RM-m10

RISK MANAGEMENT
M-10. Additional Topics for Review & Mastery:
Challenges of Risk Governance, Risk Assurance and Risk Reporting

Governance refers to the actions, processes, traditions and institutions by which authority is exercised
and decisions are taken and implemented. Risk governance applies the principles of good governance to
the identification, assessment, management and communication of risks.

The challenges of risk governance in the 21st century

Today’s globalised world is characterised by increasing interconnectedness, social networking, and
fast-paced technological change, which, in addition to opportunities, also have the potential to increase
vulnerabilities and to create new risks with impacts on a much larger scale, and sometimes over a longer
timespan.

Because the evolution of governance mechanisms occurs much more slowly than the processes driving
technological and social change, there are serious concerns from governments, the private sector, as well
as the general public about the lack of governance mechanisms to efficiently deal with risks (such as
climate change and biodiversity loss); to resolve trade-offs between diverse, sometimes conflicting,
needs and interests (such as those that have encouraged the development of biofuel production); or to
deal with potential risks from new technologies in the context of global trade (for example, nanoparticles
and food additives).

Policymakers have subsequently become increasingly conscious of the importance of risk communication
and of meeting public expectations of risk governance.

Risk Assurance

Risk Assurance is the internal process or methodology we employ to create the 'checks and balances'
within our governance and risk frameworks by identifying a "gap" between the ideal risk state and the risk
in real terms. The initial engagements with risk assurance focus on a 'discovery' period in order to
create a scope of works, which usually takes a great deal of time.

Assurance is a process that provides a level of confidence that objectives will be achieved within an
acceptable level of risk.

Assurance services provide independent professional opinions that reduce information risk (the risk of
having incorrect information). Another way to describe Internal Audit is an "objective examination of
the evidence for the purpose of providing an independent assessment on governance, risk management,
control processes for the organisation".

Organisation for Economic Co-operation and Development (OECD) Principles of Corporate Governance

The six OECD Principles are:

1. Ensuring the basis of an effective corporate governance framework
2. The rights and equitable treatment of shareholders and key ownership functions
3. Institutional investors, stock markets, and other intermediaries
4. The role of stakeholders in corporate governance
5. Disclosure and transparency
6. The responsibilities of the board

Ensure the basis of an effective corporate governance framework. The corporate governance framework
should promote transparent and efficient markets, be consistent with the rule of law and clearly
articulate the division of responsibilities among different supervisory, regulatory and enforcement
authorities.

The rights and equitable treatment of shareholders and key ownership functions. ‘The corporate
governance framework should protect and facilitate the exercise of shareholders’ rights and ensure the
equitable treatment of all shareholders, including minority and foreign shareholders. All shareholders
should have the opportunity to obtain effective redress for violation of their rights.’

Basic shareholder rights should include the right to:

● Secure methods of ownership registration;
● Convey or transfer shares;
● Obtain relevant and material information on the corporation on a timely and regular basis;
● Participate and vote in general shareholder meetings;
● Elect and remove members of the board; and
● Share in the profits of the corporation.

Institutional investors, stock markets, and other intermediaries. ‘The corporate governance
framework should provide sound incentives throughout the investment chain and provide for stock
markets to function in a way that contributes to good corporate governance.’

● All shareholders of the same series of a class should be treated equally.
● Insider trading and abusive self-dealing should be prohibited.
● Members of the board and key executives should be required to disclose to the board whether
they, directly, indirectly or on behalf of third parties, have a material interest in any transaction
or matter directly affecting the corporation.

The role of stakeholders in corporate governance. The corporate governance framework should recognize
the rights of stakeholders established by law or through mutual agreements and encourage active
cooperation between corporations and stakeholders in creating wealth, jobs, and the sustainability of
financially sound enterprises.

Disclosure and transparency. The corporate governance framework should ensure that timely and
accurate disclosure is made on all material matters regarding the corporation, including the financial
situation, performance, ownership, and governance of the company.

The responsibilities of the board. The corporate governance framework should ensure the strategic
guidance of the company, the effective monitoring of management by the board, and the board’s
accountability to the company and the shareholders.

Operational Risk Management

Operational risk is the risk of loss resulting from ineffective or failed internal processes, people, systems,
or external events that can disrupt the flow of business operations. The losses can be directly or
indirectly financial. For example, a poorly trained employee may lose a sales opportunity, or indirectly a
company’s reputation can suffer from poor customer service. Operational risk can refer to both the risk
in operating an organization and the processes management uses when implementing, training, and
enforcing policies.

