Every company, and financial institutions in particular, is focused on internal controls over financial reporting (ICOFR), in the process neglecting risk management over corporate strategy and its implementation. Failure of risk management was an important cause of many of the collapses during the financial crisis, and in many cases boards were found to be ignorant of the risks faced by the company. Not surprisingly, the OECD has identified oversight of risk management as an area of increasing importance for boards.
In this connection, the OECD code identifies the following as key functions of the board:
Principle VI D1. Reviewing and guiding corporate strategy, major plans of action, risk management policies and procedures, annual budgets and business plans; setting performance objectives; monitoring implementation and corporate performance; and overseeing major capital expenditures, acquisitions and divestitures.
Principle VI D7. Ensuring the integrity of the corporation’s accounting and financial reporting systems, including the independent audit, and that appropriate systems of control are in place, in particular, systems for risk management, financial and operational control, and compliance with the law and relevant standards.
Therefore, the board is responsible for both establishing and overseeing the company’s enterprise-wide risk management system and for ensuring that it is compatible with the company’s strategy and risk appetite.
One of the OECD’s projects after the financial crisis identified the following main messages with regard to the implementation of risk management:
It should be fully understood by regulators and other standard setters that effective risk management is not about eliminating risk taking, which is a fundamental driving force in business and entrepreneurship. The aim is to ensure that risks are understood, managed and, when appropriate, communicated.
Effective implementation of risk management requires an enterprise-wide approach rather than treating each business unit individually. It should be considered good practice to involve the board in both establishing and overseeing the risk management structure.
The board should also review and provide guidance about the alignment of corporate strategy with risk appetite and the internal risk management structure.
To assist the board in its work, it should also be considered good practice that risk management and control functions be independent of profit centres and the “chief risk officer” or equivalent should report directly to the board of directors along the lines already advocated in the OECD Principles for internal control functions reporting to the audit committee or equivalent.
The process of risk management and the results of risk assessments should be appropriately disclosed. Without revealing any trade secrets, the board should make sure that the firm communicates material risk factors to the market in a transparent and understandable fashion. Disclosure of risk factors should be focused on those identified as most relevant and/or should rank material risk factors in order of importance on the basis of a qualitative selection whose criteria should also be disclosed.
With few exceptions, risk management is typically not covered, or is insufficiently covered, by existing corporate governance standards or codes. Corporate governance standard setters should be encouraged to include or improve references to risk management in order to raise awareness and improve implementation.
Source: OECD Key Findings