Definition of Risk Governance
Risk Governance refers to the institutions, rules, conventions, processes and mechanisms by which decisions about risks are taken and implemented. It is both normative and positive: it analyses how risks are actually handled and formulates risk management strategies to avoid or reduce the human and economic costs caused by disasters. Risk governance goes beyond traditional risk analysis to include the involvement and participation of various stakeholders, as well as consideration of the broader legal, political, economic and social contexts in which a risk is evaluated and managed. The scope of risk governance encompasses public health and safety, the environment, old and new technologies, security, finance, and many other fields.
Risk governance is the architecture within which risk management operates in an organisation. It reflects, and seeks to sustain and evolve, the organisation's risk culture. Since risk management is fundamental to running any business, risk governance is a fundamental part of corporate governance. The British Standard BS 13500 defines governance as the 'system by which the whole organization is directed, controlled and held accountable to achieve its core purpose over the long term'. The UK Corporate Governance Code states that 'good governance should facilitate efficient, effective and entrepreneurial management that can deliver the long-term success of the company'.
Good risk governance should result in risk being accepted and managed within known and agreed risk appetites. Risk governance should put in place a structure of risk responsibility throughout the organisation, so that everybody in the organisation is aware of their own risk responsibilities and accountabilities and of those of the people they work with. Governance delivers effective accountability, including the accountability of the governing body to the organisation's owners.
Risk governance is an integral part of the day-to-day running of the business; it is not merely a matter of complying with a set of rules. Since operational risk management involves everybody in the organisation, the risk governance framework should encompass everybody. That means it can only operate successfully if there are clear and effective lines of communication both up and down the organisation, and a culture in which good and bad news alike is allowed to travel freely.
The Concept of Risk Governance
Guidance on risk governance states that Risk Governance:
- Is the architecture within which risk management operates in a company
- Defines the way in which a company undertakes risk management
- Provides guidance for sound and informed decision-making and effective allocation of resources
Successful Risk Governance is therefore contingent on how effectively the Board and Management are able to work together in managing risks. Central to this is the Enterprise Risk Management (ERM) framework, which articulates and codifies how an organisation approaches and manages risk.
Effective Risk Governance
Risk governance applies the principles of good governance to the identification, assessment, management and communication of risks. It refers to the formal structures used to support risk-based decision making and oversight across all operations of an organisation. Risk governance involves the board, board committees, delegations, management structures (e.g. the CEO and the senior management team, or SMT) and related reporting. Risk governance structures must be designed to fit the size, business mix and complexity of each organisation's operations. To manage risk effectively, the board must ensure it has adequate systems to measure, manage and report the material risks to which the organisation is exposed. The risk management system must be sufficient to:
- Provide the board, board committees and the SMT with regular, accurate and timely information regarding the organisation’s risk profile;
- Measure, assess and report all material risks;
- Provide robust (relevant, timely, complete and accurate) data;
- Measure risk against pre-determined limits (tolerances) and promptly report and escalate when limit breaches occur;
- Provide a sound basis for making risk-based decisions.
Risk Governance Framework
The International Risk Governance Council (IRGC) has developed a Risk Governance Framework whose purpose is to help policy makers, regulators and risk managers both understand the concept of risk governance and apply it to their handling of risks.
The IRGC Framework provides guidance for the early identification and handling of risks, involving multiple stakeholders. It recommends an inclusive approach to frame, assess, evaluate, manage and communicate important risk issues, which are often marked by complexity, uncertainty and ambiguity. The Framework is generic and adaptable: it can be tailored to various risks and organisations. It comprises four interlinked phases, plus three cross-cutting aspects (communication, stakeholder engagement and context):
- Pre-assessment – Identification and framing; setting the boundaries of the risk or system.
- Appraisal – Assessing the technical and perceived causes and consequences of the risk.
- Characterisation and evaluation – Making a judgment about the risk and the need to manage it.
- Management – Deciding on and implementing risk management options.
- Cross-cutting aspects – Communicating, engaging with stakeholders, considering the context.
IRGC's risk governance framework is a comprehensive approach to help understand, analyse and manage important risk issues for which there are deficits in risk governance structures and processes. The four linked phases (pre-assessment, appraisal, characterisation and evaluation, and management), together with communication and stakeholder engagement running across all of them, provide a means to gain a thorough understanding of a risk and to develop options for dealing with it. The IRGC risk governance framework can thereby contribute to the development of more inclusive and effective risk governance strategies.
Risk Governance and the CIO
Many corporations' boards and senior management do not believe that the CIO should be concerned with corporate governance. This is a grave blunder, and I pity the CIO and the shareholders of any corporation with this attitude.
Many governance-related risks now fall directly within the CIO's sphere of control. While not every IT risk is a governance risk, almost every governance risk involves IT. The reasons are plain: IT is pervasive in corporations, touching almost everything a corporation does. Financial results depend on IT systems to produce them. A corporation's operations, products, and services likely depend on IT. The misuse or unavailability of IT can have serious legal, as well as financial, consequences for the corporation.
For example, to abide by the requirements of Sarbox (the Sarbanes-Oxley Act), corporations must be able to demonstrate the transparency of their financial transactions and of the decision-making processes underlying them. Ultimately, it is up to the CIO to ensure that this transparency is possible. This means it must be possible to reconstruct how, and why, every financial transaction was generated. Anyone (and any system) with potential access to a financial transaction must also be identifiable across the whole of the value chain. Can your enterprise resource planning (ERP) system easily do that?
The reason for this level of scrutiny is that, in the US, when companies such as Enron and WorldCom went belly-up, it reflected the fact that everyone in the compliance chain (executives, boards of directors, outside auditors, and regulators) had failed to do their job. Each believed that others were performing the necessary checks. Because of this widespread breakdown, the US Congress imposed draconian criminal and civil penalties to ensure that all parties now do. In their pursuit of corporate malfeasance, regulators have also changed from being reactive to being proactive. US regulators and federal prosecutors have been open about their desire to make examples of corporations and executives who don't follow the rules. I don't envy CxOs caught in the crosshairs of an SEC or congressional investigation. If the SEC decides to investigate a corporation, or if a corporation must restate its financials, shareholder lawsuits are almost a given. It will be interesting to see what happens on 16 November 2004, which is the deadline for large corporations to comply fully with Sarbanes-Oxley; the deadline for everyone else is July 2005.
Further, Sarbox requires accurate and timely disclosure of events that materially affect the business. How quickly and, more importantly, how accurately these disclosures are made depends largely on how well a corporation's IT systems can produce the information. In some cases, data on these transactions may need to be kept, and remain searchable, for a period of 10 years or more. E-mail messages must be searchable, which means that e-mail must be retained as well. While corporate lawyers may be the ones who set the data or e-mail retention policy, it is the CIO's responsibility to ensure that the policy is enforced so as to prevent unauthorized destruction of e-mail (or other data).
The real change is that the CIO can no longer be satisfied with merely improving the capture and dissemination of information; he or she must now be concerned about the content of that information as well. Most CIOs probably disagree with this statement, asserting that CIOs should not be responsible for the information held in their corporate IT systems. However, CIOs must put themselves in the shoes of a CEO or CFO: would either sign off on the accuracy of the corporation's financial statements without assurance about the information in those systems? If the answer is no, the CIO and the corporation have a risk governance issue to deal with.
See Also
- Risk Assessment Framework (RAF)
- Risk Management Framework (RMF)
- Information Technology Risk (IT Risk)
- Enterprise Risk Management (ERM)
- Governance, Risk And Compliance (GRC)
- Information Technology (IT)
- IT Governance Framework
- Enterprise Architecture Governance