Regulatory frameworks
The link between risk management practices and corporate governance regulation
Corporate governance is the system and related processes by which an organisation is directed and controlled. Effective corporate governance should ensure that an organisation is directed and controlled in a manner that meets the needs and expectations of its stakeholders.
This can be achieved by setting strategic objectives that meet stakeholders' needs and expectations, as well as by implementing measures to identify, assess, monitor and control the various risks that could threaten the achievement of these objectives.
To identify and control the sources of risk that may either support or threaten the proper establishment and achievement of an organisation's objectives, a well governed organisation should take all reasonable steps to ensure it determines the right approach to achieving its objectives effectively, efficiently and economically.
The discipline of risk management supports these activities with a range of tools and techniques that can be used to identify, assess, monitor and ultimately control the risks to these objectives.
These risks comprise the whole spectrum of uncertainty around the organisation's objectives, whether already chosen or still under consideration, and might include:
Risks that may affect the ability of an organisation to continue as a going concern, such as the establishment of a new subsidiary, a large fraud or financial mismanagement
Risks to the reputation of an organisation, such as the breakthrough of a new invention or a major scandal
Risks which affect the continuity of the organisation's operations, such as the loss of a key outsourced service provider
Other risks that may positively or adversely affect an organisation's objectives in relation to the non-financial needs of its stakeholders, such as ensuring their health and safety
Good governance should effectively manage, not eliminate risk. Even a well governed organisation may encounter risk events that threaten the achievement of its objectives.
As the effects of risk can never be completely eliminated, organisations need to build both resilience and agility in all their activities, enabling them to adequately respond to changes in circumstances or to deal with the consequences of unforeseen events.
Another link between corporate governance and risk management relates to the 'directed' element of corporate governance. For a board or senior management to appropriately determine the strategic objectives of an organisation, they will need to have a good understanding of the environment in which the organisation operates.
Good governance should ensure the long-term sustainability of an organisation, where value is generated through the exploitation of opportunities that contribute to the organisation's mission but which do not create an excessive level of risk of financial failure, reputational damage or similar.
UK Regulations: UK Corporate Governance Code
The UK's CG Code contains a significant amount of guidance on risk management, particularly on the role of the board and senior management in supporting risk management activity.
Although the UK Corporate Governance Code is primarily aimed at public limited companies (PLCs) with a premium listing on the London Stock Exchange (LSE), its influence goes far wider than this.
Many other UK organisations comply voluntarily with the Code or follow regulations and standards that are closely related to the contents of the Code. One such standard is BS 13500 (Delivering Effective Governance of Organisations), which provides a framework that organisations can use to assess and improve their corporate governance activities on a continuous basis.
The comply or explain approach
The UK CG Code has always been built on a 'comply or explain' approach.
Organisations subject to the principles and guidance contained within the Code are not required to follow its content in a strict rule-based way; an organisation may decide not to comply with, or to amend, specific principles to better suit its situation.
When organisations decide not to comply with or to amend a principle, they are expected to explain publicly why they have made such a decision. This requirement to explain ensures that stakeholders are kept informed of the organisation's governance arrangements and of the reasons why these arrangements may not follow precisely the principles contained within the Code.
The advantage of this comply or explain approach is that organisations are provided with clear principles in relation to their corporate governance practices, but at the same time they are allowed a degree of flexibility in how they apply them in their specific situation. This flexibility is appropriate given the wide variety of contexts that organisations operate within and the diversity of their activities and operating environments.
The comply and sign approach
The US adopts a very different approach to governance as part of the Sarbanes-Oxley regulations: the 'comply and sign' approach.
A comply and sign approach is more prescriptive. Organisations must comply with the letter of the rule, with no exceptions.
Accountable individuals (usually the board of directors) are required to personally sign off on the effectiveness of an organisation's governance arrangements.
If the organisation is then found not to have effective governance, they can face fines or even imprisonment.
The 'comply and sign' approach ensures maximum compliance, but it is much less flexible than a 'comply or explain' approach.
Key risk management regulations from the current UK Corporate Governance Code
The board is responsible for managing the principal risks an organisation is willing to take in the pursuit of its strategic objectives.
