Following corporate scandals such as those that engulfed Enron and WorldCom, regulators responded by strengthening corporate governance through new legislation or guidelines. In the United States, the Sarbanes-Oxley Act was enacted in 2002.
The Singapore Exchange (SGX) revised its listing rules in 2011 and the Monetary Authority of Singapore (MAS) its Code of Corporate Governance in 2012. The Hong Kong Stock Exchange also amended its listing rules, Code of Corporate Governance and Corporate Governance Report in 2012.
In each case, one of the regulators’ concerns was risk governance.
Without doubt, risk governance is key to good corporate governance. Beyond the need to simply comply with regulations, companies that adopt best risk management practices do so in their own interests.
Companies that understand and manage well the risks they face will have an advantage over their competition and better support their own value creation. Risk management enables a company to astutely deal with potential negative events that may create uncertainty to its business or operations.
A company which is prepared will be able to mitigate business disruptions or losses, for example, through having business continuity plans, insurance protection or financial hedging. A company may even increase its profits in situations where its business is kept running while the operations of competitors stall, for example, due to natural calamities like flooding.
In this article, we highlight some key aspects of a good risk management system, namely risk identification, assessment, appetite and tolerance.
What Is Risk Management?
Risk management can be defined as the identification, forecasting and evaluation of potential risks that a company may face, together with the formulation of response options, procedures or scenario planning to avoid or minimize any negative impact.
These risks could be in the form of financial, operational, compliance, reputational and even human resource risks, among others. There are internationally recognized enterprise risk management frameworks. They include the Enterprise Risk Management – Integrated Framework published in 2004 by COSO, a joint initiative of five private-sector organizations in the US, among them the American Institute of CPAs and the Institute of Internal Auditors.
Companies may utilize or adapt these frameworks for their risk management needs. Or they may develop their own standardized approach. For example, Lego Group, the global toymaker, developed scenarios around possible political, economic and competitive futures in the next few years. It then tested them to determine the impact of each scenario on the firm’s strategies.
Risks are traditionally seen as an undesirable downside to be simply avoided or accepted as something inherent when one pursues opportunities. But in the pursuit of a company's strategic goals and interests, it is vital that a company considers a deliberate and structured approach to undertake an appropriate degree of risk or “calculated risk”.
Good risk management is not just about risk avoidance or risk seeking; it’s about getting the best possible trade-offs by understanding the risk universe that a company may operate in.
A company should make a thorough effort to identify the full range of significant risks in its business environment or its “risk universe”. Once the risks are identified, risk assessment could be done to determine the root causes or dynamics of these risks.
Various risk assessment techniques are available. They vary from the qualitative to the quantitative. It is important for a company to identify the techniques appropriate to the nature of its activities, since not all risks can be easily quantified or monitored.
Some of the techniques include:
- risk ranking
- risk maps
- cash flow at risk
- earnings at risk
- validation of risk impact
- validation of risk likelihood
- risk benchmarking
The risk assessment should lead to the identification of both threats and opportunities. In addition, the understanding of the risks will allow the company to make better decisions, along with better agility to respond to changes in circumstances or emerging opportunities. At the same time, the risk assessment will help to reduce operational surprises and associated losses.
Li & Fung, a global sourcing and garment company that focuses on good governance, utilizes its information system to look across its operations. The objective is to identify trends and thus assess possible risks. For example, the company may analyze retailers’ order data to better prepare for an economic downturn or recovery before the trend becomes apparent.
“Growing your business without understanding what risks your company will be expected to face is not a sound strategy,” says R. Dhinakaran, Vice-President and Chairman, Corporate Governance Committee, at the Institute of Singapore Chartered Accountants (ISCA). “Understanding your risks clearly can be crucial to gaining a competitive advantage in a rapidly evolving business environment.”
Risk Appetite and Risk Tolerance
Risk appetite can be defined as the general level of risk a company is willing to accept in the conduct of its activities, with the aim of creating value or a return for the company. Undertaking a risk assessment should allow a company to crystallize an objective and write a comprehensive risk appetite statement.
The risk appetite thus crystallized and articulated can serve as a useful benchmark by which the company can determine whether it is operating within the boundaries decided upon by its key stakeholders, such as shareholders, board of directors and senior management.
To achieve effective risk management, a company’s risk appetite has to be integrated into daily decision-making and operational processes. This may mean board directors coordinating with senior management and functional areas to operationalize the risk appetite in terms of some pre-determined thresholds or parameters that managers and staff can readily comprehend and apply in daily work. These thresholds or parameters, which serve as a framework within which to make decisions or work, may form the risk tolerance levels of a company.
While risk appetite and risk tolerance may appear to be the same, the main difference between them is that risk tolerance is the application of a company’s risk appetite and keeping it within limits while trying to achieve the company’s objectives. Risk tolerance operationalizes the company’s risk appetite.
Singapore Airlines, a leading global airline, has a progressive approach towards managing risks. It has put in place a structured and formalized risk management framework that requires tolerance limits, for managing specific types of risk, to be stated in risk policies and guidelines. This provides control boundaries and performance standards for business units to adhere to when managing risks.
When it comes to making a risk assessment and ensuring that the risk appetite and tolerance aspects work seamlessly together, it is crucial that there is direct and regular communication between those who are making the risk assessment and those who decide how the company should be managed.
For example, there may be companies where risk assessment is performed by staff other than at the board or senior management levels. In these instances, risk assessment could have been done by risk management committees that were drawn from various functional departments in the company.
For a comprehensive and effective understanding of risks faced by a company, it is important that both the board directors and senior management are well informed and thoroughly comprehend the risk assessment process.
This will ensure that the determination of the company’s risk appetite, which usually involves both the board and senior management, would be achieved with as comprehensive an understanding of the company’s significant risks as possible. This can then also be effectively operationalized as risk tolerance levels to be applied in the company’s daily operations.
After the company has defined its risk appetite and also risk tolerance, board directors and senior management must set the right tone in delivering the key message of risk governance and culture to their company.
“Cultivating a risk aware corporate culture takes time, patience and creativity in order to get staff buy-in. It should be a journey to enlighten people rather than a burden to comply,” says Dennis Lee, Chief Risk Officer at the National University of Singapore.
One key factor in a successful risk management system is the participation of every staff member. In order to ensure participation, the commitment from the top should be communicated clearly. A common risk language or culture in the company should be fostered.
In addition, clear reporting lines for risk related matters should also be established in the event staff may require further guidance. This culture of risk governance has to be cultivated in the company in order to make every employee feel a sense of ownership and to act responsibly.
Risk management performance indicators can also be explicitly incorporated into the job descriptions and responsibilities of relevant employees. The board and senior management should consider whether compensation incentives for staff at various levels, not just for top management, are aligned with the company’s risk appetite. The board and senior management should also avoid rewarding excessive risk taking, if the exposure to those risks is not in line with the company’s risk appetite.
“ISCA advocates the adoption of the best practices of risks governance,” says Lee Fook Chiew, Chief Executive Officer of ISCA. “That is why we have always been working with all stakeholders to increase the awareness and to further promote the adoption of good risk governance through research, seminars or forums.”
About the Author
Chan Sze Yee is Head of Research at the Institute of Singapore Chartered Accountants. ©2014 Institute of Singapore Chartered Accountants. All rights reserved.