Responsibility for risk is one of the key functions of a Board of Directors. It is so critical that most corporate governance codes recommend that this responsibility be enshrined in the Board Charter. King III recommends that the Board develop a policy and plan for a system and process of risk management, and King IV recommends that the Board set the direction for how risk should be approached and addressed in the organization. The Board should formally approve the policy. The Board can delegate risk management to a sub-committee that reports to it, such as the Audit and Risk Committee or the Risk Committee.
Risk and Strategy
King IV emphasizes that risk management should be reflected in the corporate strategy. Opportunities and associated risks should be considered when developing strategy (King IV, Principle 11.1(a)). Of note is the fact that risks should not only be considered from a negative-effects point of view; rather, the positive effects (the upside of risk) should be equally considered.
Risk Management Framework
While this is not specifically recommended in corporate governance codes, within the field of risk management several enterprise risk management frameworks have been developed to assist in the orderly management of risk. Choosing a risk management framework is probably the first thing a Board needs to do, so that the risk management process is organized and benefits from global frameworks that are tried and tested. Without a framework, the risk management process will be disorderly and difficult to control and monitor. Some of the leading global enterprise risk management frameworks are COSO (Committee of Sponsoring Organizations of the Treadway Commission) and ISO 31000.
Risk Monitoring and Assurance
The Board should delegate to management the responsibility for the design, implementation and monitoring of the risk management plan. This means that management is responsible for integrating risk into the day-to-day activities of the company (King III, Principle 4.4). Organizations should appoint an appropriately qualified and experienced Chief Risk Officer (CRO) to manage the risk management function. The CRO should have access to, and interact with, the Board, its sub-committees and executive management.
One of the key aspects of risk management is risk monitoring. King III recommends that the Board should ensure that effective and continual monitoring of risk management takes place annually. Most entities make use of a risk register to monitor the key risks. The risk register should include risk responses to the key risks.
Risk assurance is concerned with the audit of the risk management process to verify that it is working effectively. This role is performed by the Internal Audit function, and a written assessment should be provided to the Board periodically.
Risk Tolerance Levels and Risk Appetite
Risk tolerance refers to the level of risk that an organization is willing to accept for each individual risk, and risk appetite is the total risk that the organization can bear in a given risk profile (Enablon.com). The Board is required to set the levels of risk tolerance once a year, set the limits for the risk appetite, and continually monitor that the risks taken are within the tolerance and appetite levels (King III, Principle 4.2).
Risk Disclosures in the Integrated Report
The King III and King IV codes recommend that the Board should make certain disclosures in the integrated report regarding risk management. These include the following:
- an overview of arrangements for governing and managing risk;
- undue, unexpected or unusual risks;
- the Board’s view on the effectiveness of the risk management process;
- key areas of focus during the year and actions taken to monitor the effectiveness of risk management, and how the outcomes were addressed;
- the nature and extent of the risks and opportunities the organization is willing to take (this should, however, not compromise sensitive information); and
- planned areas of future focus.
Conclusion
The Board should select a robust enterprise risk management framework to assist in the implementation of an effective risk management process. The Board should take responsibility for risk management in its Board Charter.
Innocent Munjanja is Technical Director at Botswana Accountancy Oversight Authority