Why? – Business Case
- Risks should not always be managed, but MUST BE UNDERSTOOD: NO SURPRISES
- The process should enable management to take correct decisions
- Risks are not only “BAD THINGS HAPPENING” but also “GOOD THINGS NOT HAPPENING”
- Some identified risks may be acceptable as they are – RESOURCES ARE NOT UNLIMITED
History of Risk Management
- Henri Fayol
- Continued industrialisation
- Bird Triangle
- Security imperatives
- Insurance requirements
- Corporate scandals
- Corporate governance
- Value add!
The changing risk landscape
Business dynamics are changing risk profiles and challenging traditional risk management frameworks.
External developments
- Investors are more sensitive to deviation from earnings expectations
- Trail of disasters
- Heightened regulatory, board/investor, and accounting requirements
Internal demand
- Legacy of crises or near misses
- Real and perceived rise in the number and severity of risks
- Corporate governance challenges
Methodological advances
- Risk analytics
- Shareholder value measures
- Portfolio analytics
- Systems and databases
Enterprise Risk Management
- Establishment of a board risk committee and/or appointment of a chief risk officer
- Realignment of organisational roles and responsibilities
- Improvement in risk analytics, reporting, and early warning systems
- Application of risk management in business processes
- Optimisation of risk/return performance
Improving risk quality demonstrates good corporate governance and has clear implications for shareholder value [1]
There is a clear correlation between companies’ risk quality and their financial performance [1]
- A clear empirical connection was found between risk quality and shareholder value performance.
- High-quality risk engineering was found to be highly correlated with low cash flow volatility, a core value driver. Stable cash flow is a strong driver of value creation.
- Risk quality is a strategic issue and an essential aspect of effective corporate governance procedures.
- Diligently pursuing property risk improvement practices is a characteristic of value-creating firms.
- Operational cash flow, risk and expected growth constitute the three core drivers of shareholder value. Therefore, shareholder value is enhanced by doing any one of the following:
  - Increasing or protecting the cash flow generated from operations
  - Improving the growth rate in operating cash flow
  - Reducing the risk associated with generating cash flow (i.e. the cost of capital)
[1] Source: ‘Improving Risk Quality to Drive Value’, an independent research briefing commissioned by FM Global and undertaken by Oxford Metrica in 2003.
King Committee on Corporate Governance: Introduction and Mandate
- First King Report
- King 2
  - The King 2 Risk Management section was good, but needed updating
- King 3
  - Move away from the “tick box” approach
  - Move away from merely “Management of Risk” to complete “Governance of Risk”
  - Take cognisance of the causes and effects of the credit crunch and recession (risk management got some blame!)
4.1 The Board should be responsible for the governance of risk
- Formal process: the Board should be able to demonstrate comprehensiveness
- Responsibility in the board charter
- Risk policy and plan: documented and widely distributed
- Risk structure framework (many different ones available)
- Regular review
4.2 The Board should determine the levels of risk tolerance
- The Board should set limits annually
- Review limits during times of uncertainty / adverse changes (internal and external factors)
- Where risk appetite differs from risk tolerance, this should be disclosed
- The Board should monitor significant risks taken by management
- The Board should ensure that it understands the risk implications, also for shareholders and other stakeholders
4.3 The risk committee (or audit committee) should assist the board in carrying out its risk responsibilities
- The Board should appoint a risk committee to review:
  - Risk management progress and maturity of the company
  - Effectiveness of risk management activities
  - Key risks
  - Responses to address risks
- The Board may assign this to the audit committee; however, it must carefully consider the audit committee’s resources to adequately deal with risk governance in addition to its audit responsibilities
- Terms of reference and consideration of policy and plan
- Meet 2x per year, and be provided with sufficient information
- Should be assessed annually by the Board for effectiveness
Risk Committee Composition
- Should include executive and non-executive directors
- Members of management responsible for various areas of risk management should attend
- Members of the risk committee should comprise people with adequate risk management skills and experience to equip the committee to perform its functions
- To supplement its risk management skills and experience, the risk committee may invite independent risk management experts to attend its meetings
4.4 The Board should delegate to management the responsibility to design, implement and monitor the risk management plan
- The Board’s risk strategy should be executed by management
- Management is accountable to the board for risk management, and delegations should recognise this
- The Board should ensure adequate support and resources
- Accountability to the board remains with the CEO
- The Board may appoint a CRO, who should be a suitably experienced person
- The CRO should have access to, and interact regularly on strategic risk matters with, the board, the committee and management
- Risk management should be intrusive: embedded within strategy setting, planning and business processes
4.5 The board should ensure that risk assessments are performed on a continual basis
- Ongoing risk assessment process (identification, quantification and evaluation) using a generally recognised methodology
- Identify risks and opportunities; measure impact and likelihood
- A formal assessment once a year (systematic and documented), providing a realistic perspective of key risks
- Risks should be prioritised and ranked
- Assessments should not rely only on the perceptions of a group of managers; they should use data analysis, business indicators, market information, loss data, scenario planning and portfolio analysis
Risk Assessment
- Should be comprehensive, accurate, thorough, and complete
- Should not be limited to a list of categories
- Should be directed to:
  - Strategic or business objectives
  - Various income streams
  - Critical business processes
  - Critical dependencies
  - Sustainability dimensions
  - Stakeholders’ interests
- Top-down approach, but not only high-end risks: all operational levels
- The Board should regularly receive and review key risks, but also aggregated risks, correlated risks and risk concentrations
- Sustainability risks!
