King IV: Principle 11 (Risk Governance)
The governing body ought to govern risk in a way that supports the organisation in setting & achieving its strategic objectives
Organisation: a company, retirement fund, NPO, SOE, municipality, municipal entity, trust, voluntary association & any other juristic person
Risk: "Risk is about the uncertainty of events; including the likelihood of such events occurring & their effect, both positive and negative, on the achievement of the organisation's objectives. Risk includes uncertain events with a potential positive effect on the organisation (i.e. opportunities) not being captured or not materialising"
Recommended practices
Governing body must assume responsibility for risk governance by setting direction for how risk should be approached and addressed
Risk governance: (1) opportunities and associated risks to be considered in strategy development; (2) potential positive and negative effects of same risks on the achievement of organisational objectives
Governing body ought to treat risk as integral to decision-making and execution of duties
Governing body ought to approve risk policy
Governing body ought to evaluate & determine the nature and extent of risks that organisation can bear in pursuit of strategic objectives
Approve organisational risk appetite
Approve limit of potential loss organisation can tolerate
Governing body ought to delegate to management responsibility to implement and execute effective risk management
Governing body must exercise continuous oversight of risk management
Oversee an assessment of risks and opportunities emanating from triple context in which firm operates and capitals that firm uses and affects
Assessment of potential upsides, or opportunity presented by risks with potentially negative effects
Assessment of firm's dependence on resources and relationships as represented by various forms of capital
Design and implementation of appropriate risk responses
Integration and embedding of risk management in business activities and culture of the firm
Governing body ought to consider need to receive periodic independent assurance on the effectiveness of risk management
Nature and extent of risk and opportunities the firm is willing to take ought to be disclosed without comprising sensitive information
Disclose: (1) overview of arrangements for governing and managing risk; (2) key areas of focus during reporting period, including objectives; (3) actions taken to monitor the effectiveness of risk management and how outcomes were addressed; (4) planned areas of future focus