BBK3253 | Risk Management

Prepared by Khairul Anuar

Lecture 3 – Risk Management & Corporate Governance

– Case studies – Singapore Airlines & Vodafone plc

www.notes638.wordpress.com


Risk Environment and Context

• The first step in managing risk is to scan all factors contributing to the environment in which risk has to be managed.

• Normally, the factors are divided into two: external and internal factors.


External Factors

• Establishing the external factors involves familiarisation with:

1. Laws and Regulation

• Laws and regulation can have an effect on the capability of an organization to achieve the objective and targets. For example, some laws and regulation may prevent the organisation from doing certain things that they normally do. On the other hand, some laws and regulations can benefit the organisation.

2. Economy

• Some countries may have very volatile economies which can affect the market, while other countries may have a mature economic environment. Other effects like the economic cycle, inflation and unemployment will have an impact on businesses.


External Factors

3. Corporate Governance Requirements

• In Malaysia, the Securities Commission Malaysia has released the Malaysian Code on Corporate Governance (MCCG); this is to be implemented by companies listed in the Bursa Malaysia to foster a strong culture of corporate governance. All organisations listed under the Bursa Malaysia are required to comply with the MCCG.

4. Government

• Many organisations have relationships with government bodies such as ministries, which they are dependent on in terms of policies, financing and operations.


External Factors

5. Stakeholders’ Expectations

• Most organisations have a number of interdependencies which impact the organisation’s risk management. These interdependencies are called the extended enterprise.

• Some examples of interdependencies include government bodies, partner organisations, customers, contractors, suppliers, employees and others.

• Stakeholders’ expectations may affect the way we normally deal with specific risks. They may be unwilling to accept the risk management actions which appear effective for the organisation.

• It is quite common for organisations to overlook stakeholders’ expectations when managing risks.


Internal Factors

• Once you are familiar with the external factors, you need to assess the internal factors which involves understanding the following:

1. Organisation’s capabilities in terms of resources and knowledge;

2. Internal stakeholders;

3. Objectives and the organisation’s strategies to achieve them;

4. Values and cultures;

5. Policies and processes; and

6. Governance structure, business structure, roles and accountabilities.


Corporate Governance in Malaysia

• Let us look into how risk management is applied in the Malaysian Code on Corporate Governance (MCCG).

• MCCG was first issued in March 2000 by the Securities Commission Malaysia in order to strengthen the corporate governance culture among public listed companies. It was later revised in 2007.

• The latest issuance in 2012 is focused on strengthening the structure and composition of the Board.


Corporate Governance in Malaysia


Corporate governance:

1. Is an obligation placed on the board of an organisation; and

2. It ensures stakeholders’ confidence in the ability of the organisation to achieve outcomes (revenue, profit, market share, etc.).

• MCCG is compulsory for companies listed under Bursa Malaysia.

• However, other organisations are encouraged to adopt the principles and recommendations of the MCCG 2012. This is to ensure those companies achieve the desired financial target and are sustainable.


Corporate Governance Principles and Recommendation

• The MCCG has identified 8 principles of good corporate governance culture.

• Along with the principles, it has addressed several recommendations to be implemented by the Board of Directors (BOD) and management team of an organisation.


Corporate Governance Principles and Recommendation

Principle 1: Establishing clear roles and responsibilities;

Principle 2: Strengthening composition;

Principle 3: Reinforcing independence;

Principle 4: Fostering commitment;

Principle 5: Upholding integrity in financial reporting;

Principle 6: Recognising and managing risk;

Principle 7: Ensuring timely and high quality disclosure; and

Principle 8: Strengthening the relationship between company and shareholder.


Implementation of Principle 6: Recognising and Managing Risk

• Principle 6 relates to risk management: it requires the BOD of an organisation to establish a sound framework to manage risk.

“Risk management framework and internal controls system

The board is required to establish a sound framework to determine the company’s level of risk tolerance and actively identify, assess and monitor key business risks.”

• In doing so, the BOD has to ensure that the organisation’s risks are being identified, assessed and monitored actively to safeguard shareholders’ investments and the organisation’s assets.

• The BOD also needs to disclose in the annual report the main features of the organisation’s risk management framework.


Principle 6 : RECOGNISE AND MANAGE RISKS


Recommendation 6.1

The board should establish a sound framework to manage risks.

Commentary

The board should determine the company’s level of risk tolerance and actively identify, assess and monitor key business risks to safeguard shareholders’ investments and the company’s assets. Internal controls are important for risk management and the board should be committed to articulating, implementing and reviewing the company’s internal controls system. Periodic testing of the effectiveness and efficiency of the internal controls procedures and processes must be conducted to ensure that the system is viable and robust. The board should disclose in the annual report the main features of the company’s risk management framework and internal controls system.


Recommendation 6.2

The board should establish an internal audit function which reports directly to the Audit Committee.

Commentary

The board should establish an internal audit function and identify a head of internal audit who reports directly to the Audit Committee. The head of internal audit should have the relevant qualifications and be responsible for providing assurance to the


Evaluation of Compliance

• It is common for the BOD to establish a risk and compliance committee with responsibilities to:

(a) Oversee the risk profile;

(b) Make its annual declaration on risk; and

(c) Approve policies and processes for managing risk.

• The committee has free access to senior management, risk and financial control personnel in carrying out its duties.


• Figure 1.5 illustrates the interrelation between corporate governance, risk management and the risk assessment process.

Interrelation between corporate governance, risk management and the risk assessment process


Figure 1: The interrelation between corporate governance, risk management and the risk assessment process

Source: Chapman (2013)


The Board of Directors (BOD) faces the challenging task of effectively overseeing the organisation’s enterprise-wide risk management to balance the way risks are being managed and to add value to the organisation.

In principle, risk oversight is the role of the BOD. However, many approaches to risk oversight fail to link risks to strategic business objectives.

Figure 2 shows an example of an effective risk oversight structure of Smiths Group plc.

Effective Risk Oversight


Figure 2: Example of effective risk oversight structure

Source: http://www.smiths.com

Effective Risk Oversight – Smiths Group plc


Managing risk

The diagram summarises how we manage risk

• The Board has ultimate responsibility for our risk management policies and for ensuring we have an effective system of internal control.

• The executive and operational management assess the risks facing our businesses and respectively create and implement our risk management policies.

• The Audit Committee ensures appropriate oversight of risk management and is supported by our internal audit function, which tests the effectiveness of our controls and identifies areas for improvement.


Case studies

1. Risk Management in Vodafone plc

Refer pages 51, 32 – 37 of 2015 Annual Report

2. Singapore Airlines

Risk Management Framework