Integrated Risk Management Strategies

The document discusses how corporate governance and risk management should be integrated and aligned with organizational objectives. It argues that risk management activities should be tailored to each organization's needs and embedded within existing business processes rather than treated as a separate system. Effective risk management requires accountability at all levels of an organization for both achieving objectives and managing related risks.
Uploaded by Patrick Ow
© Attribution Non-Commercial (BY-NC)

management+business

Corporate governance
is our response to risk
Patrick Ow

The aim of risk management for any organisation is not the management of risk but the achievement of objectives. ISO 31000:2009 Risk Management – Principles and Guidelines emphasises the fact that the management of risk should be tailored and fit-for-purpose across the organisation, instead of being siloed and over-engineered with the focus on ticking the boxes instead of genuine risk management.

The current enterprise-wide approach for risk management has advocated the need for risk management to be undertaken across all areas of an organisation; that is, on an organisation-wide basis. Unfortunately, in practice, risk management activities continue to partially exist as a disparate, siloed, over-engineered management system, without any clear integration with existing organisational processes and/or without much Board and Management commitment. The solution is an integrated, simplified, whole-of-organisation approach to organisational strategies, control structure, strategic and operational planning, risk management framework and process, and performance and risk reporting.

Organisations exist for a purpose, with objectives to achieve. They must therefore effectively manage uncertainties that will have an impact on the achievement of their objectives, positively or negatively. Without risk, there is no reward or progress for the organisation. And unless risk is managed effectively throughout the organisation, opportunities will not be maximised and threats will not be minimised. Risks and the management of risks should be treated as part of each objective at all levels of the organisation.

This is where ISO 31000:2009 Risk Management – Principles and Guidelines has defined risk as the “effect of uncertainty on objectives”1. This objectives-focused standard sets out principles, a framework and a process for the management of risks that are applicable to any type of organisation; it is not specific to any industry or sector. The standard does not mandate a one-size-fits-all approach or a separate management system for managing risks, but rather emphasises the fact that the management of risk should be tailored and fit-for-purpose to the organisation’s specific needs and requirements, and tightly integrated and embedded into the existing business practices and processes of the organisation.

1 ISO Guide 73:2009 – Risk management – Vocabulary.

The first section of ISO 31000 sets out 11 principles that organisations should comply with in order for them to effectively manage their risks and achieve their objectives. The next section of the guideline refers to a framework that needs to be established to provide the foundations and arrangements that will embed or integrate the management of risk throughout the organisation at all levels. And finally, we have the process for managing risk, which is the systematic application of policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.

It is therefore imperative that the aim of risk management for any organisation is not the management of risk but the achievement of objectives. By embarking on risk management activities in accordance with ISO 31000, organisations can achieve their objectives if risk management is an integral part of their planning, decision-making and reporting process, embedded throughout the organisation at all levels and into its governance structure, processes and organisational culture as an element of normal business practice. This is where all decisions undertaken by everyone within the organisation involve the explicit consideration of objectives and risks, and the application of the risk management process. Sound and mature risk management provides the basis for effective governance for the organisation.

Consequently, risk management must also be viewed as central to the organisation’s management system, such that risks are considered in terms of the effect of uncertainty on objectives. Effective risk management must be regarded by everyone in the organisation as essential for the achievement of the organisation’s objectives.

We know that everyone in the organisation has to have personal objectives (as part of an individual’s performance management plans) that are cascaded from and aligned to organisational, departmental and team objectives. Using tools such as the balanced scorecard, organisational or strategic objectives are cascaded as departmental objectives, which in turn can be further cascaded as team and ultimately individual objectives. Performance management becomes easier as we have measurable performance measures and targets for each individual.

By doing so, everyone in the organisation who has accountability for achieving one or more objectives also has the accountability and/or responsibility for managing the risks associated with that objective, and the corresponding treatment plans and controls to manage the risks. This effectively means that accountabilities and responsibilities for the management of risks must be clearly established and encapsulated in job descriptions of individuals and in terms of reference of committees and team meetings.

The essence of good risk management and governance is personal accountability. When individuals, teams / committees and departments are held accountable for their actions (or inactions), there is effective performance management and governance. By objectively measuring performance and reporting against agreed performance measures and targets, there is clear accountability for the achievement of objectives at all levels of the organisation.

Linked to each objective are SMART performance measures and targets. From a performance reporting perspective, any variance from expected performance targets may indicate that either the organisation’s risk management activities (e.g. controls and risk treatments) for that objective are not as efficient, effective and/or adequate as implemented, or that the risks associated with that objective have changed.

As such, risk reporting must be embedded into the organisation’s performance reporting system and not a separate exercise. Reporting against performance targets for each objective is also a report on the effectiveness of strategies, controls and the risk management process for that objective. Risk reporting and treatments can be enhanced when the organisation’s risk register is arranged by objectives.

As an objectives-focused concept, corporate governance is a guidance system and control environment for the achievement of planned objectives2. It is the manner in which an organisation is managed and governed in order to achieve its objectives. A sound control environment delivered by an effective risk management framework provides reliability and assurance to the organisation that objectives can be achieved, and is considered effective when risks are reduced to an acceptable / tolerable level.

