Page 49 - The Corporate Report Pack
How risky is your business?
of trouble, and to implement an exception/escalation process that ensures that problems that are significant, large, aged or growing are dealt with at increasingly higher levels of management.
Questions on operational risk the board should ensure are asked include:
• Are operational risk priorities reported to the board or a similar senior committee?
• Are qualitative risk assessments required for every big project, new product, business practice change and so on?
• Does the organisation promote self-governance at every level?
• Are the right yardsticks used to measure risk management competence in all manager performance reviews? Measures used by different organisations to track and manage individual performance levels are a key driver of human behaviour (‘balanced scorecard’).
Wrapping up risk
The board cannot and should not be expected to get involved in actual day-to-day risk management, but concrete steps that boards should put in place include:
1. The board should, through their risk oversight role, constantly satisfy themselves that the risk management policies and procedures designed and implemented by the organisation’s senior executives and risk managers are consistent with the organisation’s strategy and risk appetite.
2. The board must be given the correct feedback that these policies and procedures are functioning as directed. Audit reports should ensure that the necessary steps are taken to foster an enterprise-wide culture that supports appropriate risk awareness, behaviours and judgements about risk, and that risk-taking beyond the organisation’s determined risk appetite is recognised and escalated correctly within accepted time limits.
3. The board should establish that the CEO and the senior executives are engaged in risk management and have strategies in place to manage and monitor the type and magnitude of the organisation’s principal risks that underlie its risk oversight.
4. Communicating that the risk programme is one of the integral components of strategy, culture and business operations is crucial throughout the organisation.
5. Board committees overseeing specific categories of risk should be annually reviewed to ensure that, taken as a whole, the board’s oversight function is coordinated and comprehensive.
Changing the operating environment of a large organisation takes at least two to three years, as individuals come up against specific processes such as policy decisions, project approvals, or even personnel reviews that require change in line with risk-culture principles.
There are two major challenges the board will face: building consensus among senior executives and sustaining vigilance over time. The board must continually send a message to management and employees that comprehensive risk management is essential to the conduct of business.