#LOCKDOWN DAY 5: RISK MANAGEMENT NOTES ABMI - Practice Guideline A1: Risk Governance & Oversight
ABMI Research Institute
Risk maturity & sector benchmarks | Risk governance | Learning & development
In my days of external auditing, around the start of South Africa’s democratic journey, I learnt of so-called assertions or management representations. What this meant in simple terms (illustrative) is that when an organisation provides financial information to the market, it attests to that information being, for example, accurate or complete. These assertions were logical and rested on assumptions based on the reasonable-person test. What this means is that, from an organisational governance perspective, all intents being positive, every action and control mechanism assures the recipient or beneficiary that certain validations have actually been performed. A typical process of signing off a management report, for example, is therefore not merely ceremonial but a comprehensive attestation and assurance exercise: by affixing their signature, leadership or the Board gives others comfort that it has been assured of, and has verified, the accuracy, reliability and completeness of the information presented.
The reason I bring this up first is to introduce the understanding that the governing authority (Board, Accounting Authority/Officer) does not merely exist to sit and deliberate at its scheduled meetings but has a detailed fiduciary purpose which carries serious implications if not respected. I like this because it moves the function of a member of a governing authority out of the realm of ceremonial status and into a significant oversight function where real and outcome-driven debate and decisions should be made to steer the organisation to success. An important component of that oversight is risk management oversight by the governing authority. Indeed, for risk management to effectively take off it needs the active support and involvement of the governing authority.
Relating the governance expectations of governing authorities to the subject of assertions and representations made earlier, it follows that it is not an automatic defence, in the face of ineffective oversight and poor organisational performance, to plead common excuses like “It was an error”, “We can’t be perfect” and “These things happen”. Extending this to the broader governance space, it is not a fair argument to plead humanity and imperfection when the true reality is that oversight efforts were inadequate, conflicted or negligently performed. To properly entrench a culture of effective oversight we need to eliminate bias in the process of implementing, recognising and reinforcing such oversight. Too often it is easy to plead innocence in cases of governance failure, and everyone now finds opportunity in stating that their oversight efforts were only as effective as the quality of management reporting to the governing authority. One only needs to skim through the Companies Act, the Public/Municipal Finance Management Act and the King IV Report to see that such pleadings do not survive scrutiny, as the onerous demands on members of the governing authority become ever more stringent. DeLoach, in a 2014 study, notes an increase in accountability demands on leadership within organisations that is related to, and a consequence of, historic organisational failures and certain failures in risk oversight (ABMI Reference Library, 2018 edition, p22).
The governing authority is expected to actively lead and direct the risk management process of the organisation in terms of the competence standards of the attribute-based maturity index (ABMI Reference Library, 2018 edition, p5).
KEY SUB-ATTRIBUTES OF A1: RISK GOVERNANCE & OVERSIGHT
Please note that, in terms of the attribute-based maturity index, there are 7 core components of risk management that comprise 26 primary attributes. These primary attributes are in turn split into 93 sub-attributes. Below I analyse the sub-attributes of one of the 26 primary attributes. Keep coming back for more articles that unpack the other elements.
Some elements aren’t explained in full, save for the first item, whose explanation is an extract from the ABMI Reference Library. All elements, however, are explained in detail in the ABMI Reference Library, which can be obtained directly using a self-registered user profile on www.abmi.co.za
1. Risk oversight structures
The governing authority establishes required risk governance committees responsible for dedicated oversight over risk management within the organisation.
It is common practice for risk oversight to be delegated by the governing authority to the audit committee, which is then referred to as the audit and risk committee. The requirements for audit committees are stipulated within a range of guidelines that include those of the South African Institute of Chartered Accountants, the National Treasury Guidelines and Risk Framework, King IV and the Companies Act. In addressing the aspects of independence, it is important to note that the key difference between the traditional functions of an audit committee and those of a risk management committee lies in the fact that risk management committees play a more involved role in risk oversight; where such active involvement is taken on by the audit committee, the independence of that committee may be impaired. Should the organisation elect to place risk oversight at audit committee level, it is suggested that it supplement this through the establishment of a focused risk management committee at executive level or through a deliberate focus on certain risk accountabilities at executive level. Whether an organisation establishes a dedicated risk management committee, other than as expressly provided for in law or a specific sector standard, will depend on the unique circumstances of the organisation. Organisations should also note that, for certain types of risk area, specialised risk committees may be established. Regardless of the delegation of risk oversight to committees, the governing authority should ensure that it remains assured of the adequacy and effectiveness of risk management processes in the organisation.
If the organisation has elected to retain primary risk oversight under the audit committee, without a separate risk committee or a risk sub-committee of the audit committee, the audit committee should consider setting aside time for periodic review of risk management outside the context of its role in other areas of assurance and scope, as this will allow the time required for risk management oversight. Where the audit committee cannot secure sufficient time to attend separately to risk oversight, organisations are advised (in order of preference) to redress this through the separation of functions into a separate risk management committee, the establishment of a sub-committee of the audit committee, or the establishment of a committee at executive management level that supplements the efforts of the audit committee.
2. Risk assessment oversight
The governing authority, either directly or through its appointed risk governance committee, provides input on and ensures a clear understanding of the organisation’s key risks and related control mechanisms.
3. Reporting by risk oversight structures
The relevant risk governance committee reports to the governing authority in terms of the requirements of its terms of reference or constitution.
4. Risk reporting by management
Management provides periodic risk reporting either directly to the governing authority or through a formally appointed risk governance committee.
5. Risk management focus/deliberation
There is formal deliberation of risk matters by the governing authority, and sufficient time and effort is set aside to enable such deliberation.
For additional context, register a free user profile via www.abmi.co.za and download our free ABMI Reference Library Preview document or explore additional value-added offerings. Good luck and feel free to share your views. We are all here to learn and no idea is unwelcome!!!