2 HB 254-2005 – Governance, Risk Management and Control Assurance, p. 6.

This then dwells heavily on control and oversight. But there is also a need for an organisation to be flexible in order to respond to changes in its external and internal environments. Risk management can be designed to provide both the control and resilience required for the organisation, and is therefore a fundamental and integral part of corporate governance. It not only provides effective strategies for managing risks that might impede the organisation in its pursuit of its goals and objectives, but also supplies the flexibility for the organisation to respond to unexpected risks and take advantage of unexpected opportunities and circumstances.

Risk management develops treatment plans and monitors existing controls and strategies associated with achieving each objective. The resultant control environment from an effective risk management framework will give reasonable assurance to the Board and Management that objectives will be achieved within an acceptable degree of residual risk. The appropriate governance framework provides the structure within which the control environment and risk management activities operate. Effective risk management is therefore the cornerstone of sound corporate governance. The meaning of control is much broader than internal financial controls and includes all planning and strategies after objectives have been set.

The implementation of the corporate governance elements (including risk management) for the sake of compliance and accreditation, or as a process-driven exercise, will not guarantee an effective corporate governance framework. The box-ticking approach does not add any value for the organisation and should be avoided.

We can diagrammatically show in Figure 1 the integration of organisational strategies, control structure, strategic and operational planning, risk management framework and process, and performance and risk reporting.

Figure 1: An integrated approach. (Diagram; only its labels survive: Organisational Strategy; Control Structure; Strategic & Operational Planning; Risk Management Framework & Process; Performance & Risk Reporting; Board; Strategic Objectives, Evaluated & Reported; CEO/Board Report; CEO / Strategic Risk Management; Operational Risk; Support Services; Operations Service Lines; Operational Objectives, Evaluated & Reported; Operational Reports; flows labelled Aligned & Cascaded Down, Cascaded Down, Escalated Up, Consolidated & Escalated Up.)

Organisational strategy (developed as part of the organisation’s strategic planning process) will determine the requisite control structure, strategic and operational planning processes, risk management framework and process, and performance and risk reporting framework. The common factor linking these is the focus on achieving objectives. Without sound and quantifiable strategies, organisations would not achieve their objectives.

Whether the control structure is functional-based (e.g. HR, finance) or process-based (e.g. programme, service line) or a hybrid of both (e.g. matrix), it should be designed to hold individuals accountable for their actions. We need to differentiate between those who are “accountable” (persons with a liability for their decisions or lack of decision) and those who are “responsible” (persons with an obligation to carry out an instruction from a higher authority).

Strategic risks are systematically identified and linked to organisational strategy and strategic objectives, measures and indicators. These risks are external and internal forces that may have a significant impact on the achievement of the organisation’s strategic objectives. Identification of risks in isolation from the development and management of objectives, measures and targets has the potential to leave organisations exposed to significant, unrecognised risks. Everyone in the organisation is therefore responsible for managing risk within their area of accountability and actively involved in the identification and reporting of risks that could impact on the organisation as a whole.

Each strategic objective (and associated measures and targets) is ‘broken down’, translated and allocated across various sub-parts of the organisation (e.g. departments, programmes, services and support units) through a systematic cascading process into annual operational plans and budgets. This ensures that all operational plans and budgets are aligned to organisational strategies and objectives. A carefully designed cascading process also ensures alignment and fit between strategic and operational objectives, measures and targets.

Operational risks for each operational area can then be derived from these operational objectives, measures and targets. Operational risks may be aggregated or rolled up as strategic risks when they meet pre-defined escalation criteria.

All identified strategic and operational risks are consolidated, categorised and recorded in one organisation-wide risk register, which is also used for developing and managing risk treatment plans, and for Board and Management reporting. Risk treatment plans can be incorporated into strategic and operational plans since some plans require allocation of resources through the annual budgeting process.

The risk register represents a single repository of risk information associated with the achievement of objectives. Risk reports, risk treatment plans and risk profiles could be extracted based on the information contained in the risk register, and will be formally reviewed and updated annually as a part of the organisation’s planning processes. Regular reviews and updates by department, service, programme and support unit managers are encouraged in accordance with any significant changes to activities. Performance management plans for individual staff are developed through the cascading process, thereby ensuring that the individual’s actions are closely aligned and motivated through a clear line-of-sight with operational plans and organisational strategy, enhanced through the use of appropriate human resource reward and recognition systems.

Operational performance reports will include variance reporting from expected operational performance targets and budgets, and the progress of implementing operational risk treatment plans based on information contained in the risk register. Similarly, apart from consolidating information from operational reports, the CEO (or management) performance report will include variance reporting from expected strategic performance targets and budgets, and the progress of implementing strategic risk treatment plans based on information contained in the risk register.

In summary, organisational strategies, control structure, strategic and operational planning, the risk management framework and process, and performance and risk reporting have to be integrated as a whole-of-organisation approach. This would ensure that organisations achieve their objectives.

The writer can be contacted at patrickow@[Link].

48 ACCOUNTANTS TODAY | MARCH 2010
