The Board is responsible for the governance of risk. The Board should ensure that Management maintains a sound system of risk management and internal controls to safeguard shareholders' interests and the company's assets, and should determine the nature and extent of the significant risks which the Board is willing to take in achieving its strategic objectives.
The Board is responsible for the governance of risk. It sets the tone and direction for the way risks are managed in the company.
Managing risks well is crucial to long-term corporate success. But it is not a straightforward task. At the heart of the challenge are two apparently conflicting needs. The first need is the push to improve performance and the corresponding necessity to take some level of risks in order to achieve it. The second is the need to understand and manage risks to prevent unnecessary and excessive risk-taking that might lead not only to underperformance, but to the company’s demise.
Successful companies effectively and efficiently make decisions that optimise risk and reward. This requires them to consider not only the downside of risk (typically associated with measures to reduce levels of risk), but equally its upside (or taking on higher levels of risk to seize opportunities).
Risk governance is the framework within which risk management operates. It defines the way in which a company undertakes risk management. It is essential for the company to have clarity about how and what risks are being managed. Good risk governance thus provides guidance for sound and informed decision-making and effective allocation of resources.
The Board is responsible for influencing and approving the company’s strategy in a way that addresses stakeholders’ expectations, and which does not expose the company to an unacceptable level of risk. It is also ultimately responsible for approving key risk management policies, and ensuring a sound system of risk management and internal controls against which performance can be monitored.
The Guidelines describe:
- The responsibilities of the Board vis-à-vis management regarding risk management (Guideline 11.1).
- The requirement for an annual review of the adequacy and effectiveness of risk management and internal control systems (Guideline 11.2).
- The requirement for the Board to comment on the adequacy and effectiveness of the internal controls, and whether it has received assurance from the CEO and the Chief Financial Officer (CFO) (Guideline 11.3).
- The means, especially with a Board Risk Committee (BRC), by which the Board can be assisted in its risk oversight (Guideline 11.4).
The Board should determine the company's levels of risk tolerance and risk policies, and oversee Management in the design, implementation and monitoring of the risk management and internal control systems.
The Board should, at least annually, review the adequacy and effectiveness of the company's risk management and internal control systems, including financial, operational, compliance and information technology controls. Such review can be carried out internally or with the assistance of any competent third parties.
The Board should comment on the adequacy and effectiveness of the internal controls, including financial, operational, compliance and information technology controls, and risk management systems, in the company's Annual Report. The Board's commentary should include information needed by stakeholders to make an informed assessment of the company's internal control and risk management systems.
The Board should also comment in the company's Annual Report on whether it has received assurance from the CEO and the CFO:
- That the financial records have been properly maintained and the financial statements give a true and fair view of the company's operations and finances; and
- Regarding the effectiveness of the company's risk management and internal control systems.
The Board may establish a separate board risk committee or otherwise assess appropriate means to assist it in carrying out its responsibility of overseeing the company's risk management framework and policies.