A crisis of corporate governance?
During the last twelve months there have been a staggering number
of national and international reports, reviews and studies published
regarding deficiencies in approaches to corporate governance.
Analysis of the fall-out from the global financial crisis has unearthed
a broad range of governance failings and, according to one report,
“the widespread failure of risk management”.
What lies at the core of many of these reports and reviews is the fact
that short-term, unrealistic, profit-driven business objectives have
over-ridden internal risk management structures designed to monitor
risk appetite, limit excessive risk taking and enable longer-term
growth and sustainable profitability.
Control mechanisms were found to be ineffective, reporting structures
inadequate and board members incapable of comprehending the risks
their organisations faced, while risk managers were unable to influence
strategic decision-making due to their lack of authority.
In summary the key recommendations of the various reports
were as follows:
- The risk management strategy must be compatible with the
overall corporate strategy of the organisation and its risk appetite
- Risk management must be considered on an enterprise-wide basis
and not on an individual business unit level
- Risk management must be integral to every process within the
organisation and not be viewed as a ‘bolt-on’ to existing practices
- Effective control mechanisms should be in place to limit excessive
risk taking
- The risk management function must have sufficient authority to
be able to influence the activities of the risk takers
- The risk management function should be independent of any
“profit centres” within the organisation
- Clear lines of responsibility must be established, with the board
having ultimate responsibility for the organisation’s overall risk
strategy
- Board members should have a full understanding of the risks
faced by their organisation
- The risk expertise within the organisation must be sufficiently
broad to encompass the full range of risks faced by the
organisation, rather than simply those considered priority risks
- Risk management processes and compliance procedures should
be audited on a regular basis
- A “fit and proper person test” should be conducted regularly to
ensure that all persons responsible for implementing and
maintaining the organisation’s risk management strategy are
capable of doing so
- Structures should be in place to facilitate access to real-time
information on risks to allow for a more rapid and effective
response in the event of a risk materialising
- The risk management processes and information on any risk
assessments should be appropriately disclosed
- Any potential risks arising from compensation and
incentive schemes should be assessed
What is perhaps most alarming about this extensive and far-reaching
list of recommendations (and as mentioned this is only a summary of
some of the main findings) is that these are in effect the basic
principles of effective risk management that we have been aware of
for some time. There is nothing new in this list. Risk management
must be enterprise wide, aligned with business objectives, have
strategic influence, be all-encompassing, be carried out by those
qualified to do so and be continually assessed.
What the financial crisis has revealed is not a failing on the part of
risk management, but rather a failure in the ability of leaders of organisations to implement and maintain the standards which any
effective risk strategy must adhere to.
Should you wish to speak to a Kane expert about any of the issues
raised in this case study, please contact:
Wafa Al Ammadi
Executive – Insurance and Risk Management
T +973 1711 1020
E wafa.al-ammadi@kane-group.com