
Bob Tricker

Corporate Governance: Principles, Policies and Practices, 3e
Chapter 8: The Governance of Corporate Risk

Bob Tricker, 2015. All rights reserved.


The Governance of Corporate Risk

In which we consider:
- the US COSO integrated framework for enterprise risk management (ERM)
- the global financial crisis: a new emphasis on corporate risk
- levels of risk; the concept of enterprise risk management
- responsibility for risk profiling, risk strategy, risk policy, and risk supervision
- identifying types of risk
- risk analysis
- risk recognition and assessment
- risk evaluation
- risk management information systems
- risk transfer.

Tricker: Corporate Governance, 3rd edition


Corporate Risk Assessment
The 2010 Aon Global ERM Survey

- Uncertainty from the global economy has increased
- Awareness of the need to manage risk has never been higher
- Hallmarks of advanced ERM include the importance of:
  - board-level commitment to ERM as a critical framework for successful decision making and for driving value
  - the engagement of all stakeholders in the development of risk management strategy and policy setting
  - a move from focusing on risk avoidance and mitigation to leveraging risk and risk management options to extract business value.
US COSO framework for ERM

COSO's Enterprise Risk Management Integrated Framework highlights four areas for board oversight of ERM:
- understand the entity's risk philosophy and concur with the entity's risk appetite
- know the extent to which management has established effective enterprise risk management of the organization
- review the entity's portfolio of risk and consider it against the entity's risk appetite
- be apprised of the most significant risks and whether management is responding appropriately.



Corporate Risk Assessment

Corporate governance codes require systems to assess and manage corporate risk:
- Turnbull Report, UK governance codes, 1999
- Sarbanes-Oxley Act, US, 2002
- Basel II agreement for the financial world, 2003.



New emphasis on corporate risk

- The OECD recognized that boards' responsibility for defining strategy and risk appetite needed to be extended
- The risk management system was not compatible with the company's strategy and risk appetite
- Building on the OECD Principles, a 2010 report proposed good practice:
  - for the risk management function to report to the board
  - for the risk management function to consider any risks arising directly from the compensation and incentive systems in place
  - for the effectiveness of the risk assessment and management process to be monitored and the results disclosed.



New emphasis on corporate risk

In 2010 the International Corporate Governance Network enhanced its Global Corporate Governance Principles with a set of Corporate Risk Oversight Guidelines, emphasizing:
- the risk oversight process begins with the board
- corporate management is responsible for developing and executing an enterprise's strategic and routine operational risk programme
- shareholders, directly or through designated agents, have a responsibility to assess and monitor the effectiveness of boards in overseeing risk at the companies in which they invest.



Levels of risk

Corporate risk arises at a number of levels:
- Strategic level risks: threats from outside the organisation
- Management level risks: risks from the firm's activities
- Operational level risks: hazards within the enterprise



Corporate Risk Assessment

Key question for every director: what is our corporate strategic exposure?

- Enron
- BP oil rig disaster
- Toyota supply chain failure
- Northern Rock

The crucial question should be: what if...?



Corporate Risk Assessment

What if competitors:
- Launched a new product or service
- Changed manufacturing technology
- Adopted a new pricing or distribution strategy
- Changed ownership
- Expanded into new markets
- New entrants appeared in significant products or markets.



Corporate Risk Assessment

What if customers:
- Adopted a substitute product or service
- A major customer became bankrupt and collapsed
- Changed ownership
- Brought legal actions for damages
- Suffered catastrophic failure of our product in use
- Alleged patent, trademark or copyright infringement.
Corporate Risk Assessment

What if major suppliers:
- Could not deliver because of a physical disaster
- Failed to deliver through bankruptcy or takeover
- Corruptly lowered product specifications
- Used trade secrets to their advantage
- Manufactured for your competitors.



Corporate Risk Assessment

What if government introduced:
- New regulation of our industry
- Tariff barriers, protectionism, border controls
- New environmental or hazard limitation laws
- Monopoly, anti-trust or pricing inquiries
- Cost-cutting by government
- Political threats in overseas countries.



Corporate Risk Assessment

What if, in the information technology area:
- Failure of the overall IT system
- Hacking of our systems for fraud, spying, or mischief
- Loss of e-links with customers, suppliers or shareholders
- Effect of terrorism, criminal activity, political activity.



Corporate Risk Assessment

What if, in the financial field:
- Currency or interest rates shifted dramatically
  - currency peg becomes a basket?
  - exposure to off-balance sheet debt?
- Predators made a hostile approach
  - listed company or private equity
- Sources of finance recalled debt
- Share price collapse following media revelations
- Reputational loss following an adverse law case
- Errors in trades (unintentional or deliberate).



Risk strategy, profiling, policy and supervision

Every board has a duty to ensure that:
- significant risks are recognized
- risk assessment systems exist and are effective throughout the organization
- risk evaluation procedures are operational
- risk monitoring systems are robust, efficient and effective
- business continuity strategies and risk management policies exist, are regularly updated and applied in practice.



Risk strategy, profiling, policy and supervision

Risk analysis
The analysis of risk has iterative phases:
- risk recognition
- risk assessment
- risk evaluation
- risk management policies
- risk monitoring.



Risk strategy, profiling, policy and supervision

Figure 8.1: The risk analysis and management process



Corporate Risk Assessment

A risk assessment programme enables firms to:
- Recognise risks
- Develop appropriate risk management policies
- Support ongoing business activities by causing staff to recognise risks and thus avoid them
- Enable directors to appreciate the nature and extent of their risk profile and make appropriate judgements
- Enable the firm to report confidently to shareholders and other stakeholders that corporate risks are being well managed.



Risk recognition and assessment

A number of tools are available to conduct a risk assessment:
- A simple tabular approach, identifying risk analysis centres and listing risks and effects.
- A matrix with estimated costs and numerical probability estimates.
- A questionnaire designed to identify risks and hazards. This format can also be used to document compliance and non-compliance with risk management policies.
- Software programs developed to provide on-line identification and reporting of risks.
- Proprietary programs and systems, available from software houses and consulting firms.
Critical success factors
- Sponsorship and oversight at board level
- Top management commitment
- Involvement throughout management and in all parts of the enterprise
- Company-wide definition of procedures, documentation and reporting
- Identification of risk management centres throughout the organization
- Definition of responsibilities for identifying and recommending risk responses
- Risk management centres are given appropriate responsibility
- Areas of risk are carefully defined and bounded, each one limited in scope
- Involvement of experts with relevant risk assessment experience
- Documentation at all stages, regularly updated and building on experience
- Defined authentication and approval, confidentiality levels, access control, availability, audit and overall administration responsibilities
- The creation of risk awareness, not risk avoidance, throughout the organization
- Ensuring participation by identifying risk 'ownership' throughout the organization
- Board level leadership and approval of risk management policies is vital.
Corporate Risk Assessment

Risk Management Committee
- A standing committee of the main board, or a sub-committee of the Audit Committee
- Chairman, CEO, CFO, INEDs, plus attendance of the CRO, profit unit heads and external experts
- Responsible for risk management policies, procedures and plans
- Produces the risk management plan for main board approval
- Meets 3 or 4 times a year, or when facing exceptional risks
- Linked with internal and external audit.
Corporate Risk Assessment

The Risk Management Officer or Chief Risk Officer
- A senior executive
- Reporting to the CEO or CFO
- Responsible for working with the board Risk Management Committee or Audit Committee
- Develops risk management policies, assessment methodologies, and infrastructure
- Oversees risk assessment and management procedures
- Produces risk management reports
- Liaises with insurers
- Keeps in touch with external risk management developments.
Corporate Risk Assessment

Enterprise risk management information systems

Vital to record risk factors:
- Nature of risk
- Possible effects of occurrence
- Likelihood of occurrence
- Decisions of the CRO, Risk Management Committee, Audit Committee and Board
- Experience over time.



Corporate Risk Assessment

Various professional experts are available to assist in enterprise risk management:
- Auditors (not experts in risk but in assessment of control systems)
- Consultants (some specialize in this field)
- Insurance brokers and companies (benefit of benchmarks by industry, country and company).



Corporate Risk Assessment

Risks unrecognized in companies in Asia:
- business interruption risk
- earthquake, typhoon or tsunami
- kidnap of executives
- merger and acquisition risks

Failure to take a broad strategic perspective. Need for rigorous systems and due diligence.



Risk evaluation

The extent of any risk (R) is a function of the magnitude of the potential cost or loss (L) and the probability (p) that the uncertain future event will occur.

Specific risk: $R_i = L_i \, p(L_i)$

Total risk exposure: $R_{\text{total}} = \sum_i L_i \, p(L_i)$



Corporate Risk Assessment

Figure: the loss/probability matrix, with Loss (low to high) on the vertical axis and Probability (low to high) on the horizontal axis.



Corporate Risk Assessment

- Both the extent of loss and the probability of occurrence can be difficult to assess
- A risk with high loss but a low chance of occurring should be treated differently than one with a lower cost but greater probability
- Need to identify the risk or hazard and face up to the reality of the situation.



Risk transfer

Boards face four choices in managing risk:
- Avoid risk by avoiding the activity
- Transfer risk to a 3rd party: insurance, hedging, outsourcing
- Mitigate risk: preventive controls
- Accept the risk to generate shareholder value.
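As an added illustration, not from the book, the risk evaluation formula and the loss/probability matrix applied to a small constructed risk register; the register entries and the quadrant thresholds are assumptions chosen to show that risks with identical expected loss can sit in different quadrants and so call for different treatment.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    loss: float         # L_i: magnitude of the potential loss (currency units)
    probability: float  # p(L_i): likelihood that the event occurs in the period


def specific_risk(r: Risk) -> float:
    """R_i = L_i * p(L_i): the expected loss of a single risk."""
    if r.loss < 0 or not 0.0 <= r.probability <= 1.0:
        raise ValueError(f"invalid register entry: {r}")
    return r.loss * r.probability


def total_exposure(register: List[Risk]) -> float:
    """R_total = sum over i of L_i * p(L_i) for the whole register."""
    return sum(specific_risk(r) for r in register)


def quadrant(r: Risk, loss_threshold: float, prob_threshold: float) -> str:
    """Place a risk on the loss/probability matrix (thresholds are assumptions)."""
    loss_band = "high-loss" if r.loss >= loss_threshold else "low-loss"
    prob_band = "high-probability" if r.probability >= prob_threshold else "low-probability"
    return f"{loss_band}/{prob_band}"


# Constructed sample register; the figures are illustrative, not from the text.
REGISTER = [
    Risk("IT system failure", loss=2_000_000, probability=0.05),
    Risk("major customer bankruptcy", loss=500_000, probability=0.20),
    Risk("supplier cannot deliver (physical disaster)", loss=5_000_000, probability=0.02),
    Risk("adverse currency move", loss=250_000, probability=0.40),
]


def ranked(register: List[Risk], loss_threshold: float = 1_000_000,
           prob_threshold: float = 0.10) -> List[Tuple[str, float, str]]:
    """Expected loss and matrix quadrant per risk, highest expected loss first."""
    rows = [(r.name, specific_risk(r), quadrant(r, loss_threshold, prob_threshold))
            for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, exposure, quad in ranked(REGISTER):
        print(f"{name:45s} {exposure:12,.0f}  {quad}")
    print(f"{'total exposure':45s} {total_exposure(REGISTER):12,.0f}")
```

Every entry in the sample register has the same expected loss, yet two sit in the high-loss/low-probability quadrant and two in the low-loss/high-probability quadrant, which is exactly why the text says the two kinds should be treated differently.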



The Governance of Corporate Risk

We have considered:
- the US COSO integrated framework for enterprise risk management (ERM)
- the global financial crisis: a new emphasis on corporate risk
- levels of risk; the concept of enterprise risk management
- responsibility for risk profiling, risk strategy, risk policy, and risk supervision
- identifying types of risk
- risk analysis
- risk recognition and assessment
- risk evaluation
- risk management information systems
- risk transfer.

