The Governance of Risk Moving from the Management of risk to the governance of risk OCTOBER 2012 Gert Cruywagen


Page 1

The Governance of Risk: Moving from the Management of Risk to the Governance of Risk

October 2012

Gert Cruywagen

Page 2

“Risk comes from not knowing what you are doing”

Warren Buffett


Page 4

Why? – Business Case

• Risks should not always be managed but MUST BE UNDERSTOOD
• NO SURPRISES
• Process should enable Management to take correct decisions
• Risks are not only “BAD THINGS HAPPENING” but also “GOOD THINGS NOT HAPPENING”
• Some identified risks may be acceptable as they are – RESOURCES ARE NOT UNLIMITED

Page 5

History of Risk Management

• Henri Fayol
• Continued Industrialisation
• Bird Triangle
• Security Imperatives
• Insurance Requirements
• Corporate Scandals
• Corporate Governance
• Value Add!

Page 6

The changing risk landscape

Business dynamics are changing risk profiles and challenging traditional risk management frameworks.

External Developments
• Investors are more sensitive to deviation from earnings expectations
• Trial of disasters
• Heightened regulatory, board/investor, and accounting requirements

Internal Demand
• Legacy of crises or near misses
• Real and perceived rise in the number and severity of risks
• Corporate governance challenges

Methodological Advances
• Risk analytics
• Shareholder value measures
• Portfolio analytics
• Systems and databases

Enterprise Risk Management
• Establishment of a board risk committee and/or appointment of a chief risk officer
• Realignment of organisational roles and responsibilities
• Improvement in risk analytics, reporting, and early warning systems
• Application of risk management in business processes
• Optimisation of risk/return performance

Page 7

Improving risk quality demonstrates good corporate governance and has clear implications for shareholder value [1]

There is a clear correlation between companies’ risk quality and their financial performance.

• A clear empirical connection was found between risk quality and shareholder value performance.
• High-quality risk engineering was found to be highly correlated with low cash flow volatility, a core value driver.
• Stable cash flow is a strong driver of value creation.
• Risk quality is a strategic issue and an essential aspect of effective corporate governance procedures.
• Diligently pursuing property risk improvement practices is a characteristic of value-creating firms.
• Operational cash flow, risk and expected growth constitute the three core drivers of shareholder value.

Therefore, shareholder value is enhanced by doing any one of the following:
• Increasing or protecting the cash flow generated from operations.
• Improving the growth rate in operating cash flow.
• Reducing the risk associated with generating cash flow (i.e. the cost of capital).

[1] Source: ‘Improving Risk Quality to Drive Value’ – an independent research briefing commissioned by FM Global and undertaken by Oxford Metrica in 2003.

Page 8

King Committee on Corporate Governance: Introduction and Mandate

• First King Report
• King 2
• King 2 Risk Management Section was good, but needed updating.
• King 3:
  – Move away from “tick box” approach
  – Move away from merely “Management of Risk” to complete “Governance of Risk”
  – Take cognisance of causes and effect of credit crunch and recession (risk management got some blame!)

Page 9

4.1 The Board should be responsible for the governance of risk

• Formal process
• Board should be able to demonstrate comprehensiveness.
• Responsibility in board charter
• Risk policy and plan
  – Documented
  – Widely distributed
• Risk Structure
• Framework (many different ones available)
• Regular review

Page 10

4.2 The Board should determine the levels of risk tolerance

• Board should set limits annually
• Review limits during times of uncertainty / adverse changes
• Internal and external factors
• Where risk appetite is different from risk tolerance – should be disclosed
• Board should monitor significant risk taken by management
• Board should ensure that it understands risk implications, also on shareholders and other stakeholders

Page 11

4.3 The risk committee (or audit committee) should assist the board in carrying out its risk responsibilities

Board should appoint a risk committee to review:
• Risk management progress and maturity of company
• Effectiveness of risk management activities
• Key risks
• Responses to address risks

Board may assign this to the audit committee: however, it must carefully consider the audit committee’s resources to adequately deal with risk governance in addition to its audit responsibilities.

• Terms of reference and consideration of policy and plan
• Meet 2x per year, be provided with sufficient information
• Should be annually assessed by the Board for effectiveness

Page 12

Risk Committee Composition

• Should include executive and non-executive directors
• Members of management responsible for various areas of risk management should attend.
• Members of the risk committee should comprise people with adequate risk management skills and experience to equip the committee to perform its functions
• To supplement its risk management skills and experience, the risk committee may invite independent risk management experts to attend its meetings

Page 13

4.4 The Board should delegate to management the responsibility to design, implement and monitor the risk management plan

• The Board’s risk strategy should be executed by management.
• Management is accountable to the board for risk management, and delegations should recognise this
• Board should ensure adequate support and resources
• Accountability to the board remains with the CEO
• Board may appoint CRO – should be a suitably experienced person.
• CRO should have access to and interact regularly on strategic risk matters with board, committee and management.
• Risk management should be intrusive – embedded within strategy setting, planning and business processes.

