The role of risk management in corporate governance

Businesses have always needed to safeguard valuable corporate assets and information. Today, however, corporate assets have become global networks of electronic information systems, and the protection process has, of necessity, evolved considerably.

Annette Hieber, a director of Bytes Business Solutions, looks at the issues surrounding risk management from a corporate governance perspective. She addresses the value of internal control systems and methodologies and how they can be harnessed to build more robust business operations.

The issue of corporate governance - from both good and bad perspectives - has made headlines in recent months as law-makers around the globe have moved to introduce rules designed to promote greater corporate accountability, transparency and stakeholder confidence.

A direct result of these changes is increased accountability of company directors regarding risk control within their organisations.

In SA, the release of the second King Committee Report (King II) in July 2001 highlighted the importance of risk management - as did the JSE Securities Exchange, in its published Listing Requirements Guidelines.

Both sources proposed that company directors, collectively and individually, accept full responsibility for the accuracy of information relating to - among other issues - audited risk exposure.

What`s more, King II recommends that organisations report on a "triple bottom line" which covers the social, economic and environmental aspects of the organisation - and not only on financial performance.

Social aspects involve values, ethics and the reciprocal relationship with stakeholders other than the shareowners of the company.

The environmental aspects include the effect that the product or services produced by the company have on the environment.

And economic aspects refer to the financial performance of the company.

The report stresses the significance of non-financial issues such as human rights, ethics and the AIDS pandemic - all of which are now seen as part of the responsibility of organisations.

In terms of both King II and the JSE requirements, organisations must regularly monitor all aspects of human resources in the company to ensure effective internal and external communication regarding strategic plans and ethical code.

To summarise in the words of King II: "Successful governance in the world of the 21st century requires companies to adopt an inclusive approach that takes the community, its customers, its employees and its suppliers into consideration when developing the company strategy.

"The company must be open to institutional activism and there must be greater emphasis on the non-financial aspects of its performance.

"Boards must apply the test of fairness, accountability, responsibility and transparency in all acts or omissions and be accountable to the company but responsive and responsible towards the company`s identified stakeholders. The correct balance between conformance and performance must be struck."

In many analysts` opinion, there is but one option open to organisations today: To seize the opportunity to add value to the company through the development of IT infrastructures that facilitates transparency at every level.

At the heart of such a quest - and forming the backbone of every business - should be a comprehensive risk management system.

Such a system, with appropriate internal controls, will build a more robust business from an operations point of view and deliver a demonstrable system of risk identification.

Risk management is central to good corporate governance because it closes the loop between strategic initiatives and day-to-day operational performances. It also provides the foundation for dynamic goal setting, balanced scorecards, and guided analysis.

Required are:

a. A commitment by management to the process.

b. A demonstrable system of risk mitigation activities.

c. A system of documented risk communications.

d. A system of documenting the cost of non-compliance and losses.

e. A documented system of internal control and risk management.

f. An alignment of assurance of efforts to the risk profile.

g. A register of key risks that could affect the shareowner and relevant stakeholder interests.

The balanced scorecard approach provides an easy-to-use interface for tracking and analysing organisational performance. If executed correctly, users get an immediate and intuitive view of current status with stoplights and trend arrows that show current performance versus predefined thresholds.

It allows managers to review the current status of any project or activity and focus on the most important issues by sorting goals by status, trend and initiative.

Collaboration is a tool that can help all staff within an organisation to leverage the expertise of others. This will result in better and faster decisions that are more aligned with strategic initiatives and added value to the bottom line.

There are a number of risks that all companies face. These include supplier risk, in which supply chain management plays a critical role, and internal/ operational risk in which human resources and the HR infrastructure and related processes fall under the spotlight.

Then there is customer risk, with associated credit risk and variable marketing costs.

In order to mitigate against these risks, organisations need to introduce IT systems and processes that are auditable and in which all changes in the IT environment are tracked and managed effectively.

In this regard, IT systems that are sustainable and processes that are repeatable must be implemented.

Most important of all are complete transparency in all transactions, a thorough visibility of the enterprise and solid, enquiry-proof reporting procedures.

The final word must come from the McKinsey report of a year ago prepared for the National Information Infrastructure Advisory Council (NIIAC) in the US. It revealed that investors are willing to pay a premium for companies that practice good corporate governance. In the UK this equates to around 18% premium, while in emerging markets - and SA is among them - it is 27%.