• Thursday, April 25, 2024
BusinessDay

Nigerian Code of Corporate Governance 2018 (Principle 17): Risk management

Risk management: don’t leave home without it

Risk is an underlying factor in every business and can be defined as the probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities.

ISO Guide 73 defines risk as the effect of uncertainty on objectives, which may be positive, negative or a deviation from the expected, and is usually described by an event, a change in circumstances or a consequence. In business, risk is typically the driver of strategic decisions, and the management thereof is embedded in the activities of the company.

Risk management is an integrated process that encompasses the identification, assessment and ranking of the risks facing an organisation and the practical efforts expended in mitigating and controlling them. The management of risk is at the heart of corporate governance, as the sustainability and continuity of a company depend largely on its ability to measure, monitor and mitigate various dimensions of risk.

The responsibility to effectively manage risk in a manner that ensures business continuity rests squarely on the Board of Directors and derives primarily from Directors’ fiduciary responsibilities.

Principle 17 of the NCCG Code provides that “A sound framework for managing risk and ensuring an effective internal control system is essential for achieving the strategic objectives of the Company.”

A Risk Management Framework is the structured process used to identify potential threats to an organisation, define the strategy for eliminating or minimising the impact of these risks, as well as the mechanisms to effectively monitor and evaluate this strategy.

The Code recommends that the Board should articulate, implement and review the Company’s internal control systems to strengthen the risk management framework.

Risk management is not about eliminating risk, which is indeed a fundamental driving force in business and entrepreneurship. Rather it should provide a framework that enables the articulation of an organisation’s risk appetite (the amount of risk the Company is willing to accept in pursuit of stakeholder value), tolerance and capacity and would serve to ensure that decisions are considered within this context. A Risk Management Framework assures stakeholders of the Company’s commitment to profitability and sustainability.

The Nigerian Code of Corporate Governance provides that the Board is to ensure the establishment of a risk management framework that defines the Company’s risk policy, risk appetite and risk limits.

It recommends a framework covering all aspects of the Company’s business and ensures that mitigating strategies have been put in place to manage identified risks. The Board shall ensure that the framework is able to identify all possible risks that may affect the company.

An effective risk management framework would provide indices for identifying, evaluating, ranking and classifying risks. It is important to have a risk dashboard that will at a glance identify major risk exposures and mitigating responses. The risk elements should be properly defined and ranked in terms of the likelihood of occurrence and the possible consequences or impact.

Risk management responsibilities must be clearly delineated in the framework with the risk architecture, strategy and protocols clearly set out. The Board must also ensure that benchmarks to determine the significance or materiality of the identified risks are contained in the framework.

A significant risk that needs to be clearly articulated and monitored for impact is that of information and communication technology, given the speed at which technology is advancing. Cybersecurity and data protection are front-burner issues that the Board must be very deliberate about, ensuring that they are adequately covered by the Framework.

Directors should carefully assess the adequacy of the company’s data security measures. Cyber risk is not going away, so it is imperative that Boards and Management do what they can to manage and minimise cyber risk. This includes identifying those areas where the Company is most vulnerable and understanding how it may be at risk.

Boards also need to have a response plan in place if and when a cyberattack occurs and ensure they have adequate insurance coverage for data breaches. Failure to adequately oversee this risk can cause dire consequences for the Company.

The Risk Management Committee plays an important role in establishing and implementing the risk management framework. The Board should thus ensure that members of the committee have a clear understanding of the Company’s business, sector and the business environment, to be able to provide the required oversight of risk management.

It is useful to combine the committees responsible for audit and risk management as this enhances discussions on the risk implication of audit matters. Where Audit and Risk Management Committees are separate, the Code recommends that one or more members should have joint membership of both committees. The Committee shall receive periodic reports on the Company’s risk status.

A member of senior management who is a professional with relevant qualification, competence, objectivity and experience is recommended to head the risk management function. It is not unusual for companies to combine the Chief Internal Audit function with risk management.

However, as much as possible, the roles should be separate. Indeed, Banks are not allowed to combine the roles. An annual assessment of the Risk Management Framework is recommended with more frequent assessment for companies with complex operations.

The Code recommends that a risk management report be included in the Company’s Annual Report to shareholders. The risk report should be forward looking and provide useful information to stakeholders on the status of risk management and actions that are being taken to ensure continuous improvement in performance.

An effective risk management framework should be integrated into the day-to-day operations of the business and provide guidelines and standards for managing key risks. It is important that the framework be communicated in simple and clear language to all employees.

An enterprise-wide approach to risk management ensures it is integrated into every aspect of the Company’s operations.

The Board and the Risk Management Committee should work with Management to promote and actively cultivate a corporate culture and environment that understands and implements enterprise-wide risk management. Comprehensive risk management should not be viewed as a “specialized function,” but instead should be treated as an integral component that affects how the company measures and rewards its success.

In setting the appropriate “tone at the top,” transparency, consistency and communication are key. The Board’s vision for the company, including its commitment to risk oversight, ethics and intolerance of compliance failures, should be communicated effectively throughout the organisation.