4.6 The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks
- Unanticipated catastrophic risks like the global credit crunch (systemic) as well as other unpredictable risks
- Frameworks in place should have:
  - Insight: ability to identify the cause of the risk
  - Information: comprehensive information on risks and sources
  - Incentives: separate risk origination and ownership (accountability)
  - Instinct: avoid “herd behaviour” in systemic and pervasive risks
  - Independence: view the company independently from its environment
  - Interconnectivity: understand how risks are related, especially where this exacerbates risks
4.7 The board should ensure that management considers and implements appropriate risk responses
- Management should identify and consider the different ways that the company can respond to identified risks:
  - Treating, avoiding, or mitigating the risk
  - Transferring the risk exposure
  - Tolerating or accepting the risk
  - Exploiting the risk
  - Terminating the activity that gives rise to intolerable risk
  - Integrating
- Management should demonstrate to the board that the plan provides for the identification and exploitation of opportunities
- Should not only identify the negative impact of major risk events, but also potential hidden opportunities (converse relationship)
4.8 The board should ensure continual risk monitoring by management
- Management should monitor:
  - Risk performance against risk indicators (periodically reviewed for appropriateness)
  - Progress against, and deviation from, the risk management plan
  - Changes in the external and internal environment, and their impact on the strategic risk profile
  - Whether responses are effective and efficient in design and operation
  - Implementation of risk responses
  - Lessons from changes, trends, successes, failures and events (near misses)
  - Emerging risks
- Responsibilities for monitoring should be clearly defined in the risk management policy and plan
4.9 The board should receive assurance regarding the effectiveness of the risk management process
- Management is accountable to the board regarding assurance
- Management’s report should be balanced: any risk response failings or weaknesses should be disclosed
- Should report on maturity and degree of embeddedness
- Independent provider of assurance: internal audit (IA)
  - IA does not assume the functions, systems and processes of risk management, but provides independent assurance to the board on the integrity and robustness of the risk management process
  - IA should provide an annual written assessment on effectiveness
- External audit may consult with the risk committee, CRO and IA for an understanding of the company’s risk management activities
4.10 The board should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders
- Major departure from before
- The Board should disclose, in the annual integrated report, any undue, unexpected or unusual risks it has taken in the pursuit of reward
- Should disclose any material losses and their causes; quantify and disclose the impact of losses, as well as the responses implemented
- Must NOT compromise sensitive information
- Should disclose any current, imminent or envisaged risk that threatens long-term sustainability
- The Board should disclose its views on the effectiveness of risk management processes
King 3 Risk Principles - COSO and ISO 31000
- Using only COSO or ISO 31000 will not ensure FULL King 3 compliance
- King 3 looks at the total risk landscape, namely risk responsibility, risk tolerance, risk oversight, risk management (policy, assessment, responses, monitoring), risk assurance and risk disclosure
- ISO 31000 concentrates on the risk management portion, which is probably the bulk
- COSO has a financial slant, with reference to multiple and cross-enterprise risks, opportunities and deployment of capital
- King 3 states that the risk management plan should include the risk management framework (Para 9.1, Principle 4.1); COSO and ISO 31000 will assist