The board is also responsible for ensuring that the organisation has sound risk management and internal control systems. This should include mechanisms to monitor the soundness of these systems and a review of their effectiveness at least annually.
NEDs (non-executive directors) should scrutinise management performance, including the robustness of the organisation's financial controls and risk management systems.
A board audit committee or a separate board risk committee should normally be in place to support the work of the board on internal control and risk management.
Information on the organisation's principal risks and the soundness of its risk management and internal control systems should be provided in the annual report.
The board's work on risk management should include consideration of the organisation's appetite for risk, as well as embedding the desired culture and the related risk culture. The board should also consider the risks associated with strategic change and other major change initiatives, as well as the effectiveness of an organisation's crisis management and business continuity arrangements.
Principal risks
Principal risks are large-scale risks to the achievement of an organisation's strategic objectives that may threaten the business model, future performance, solvency (capital and other financial resources) and liquidity (cash flow) of an organisation.
Irish Regulations: the Irish Companies Act 2014 and system of corporate governance
The Companies Act 2014
The Irish Companies Act 2014 came into force on 1 June 2015, with a transitional period until 30 November 2016.
The Act set out a completely new legal architecture for corporate governance in Ireland.
The Act includes the normal requirements expected of modern company law, including the requirement to file accounts, the definition of shareholder rights and the responsibilities of board members.
The Act also requires companies, on a comply or explain basis, to adopt appropriate compliance measures and to prepare a statement of compliance with company and tax law in their annual financial statements.
The Irish system of corporate governance
Corporate governance requirements exist for various types of company in the Republic of Ireland.
The main requirements are applied to public companies listed on the Irish Stock Exchange (ISE).
Since the Irish Stock Exchange Act of 1995, the listing rules of the ISE have been based on the UK Corporate Governance Code.
Additional corporate governance regulations for listed companies are laid out in the Irish Corporate Governance Annex. This includes two clauses on the role of the audit committee or, where appropriate, the risk committee.
Companies are expected to include a 'meaningful description' of the work carried out by the audit or risk committee on risk management in their annual report.
European Union regulations
Developing a common EU approach to corporate governance and related risk management regulations is very challenging.
Governance practices vary considerably; one notable difference is the composition of boards. The UK, for example, has a single unitary board, while other countries, such as Germany, have a dual board structure with two tiers: a management board that reports to a supervisory board. The supervisory board consists of external directors and itself reports to the shareholders or owners.
Developing a degree of consistency across the EU is necessary to facilitate the operation of the single market. It is also important for meeting other objectives, such as the protection of human rights, which includes factors such as health and safety and the role of the board in ensuring that any risks related to the human rights of individuals are managed in an appropriate way.
The EU has been following an action plan for corporate governance reform since 2003, which was updated in 2012. Much of this action plan does not focus directly on risk management practices, but there are some relevant issues:
The recruitment of independent directors who are free from any business, family or other relationship with the organisation, to avoid conflicts of interest
Enhanced disclosure requirements, which include the disclosure of risk management policies
Enhancing the long-term sustainability of organisations by preventing excessive risk taking in the pursuit of short-term profits
The G20/OECD Principles of Corporate Governance
The G20/OECD Principles of Corporate Governance provide a worldwide benchmark for good corporate governance practice and for supervisory assessments of this practice.
From a risk management perspective, the key principles are as follows:
Ensuring that shareholders with a controlling interest do not force excessive risk taking to generate short-term profits, because their limited liability may help to insulate them from the costs of this risk taking
Prevention of unethical or illegal practices through the use of whistleblowing controls
Public disclosure to ensure that stakeholders have information on all reasonably foreseeable material risks
The board is responsible for overseeing an organisation's internal control and risk management systems. This includes board-level reviews of risk management policies and procedures and, where relevant, the creation of audit committees and risk committees to facilitate this work.
World Bank Corporate Governance and Financial Reporting Initiatives
The World Bank exists to provide financial and technical assistance to developing countries around the world.
The World Bank is a major provider of low-interest loans. In addition, it provides knowledge sharing through policy advice, research and analysis.
The World Bank recognises that effective corporate governance in private and public sector organisations is an essential element of a well-functioning market economy and can help to ensure an equitable allocation of financial and non-financial resources across stakeholder groups.