Operational risk can be viewed as part of a chain reaction: overlooked issues and control failures —
whether small or large — lead to greater risk materialization, which may result in an organizational
failure that can harm a company’s bottom line and reputation. While operational risk management is
considered a subset of enterprise risk management, it excludes strategic, reputational, and financial risk.

Examples of operational risk include:

● Employee conduct and employee error
● Breach of private data resulting from cybersecurity attacks
● Technology risks tied to automation, robotics, and artificial intelligence
● Business processes and controls
● Physical events that can disrupt a business, such as natural catastrophes
● Internal and external fraud

Supply Chain Risk Management Strategies

Supply chain risk management refers to the process by which businesses take strategic steps to identify,
assess, and mitigate risks within their end-to-end supply chain. There are both internal and external risks
that can disrupt your supply chain, so it is helpful to understand the difference between the two.

External Supply Chain Risks

As the name implies, these global supply chain risks come from outside of your organization.
Unfortunately, that means that they are harder to predict and typically require more resources to
overcome. Some of the top external supply chain risks include:

Demand Risks: Demand risks occur when you miscalculate product demand and are often the product of
a lack of insight into year-over-year purchasing trends or unpredictable demand.

Supply Risks: Supply risks occur when the raw materials your business relies on aren’t delivered on time
or at all, thereby causing disruption to the flow of product, material, and/or parts.

Environmental Risks: Environmental risk in the supply chain is the direct result of socio-economic,
political, governmental, or environmental issues that affect the timing of any aspect of the supply chain.

Business Risks: Business risks occur whenever unexpected changes take place with one of the entities
you depend on to keep your supply chain running smoothly — for example, the purchase or sale of a
supplier company.

Risk Reporting: A Cornerstone of Effective Risk Management

Risk reporting is the process of communicating information about an organization's risks to relevant
stakeholders. It's a crucial component of a robust risk management framework, providing insights into
potential threats, vulnerabilities, and opportunities.

Why is Risk Reporting Important?

1. Informed Decision-Making:
○ Enables executives and decision-makers to make informed choices by understanding the
potential risks and their implications.
○ Helps allocate resources effectively to mitigate critical risks.
2. Risk Awareness:
○ Fosters a culture of risk awareness throughout the organization.
○ Encourages employees to identify and report potential risks.
3. Regulatory Compliance:
○ Ensures adherence to regulatory requirements and industry standards.
○ Demonstrates a commitment to good governance and risk management practices.
4. Strategic Planning:
○ Supports strategic planning by identifying potential roadblocks and opportunities.
○ Helps align business strategies with risk tolerances.
5. Investor Confidence:
○ Provides transparency to investors and other stakeholders.
○ Builds trust and confidence in the organization's ability to manage risks.

Key Elements of Effective Risk Reporting

1. Clear and Concise Communication:
○ Use simple language and avoid technical jargon.
○ Present information in a clear and concise manner.
○ Tailor the report to the specific audience.
2. Focus on Key Risks:
○ Prioritize the most critical risks and their potential impact.
○ Avoid overwhelming stakeholders with excessive detail.
3. Visualizations:
○ Use charts, graphs, and other visual aids to enhance understanding.
○ Highlight trends and patterns in risk data.
4. Actionable Insights:
○ Provide specific recommendations for mitigating risks.
○ Include key performance indicators (KPIs) to track progress.
5. Regular Reporting:
○ Establish a regular reporting cadence to ensure timely updates.
○ Adapt the frequency to the nature and severity of the risks.

Common Risk Reporting Techniques

1. Risk Registers:
○ A centralized repository of identified risks, their likelihood, and potential impact.
○ Used to track and prioritize risks.
2. Key Risk Indicators (KRIs):
○ Metrics that measure the level of exposure to specific risks.
○ Used to monitor risk trends and trigger early warning signals.
3. Risk Heat Maps:
○ Visual representations of risks based on their likelihood and impact.
○ Used to identify high-priority risks.
4. Scenario Analysis:
○ A technique for exploring potential future outcomes.
○ Used to assess the impact of different risk scenarios.

By effectively implementing risk reporting practices, organizations can strengthen their risk management
capabilities, improve decision-making, and enhance their overall resilience.
