Chapter 4: The governance of risk


The essential focus of the Code is that the board should “exercise leadership to prevent risk management from becoming a series of activities that are detached from the realities of the company’s business.” In this context, risk is positioned as a cornerstone of corporate governance and risk governance is substantially different to the requirement to implement risk management. Greater emphasis is placed on the board to ensure that it is satisfied with the management of risk.

The requirement to disclose how the board has satisfied itself that risk assessments, responses and interventions are effective will need to be effectively evidenced. Due care and diligence will need to be exercised and disclosed.
This due care and diligence is achieved through:
  • The structures of governance – risk/audit committee
  • Adoption and implementation of an annual risk management plan
  • Effective risk management practices through the application of recognised frameworks, methodologies, continuous assessments and monitoring
  • Applying risk considerations to the decision-making frameworks (appetite and tolerance) and to specific decisions
  • Ensuring that the board receives adequate assurance on the effectiveness of the risk management process and on the management of specific risks
  • Disclosing how the board is satisfied with the effectiveness of risk management.
Corporate governance requires active consideration of risk management. Compliance, however, should be the last reason for applying risk management in a business or organisation. The future is uncertain and risk management deals explicitly with uncertainty. Effective risk management is a fundamental requirement for businesses and organisations to succeed and survive.

There are now a significant number of authoritative globally relevant guidelines (e.g. ISO 31000, COSO and rating agency ERM criteria) on how effective risk management can be applied. While King III sets out the principles, the challenge is to make the principles real and practical through reference to these global guidelines.

Combined assurance should be based on identified risks and how assurance is achieved and reported to the board. This will be one of the biggest challenges facing businesses and organisations in adopting King III. However, it offers tangible benefits that extend well beyond proving compliance, including:
  • Coordinated and relevant assurance efforts focussing on key risk exposures
  • Minimised business/operational disruptions
  • Comprehensive and prioritised tracking of remedial action on identified improvement opportunities/weaknesses
  • Improved reporting to the board and committees, including reducing the repetition of reports being reviewed by the different committees
  • Possible reduced assurance costs.

  1. Do we understand how risk appetite and tolerance is applied in our organisation?
  2. How do we know that the biggest risk exposures to our organisation are being adequately managed?
  3. When last did we participate in a risk assessment activity?
  4. How often have we considered the same risk-related issue in the various management and governance meetings?
  5. Is ICT risk actively considered in our risk management process?
  6. Do we specifically consider compliance risk and, if so, how satisfied are we that it is effectively covered?
  7. Are risks prioritised and ranked to focus the responses and interventions on those risks outside the board’s risk tolerance limits?
  8. Do we have an approved annual risk management plan?
  9. Who assures non-financial risks, such as plant availability, staff capacity and competency, the impact of legislative changes on the business/organisation etc.? And to which management or board committee is the assurance provided? Are we satisfied that this assurance is reliable?
  10. Do we have a fraud risk plan to consider our fraud exposure and prevention?
  11. Does our disclosure on the effectiveness of risk management reflect the actual position of our business/organisation?
How we can help you
PricewaterhouseCoopers has invested substantially in risk management solutions, both locally and globally. Our experience and hands-on expertise ensure that this investment can be practically applied for our clients’ benefit in a number of ways:
  • Advising on risk governance and risk management plans
  • Articulating risk appetite and tolerance
  • Linking performance and risk management
  • Developing effective risk management frameworks and methodologies
  • Facilitating risk assessments
  • Benchmarking risk and risk mitigation activities
  • Addressing ICT risk management
  • Advising and providing solutions on compliance risk
  • Assisting in embedding risk management
  • Assessing the effectiveness of risk management
  • Assessing current assurance providers – existence and effectiveness
  • Developing a combined assurance profile and risk governance reporting framework
  • Creating a fraud risk response plan together with management.