CORPORATE GOVERNANCE
Lesson n. 9: Corporate Governance and Risk Management
a.y. 2015-2016, 1st semester
f.buzzichelli@lumsa.it
CG and Risk Management
Contents
1. Corporate Risk Assessment: ERM
2. US COSO Integrated Framework
3. Levels of Risk
4. Responsibilities of the BoD
5. Chief Risk Officer
6. OECD surveys on RM and CG
7. Risk analysis process
8. 10 steps to structure a Risk Management Policy
CORPORATE RISK ASSESSMENT
The CG Cadbury Code refers to risk only in the context of the BoD's responsibilities. The need to reinforce corporate risk assessment derives from the financial crisis: several surveys revealed that the global financial crisis has increased the awareness of the need to manage and leverage risk.

ENTERPRISE RISK MANAGEMENT
In an advanced approach it allows a company to:
- define a critical framework for successful decision-making and for driving value;
- engage all stakeholders in the development of risk management strategy and policy setting;
- move from a mitigation and avoidance view of risks to leveraging and managing risks to extract business value.
US COSO Integrated Framework for ERM
COSO = Committee of Sponsoring Organizations of the Treadway Commission (since 1985)

THREE DIMENSIONS FOR ERM
1. Achievement of 4 objectives
2. 8 interrelated components
3. Entity's units
Emphasis on corporate risk
The OECD reviewed the adequacy of CG by suggesting:
- a risk management function reporting directly to the BoD;
- the risk management function to consider any risk deriving from the existing compensation and incentive system;
- the effectiveness of the risk assessment and management process to be monitored and disclosed.
The ICGN published a set of Corporate Risk Oversight Guidelines:
- the risk oversight process begins with the BoD;
- corporate management is responsible for developing and executing a risk program;
- shareholders have a responsibility to assess and monitor the effectiveness of the BoD in overseeing risk.
Levels of risk
Corporate risk arises at every level in the organization. The BoD has a supervisory role on policies, systems and performance.
- OPERATIONAL RISK: within the company (fire, accident, ...)
- MANAGERIAL RISK: hazards deriving from the company's activities (product liability, third-party risk, ...)
- STRATEGIC RISK: responsibility of directors who do not know the risk profile; wrong decisions of the BoD
Delegating responsibilities to the AUDIT COMMITTEE is frequent and recommended for some listed companies.
Responsibilities of the BoD
RISK MANAGEMENT / RISK MINIMIZATION
BoDs should recognize, understand and accept the RISK PROFILE of the company, balancing risks with appropriate/acceptable rewards: «creating business value while managing risk».
Duties of the BoD:
- recognize significant risks facing the company;
- ensure the existence and the effectiveness of risk assessment systems;
- ensure the development and the effectiveness of risk evaluation procedures;
- ensure the efficiency and effectiveness of risk monitoring systems;
- ensure the existence, updating and application of business continuity strategies and risk management policies.
Responsibilities of the BoD
Options for the BoD:
1. Delegating to the AUDIT COMMITTEE
2. Creating a RISK ASSESSMENT or RISK MANAGEMENT COMMITTEE
3. Creating a management-based RISK MANAGEMENT GROUP
In the particular case of financial institutions, a RISK POLICY COMMITTEE is created to support the BoD in its responsibility for setting tolerance thresholds for risks.
A new Chief Officer: CRO - CHIEF RISK OFFICER
- he/she is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments;
- in complex organizations, he/she is generally responsible for coordinating the organization's ERM approach;
- he/she has to ensure that the organization is in full compliance with applicable regulations and to analyze all risk-related issues;
- he/she has business-related experience, with actuarial, accounting, economics and legal backgrounds;
- he/she is accountable to the Executive Committee and the Board for enabling the business to balance risk and reward.
OECD RM & CG: CG and the Financial Crisis (OECD, 2010)
- One of the greatest shocks from the financial crisis has been the widespread failure of risk management;
- it should be fully understood by regulators and other standard setters that effective risk management is not about eliminating risk taking: risks should be understood, managed and, when appropriate, communicated;
- effective implementation of risk management requires an enterprise-wide approach rather than treating each business unit individually;
- the board should also review and provide guidance about the alignment of corporate strategy with risk appetite and the internal risk management structure;
- risk management and control functions should be independent of profit centres, and the CRO or equivalent should report directly to the board;
- the process of risk management and the results of risk assessments should be appropriately disclosed;
- CG standard setters should be encouraged to include or improve references to risk management in order to raise awareness and improve implementation.
OECD RM & CG: Financial Crisis effects on listed companies
Main outcome: risk was not managed on an enterprise-wide basis and was not adjusted to corporate strategy; boards were ignorant of the risks facing the company.
Challenges:
- linking risks to strategy;
- better defining risks;
- effectively considering stakeholders' concerns.
OECD RM & CG: McKinsey survey on listed companies (2011) reveals that:
1. 44% of respondents said that boards simply review and approve management's proposed strategies;
2. only 14% of board time was spent on business risk management;
3. 14% of respondents had a complete understanding of the risks their company faced;
4. 50% of directors said that the information received was too short-term.
OECD RM & CG: Risk Management and Corporate Governance (OECD, 2014)
Survey on 27 jurisdictions (participants in the OECD Corporate Governance Committee):
- while risk-taking is a fundamental driving force in business and entrepreneurship, the cost of risk management failures is still often underestimated;
- most companies consider that risk management should remain the responsibility of line managers;
- corporate governance standards should place sufficient emphasis on ex ante identification of risks;
- risk governance standards tend to be very high-level, limiting their practical usefulness, and/or focus largely on financial institutions;
- boards should place sufficient emphasis on potentially catastrophic risks, even if these do not appear very likely to materialize.
