| This
article was published in the October 2000 issue of "Director",
the newsletter of the Institute of Corporate Directors.
By Paul Fitzgerald
Articles
> RISK
and REWARD
- Directors must Promote Systems for making Strategic
Business Decisions.
By
now it is clear to most observers that managing risk is an important
control aspect of corporate governance and a principal responsibility
for boards of directors. Unfortunately, many boards are encountering
some difficulty in establishing a functional organizational system
to deal with risk. This was a finding of the 1999 Report on Corporate
Governance entitled Five Years to the Dey that was commissioned
by the Toronto Stock Exchange (TSE) and the Institute of Corporate
Directors (ICD).
The TSE initially set out Guidelines for Improved Corporate Governance
in Canada in a report entitled "Where Were The Directors?".
Commonly referred to as the Dey Report, it recommended that boards
assume responsibility for "the identification of the principal
risks of the business, ensuring the implementation of appropriate
systems to manage these risks".
All
corporate directors should consider whether the risk management
structure of their company will adequately deal with the threats
to their business or whether the structure is a contributing factor
in missed opportunities. The prevailing wisdom is that risk and
opportunity are closely linked and most business decisions involve
varying degrees of both.
In
research papers published by the Criteria of Control Board of the
Canadian Institute of Chartered Accountants (CICA), it states that,
"managers need to assess both the possible adverse consequences
and the possible beneficial consequences" of competitive business
choices. It further states "an organisation that is in a strong
position to seize opportunity and manage risk is in control".
The implication is that effective risk management can offer a distinct
competitive advantage.
Establishing
an effective risk management structure is no easy task. In large
part that is because in a rapidly changing business environment,
a company's risk profile will also be quite dynamic. A new or acquired
operation means new employees, customers, activities and processes,
all of which will have inherent risks as well as interdependencies
that may not be readily apparent. Since risk is typically random
in nature and involves uncertainty, a formal system offers the control
required.
The
following has all the elements of a classical risk management approach,
which requires the identification, evaluation, control and monitoring
of risk. The risk management process must be aligned to the strategic
goals and objectives that the organisation is pursuing. This is
essential for ensuring senior management and enterprise-wide support.
While
implementing a risk management process seems straightforward, a
functioning risk management system must be integrated into the culture
of the organisation and it must become a core competency for all
personnel. This is a complex task that does not become reality without
significant effort and resources.
Your
organisation may already be following certain risk management principles
and you may actually have a risk management group but you are not
likely to meet with success until you empower a skilled senior manager
with a clear mandate to improve the management of the prominent
risks facing your company. Simply relying on insurance to insulate
the company from the possible impact of significant risk is no longer
adequate.
Here
are the basic elements of an effective risk management program:
| A.
|
Senior
management and board level commitment to a broad-based, strategic
risk management process. This commitment must be sufficient
to ensure that risk management becomes a core skill of the
company and is practised throughout the organization, particularly
at the operating level; |
| B.
|
A structured risk assessment process to identify and thoroughly
assess each prominent risk. Risk is normally considered on
the likelihood of occurrence and its potential severity but
other factors may also be relevant - the possible impact that
a particular event may have on your reputation or the good
will from the community is an example. The risk assessment
process must involve key personnel from all areas and levels
of the business. A risk management forum will also ensure
that important information is fully communicated and it will
enhance the vital process of prioritising the risks; |
| C. |
A broad risk management policy that is communicated and adhered
to throughout the organization. Procedures should be established
in writing for the most prominent risks with specific objectives
and targets. Due diligence requires documentation to prove
that procedures are not only established but adhered to; |
| D.
|
Clearly
defined responsibilities for managing and controlling risk.
Performance evaluations that include specific risk management
objectives will improve accountability and achievement; |
| E. |
Adequate
resources and tools focused on the most prominent risks so
that compliance and effective performance is assured. Ongoing
employee training is essential; |
| F. |
Testing and monitoring of all programs and procedures, particularly
crisis response and business recovery plans with continual
improvement as the goal; |
| G.
|
Regular
reports including independent audits prepared for review by
senior management and board directors. These reports should
provide concise information regarding the status (including
deficiencies) of all corporate risk management programs. |
A
functional risk management system will allow a company to make informed
decisions that may avoid the tragic circumstances that can result
from risk-taking. The Westray Mine explosion and the Walkerton water
contamination are vivid examples of events that can be avoided.
Board
directors must continue to monitor and revisit the risks facing
their organisation on a regular basis. By adhering to a structured
risk management process, a company will develop thorough knowledge
of its risk profile and will be able to publicly report how risks
are managed and what control measures are in place, in a full and
transparent manner.
Profits
are the reward for successful risk-taking. The shareholders' investment
must be protected. Board members are now being advised that they
have an ethical obligation to their employees, customers and the
public who are also stakeholders. Adopting quality risk management
practices will ensure that all interests will be well served.
Back
to top
|
