Corporate Governance and Risk Management
Corporate governance is the glue that holds an organization together in pursuit of its objectives while risk management provides the resilience. The challenge is for the organization to identify clearly the risks it must manage and to assign ownership and accountability for their effective management.
“Without risk, there is no advance,” and, “The higher the risk, the greater the reward,” are well-established truisms. Both, however, can only succeed if the risk is effectively managed.
Risk management has been a significant part of the insurance industry for some 50 years, but in recent times it has developed a wider currency as an emerging management philosophy across the globe. It is a common sense methodology that allows a clear direction and pathway for decision making within an enterprise. Inherently, culture and acceptance of risk varies from location to location.
Today’s most vibrant industries and organizations understand that doing business in this dynamic marketplace demands highly trained and well-rounded workers equipped to handle the challenges of an ever-changing, fast-paced business environment. This has encouraged the development and expansion of the skills that are needed to survive the complexity and uncertainty which is faced in an increasingly competitive world.
The risk management practitioner of the future must facilitate the knowledge needs of directors, officers of companies, and government entities to ensure survival and sustainability.
Just as risk management has reached these new levels of maturity, business has been confronted by demands for more accountable corporate governance. In order for corporate governance to be effective, it must be supported by a rigorous risk management process and strong controls assurance. Risk management identifies the controls needed, while internal audit provides the assurance that they are being observed and are efficient.
Many jurisdictions have opted for the “black letter” law approach to corporate governance. While such an approach allows lawmakers to demonstrate that they have done something, it is unlikely to stop further cases of corporate collapse due to criminal activity by senior management. This is because as soon as a law is enacted people start to work out how to circumvent it.
What is needed is a return to ethical management with strong accountability for actions. All too often, when something goes wrong the system is responsible for the problem, but no one is accountable for having made the decision to do or not to do something that led to the failure. Nowhere is this trend towards unaccountability more apparent than at the political and multinational corporate level.
The corporate governance challenge for an organization is to identify clearly the risks it must manage in order to turn strategic objectives into operational reality, and to assign ownership and accountability for their effective management.
Unfortunately, all too many organizations do not recognise the difference between accountability for decision making and responsibility for enacting the decision. This is where the development and adoption of a risk culture that is specific to the organization becomes crucial.
A risk culture is established when staff at all levels accept accountability for all their business behaviours relating to their individual performance. This encompasses informed decisions, and doing or not doing things based on a reasonable analysis of foreseeable risks, opportunities and their associated impacts on the strategic corporate objectives.
Unless such a risk culture is developed the management of risk will not be the clear accountability of the risk makers and the risk takers.
Management of risk is an integral part of good management. It is an iterative process of continual improvement that is best embedded into existing practices or business processes.
An effective risk management regime is a combination of the culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects.
An organization’s culture is the sum of its people, symbols, stories, business experiences, power structures, control systems, organizational structures, rituals and routines that, when combined, make it unique.
The structure adopted must ensure that all risks have owners who have accountability for their management and who also have the authority to make decisions with respect to the treatment of the risk.
Management of risk is a line management accountability and while there may be experts to advise on and facilitate risk management activities within the enterprise, the accountability cannot be delegated by the manager/owner with the authority to effect decisions about the specific risk. Risk management must also become an integral part of the strategic planning process and Board reporting programme.
The end result is to direct the enterprise’s culture, process and structure towards realizing potential opportunities, while managing adverse effects in pursuit of the corporate objectives.
The culture and structure will depend very much on the commitment of the Board and management. However, whatever risk management framework is adopted must ensure that:
· clear lines of communication and consultation are established with all stakeholders, both internal and external as appropriate;
· a risk context is developed and promulgated by the Board of the enterprise that reflects the risk culture required of the staff and defines the structure of the analysis to be undertaken;
……..
· a rigorous process is created to identify what, when, where, why and how events could enhance, prevent, degrade or delay the achievements of the enterprise’s objectives;
· the consequences and likelihood and, therefore, the level of risk are determined and existing controls are identified and evaluated;
· estimated levels of risk are compared with established criteria and the balance between potential benefits and adverse outcomes is considered;
………..
· specific cost-effective strategies and action plans for increasing benefits and reducing potential costs are developed and implemented; and
· the effectiveness of all steps in the risk management process is continuously monitored and reviewed so as to ensure continual improvement and that priorities do not need changing due to altered circumstances.
Such a process can be applied at many levels in an organization. It can be applied at a strategic level and at tactical and operational levels throughout an enterprise. It may be applied to specific projects such as outsourcing activities or major infrastructure, to assist with specific decisions, or to manage specific recognised risk areas such as quality, safety or environmental obligations.
Risk management practitioners are often their own worst enemy when it comes to championing the cultural change required in an organization if it is to effectively manage its risks.
Sadly, this is not a recent phenomenon, as the following quote from Felix Kloman, a long-time commentator, prophet and philosopher on risk management and the management of risk, illustrates. His comment in “The Revolt of the Risk Manager”, published in Best’s Review, October 1971, is as fresh and applicable today as when first made 33 years ago:
Until the Risk Manager can be completely free of his real and psychological ties to insurance and the insurance industry, he will not be able to perform the risk management function.
The challenge facing today’s risk manager is not just breaking free of the mantra that “risk management is all about insurance, and if we have insurance, then we have managed our risks”, but rather being accepted as a provider of advice and service to the risk makers and the risk takers at all levels within the enterprise. It is the risk makers and the risk takers who must be the owners of risk and accountable for its effective management.
A consequence of the uncertainty as to the place of risk management in an organization and the role of the risk manager has seen a plethora of persons and professional bodies presenting themselves as the true “risk managers”.
Just as the accounting profession recognized the need for a professional programme to round out the university studies of those offering accounting services, there is a definite need for a similar programme for risk management practitioners. This has now been achieved to varying levels and is slowly gaining acceptance within a number of countries, most notably Australia, Canada, South Africa, the United Kingdom and the USA.
The formal risk management programmes that have been developed are not substitutes for existing qualifications, but rather an umbrella under which the broad array of risk management practitioners can gather and be recognized by the community as risk management professionals who possess a core of common knowledge and who adhere to a strict code of conduct.
This educational and professional development approach has been facilitated by bodies such as the Institute of Risk Management in the United Kingdom, the New Zealand Society of Risk Management, the Risk Management Institution of Australasia, and the South African Institute of Risk Management.
These bodies have a common objective of striving to bring together all parties involved in managing risk in order to:
· promote and further the interests and advancement of risk management practitioners;
· provide a forum for and to disseminate and exchange views, ideas, and experiences about the management of risk;
……..
· promote and support education activities and research that encourage professional development of the science, art, skills, attitudes and knowledge of risk management; and
· support the development of risk management education and research programmes at universities and similar institutions.
Risk management is seen as a business activity, but should also be used to address developing infrastructure that will withstand natural disasters and providing programmes to minimize human suffering. This is not to suggest that it is a panacea for all the ills of society, but if used properly, it empowers people to become more responsible for their actions.
The greatest risk of all is to take no risk at all. Without risk, there is no advancement. The challenge for us all is to manage the risk so as to ensure a successful outcome. Risks must be taken if we are to learn, feel, change, grow, love, and live. Only the person who risks is free.
Thank you