Putting in place a structure to manage risk across a company can be difficult unless there are agreed practices and definitions. Carole Edrich explains how to approach the task
The form and nature of the implementation of any framework for corporate governance and risk management must vary according to the technology and culture of the enterprise. While the overall reporting structure and management information system should be uniform and consistent, the level of protection should also reflect the importance of the component, process or information to the enterprise as a whole.
The Combined Code, and Turnbull in particular, indicates that risks should be reviewed by the board at least twice yearly. Some organisations have undoubtedly interpreted this as a review of existing and new risks once every six months. Not only does this fail to follow the spirit of the Turnbull recommendations, it is unlikely to be acceptable to the Financial Services Authority (FSA).
A more sensible interpretation would be to implement a framework and processes that ensure risks are identified, assessed and evaluated on a six-month cycle, with periodic oversight from the risk committee. Others believe that a six-month cycle is too long, and may choose periods ranging from one day to six months. Another view is that the only way to manage risks and implement controls is through continuous monitoring and control, or through continuous monitoring with periodic control and review phases.
Two perspectives
Continuous monitoring and control requires a heavy level of training, resource usage, automation, complete integration with the enterprise's management information system, and a familiarity with all areas of enterprise and environmental risk and governance that is rarely achieved.
Continuous or dynamic risk monitoring is an activity that is necessarily influenced by change, and tension still lies between the proponents of the two perspectives. Those who think that cyclical monitoring is good are likely to be involved in process audit or overly concerned with budgetary constraints. Those who believe that risk monitoring should be continuous are usually involved in the corporate governance and risk management process itself, and believe that the monitoring should assure the process and therefore, indirectly, the organisation itself.
It is easier to establish a good risk monitoring process if senior management see corporate governance as a useful and ongoing management information tool rather than as an overly bureaucratic, periodic process interspersed with interruptions from regulators with ambiguous guidelines. This can only be done if information of the kind that management considers useful for decision support is integrated into the framework or process.
Integrating the many approaches, techniques and methods for the multifarious aspects of corporate governance, risk management and the implementation of firm-wide controls is a new science, a huge task for which there is no common language. Even within individual sectors and the same organisations, the same terms can have completely different meanings. Since the world of risk is so discordant, with so little common understanding and so few shared definitions, any corporate governance or control framework must be careful, concise and clear.
Simple categories
A misunderstood word or interpretation means that two or more people may no longer be discussing, reporting or managing the same risk. If a risk is not described correctly, the meaning of what is discussed may be completely transformed and this might be enough to change the way the risk is treated.
One of the best ways to get around this challenge is to adopt very simple categories for the allocation of risk. Potential users must bear in mind that each risk can be placed into only one category. If there is disagreement as to the category, experience shows that either the risk or the category has been defined incorrectly.
Developing a consistent interpretation of terms throughout the enterprise entails a co-ordinated set of activities, probably best started by those in audit and risk management. A minimum step would be the adoption of an agreed set of common terms, made easily accessible throughout the organisation.
Corporate governance is not a bureaucratic or simple compliance initiative, but an enterprise-wide process requiring management attention. Once management understands this and is amenable to providing appropriate data, it will have considerable information and support on which it can base its long-term decisions.
It is important to undertake a clearly defined exercise. Consideration of, and agreement on, the answers to the following questions is likely to be vital in adopting the best framework and process for the organisation as a whole:
What is a dynamic corporate governance and risk management process? Is it appropriate or would a cyclic or periodic process be better? How would this be justified to the internal decision makers, shareholders and regulators?
What do we need to do to get our respective organisations to adapt to such a process? Who are the major sponsors and are they board members? How can board members' attention be gained and maintained?
Who is responsible? At what level? To what extent is this formal and documented? Who should own and who should develop the process? What processes, techniques, methods and tools need putting into place? Is it necessary to invent everything from scratch, or are there processes, approaches or frameworks that can be customised? Is it worth spending money on external assistance, or should it be developed internally? How might technology help? How long will it take to develop the systems?
All commercial organisations are out to make profits; therefore what should be totally and utterly unacceptable is a risk without benefit. In most organisations a benefit is simply a measurable financial reward. But it is also important to recognise that risk-taking is a normal part of business, and that governance is about controls for opportunity as well as for danger.
While some organisations are implementing a top-down approach to governance and risk management, with the board and directors initiating the process and delegating responsibilities, others have selected a bottom-up approach.
However, even though it is appropriate that those with detailed knowledge of areas such as health and safety or the environment participate fully, unless the board or equivalent understands and participates in the monitoring, review and control processes, it is likely that eventually a glaring, big-picture omission will result in embarrassment, financial loss or worse.
Question 1
Select the most appropriate answer:
On what does the form and nature of the implementation of any corporate governance framework depend?
a. The priorities of the director who has responsibility for its implementation
b. Media management
c. The technology, culture and enterprise-wide priorities of the organisation
d. The current reporting structure.
Question 2
Select the exception:
Corporate governance and control is best implemented in the following ways:
a. Through a twice-yearly evaluation and reporting process
b. Through a continuous evaluation and management process and periodic reviews
c. Through a continuous evaluation and management process and continuous reviews
d. Through monthly evaluation and management and monthly reviews.
Carole Edrich can be contacted at cedrich@kaicorporation.com; see also the website www.kaicorporation.com
How to use CPD
This free Insurance Times reader service is intended to help you improve your skills and understanding from the comfort of your office or home. All you have to do is read the text and answer the multiple-choice questions. The answers will appear in next week's issue.
Why CPD is important
The mission of the Financial Services National Training Organisation (FSNTO) is to improve the quality and skills of the workforce as a fundamental requirement for the sustainable competitiveness of the industry. We fully support the practice of continuing professional development (CPD) as a major contributor to achieving this aim. Many people across the sector are required to undertake CPD by virtue of the work they do or the professional body to which they belong, but everyone can benefit from continuing to develop their knowledge and skills.