what is erm?
Enterprise Risk Management (“ERM”) is an ongoing enterprise-wide discipline to identify,
assess, control, exploit, finance and monitor risks from all sources and at all levels of the
enterprise, for the purpose of maximising the long-term value to all stakeholders.
why erm is important?
Value is constantly created, preserved or eroded by decisions and actions of the board, management and staff across the enterprise, in all activities. ERM supports value creation by enabling the board and management to plan for future uncertainty
and potential events and to deal effectively with them in a manner that increases upside potential and reduces downside risk.
The increasing requirement for legal and regulatory compliance makes risk governance in all enterprises, large and
small, a key imperative of management and the board.
erm: an integrated approach
An assumption of the traditional management paradigm involves that financial risk dominates the business mindset.
Managers assume that the primary risks they face are related to financial and product markets. They also manage product-market risks that involve uncertainty about product demand caused by changing economic conditions, consumer preferences, market demographics, competitive pressures, and regulatory changes. They ignore the risks posed by its waste products and their impact on the natural environment.
Enterprise Risk Management thrives on a different mindset compared to traditional risk management. ERM is a structured and disciplined approach: it aligns strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the uncertainties the enterprises face as it creates value.
ERM thus operates with a rather wide scope which can allow sustainability issues to be fully integrated.
Risk management and the board
Board members should step up their efforts to define and fulfil their risk governance responsibilities. The King Report on Governance for South Africa (“King III”) is quite specific about this responsibility— see Principle 4.1.
They should recognize that their organizations are facing a broad range of risks relating to strategic, security, property, information technology (IT), legal, regulatory, reputational and financial risks.
With the guidance of the chairman, boards should focus on strategic risk management as a core competency amongst its members. The South African Companies Act 2008 clearly defines the role and responsibility of the board – and also defines the potential liabilities and risks which board members are exposed to should they fail to diligently discharge their fiduciary and other duties.
Failure by directors to have or to acquire a sufficient level of financial literacy or familiarity with the company’s affairs, may of itself amount to a breach of the duty of care and diligence.
Risk management cannot exist in isolation – it needs a risk-based internal audit function to counter-balance it, and these functions should report to 2 separate board committees. Risk-based internal audit is not a cost centre, but an integral part of risk management at all levels of the enterprise and is a tool used by the board to exercise its oversight duties.
“The board should comprise a balance of power, with a majority of non-executive directors, the majority of whom in turn should be independent.” – Principle 2.18 of King III.
Too many companies still apply a liberal interpretation to the term “independent director”, ignoring family ties, decades of continuous service, controlling shareholders’ nominees, etc. Self-determination by the board, and giving one another the benefit of the doubt is often openly abused.
Acting independently comes down to the integrity and honesty of each individual director. Being independent should be more than mere years of service, of association with significant shareholders and of financial gain accruing to the person.
The risk committee must ascertain, to a reasonable degree, that the executive team of the enterprise has identified and assessed critical risks and has appropriate risk mitigation and actions in place that are designed to adequately address these risks.
board risk committee
The board should appoint a board-level risk committee from amongst its members, who should be non-executive directors. It should be established with formal, written terms of reference issued by the board. The risk committee must ascertain, to a reasonable degree, that the executive team of the enterprise has identified and assessed critical risks and has appropriate risk mitigation and actions in place that are designed to adequately address these risks.
Board risk committees cannot be housed within another committee, must report directly to the board, and the Chief Risk Officer (“CRO”) should functionally report directly to this committee who must receive and review regular reports from him.
the risk Officer
It is an accepted fact that the role of the chief risk officer (the “CRO”) will very likely be different in a smaller organization compared to a large enterprise. When an organization is small, the CRO’s role is much more hands-on. As the organization grows, the role becomes more formalized and farther removed from day to day program management.
By committing to employing a chief risk officer, the organization creates one central, highly qualified individual that can develop a solid risk framework and assist management in ensuring that it is consistently utilized. This has a profound impact on reducing losses and preserving capital and shareholder equity.
The CRO should not be expected to manage the risk on behalf of a business. Managing risk is the responsibility of business management.
Enterprise risk framework
A framework defines a common approach, common language and a clear direction and guidance for implementation & ongoing maintenance and is sanctioned by the board.
Enterprise-wide objectives are viewed in the context of the following dimensions:
Business & reputational risk
risk is not all bad
A perception exists that all risks are bad and must be eliminated. This is not correct. Risk and Compliance Officers in the enterprise must position themselves as collaborative partners with business units in achieving both corporate and business unit objectives.
This means that some risks are retained by the enterprise in pursuit of profit. Close alignment of corporate strategies and risk management is akin to the headlights of a car driving at night on an unknown road – risk management allows management to be aware of what risks and opportunities are ahead.
The idea that an event can have either a negative outcome (a risk) or an unexpectedly positive outcome (an opportunity) makes sense and does help clarify risk assessments.
Risk management is to harness knowledge
Managing risks is to focus on the experience, thinking & intellectual input from all
management and staff. Harnessing their knowledge and ideas, no matter how junior,
can often add significant value to the business.
We specialise in the provision of focused ERM consulting input on an informed basis,
and in a manner that adds value to the enterprise. Businesses should not adopt a
“one size fits all” risk policy and we localise global principles to meet the local risk
conditions and requirements.
Put succinctly: we can help; we know what
has to be done.
PostNet #432, Private Bag X4
Wierdapark, Gauteng, 0157