Page 14

4.5 The board should ensure that risk assessments are performed on a continual basis

• Ongoing risk assessment process (identification, quantification and evaluation) using generally recognised methodology.
• Identify risks and opportunities, measure impact and likelihood
• A formal assessment once a year (systematic and documented) providing realistic perspective of key risks
• Risks should be prioritised and ranked
• Assessments should not only rely on perceptions of a group of managers. Should use data analysis, business indicators, market information, loss data, scenario planning and portfolio analysis.

Page 15

Risk Assessment

• Should be comprehensive, accurate, thorough, and complete.
• Should not be limited to list of categories
• Should be directed to:
  – Strategic or business objective
  – Various income streams
  – Critical business processes
  – Critical dependencies
  – Sustainability dimensions
  – Stakeholders’ interests
• Top down approach, but not only high-end risks – all operational levels
• Board should regularly receive and review key risks, but also aggregated risks, correlated risks and risk concentrations
• Sustainability risks!

Page 16

4.6 The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks

Unanticipated catastrophic risks like global credit crunch (systemic) as well as other unpredictable risks.

Frameworks in place should have:
• Insight – ability to identify cause of the risk
• Information – comprehensive information on risks and sources
• Incentives – separate risk origination and ownership (accountability)
• Instinct – avoid “herd behaviour” in systemic and pervasive risks
• Independence – view company independently from environment
• Interconnectivity – understand how risks are related, especially where this exacerbates risks

Page 17

4.7 The board should ensure that management considers and implements appropriate risk responses

Management should identify and consider the different ways that the company can respond to identified risks:
• Avoiding
• Treating, avoiding, or mitigating the risk
• Transferring the risk exposure
• Tolerating or accepting the risk
• Exploiting the risk
• Terminating the activity that gives rise to intolerable risk
• Integrating

Management should demonstrate to the board that the plan provides for identification and exploitation of opportunities.

Should not only identify negative impact of major risk events, but also potential hidden opportunities – converse relationship.

Page 18

4.8 The board should ensure continual risk monitoring by management

• Management should monitor:
  – Measure risk performance against risk indicators (periodically reviewed for appropriateness)
  – Measure progress against, and deviation from, risk management plan
  – Monitor changes in external and internal environment
  – Impact of environment changes on strategic risk profile
  – Ensure responses are effective and efficient in design and operation
  – Track implementation of risk responses
  – Analyse and learn from changes, trends, successes, failures and events (near misses)
  – Identify emerging risks
• Responsibilities for monitoring should be clearly defined in risk management policy and plan

Page 19

4.9 The board should receive assurance regarding the effectiveness of the risk management process

• Management is accountable to the board regarding assurance
• Management’s report should be balanced
• Any risk response failings or weaknesses should be disclosed
• Should report on maturity and degree of embeddedness
• Independent provider of assurance – internal audit
• IA does not assume the functions, systems and processes of risk management, but provides independent assurance to the board on the integrity and robustness of the risk management process.
• IA should provide an annual written assessment on effectiveness
• External audit may consult with risk committee, CRO and IA for an understanding of the company’s risk management activities.

Page 20

4.10 The board should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders

Major departure from before.

• Board should disclose, in annual integrated report, any undue, unexpected or unusual risks it has taken in the pursuit of reward.
• Should disclose any material losses and their causes.
• Quantify and disclose impact of losses, as well as responses implemented.
• NOT compromise sensitive information.
• Should disclose any current, imminent or envisaged risk that threatens long-term sustainability.
• Board should disclose its views on effectiveness of risk management processes

Page 21

King 3 Risk Principles – COSO and ISO 31000

• Using only COSO or ISO 31000 will not ensure FULL King 3 compliance.
• King 3 looks at total Risk Landscape, namely risk responsibility, risk tolerance, risk oversight, Risk Management (policy, assessment, responses, monitoring), risk assurance, risk disclosure.
• ISO 31000 concentrates on Risk Management portion, which is probably the bulk.
• COSO has financial slant with reference to multiple and cross-enterprise risks, opportunities and deployment of capital
• King 3 states that the risk management plan should include the risk management framework (Para 9.1 Principle 4.1)
• COSO and ISO 31000 will assist

Page 22

Questions and discussions