Running a business, indeed running almost every enterprise, involves risk. Risk can only be avoided by choosing to do nothing, and even then unexpected events can occur. In many business situations, as is well known, the greater the risk, the greater the potential return to the enterprise. The challenge faced by Boards of Directors (BoDs) is to balance risk with acceptable reward: in other words, to understand the exposure of their companies to risk, to determine how those risks are faced, and to ensure that they are handled appropriately.
Corporate governance involves creating business value while managing risk. Risk management, not risk minimization, should be the theme; and it refers to the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities. BoDs have a specific and vital responsibility to recognize, understand, and accept the risk profile inherent in their corporate strategies, what some people call ‘approving the company’s risk appetite’.
Every board has a duty to ensure that:
- significant risks facing its company are recognized;
- risk assessment systems exist and are effective throughout the organization;
- risk evaluation procedures are developed and operational;
- risk monitoring systems are robust, efficient, and effective;
- business continuity strategies and risk management policies exist, are regularly updated, and are practical.
Many corporate governance codes and companies’ law now call for BoDs to give assurances that systems are in place to handle corporate risk in their regular corporate governance reports to shareholders.
BoDs need to understand where value is added within their business, at what point the company is critically exposed to risk, and where the most sensitive areas are in which the very survival of the business could be threatened. BoDs need to face those risks and to develop relevant risk strategies and policies. Such responsibilities call for a formal system to ensure that risk is properly assessed and considered at board level and then professionally managed throughout the company.
Sophisticated investors around the world focus on the nature and extent of risk in the companies and industries in which they invest. Companies that are recognized as having professional Enterprise Risk Management (ERM) and transparent risk reporting are respected. Their shares can command a premium over those of competitors, and their overall cost of capital is likely to be lower.
Some BoDs include corporate risk assessment in the mandate of the board’s audit committee. However, audit committees can be orientated towards the past, involved with audit outcomes and approving accountability information for publication, whereas risk assessment needs a proactive, forward-looking orientation. Consequently, other boards have decided to create a risk assessment or risk management committee as a distinct standing committee of the board. Such a committee might have four or five members, wholly or mainly Independent Non-Executive Directors (INEDs) with appropriate business experience. Initially, when a company is building its risk management systems, the committee might meet quite frequently, but then two or three times a year, reporting to the board as a whole. Members of senior management and external experts in risk are likely to be invited to attend to advise the committee.
An alternative approach is for the board to form a management-based risk management group, perhaps including the Chief Executive Officer (CEO), the Chief Finance Officer (CFO), profit-responsible division or unit heads, and the responsible risk management executive(s). External experts could also be invited to advise the group. A management-based risk management group needs to take a strategic view of corporate risk and to avoid adopting a purely financial view. In other words, the group needs to see the enterprise in the context of its overall risk profile, not only from a financial perspective. A management-based risk group might typically report to the CEO or CFO, but it is essential that its work is reviewed and approved at board level. Of course, it is possible that a company might decide to have both a board-level risk management committee and a management-based group reporting to it.
The issue of risk management is particularly significant in the case of financial institutions. Their entire business involves the management of risk. This was confirmed in a report by the Basel Committee on Banking Supervision, widely known as Basel II: ‘The bank’s BoDs have a responsibility for setting the board’s tolerance for risks.’ ‘Favourable capital adequacy decisions need to demonstrate that the bank’s BoDs and senior management, as appropriate, are actively involved in the oversight of the operational risk management framework’. According to the report, a risk policy committee to fulfil this requirement should have its own written charter, board representation with at least three independent directors with the requisite skills and knowledge to oversee risk management, and a chairman appointed by the whole board.
Many major companies have specialized risk managers to oversee the company-wide risk assessment systems and procedures, who can advise the board on risk issues. The Chief Risk Officer (CRO) is an increasingly important figure in many companies, just as the global head of risk is in international banks. The risk management committee will typically agree the job description, appoint, and monitor the CRO, who is then secretary to that committee.
The global financial crisis, which resulted in the collapse of financial institutions and the need for government support in a number of countries, also led to the re-evaluation of the governance of risk. In some banks, the power of financial risk-takers was rebalanced in favour of the CRO and the risk assessment function. Goldman Sachs achieves a balance between risk-taking traders and potentially risk-averse risk officers by moving traders into risk management functions as part of their career progression, although in other institutions the CRO remains little more than a compliance officer.
Unfortunately, in some companies, risk management issues seldom reach board level. The management of risk is piecemeal and undertaken at the business unit level, sometimes known as a ‘silo’ or ‘bucket’ approach, with each part of the organization standing on its own base. Responsibility for risk management is then located in middle management, with managers insuring the business against the classical risks of fire, theft, and accident. This orientation is likely to be operational rather than strategic, and to have more to do with cost reduction, searching for the cheapest cover available, than with conscientious risk assessment. Moreover, the middle manager can become a bottleneck, even a block, between the board and its responsibility for overall strategic risk assessment and management.
The company’s risk management structure should include an ongoing effort to assess and analyze the most likely areas of future risk for the company, including how the contours and interrelationships of existing risks may change and how the company’s processes for anticipating future risks are developed. This includes understanding risks inherent in the company’s strategic plans, risks arising from the competitive landscape and the potential for technology and other developments to impact the company’s profitability and prospects for sustainable, long-term value creation. Anticipating future risks is a key element of avoiding or mitigating those risks before they escalate into crises. In reviewing risk management, the board or relevant committees should ask the company’s executives to discuss the most likely sources of material future risks and how the company is addressing any significant potential vulnerability.
About the Author:
Dr. Asare Bediako Adams, FCILG is the Director of Operations for the Chartered Institute of Leadership and Governance and the Executive Director of PMRIG Group of Companies.
Article Resource: CILG Ghana