ZimCode Secretariat

Key messages:

  • Risk management and mitigation
  • Risk reporting and disclosure
  • Independent external auditors
  • Whistle-blower policy

Governance of risk is an area that many entities are now focusing on because of various catastrophes that have affected businesses since the turn of the century. The traditional perception of risk that mainly focused on financial risk as well as ad hoc approaches has since been eroded by the changing times. Today’s globalised world is characterised by increasing interconnectedness, social networking, and fast-paced technological change, which, in addition to opportunities, also have the potential to increase vulnerabilities and to create new risks with impacts on a much larger scale, and sometimes over a longer time span.

We are now living in a volatile, uncertain, complex and ambiguous (VUCA) world, which requires companies to continuously review their risk management policies. Governance of risk has become increasingly important for boards as it is closely related to corporate strategy. Risk governance applies the principles of good governance to the identification, assessment, management and communication of risks.

The ZimCode advises that it is the board’s responsibility to oversee the company’s risk management policy as well as its internal control systems. Boards are encouraged to effectively monitor and understand the treatment of risk, and thereby reach good decisions that appropriately take risk into account.

Ever since the financial crisis, the responsibility of the board to provide risk management has received increased scrutiny. This is because the crisis uncovered extremely deficient risk oversight and management practices even at highly sophisticated corporations.

Further research on the crisis discovered that in many cases, risk was not managed on an enterprise basis and not adjusted to corporate strategy. Most important of all, boards were in a number of cases ignorant of the risks facing the company. It is from this understanding that the ZimCode encourages the board to take a central role in the management and mitigation of risk.

A company should have a risk management policy and plan that is reviewed from time to time to ensure that it remains relevant and up to date. It is therefore imperative for the board to play a key role in both establishing and overseeing the risk management structures and policies. The Board should appoint an audit committee or risk management committee to assist it in the discharge of its duties and responsibilities in respect of risk management as well as the development and monitoring of risk management policy and plans.

Internal controls should be established not only over financial matters, but also over operational, compliance and sustainability issues. The Board should ensure that principal risks are identified and managed in a timely manner.

The board should also review and provide guidance about the alignment of corporate strategy with risk-appetite and the internal risk management structure. Effective implementation of risk management requires an enterprise-wide approach rather than treating each business unit individually. (see fig 1&2)

Proper disclosure of risk is another important element that can assist the board in governance of risk. When a company undertakes ambitious strategies without clearly identifying, assessing or duly reporting on the related risks, it may lead to inappropriate strategic decisions and unexpected financial losses.

Disclosure of risk factors should be focused on those identified as more relevant and should rank material risk factors in order of importance on the basis of a qualitative selection whose criteria should also be disclosed.

Reporting on risk should cover all forms of risks that may be faced. A series of new risks such as political, climatic, operational and exchange rate risks should be taken into account when reporting. The process of risk management and the results of risk assessments can be appropriately disclosed without revealing any trade secrets.

Reporting should also cover risk management strategies as well as the systems put in place to implement them. Proper reporting and full disclosure on risk equips the board with correct information so that it can make the right decisions at all times.

It should be fully understood that effective risk management is not about eliminating risk taking, which is a fundamental driving force in business and entrepreneurship.

The aim is to ensure that risks are understood, managed and, when appropriate, communicated. It enables the company to reduce damage and losses that are associated with risk. The board has to be wary of risks that emerge from relationships that are forged by the company and its stakeholders.

The ZimCode advises that relationships between the external auditors and the CEO, management and the company are to be closely monitored and guided by professionalism and independence. Good corporate governance ensures that these relationships are reliable, efficient and ethical so that there is no room for ‘unholy alliances’ that can undermine the company.

In the same vein, the board ensures that conflict of interest is identified and properly managed. This entails that both internal and external auditors have to be independent and provide assurance of their independence to the company. It ensures that internal and external controls that are established to manage risk are not compromised and can therefore adequately assist the board in risk governance.

The company should have an independent whistle-blower system that encourages honest reporting of activities that are of significant risk to the company. This provision enables individuals to still report cases outside the normal lines if the management is deemed to be unreachable or not responding to them.

The board should ensure that a whistle-blower policy is developed and that its provisions protect and respect individuals who blow the whistle. It should also discourage malicious and unjustifiable accusations from employees against their superiors. Employees who make such false claims should be subjected to disciplinary measures which should be clearly outlined in the whistle-blower policy.

 

For more information on the ZimCode contact: [email protected].
