SETTING UP ENTERPRISE RISK GOVERNANCE - Coggle Diagram
Comply with Laws and Check Relevant Governance Codes
"Gesetz zur Kontrolle und Transparenz im Unternehmensbereich" (KonTraG) - Germany
The legal framework - requires the establishment of a risk management system + monitoring system (AktG);
Risk early warning system and appropriate communication structures (KonTraG, 1998)
Executive board + managing director MUST deal appropriately with risks (GmbHG, 2017)
Risk management (RM) is an original management duty of the executive board or managing director (Romeike, 2018)
German Corporate Governance Code
Represents the essential statutory regulation for the management and supervision of German listed companies
Contains internationally and nationally recognized standards of good and responsible corporate governance ← recommendations & suggestions
The code
The executive board informs the supervisory board regularly, promptly, and comprehensively
All relevant issues about the strategy, planning, business development, risk situation, risk management and compliance must be reported
The executive board should manage deviations between the current business development and existing plans and goals
The Management Board ensures appropriate risk management and risk control in the company (DCGK 2017)
The management board is responsible for ensuring that all statutory provisions and the internal guidelines of the company are complied with
Appropriate measures that reflect the company’s risk situation → disclose the main features of the measures
Employees and third parties must be given the opportunity to report suspected violations of the law in a protected manner
Swiss Code of Obligations (CO) - Switzerland
Risk management → one of the responsibilities of the board (CO, 1911)
The board can delegate to the executive board but has to maintain oversight (OECD, 2014)
[!!!] YET, this applies only to larger companies that are subject to an ordinary audit (according to Art. 727 CO)
The Code
The management report presents the business performance and the economic position of the undertaking and, if applicable, of the corporate group at the end of the financial year from points of view not covered in the annual accounts.
The management report covers, in particular:
the number of full-time positions on annual average;
the conduct of a risk assessment;
orders and assignments;
research and development activities;
extraordinary events;
future prospects.
The management report must not contradict the economic position presented in the annual accounts
Swiss Code of Best Practice for Corporate Governance (SCBP)
Contains nonbinding recommendations, in particular for Swiss stock corporations
Corporate governance encompasses all principles for safeguarding sustainable corporate interests → ensure transparency and a healthy balance between management and control + maintaining a company’s decision-making ability and efficiency at the highest level (SCBPCG 2016)
The SCBP is related to internal controls and risk management
Consider ERM-Frameworks Thoughtfully
Motivation for Risk Management Standards
WHY?
The increase in perceived risk exposure
Higher security requirements ← environmental protection and labour safety issues are becoming more important
The demands placed on company management have increased
AIM
to develop a common view of governance structures, processes, and practices
ISO 31000
one of the most widespread, accepted, and currently most up-to-date standards
Steps: establish the context → risks are assessed in three main steps (by source, timeframe, and risk categories)
The 2018 updates:
Simplified language
Focus on value creation and protection
Focus on management leadership
Risk management is an iterative process
Flexible standard
COSO ERM
COSO develops frameworks and guidelines for ERM, internal control, and fraud prevention
it is important that the selected strategy supports the organisation’s mission and vision.
Steps
ERM should deal with the risk of a strategy not being aligned with the company’s missions and visions → consider the implications of selected strategy → decide if the selected strategy is in line with company’s risk appetite
The five components of COSO
Governance and culture
Strategy and objective-setting
Performance
Review and revision
Information
Limitations of ERM Frameworks
ERM is interpreted as an extended internal control framework
Focus on internal controls. Yet, [!] internal controls are not designed to support strategic decision-making
Implementing a very restrictive ERM framework can limit creative thinking → the introduction of ERM frameworks can become a heavy bureaucratic task
Develop a Sound Risk Policy
It is crucial to develop a sound risk policy that the board approves → it depends on existing experiences with the ERM process → it may change → it must be understood as a provisional document
Risk Policy and Corporate Strategy
RISK POLICY
→ a strategic paper that outlines how ERM can support the achievement of strategic goals; explains how ERM can support the development of adequate strategies
CORPORATE STRATEGY → creation of goal orientation; create decision-making certainty for decision-makers + maintain a certain openness and flexibility
Risk Policy as the Basis for Dealing with Risks
The risk policy forms the basis for implementing ERM in coordination with corporate policy → explicitly defines how a company is dealing with uncertainty on objectives → strongly linked to corporate culture
Structure:
Definition of the purpose of a risk policy. Why is a risk policy important? What is the ultimate goal of a risk policy?
Precise formulation of the ultimate goals of ERM. For example, we can improve decision-quality by providing rational risk information.
Description of how ERM is linked to corporate strategy and goal-setting, including sub-strategies
Precise definitions of management responsibilities for ERM. The ultimate responsibility of ERM resides with the board.
