Please note that this pertains to South African Legislation, the King Requirements, and Best Practice.
Today we are looking specifically at the issues around the Governance of Risk.
Now, before we start getting into the detail and the specifics of this, the reality is that every business has risk! Actually, let me take that one step further – every aspect of the business has its own risk! It makes no difference what type of business you are in or what industry you are in; every single aspect of the business will have an element of risk attached to it.
Part of the Directors’ leadership role and responsibility should be the prevention and management of these risks, and to be effective they would, of course, need to ensure that the activities around risk remain within the realities of the challenges of the company’s business.
Some of the questions that the directors should be asking are (but not limited to):
1. Do we understand what the risk is? Let’s face it, you can’t prevent or manage something that you don’t know about and the fact is that very few Directors are even aware of what the risks are, let alone how to either prevent them or manage them. So clearly the research has to be done because ultimately whether or not they are aware of the risks, they will be held accountable for the consequences of those risks.
2. Then, of course, there are risks and there are RISKS! Some are minor irritations, some have major consequences and the majority are usually somewhere in the middle between the two. Understanding the risk means that you should understand the consequence and understanding the consequence means that you will be better able to set a ‘reasonable’ level of tolerance that can be applied to each risk.
3. Following on from the previous question – are the biggest risk exposures to the organization being managed and, more importantly, how do you know if they are being adequately managed? Are there measurements in place to determine this? As always, remember that “if you can’t measure it, you can’t manage it!”
4. How often are risk assessments performed and how often do directors participate in any way in these assessments? Remember business trends and markets are constantly changing and evolving and the risks need to be assessed regularly to ensure that they are being properly managed.
5. Are the same risk-related issues repeatedly raised and discussed in the various management, governance, committee, and sub-committee meetings? If so, what steps are being taken to bring these issues to resolution and closure? It’s not just about ‘discussions’, although those are very important too; you have to find a solution, and that takes action!
6. What about the ICT (Information and Communication Technology) risk – is that also considered in the risk management process? Please think, in particular, about the new PoPI Act and that particular quagmire that we all have to navigate. It’s a major threat, and the requirements of the Act have to be implemented sooner rather than later!
7. Is compliance risk covered and properly managed? There is the generic compliance that is applicable to all businesses and then there is the risk that is determined by the industry that you are in.
8. Are the risks prioritized and inserted into an action plan with realistic achievement dates? This is of the utmost importance if you are going to meet implementation deadlines.
9. Are all the risks that fall “outside” the Board’s tolerance levels given focused attention so that solutions and interventions can be implemented, properly managed, and effectively measured? Again, this is something that should be on the agenda.
10. Is a planned and documented risk management plan in place, is it regularly updated, and who manages it? In big corporations there is usually a ‘risk’ officer as well as an Internal Audit function, so the function is pretty much ‘ring-fenced’. Medium to small businesses would have to add this function onto someone’s portfolio, and in SMMEs this usually falls onto the shoulders of the CEO. Make sure that discussion on the risk management plan is documented, and make sure that it is an item on the agenda irrespective of whether you are a huge corporation or a small start-up!
11. Is there a fraud risk plan in place to assess fraud prevention and exposure and who manages this? See point 10 above as the same requirements apply.
12. Does your disclosure accurately reflect the actual position of your company? Make sure that you are ethically transparent here.
As you can see, these are very deep and detailed questions that require a fair amount of research and work, not only from the Directors themselves but also from both internal and external resources.
Ensuring that you understand what it is that is required will go a long way to making sure that as a Director you contribute positively to a healthy, profitable, and sustainable company.
Next time we will look specifically at the issues around the governance of Information Technology.