Figure: Companies with a committee with explicit reference to risk (2010)
Figure: Risk governance requirements/recommendations for listed companies
Risk analysis process
1. Risk Recognition: identify risks, threats and hazards
2. Risk Assessment: assess the effect; consider the value, sensitivity and criticality of the event; prioritize risk exposure
3. Risk Evaluation: determine the probability of the event
4. Risk Management Policy: determine the RMP to resolve the risk
5. Board Policy Approval
6. Risk Monitoring and Reporting: monitoring and recording risk; review of ongoing insurance coverage; routine board supervision of the application of the policy; revision of the policies
Risk recognition and assessment
How to recognize/assess risks that have never occurred before, or for which there are no data or experience to evaluate the impact? It is important to create a corporate culture throughout the organization oriented to RISK RECOGNITION AND ASSESSMENT.
Tools:
- tabular approach
- mind mapping
- software programs: identification of risks; development of appropriate risk management policies; supporting ongoing business activities
- questionnaires
- risk benchmarking
Risk evaluation
To measure the extent of a risk i: R_i = L_i * p(l_i), where L_i is the amount of the loss and p(l_i) the probability of the loss occurring.
But both the amount of the loss (L) and the probability of a risk occurring (p(l)) might be difficult to determine: hence the need for APPROPRIATE RISK MANAGEMENT POLICIES!
Risk evaluation
Figure: risk matrix plotting the Impact of the event (low to high) against the Likelihood of the event (low to high). The quadrants point to the possible responses: no significant need of RM policies; mitigate, assume or insure the risk; carry any further costs itself; sharing risk; BoD decision.
Risk management information system
Directors don't have to be concerned about risks only once they have occurred! Centralization of information and risk management responsibility is the core approach of ENTERPRISE RISK MANAGEMENT:
- provide information on a regular basis for management, to take executive decisions;
- support the board in its monitoring and supervisory function;
- enable the company to communicate externally (auditors, regulators, shareholders).
Issue: confidentiality of risk management data.
Risk transfer
The oversight of risks is strictly a BoD responsibility, as a basic element of corporate governance. Therefore, the BoD should define / agree on corporate risk strategies and risk policies:
- AVOID THE RISK
- TRANSFER THE RISK
- MITIGATE THE RISK
- RETAIN THE RISK
Risk Management Policy
10 steps to define a Risk Management Policy
A Risk Management Policy serves two main purposes:
- to identify, reduce and prevent undesirable incidents or outcomes;
- to review past incidents and implement changes to prevent or reduce future incidents.
Knowing how to write a risk management policy is a central part of an organization's or business's strategic planning and growth.
1. POTENTIAL RISKS: Identify all potential risks for the company
Consider all the different transactions or processes in the reference context. Include long-term strategic objectives and decisions, operational or day-to-day activities, financial management and controls, intellectual and information technology actions and knowledge, and compliance/regulatory issues and policy decisions. Write down all the things that could potentially go wrong and how that might happen. Divide this information into sections to address each individually.
2. ANALYZE THE RISKS: All the identified potential risks should be analyzed
Write down how they may occur, potential methods of prevention, additional steps that could be taken to prevent them, and how those risks are evaluated and assessed regularly.
3. PAST INCIDENTS: Assess all the past incidents that occurred in the organization and how these occurrences were handled
Consult past records to determine how frequently incidents have happened and how they were handled, including processes that worked and those where there were areas of improvement.
4. RE-OCCURRENCE: Estimate the likelihood of each risk
The probability of each risk should be estimated based on the history of the organization, best practices and peer experiences.
5. TREATMENT PLAN: Develop a treatment plan for all of the identified risks
The treatment plan should be designed prioritizing the identified risks that are more likely to occur. Be sure to outline a step-by-step expectation for how each risk will be avoided, how it will be handled if it does occur, and how it will be recorded.
6. COSTS: Calculate and include cost estimations
Costs should be estimated for all the steps needed to align with the risk management policy recommendations. Information on costs should be provided to the internal audience when the policy is proposed.
7. REPORTING: Prepare a report for both internal and external stakeholders
The auditing steps in place to revisit and evaluate the policy should be illustrated. The internal audiences need to know the greatest risks, who is accountable for what, and how the process will be monitored. The external audiences need to know that risk management is a part of the organization's culture and how the process and policy have been laid out.
8. DATA TRACKING: Create a data tracking system to input all statistics on risk management successes and failures
Staff should be trained to use the created database. Creating a risk assessment form to be used after an incident can be a useful tool to examine whether more precautions should have been taken. This allows all the data to be recorded right after the occurrence, and the same information to be gathered each time.
9. MONITORING: Design a monitoring process
Set up a regular monitoring process to review all risks and evaluate how the treatment plan has been working.
10. RMP REVIEW: Regularly update the RMP
Revisit the risk management policy every 6 months to evaluate its effectiveness by comparing incident occurrence rates. Revise the plan as necessary. Risk management planning and evaluation should be a continuous, evolving process that integrates seamlessly into a company's or organization's culture.
DON'T FORGET...
- the needed awareness of all board members, senior managers, employees, volunteers and residents concerning risk management within the organization;
- establishing a Risk Management Committee with representatives from each department, whose responsibilities will be to implement, monitor, evaluate and revise plans to achieve goals and objectives;
- electing a Risk Management Coordinator to serve as the head of the Risk Management Committee and report to the BoD;
- including risk management as an item for discussion at every staff meeting.
References
- Tricker B., 2015, Corporate Governance. Principles, Policies and Practices, Third edition, Oxford University Press, Chapter 8.
- Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2004, Enterprise Risk Management - Integrated Framework, Executive Summary.
- OECD, 2014, Risk Management and Corporate Governance, Corporate Governance, OECD Publishing. http://dx.doi.org/10.1787/9789264208636-en