Risk management is the culture, processes and structures directed towards taking advantage of potential opportunities while managing potential adverse effects. Risk management begins with understanding risk appetite.
The board’s role is to set the risk appetite of the organisation and then ensure it has a risk management framework to identify and manage risk on an ongoing basis.
Risk appetite is the mutual understanding, between management and board, of the drivers of and parameters around opportunity-seeking behaviour. A balanced approach to value creation means the organisation accepts those risks that are prudent to undertake and which it can reasonably expect to manage successfully, or handle the consequences.
The board is ultimately responsible for an organisation’s risk management framework. Management is responsible for designing and implementing the framework; the board’s role is to ensure it is sound and to oversee its effective operation. Since the banking Royal Commission, there has been a greater focus on risk management by boards, auditors and regulators.
The ASX Corporate Governance Council Corporate Governance Principles and Recommendations 4th edition, Principle 7, provides a useful benchmark for companies to measure and evaluate the effectiveness of their policies, procedures and practices.
It provides that: “A listed entity should establish a sound risk management framework and periodically review the effectiveness of that framework”. It also includes four recommendations and commentary.
What are the key design elements of an effective risk management framework? The board establishes the organisation’s risk appetite. The board (or the board’s risk management committee) should establish a risk management framework that provides mechanisms for:
- Identifying risks including any emerging risks
- A regular review of the risks facing the organisation and updating of the organisation’s risk registers
- Determining the materiality of those risks and the development of a plan to minimise the impact of such risks on the organisation
- Formulating and updating the organisation’s risk management processes and procedures to address the significant risks
- Monitoring that the risk culture of the organisation is consistent with the board’s risk appetite and risk priorities
- Monitoring the extent to which the organisation’s risk management processes and procedures have been implemented and are operating effectively
- Monitoring and evaluating the personnel within the organisation responsible for risk management.
Types of risks
These will vary enormously from business to business and industry to industry. Common sense indicates the risks faced by an organisation should be categorised in relation to what it does.
By definition, they include things that are not easy to predict.
Frequently used risk categories include financial, operational, organisational, reputation, security, legal and regulatory compliance, workplace health and safety, and technology.
For larger companies, one way for the board to focus on risk management is to establish a risk management committee.
The role of the risk committee is to report to the board on risk management activities, including making recommendations to improve the framework and to bring any issues to its attention. The committee in practice should work closely with management to ensure the board and/or committee receive adequate reporting on the organisation’s risks.
The AICD has a range of materials to guide directors on the topic of risk management.