Please note that this pertains to South African Legislation, the King Requirements and Best Practice.
Today we are looking specifically at the issues around the Governance of Risk.
Now, before we start getting into the detail and the specifics of this, the reality is that every business has risk! Actually, let me take that one step further – every aspect of business has its own risk! It makes no difference what type of business you are in or what industry you are in; every single aspect of the business will have an element of risk attached to it.
Part of the Directors’ leadership and responsibility role should be the prevention and management of these risks, and to be effective they would of course need to ensure that the activities around risk remain within the realities of the challenges of the company’s business.
Some of the questions that the directors should be asking are (but are not limited to):
1. Do we understand what the risk is? Let’s face it, you can’t prevent or manage something that you don’t know about, and the fact is that very few Directors are even aware of what the risks are, let alone how to either prevent them or manage them. So clearly the research has to be done, because ultimately, whether or not they are aware of the risks, they will be held accountable for the consequences of those risks.
2. Then of course there are risks and there are RISKS! Some are minor irritations, some have major consequences and the majority are usually somewhere in the middle between the two. Understanding the risk means that you should understand the consequence and understanding the consequence means that you will be better able to set a ‘reasonable’ level of tolerance that can be applied to each risk.
3. Following on from the previous question – are the biggest risk exposures to the organization being managed and, more importantly, how do you know if they are being adequately managed? Are there measurements in place to determine this?
4. How often are risk assessments performed and how often do directors participate in any way in these assessments? Remember, business trends and markets are constantly changing and evolving, and the risks need to be assessed regularly to ensure that they are being properly managed.
5. Are the same risk-related issues repeatedly raised and discussed in the various management, governance, committee and sub-committee meetings? If so, what steps are being taken to bring them to resolution and closure?
6. What about the ICT (Information, Communication and Technology) risk – is that also considered in the risk management process?
7. Is compliance risk covered and properly managed?
8. Are the risks prioritized and inserted into an action plan with realistic achievement dates?
9. Are all the risks that fall “outside” the Board’s tolerance levels given focused attention, so that solutions and interventions can be implemented, properly managed and effectively measured?
10. Is a planned and documented risk management plan in place, is it regularly updated, and who manages it?
11. Is a fraud risk plan in place to assess fraud prevention and exposure, and who manages it?
12. Does your disclosure accurately reflect the actual position of your company?
As you can see, these are very deep and detailed questions that require a fair amount of research and work, not only from the Directors themselves, but also from both internal and external resources.
Ensuring that you understand what it is that is required will go a long way to making sure that, as a Director, you contribute positively to a healthy, profitable and sustainable company.
Next time we will look specifically at the issues around the governance of Information Technology.