Insight to Risk

A Free Risk Management Newsletter

Current Issue
Issue 17

King III:
What the new report means to risk management

King III Report
Anyone involved in risk management at the organisational level needs to study the King III Report in its entirety, because nearly all the chapters have compliance inter-relationships with risk management. In this issue I will focus on Chapter 4 and deal with the salient points in other chapters later.
It is also worthwhile having a look at the new Companies Act (no. 71 of 2008), since this is the reason given for a new report, along with changes in international governance trends.
It is important to note that King III will be applicable to all entities, large and small, public and private, notwithstanding the language used throughout the report, which refers to “companies” and “boards”.

Principle 4.1 has to do with the board’s responsibility for the governance of risk. In effect, it is saying that the highest level of authority in the organisation is responsible for risk (as it is for all other critical aspects of the business). It needs to set policy, agree objectives, and decide the high level attributes, such as risk criteria, tolerance levels, process and methodology, responsibilities and reporting requirements. It allows that responsibility for risk management can be delegated but without the transfer of accountability. There is little difference from King II in this principle and the use of ISO 31000 as a guide would ensure its application.

Principle 4.2 states that the board should determine the levels of risk tolerance. In expanding on this it also uses the term “risk appetite” and suggests that this refers to the desire or willingness to take risk rather than the ability to do so. ISO 31000 does not use “appetite” although it is shown for reference in the ISO terminology guide 73. Readers other than risk “experts” are advised to avoid the debate. A good feature is where it suggests that limits of risk tolerance should be related to organisational authority levels.

Principle 4.3 recommends that the risk committee or audit committee should assist the board in carrying out its risk responsibilities. Its role is to review the risk management progress and maturity, the effectiveness of risk management activities, the key risks and the responses to address these key risks. It suggests that a risk committee be formed or that this responsibility be assigned to the audit committee. (Some organisations prefer to call this a risk and audit committee.) The important thing is that this is an oversight and audit function, as opposed to the management of risk, which is a line function (see further on). This needs to be clearly spelt out in its terms of reference.

Principle 4.4 then deals with the board delegating to management the responsibility for executing the risk strategy, referring first to the design, implementation and monitoring of the risk management plan. The board must still ensure that the right support, structures and resources are provided to make this possible. In referring to the appointment of a chief risk officer, the points are made that the CEO retains accountability for execution and that the CRO is only the head of a team-based approach, not the sole point of implementation.

The need for embedding risk management into strategy, planning and business processes is stated in the context of safeguarding performance and sustainability. This is critically important because it has been observed that most initiatives fail in this area.

Principle 4.5 tends to be a “how to” on risk assessment, which I personally do not think is necessary in a governance guide. The “when to” aspect is valid, in that it states that assessments should be done ‘continually’ (as and when appropriate, I would assume) as well as formally once a year (I would suggest as part of the business planning process). Effective risk assessment produces the information for the appropriate prioritisation of risks and responses, relative to the organisation’s tolerance limits. The report rightly says that assessment should be conducted in the light of strategic and business objectives. It seems to recommend a top-down approach, whereas risk assessment should use all sources of useful information, so it should be contextualised by and aligned with the objectives at every level.

There is an emphasis on risks affecting sustainability of the organisation. Sustainability is one of the main targets of the required integrated reporting and it is perhaps erroneous to single it out here. Readers should rather take note of the requirement that risk assessment be comprehensive and that it considers the interests of all stakeholders. Overall, ISO 31000 will provide a better guide on the attributes and effective application of risk assessment.

Principle 4.6 asks the board to ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks, which might be a contradiction in terms. However, it is very appropriate that the organisation’s methods for identifying and analysing risks are sufficiently broad to capture long-odds situations and unusual combinations of consequences.

Principle 4.7 states that the board should ensure that management considers and implements appropriate risk responses. Again, I find this to be an unnecessary dialogue on how to treat risks and out of place in terms of a governance guide. Anyone using the ISO 31000 section on risk treatment would easily align it with this principle. However, the report gives good governance advice in reminding us that enterprise exists to create value and, whilst uncertainty is the basis of risk, it is also fundamental to opportunity.

Principle 4.8 calls for the board to ensure continual risk monitoring by management. It usefully sets out the monitoring requirements:

  • progress with implementation of the risk management plan
  • setting and monitoring performance against periodically reviewed risk indicators
  • monitoring changes in the internal and external environment (context)
  • ensuring the effectiveness of responses (existing risk controls?)
  • tracking the implementation of risk responses (risk treatment?)
  • learning lessons from changes, trends and events (successes and failures)
  • identifying emerging risks (part of monitoring changes?)

and points out that these need to be in the plan (from the outset).

Principle 4.9 refers to the risk assurance that the board should receive from both management and internal audit, via the audit (and/or risk) committee, regarding the implementation of the risk management plan and the effectiveness of the risk management process. The report from management should provide a balanced assessment of the key risks facing the organisation and the effectiveness of the risk responses, as well as drawing attention to any concerns or shortcomings and the measures intended to address them.

In turn the board should satisfy itself that management has appropriately applied the risk management processes and that these comply with the risk management policies and procedures. For this it would rely on the independent assurance provided by the internal audit function. For this to be effective it is imperative that internal audit does not assume any of the functions of risk management. All too often, particularly in the public sector, we see risk management being housed in internal audit. Good sense however would suggest that the internal audit and risk management functions should coordinate their activities with respect to monitoring, audit and assurance to optimise resources and enhance efficiency. This coordination should also extend to external audit.

Principle 4.10 deals with risk disclosure required in the organisation’s integrated report to stakeholders. In chapter 9 it states that “integrated reporting means a holistic and integrated representation of the company’s performance in terms of both its finances and its sustainability”. The organisation needs to disclose information about unusual risks or losses that materialised in the past year as well as any risks it anticipates could affect sustainability going forward. It is also required to give a view on the effectiveness of its risk management processes. All this requires due regard to any commercially privileged information.

All in all, the application of these principles is not onerous. It may appear to be so for smaller organisations that were not previously required to report in this manner, but allowance is made to fit the principles to the size and complexity of each entity. The fact is, for any enterprise to be successful the understanding and practice of basic risk management is essential. The implementation of ISO 31000, which itself can be economically tailored to any organisation, will provide an effective foundation.

Want a free book?
The International Risk Management Institute, Inc. (IRMI) is offering a complimentary e-book, Risk Management—How and Why, that introduces the reader to the risk management process using an interesting case study involving a fire at a hypothetical garage and apartment complex. Written by George Head, a pioneer in risk management education, this high quality, 70-page e-book is available at www.IRMI.com/Online at no charge.

Best wishes,

Steve Winks

Quote of the month: "It is easier to perceive error than to find truth, for the former lies on the surface and is easily seen, while the latter lies in the depth, where few are willing to search for it."
Goethe

Copyright 2003-2009 Caretaker - Insight to Risk. A Free Risk Management Newsletter. All Rights Reserved.