Why risk management is crucial in corporate governance

Every entity exists to achieve certain objectives and sets out the direction it is to take.

This includes the vision, mission, strategic objectives and the value system, which should be clearly specified.

Continuous review of the same should be undertaken to ensure the entity remains on course.

The various interested parties to an entity, such as the public, providers of capital, suppliers, employees, the State and shareholders, also have a myriad of expectations. Thus measures have to be put in place to ensure their expectations are met and exceeded and that the entity remains operational in the short and long term.

It remains an uphill task for every governing organ to ensure that the entity remains a going concern, operates sustainably, creates value, secures its physical and logical assets and retains its human capital.

Ostensibly, the environment under which businesses operate is uncertain and erratic, which makes it challenging to effectively and efficiently achieve the desired goals.

Apparently, a number of entities that have failed to invest in innovative strategies aimed at keeping their businesses relevant or in existence have ended up closing shop.

Over the years, the media has been awash with information on corporate collapses, corruption scandals in both public and private entities, corporate reputation damage, cyber-attacks and political upheavals. Others include terrorist attacks, corporate malfeasance, climatic fluctuations, environmental degradation and changes in the legal and regulatory environment.

Managing risks

These, among other factors, have continued to threaten the survival as well as sustainability of entities.

Any entity that is to deal with uncertainties and achieve its desired objectives must effectively manage its risks.

ISO 31000:2009 defines risk as the effect of uncertainty on objectives.

It is measured in terms of impact and likelihood. In the process of managing risks, opportunities may arise that an entity could exploit, not only to minimise the effects of the risk but also to ensure business sustainability.

The main aim of risk management is not to eliminate risk but to ensure it is understood, managed and, when appropriate, communicated (OECD, 2014). Organisations should thus have a progressive and effective risk governance system in place and a strong risk culture if they are to mitigate adverse effects that would jeopardise the achievement of desired objectives.

A number of risks, such as information technology risks (cyber-attacks), financial fraud, loss of lives, injuries to employees, damage to the corporate brand and reputation, adverse climatic changes and loss of business to competitors, could affect the existence of a business, hence the need to have a robust framework for risk identification, assessment and treatment.

For an enterprise to create resilience, enhance sustainability, safeguard its resources and achieve the desired objectives, the control environment must be right.

This will also create value, ensure efficiency and effectiveness of its operations, and enhance accurate and reliable financial information.

The control environment revolves around everything that keeps risks from materialising. These are actions taken to minimise the effect of a risk and give assurance that the desired objectives will be met.

This means the policies, systems and procedures effected by an organisation’s management to ensure that the entity’s objectives are achieved effectively and efficiently, that the financial information is reliable and that laws and regulations are complied with.

The control environment plays a key role in the prevention and detection of fraud and irregularities as well as protection of an entity’s assets.

Internal auditors

Top management should design and implement strong controls around its operating environment.

For the controls to be effective, the ‘tone at the top’ or management philosophy must be right.

The board, management, audit committee and internal auditors play a key role in provision of oversight and in ensuring that controls are working and achieving desired objectives.

Controls should be continually monitored. They include segregation of duties, where you assign separate roles to different persons in a process or activity; control of records, which safeguards generation, transmission, storage, retrieval, archival and destruction; and supervision of operations.

Others are input, process and output controls in the information technology environment; physical safeguards of lock and key, CCTV, fence and security personnel; and authorisation of transactions, which involves review of transactions by the appropriate personnel.

In conclusion, an effective risk governance system, a strong risk and ethical culture as well as an effective control environment, coupled with the right ‘tone at the top’, are critical to the existence and sustainability of corporates.

Boards should set the tone at the top, oversee the implementation of robust risk management systems and ensure a strong, effective control environment. As a result, corporate collapses and surprises will be mitigated.

Corporate reputation and assets will also be safeguarded and sustainability of the businesses guaranteed.

-The writer is a member of the Institute of Certified Secretaries