that they invest in understanding the risks across the business are essential in ensuring that the board has adequate understanding to oversee the organisation as a whole. Non-executive directors are generally chosen because they have a breadth of experience, are of an appropriate calibre and have particular personal qualities and attributes. Additionally, they may have specialist knowledge that will help provide the board with useful insights or, perhaps, key contacts in related industries. This means they can bring a degree of objectivity to the board’s deliberations and play a valuable role in monitoring management decisions.
• Board composition and risk expertise: The board should possess the expertise and experience needed to promote a broad perspective, open dialogue, and useful insights regarding risk. Thus, the board, and particularly the nominating or risk governance committee, should consider the board’s composition. Periodically assessing each member’s expertise, experience, and perspective will enable the board to develop and implement a sound risk governance process. The nomination committee should also assess whether, and to what extent, the establishment of committees of the board is necessary and appropriate.
• Director induction: This is a crucial element in ensuring that new directors have the appropriate background and understand the business. In addition, on-going training and awareness are crucial to provide directors with updates on technical developments as well as on changes in industry and market perspectives. The risk committee can be a useful introduction for new directors, given its focus on the critical risks faced by an organisation.
• Perform site visits: Board members should tour facilities, comprehend work processes at a high level, and understand the risks associated with value creation and preservation. The board should also recommend that management conduct similar site visits.
Key questions in understanding the role of risk management in business strategy and operations
- Are we getting the information and insights we need for key decisions?
- How is this information impacting strategic decisions?
- Is there sufficient challenge of the risk information and insights to ensure the embedding of risk management in strategic decision-making?
- Which frameworks might provide the best basis for our risk management programme? On the basis of which criteria should we select a framework?
- Which elements of our risk management programme are already embedded in procedures that address regulatory requirements? How can we leverage them?
- By what mechanisms does management monitor emerging risks? Do we have effective early warning mechanisms? How, and how often, do we calibrate these mechanisms?
- What is the role of technology in our risk management programme? How was it chosen, and on the basis of which criteria was it last evaluated?
- What evidence exists relating to the above questions and decisions?
Figure 1: Risk culture framework
This culture in turn is influenced by what is considered important and what is rewarded across the organisation, management systems in place to drive and monitor strategy, and the behavioural norms in place.
Figure 2: The four-quadrant risk reporting framework
The reporting function is integral to the management of risk and plays a critical role in enabling non-executive directors to fulfil their risk oversight function.
This responsibility requires board members and board committees to have the appropriate expertise and experience to make rigorous and informed judgements on risk.
They also need to ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities.
A number of key elements should be available to management and the board in order to enable informed decision-making:
• The board should disclose any current, imminent or envisaged risks that may threaten the long-term sustainability of the organisation.
• Risk reports to the board should contain meaningful information on the firm’s overall risks, risk concentrations, emerging risks, and any changes or trends in key risks.
• Risk reports should also include relevant strategic information in order to facilitate the use of risk information in strategic decision-making.
• The board must understand and appreciate risk issues, challenge management on risk decisions, and have a plain-language conversation about risk at board level.
• Reports from management to the board should provide a balanced assessment of the key risks facing the company and the effectiveness of the ensuing risk responses and interventions. Any significant risk response failings or weaknesses should be disclosed in management’s reports to the board, including the impact that they may have had, or may have, on the company, and the resultant corrective responses and interventions taken.
• Non-executive directors should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities.
One of the lessons learned from the 2008 global financial crisis was that evaluating only current risks is not sufficient; potential emerging risks deserve equal attention, as they may impact current decisions and so enable the organisation to better position itself for the future.
These principles of risk reporting are critical in bringing non-executive directors close to the organisation and are depicted in figure 2 per the ‘four-quadrant’ risk reporting framework which encompasses risk events and near misses, key risk indicators, the current risk profile, and emerging risks.
The biggest risk reporting challenge for many organisations is achieving a balance of comprehensiveness and clarity that enables the board to focus on decision-making. This lack of clarity is exacerbated by a number of gaps traditionally found in risk reporting:
• Inadequate processes to monitor the risk profile against the stated risk appetite
• How best to report to the board on risk and how to focus board members’ attention on the most crucial risk factors, especially as boards and board committees are being asked to digest an increasing amount of risk material
• Ability of the directors to challenge management on risk management issues, their understanding of risks that might be facing the organisation and overall understanding of risk management
• Ability of the directors to have forward-looking risk discussions including a number of topics that could develop into potential risks in the future. These topics generally reflect what is being observed in the market and focus on those items that could negatively influence the organisation’s portfolio and financial performance, and
• Ability of directors to discuss risk scenarios, identifying areas where the greatest opportunities lie and identifying those events that could negatively impact the achievement of the group’s strategic objectives
In summary, effective risk governance stands among the most valuable contributions a board can make to its organisation.
The combination of depth of experience, perspective, and knowledge of the business and the environment it operates in plays an important role in supporting the organisation’s risk management efforts. We hope that board members across various industries continue to find these concepts useful as they continue to pursue risk intelligent governance in the organisations they serve.
Author: SAICA Risk Governance Forum sponsored by Deloitte.