The Governance of Risk: Moving from the Management of Risk to the Governance of Risk
OCTOBER 2012
Gert Cruywagen
“Risk comes from not knowing what you are doing”
Warren Buffet
Why? – Business Case
• Risks should not always be managed but MUST BE UNDERSTOOD
• NO SURPRISES
• Process should enable Management to take correct decisions
• Risks are not only “BAD THINGS HAPPENING” but also “GOOD THINGS NOT HAPPENING”
• Some identified risks may be acceptable as they are – RESOURCES ARE NOT UNLIMITED
History of Risk Management
• Henri Fayol
• Continued Industrialisation
• Bird Triangle
• Security Imperatives
• Insurance Requirements
• Corporate Scandals
• Corporate Governance
• Value Add!
The changing risk landscape
Business dynamics are changing risk profiles and challenging traditional risk management frameworks
External Developments
• Investors are more sensitive to deviation from earnings expectations
• Trial of disasters
• Heightened regulatory, board/investor, and accounting requirements
Internal Demand
• Legacy of crises or near misses
• Real and perceived rise in the number and severity of risks
• Corporate governance challenges
Methodological Advances
• Risk analytics
• Shareholder value measures
• Portfolio analytics
• Systems and databases
Enterprise Risk Management
• Establishment of a board risk committee and/or appointment of a chief risk officer
• Realignment of organisational roles and responsibilities
• Improvement in risk analytics, reporting, and early warning systems
• Application of risk management in business processes
• Optimisation of risk/return performance
Improving risk quality demonstrates good corporate governance and has clear implications for shareholder value [1]
There is a clear correlation between companies’ risk quality and their financial performance
[1] Source: ‘Improving Risk Quality to Drive Value’ – an independent research briefing commissioned by FM Global and undertaken by Oxford Metrica in 2003.
A clear empirical connection was found between risk quality and shareholder value performance.
High-quality risk engineering was found to be highly correlated with low cash flow volatility, a core value driver.
Stable cash flow is a strong driver of value creation.
Risk quality is a strategic issue and an essential aspect of effective corporate governance procedures.
Diligently pursuing property risk improvement practices is a characteristic of value-creating firms.
Operational cash flow, risk and expected growth constitute the three core drivers of shareholder value.
Therefore, shareholder value is enhanced by doing one of the following:
• Increasing or protecting the cash flow generated from operations
• Improving the growth rate in operating cash flow
• Reducing the risk associated with generating cash flow (i.e. the cost of capital)
King Committee on Corporate Governance: Introduction and Mandate
• First King Report
• King 2: Risk Management Section was good, but needed updating.
King 3
• Move away from “tick box” approach
• Move away from merely “Management of Risk” to complete “Governance of Risk”
• Take cognisance of causes and effect of credit crunch and recession (risk management got some blame!)
4.1 The Board should be responsible for the governance of risk
• Formal process
• Board should be able to demonstrate comprehensiveness.
• Responsibility in board charter
• Risk policy and plan
• Documented
• Widely distributed
• Risk structure
• Framework (many different ones available)
• Regular review
4.2 The Board should determine the levels of risk tolerance
• Board should set limits annually
• Review limits during times of uncertainty / adverse changes
• Internal and external factors
• Where risk appetite is different from risk tolerance – should be disclosed
• Board should monitor significant risk taken by management
• Board should ensure that it understands risk implications, also on shareholders and other stakeholders
4.3 The risk committee (or audit committee) should assist the board in carrying out its risk responsibilities
• Board should appoint a risk committee to review: risk management progress and maturity of company; effectiveness of risk management activities; key risks; responses to address risks
• Board may assign this to the audit committee; however, it must carefully consider the audit committee’s resources to adequately deal with risk governance in addition to its audit responsibilities
• Terms of reference and consideration of policy and plan
• Meet 2x per year, be provided with sufficient information
• Should be annually assessed by the Board for effectiveness
Risk Committee Composition
• Should include executive and non-executive directors
• Members of management responsible for various areas of risk management should attend.
• Members of the risk committee should comprise people with adequate risk management skills and experience to equip the committee to perform its functions
• To supplement its risk management skills and experience, the risk committee may invite independent risk management experts to attend its meetings
4.4 The Board should delegate to management the responsibility to design, implement and monitor the risk management plan
• The Board’s risk strategy should be executed by management.