Effective corporate governance can also help to protect markets and stakeholders from damaging risk events.
The World Bank's work on governance focuses on two key areas:
Promoting transparent and accurate financial reporting. From a risk management perspective, this should ensure that stakeholders have reliable information on which to assess the longer-term performance of an organisation. This can support key activities such as corporate lending and shareholder investment, providing creditors and investors with the confidence they need to invest.
Improving the governance of state-owned enterprises, which are often providers of essential products and services to local communities and businesses. This ensures that state-owned enterprises are accountable for the quality of the products and services that they provide, as well as being free from corruption.
Corporate governance regulations in other nations
The Channel Islands
There are no generally applicable corporate governance regulations in the Channel Islands beyond the general fiduciary duties of directors that exist in company law and the requirement for directors to perform these duties with due care, skill and diligence.
There are also company-law requirements relating to the rights of shareholders, and regulations in relation to the rights of other stakeholders in areas such as health and safety and the environment.
Commercial organisations that are subsidiaries of parent companies in the UK, elsewhere in Europe or internationally must comply with some or all of the relevant regulations in the home state of their parent company. This means that many Channel Islands companies will take steps to comply with those elements of the UK Corporate Governance Code, or the associated QCA code for small to medium-sized enterprises, that they feel are relevant.
Specific corporate governance regulations exist for financial institutions operating in the Channel Islands because of the effect they can have on investor confidence and the stability of the financial system.
United Arab Emirates
Corporate governance regulations in the UAE focus on listed companies.
These rules are not based on a comply or explain principle, and contravention of these rules can lead to significant fines.
The rules cover issues such as board composition, board committees, remuneration and audits.
Effective internal control is required via risk management and compliance procedures, and these controls must be reviewed annually.
There is no requirement for companies to have a company secretary or related governance professional, but they are required to have a compliance officer.
Kenya
Company law and the associated governance regulations in Kenya are modelled on the UK regime.
The latest Companies Act came into force in 2015, and this was extended in 2016 with new rules on competition, bribery and insurance.
The governance code applies only to public listed companies.
It operates on an apply and explain basis.
Mandatory requirements include a requirement for boards to implement an effective risk management framework, along with an effective system of internal control.
Nigeria
Formal corporate governance regulation in Nigeria began in 2003.
Compliance with the code is one of the requirements for listing on the Nigerian Stock Exchange; there are other codes for specific industries such as banking, pensions and insurance.
Mandatory requirements cover issues such as the powers of shareholders, financial reporting requirements and the requirement that public limited companies should have an audit committee.
The comply or explain approach is used for all governance codes.
On risk management, the Securities and Exchange Commission Code of Corporate Governance states that the board of a company is responsible for the process of risk management and that it should form its own opinion on the effectiveness of this process.
It also states that management is responsible for implementing and monitoring the risk management process and for embedding it into the day-to-day operations of the company.
Russian Federation
There is no specific regulation on corporate governance, although the Central Bank of the Russian Federation approved a new version of the Corporate Governance Code in March 2014.
The Code sets out voluntary principles and recommendations for public joint stock companies, especially those whose shares are traded on stock exchanges.
Although compliance with the Code is not mandatory, a company that wishes to list on a stock exchange or be included on a quotation list will usually be expected to comply with the Code.
The Russian Federation code covers very similar elements to other governance codes, including:
Shareholder rights and the fair treatment of shareholders
The board of directors
The role of the company secretary
Incentive arrangements
Risk management and internal controls
The disclosure of information
United States of America
Where organisations are listed on a US stock exchange, or where they have a subsidiary that is listed, they are required to comply with US corporate governance regulations.
The US approach is very different from that of many other nations.
It is based on a comply and sign approach.
Signed into US federal law in 2002, the Sarbanes-Oxley Act (SOX) was a response to a number of high-profile governance scandals.
A key element is section 302, which requires company accounts to be free of any untrue statements and material omissions.
The signatories of the accounts must satisfy themselves that appropriate internal controls are in place to prevent any accidental or deliberate misstatements.
One of the major differences between SOX and the current UK approach is that the signatories of a company's accounts (usually the CEO, CFO and Chair, where appropriate) are held personally liable for this attestation.