Clear definitions of ERM and risk. ERM is the process of assessing, quantifying, reporting key risks to support decision-making. It is designed to add value to the company. Risk is defined as the deviation from expectation.
Definition of the scope of ERM. All risk categories are relevant. We need to define proper risk categories such as strategic, operational, and financial risks.
The risk policy also defines what risks companies need to bear. Every business goal is associated with risks (and rewards). For example, a company could decide to bear all strategic key risks (risks from pursuing strategic goals) and to mitigate all non-core risks (caused by support processes)
Brief explanation of the ERM process steps. What about risk identification, risk assessment techniques, risk reporting, risk disclosures, monitoring, and benchmarking?
Definition of risk appetite statements. The risk policy should define clear, quantified risk limits for specific individual risks or business goals. For example, an individual customer should not account for more than 20% of total revenues. Alternatively, the equity ratio should be kept at least at 40%.
Definition of roles and responsibilities. We need risk owners, risk managers, subject matter experts. We also have to clarify the role of the management, the board, and the internal audit.
Description of relevant mitigation measure options. The risk policy defines basic procedures and principles for mitigating risks. For example, non-strategic risks are to be insured. Strategic risks are to be accepted. Currency risks are to be hedged by call or put options.
The description of a rating strategy is optional. Loans granted by a bank must be backed by equity corresponding to the risks of lending. Therefore, lending policies (specifically interest rate conditions) are increasingly aligned with the rating of individual companies. Companies that fall into a low rating category must expect higher financing costs. The risk policy, and thus the design and objectives of an ERM, can have a decisive impact on the financial rating. For example, ERM can help to achieve stable cash flows.
Development of glossary in the appendix that defines all relevant terms and abbreviations
Limitations of Risk Policies
A risk policy is a document containing formal rules, definitions, roles, and responsibilities → the risk policy is often not well known to all risk owners ← lack of communication, infrastructure, and organizational boundaries
The document itself does not protect against fraud, corruption, and other illegal behavior
Risk policies cannot address or translate intercultural risk components
Once a risk policy has been approved, its validity is very limited in time
Finally, a risk policy must not deteriorate into a pure marketing tool
[!] The board of directors often does not have sufficient time to discuss the risk policy
Enhance Risk Culture
HOW risk culture is related to corporate culture + HOW the risk culture can contribute to ERM effectiveness
Relate Risk Culture to Corporate Culture
Three-level concept of corporate culture:
Artefacts and symbols are related to the surface of the company
Espoused values are partly visible and partly perceived unconsciously
Basic underlying assumptions are often unconsciously perceived
With a positive risk culture in the company, ERM can lead to a strategic competitive advantage
A strong risk culture → risk information is integrated into decision-making → possible to counter the still bad image of ERM as a pure cost burden
Understand How Risk Culture Evolves
Can develop in two ways:
a conscious implementation takes place based on intended decisions
the risk culture naturally develops without explicit management
Increase Risk Culture Maturity Level
It would be supportive to have a benchmarking tool that enables a quantitative measurement of risk culture
Organise ERM Properly
Some Thoughts on Roles and Responsibilities
With regard to ERM, the board has to make sure that
ERM is effectively implemented by management
it defines risk appetite statements appropriately
it reviews the business portfolio with regard to risk and reward
it takes into consideration the risk appetite statements
it understands the key risks and that these key risks are managed appropriately.
Example functions:
The ERM committee coordinates all major ERM decisions and actions, prepares risk policy documents, and supports the board with risk-reward information. It also suggests a risk policy and risk appetite statements.
The line management sets risk priorities for its area of responsibility. It gathers and updates the corresponding key risks together with the risk manager and monitors individual risks. It prepares and sends risk reports to the risk manager (Hopkin 2017, p. 264).
Risk managers play the coordinator role in a company but do not manage the risks themselves. This is often misunderstood in practice. A risk manager provides a toolset and supports the operative units in the management of their risks. A risk manager observes risks and provides the risk owners with proposals of how to deal with them (Romeike 2018, p. 47; Hunziker and Meissner 2017, pp. 37–39).
The risk owner is responsible for the risks in his or her area of responsibility. Risk owners identify, manage, and monitor risks in accordance with the risk mitigation decisions of the ERM committee. Important information provided by the risk owner is included in risk reporting (Hunziker and Meissner 2017, pp. 37–39).
The risk manager (CRO) is responsible for the coordination of ERM and defines the different ERM processes. The risk manager is part of the ERM committee and provides the necessary risk management techniques. He or she supports risk owners in identifying and assessing risks.
Important skills risk managers need:
Knowledge about cognitive and motivational biases
Risk managers must have leadership experience
Developing key risk scenarios is one of the most important steps in an effective ERM programme
Very good communication skills are key for a successful ERM
In all, soft skills to bridge the gap between the rather technical ERM language and business language are very important