King II - risk management and internal control
Accountancy SA, Jun 2002 by Payne, Nigel
"The average company today is a complex enterprise engulfed by rapid technological change and fierce global competition. You have to assess exposure to risk on an ever changing landscape." - Arthur Levitt, Chairman: US Securities Exchange Commission
Last month we considered the Boards and Directors chapter in King II. It is no coincidence that the next chapter in the report deals with Risk Management & Internal Control, as these are key factors in both the performance and conformance aspects of corporate governance, and set the platform for the auditing and reporting chapters that follow. I covered this subject in the context of Enron in April 2002 but did not make reference to King II, which has an entire chapter on the subject. I had the privilege of chairing this task team, and have been accused of being passionate about risk management.
Enterprise is the undertaking of risk for reward. Corporate governance can be viewed as a strategic response to risk. To the extent that a company is able to manage risk more effectively than its competitors it will derive a competitive advantage. Risk should thus not be viewed only in a negative context or as something to be avoided. Red Adair, whose company has a global reputation in the management of fires on oilrigs, embraces huge risk in exchange for commensurate rewards.
Accountants and auditors have had the principles of internal control drummed into us during our university days, and again during articles. What was lacking was an understanding of the relationship between risk and control.
There are four ways to address risk. Risk can be avoided, for example by choosing not to make a living fighting oil fires. Risk can be transferred to someone else, perhaps contractually or by way of insurance. Risk can be accepted, perhaps because it is unavoidable or would cost too much to prevent. Finally, risk can be managed. One of the primary ways in which to manage risk is via internal control. King II focuses on the accountability and responsibility for risk management, identification of risks, the decision as to how each risk should be addressed, internal control, monitoring and reporting.
The board is responsible for the total process of risk management, as well as for forming its own opinion on the effectiveness of the process. Management is accountable to the board for designing, implementing and monitoring the process of risk management and integrating it into the day-to-day activities of the company.
The board should set the risk strategy in liaison with the executive directors and senior management. All employees should be involved in the management of risk, whether this be the risk of an accident or the risk that a customer will receive poor service.
The board must decide the company's appetite or tolerance for risk - those risks it will take and those it will not take in the pursuit of its goals and objectives. The board has the responsibility to ensure that the company has implemented an effective ongoing process to identify risk, to measure its potential impact against a broad set of assumptions, and then to activate what is necessary to proactively manage these risks.
The board should make use of generally recognised risk management and internal control models and frameworks in order to maintain a sound system of risk management and internal control.
The board is responsible for ensuring that a systematic, documented assessment of the processes and outcomes surrounding key risks is undertaken, at least annually. This risk assessment should address the company's exposure to at least the following:
* physical and operational risks;
* human resource risks;
* technology risks;
* business continuity and disaster recovery;
* credit and market risks; and
* compliance risks.
A board committee, either a dedicated committee or one with other responsibilities, should be appointed to assist the board in reviewing the risk management process and the significant risks facing the company.
Risk management and internal control should be practiced throughout the company by all staff, and should be embedded in day-to-day activities.
In addition to the company's other compliance and enforcement activities, the board should consider the need for a confidential reporting process ("whistleblowing") covering fraud and other risks.
A comprehensive system of control should be established by the board to ensure that risks are mitigated and the company's objectives are attained. The control environment should also set the tone of the company and cover ethical values, management's philosophy and the competence of employees.
Companies should develop a system of risk management and internal control that builds more robust business operations. The systems should demonstrate that the company's key risks are being managed in a way that enhances shareowners' and relevant stakeholders' interests.
The board must identify key risk areas and key performance indicators of the company, and monitor these factors as part of a regular review of processes and procedures to ensure the effectiveness of its internal controls, so that its decision-making and the accuracy of its reporting are maintained at a high level at all times.