• Management is accountable to the board for risk management, and delegations should recognise this
• Board should ensure adequate support and resources
• Accountability to the board remains with the CEO
• Board may appoint CRO – should be a suitably experienced person.
• CRO should have access to and interact regularly on strategic risk matters with board, committee and management.
• Risk management should be intrusive – embedded within strategy setting, planning and business processes.
4.5 The board should ensure that risk assessments are performed on a continual basis
• Ongoing risk assessment process (identification, quantification and evaluation) using generally recognised methodology.
• Identify risks and opportunities, measure impact and likelihood
• A formal assessment once a year (systematic and documented) providing realistic perspective of key risks
• Risks should be prioritised and ranked
• Assessments should not only rely on perceptions of a group of managers. Should use data analysis, business indicators, market information, loss data, scenario planning and portfolio analysis.
Risk Assessment
• Should be comprehensive, accurate, thorough, and complete.
• Should not be limited to list of categories
• Should be directed to: strategic or business objective; various income streams; critical business processes; critical dependencies; sustainability dimensions; stakeholders’ interests
• Top down approach, but not only high-end risks – all operational levels
• Board should regularly receive and review key risks, but also aggregated risks, correlated risks and risk concentrations
• Sustainability risks!
4.6 The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks
• Unanticipated catastrophic risks like global credit crunch (systemic) as well as other unpredictable risks.
Frameworks in place should have:
• Insight – ability to identify cause of the risk
• Information – comprehensive information on risks and sources
• Incentives – separate risk origination and ownership (accountability)
• Instinct – avoid “herd behaviour” in systemic and pervasive risks
• Independence – view company independently from environment
• Interconnectivity – understand how risks are related, especially where this exacerbates risks
4.7 The board should ensure that management considers and implements appropriate risk responses
Management should identify and consider the different ways that the company can respond to identified risks:
• Avoiding
• Treating, avoiding, or mitigating the risk
• Transferring the risk exposure
• Tolerating or accepting the risk
• Exploiting the risk
• Terminating the activity that gives rise to intolerable risk
• Integrating
• Management should demonstrate to the board – plan provides for identification and exploitation of opportunities
• Should not only identify negative impact of major risk events, but also potential hidden opportunities – converse relationship
4.8 The board should ensure continual risk monitoring by management
Management should monitor:
• Measure risk performance against risk indicators (periodically reviewed for appropriateness)
• Measure progress against, and deviation from, risk management plan
• Monitor changes in external and internal environment
• Impact of environment changes on strategic risk profile
• Ensure responses are effective and efficient in design and operation
• Track implementation of risk responses
• Analysing and learning from changes, trends, successes, failures and events (near misses)
• Identifying emerging risks
• Responsibilities for monitoring should be clearly defined in risk management policy and plan
4.9 The board should receive assurance regarding the effectiveness of the risk management process
• Management is accountable to the board regarding assurance
• Management’s report should be balanced
• Any risk response failings or weaknesses should be disclosed
• Should report on maturity and degree of embeddedness
• Independent provider of assurance – internal audit
• IA does not assume the functions, systems and processes of risk management, but provides independent assurance to the board on the integrity and robustness of the risk management process.
• IA should provide an annual written assessment on effectiveness
• External audit may consult with risk committee, CRO and IA for an understanding of the company’s risk management activities.
4.10 The board should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders
• Major departure from before.
• Board should disclose, in annual integrated report, any undue, unexpected or unusual risks it has taken in the pursuit of reward.
• Should disclose any material losses and their causes.
• Quantify and disclose impact of losses, as well as responses implemented.
• NOT compromise sensitive information.
• Should disclose any current, imminent or envisaged risk that threatens long-term sustainability.
• Board should disclose its views on effectiveness of risk management processes
King 3 Risk Principles – COSO and ISO 31000
• Using only COSO or ISO 31000 will not ensure FULL King 3 compliance.
• King 3 looks at total Risk Landscape, namely risk responsibility, risk tolerance, risk oversight, Risk Management (policy, assessment, responses, monitoring), risk assurance, risk disclosure.
• ISO 31000 concentrates on Risk Management portion, which is probably the bulk.
• COSO has financial slant with reference to multiple and cross-enterprise risks, opportunities and deployment of capital
• King 3 states that the risk management plan should include the risk management framework (Para 9.1 Principle 4.1)
• COSO and ISO 31000 will assist
Questions and discussions