Last week, the Corporate Governance Council in Singapore released Risk Governance Guidance for Listed Boards.
This is an exceptional product of value to boards of all organizations, their executives and risk practitioners.
Singapore's Code of Corporate Governance requires listed companies (i.e., not just banks and financial services companies) to address risk management. This document provides guidance on the board's oversight role and, in the process, does a fine job of describing risk management itself.
As I read the guide, I was tempted to share almost the entire document! It has sections of value that describe:
- The nature of risk management.
- The need to integrate the consideration of risk into governance processes such as strategy-setting and performance management.
- The need for assurance on risk management and related internal controls, and guidance on how to assess risk management.
- How to determine whether you need a board risk committee and how to structure it.
- Risk tolerance (a.k.a. risk appetite).
- Risk management standards (the guide uses language consistent with ISO 31000:2009).
- Technology-related risks.
- Risk culture.
The document's four-member working group included two partners from audit firms (KPMG and PwC) and two practitioners from major Singapore companies: one chief risk officer and one chief audit executive.
The guide starts with a description of governance, to put the discussion into context:
Corporate governance refers to the system by which companies are directed and managed. This involves a set of relationships between a company's board, management, employees, shareholders and other stakeholders. This also provides the structure through which the company achieves its objectives and provides accountability to stakeholders. Good corporate governance therefore is an effectual balance of promoting the long-term success of the company, and providing accountability and control systems which are symmetric with the risks involved.
The guide continues to set context by quoting the Singapore Corporate Governance Code:
The Board is responsible for the governance of risk. The Board should ensure that Management maintains a sound system of risk management and internal controls to safeguard shareholders' interests and the company's assets, and should determine the nature and extent of the significant risks which the Board is willing to take in achieving its strategic objectives.
The Board should determine the company's levels of risk tolerance and risk policies, and oversee Management in the design, implementation and monitoring of the risk management and internal control systems.
The Board should, at least annually, review the adequacy and effectiveness of the company's risk management and internal control systems, including financial, operational, compliance and information technology controls. Such a review can be carried out internally or with the assistance of any competent third parties.
The Board should comment on the adequacy and effectiveness of the internal controls, including financial, operational, compliance and information technology controls, and risk management systems, in the company's annual report. The Board's commentary should include information needed by stakeholders to make an informed assessment of the company's internal control and risk management systems.
The Board should also comment in the company's annual report on whether it has received assurance from the Chief Executive Officer and the Chief Financial Officer:
a) that the financial records have been properly maintained and the financial statements give a true and fair view of the company's operations and finances; and
b) regarding the effectiveness of the company's risk management and internal control systems.
The Board may establish a separate board risk committee or otherwise assess appropriate means to assist it in carrying out its responsibility of overseeing the company's risk management framework and policies.
Here are some notable excerpts from the guide:
Risk governance is the architecture within which risk management operates in a company. It defines the way in which a company undertakes risk management. It is essential for the company to have clarity about what risks are being managed and how. It provides guidance for sound and informed decision-making and effective allocation of resources.
- Sound risk governance allows for the articulation of how, in the context of its risks, a company is able to:
- o achieve its business objectives;
- o formulate its value proposition;
- o assess its risk tolerance; and
- design its processes with respect to the reasonable expectations of stakeholders.
- The Board should first begin with a fundamental understanding of the mission of the company and of the reasons it exists in relation to all its stakeholders. From there, the Board should work with Management to:
- identify the risks relevant to the company (also known as the risk universe); and
- effectively allocate the company's resources to create and preserve value in ways that resonate with the company's mission.
- Effective risk governance provides the appropriate level of direction and control in:
- determining the goals and strategy of the company;
- pursuing those goals;
- identifying the risks which are present or which may arise when the company pursues its goals; and
- determining measures to mitigate the risks.
- The Board is responsible for the governance of risk and sets the tone and direction for the company in the way risks are being managed.
- The Board has ultimate responsibility for approving the strategy of the company in a manner which addresses stakeholders' expectations and does not expose the company to an unacceptable level of risk. It also has ultimate responsibility for approving the key risk management policies, ensuring a sound system of risk management and internal controls, and monitoring performance against them.
- The Role of the Board in the governance of risk should comprise the following:
a) determining the approach to risk governance for the company;
b) setting and instilling the right culture throughout the company for effective risk governance;
c) ensuring that the risks relevant to the company are properly identified, including those risks inherent in the company's business model and strategy, and risks from external factors as the company pursues its strategic objectives;
d) monitoring the company's exposure to risk and the key risks that could undermine its strategy, reputation or long-term viability, including provide for periodic environmental scans to gauge any possible impact on the risk profile of the company;
e) ensuring that Management put in place action plans to mitigate the risks identified where possible; and
f) providing oversight of the risk management system, and system of internal controls, and reviewing their adequacy and effectiveness at least on an annual basis.
- The Role of Management in the management of risks is to:
- a) design, implement and monitor the risk management and internal control systems of the company in accordance with Board policies on risks and controls, using effective processes and procedures;
- b) identify the risks relevant to the business of the company and manage the business in accordance with risk policies / directions from the Board;
- c) identify changes to risks or emerging risks and promptly bring these to the attention of the Board where appropriate; and
- d) ensure the quality, adequacy and timeliness of the information that goes to the Board.
- ERM is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk tolerance, to provide reasonable assurance regarding the achievement of the entity's.
- It is impossible to fully eliminate risk, and in fact it may be counter-productive to even try. The correct approach is to determine and achieve the right balance between mitigating the downside of risks to an acceptable level whilst still taking advantage of opportunities.
- Effective risk assessment provides forward-looking insights, not only helping to manage risks, but providing greater and more meaningful clarity in respect of the following:
- o The vast range of existing and emerging risks that a company faces;
- o How these risks are managed; and
- o The level of risk that is being run and the extent to which the company intends to take risks.
- The Board, when considering a possible ERM framework for the company, may wish to have regard to the following six common characteristics of leading, sustainable international risk management frameworks:
(i) Risk Strategy and Policy
- The consideration of risk as a company sets its strategic direction
- How risk is considered as a company allocates its capital across competing priorities
- How risk is reflected in the policies that are adopted
(ii) Risk Process – How risk is identified, assessed and responded to in day to day activities.
(iii) Risk Structure – The specific risk management functions and responsibilities established to sustain the focus on risk management.
(iv) Culture – The culture and behaviours that need to be developed and sustained to support effective risk management and reinforce doing the right thing naturally.
(v) Risk Systems and Tools – The systems and tools used to facilitate the risk management process.
(vi) Assurance – How assurance is gained over the effective operation of the risk management framework and continuously improved over time.
- To help reduce some of the ambiguity that may arise, the Board may wish to consider common membership among the separate committees that are responsible for the oversight of different risks, or have the separate committees hold joint meetings at least once a year.
- Regardless of the committee structure or other means which the Board employs, all directors must ensure the adequacy of their own director expertise with regard to risk awareness and management.
- The Nominating Committee should balance expertise versus objectivity in determining the composition of the Board Risk Committee. Specialists who are non-Board members could also be invited to support the Board Risk Committee.
- It is important that communication be maintained between the Board Risk Committee and the Audit Committee. Both committees should interact as often as possible to ensure timely information is exchanged and appropriate action taken where necessary.
The Risk Governance Guidance for Listed Boards was produced by Singapore's Corporate Governance Council, which advises the Monetary Authority of Singapore on governance matters. Information about the two organizations is available from the corporate governance section of MAS' website.