According to the guidelines outlined in the King 3 report, the risk management process is inseparable from the company’s strategic and business procedures. Corporate governance is an important aspect of running a successful business, as stakeholders, including potential investors, shareholders, employees, government (local and national) and non-governmental movements, look to an organisation’s governance framework to form a view of that organisation’s competence.
Risk Management is only one of the many levers of an organisation’s combined assurance function. The combined assurance function includes elements such as the risk, compliance, legal and internal as well as external auditing roles. These levers are related but differ in their approach; taken together, they provide reasonable governance assurance to any organisation. Hence, they are a requirement when one evaluates the effectiveness of an organisation’s governance framework.
The Risk Management discipline has the advantage of proactivity, as it requires the business to look ahead at its strategic objectives, operations and processes and to evaluate each component, on an ongoing basis, for potential pitfalls that could derail the organisation from achieving its objectives.
King 3 states that ultimately Risk Management is a function of the board, which may delegate the role to a Risk Committee. However, the overall stance is that management, led by the Chief Executive Officer, is responsible for the implementation and management of the risk management process.
Furthermore, King 3 recommends that the risk management function should be as simple as possible in order to engage all employees in the process. In addition, each employee has to apply risk management principles in their day-to-day activities to ensure that the risk culture is entrenched at all levels of the business.
One of the major requirements of the process is that each year an organisation should set its own risk appetite. This defines how severe a risk is to the organisation, and the impact is usually categorised as financial, reputational, resource, legal and/or governance impact. Because the impact assessment is paired with a probability rating, this makes it easier to quantify, prioritise and analyse any risk.
The majority of risk related processes and procedures have to be evaluated and approved at board level. The board is widely regarded as safeguarding the interests of the owners of the business and all stakeholders including the employees. Understandably, the board is required to adopt the Risk Management Plan and approve an organisation’s chosen risk appetite as well as approach.
In some instances, the board delegates the responsibility of risk management to a Risk Committee. Often, the risk committee is chaired by a member of the board who is well qualified in Risk Management. Other members of the Risk Committee may include the Chief Executive Officer, Chief Financial Officer, Head of Internal Audit and Chief Risk Officer and/or any other critical role player.
The key tenets of the process are that risk assessments are conducted on a regular basis and that the key risks are quantified and responded to appropriately – this is also strongly recommended by King 3.