Wafa Al Ammadi considers the findings of recent corporate governance reports
During the last twelve months there have been a staggering number of national and international reports, reviews and studies published regarding deficiencies in approaches to corporate governance.
Analysis of the fall-out from the global financial crisis has unearthed a broad range of governance failings and, according to one report, “the widespread failure of risk management”.
What lies at the core of many of these reports and reviews is the fact that short-term, unrealistic, profit-driven business objectives have over-ridden internal risk management structures designed to monitor risk appetite, limit excessive risk taking and enable longer-term growth and sustainable profitability.
Control mechanisms were found to be ineffective, reporting structures inadequate and board members incapable of comprehending the risks their organisations faced, while risk managers were unable to influence strategic decision-making due to their lack of authority.
In summary, the key recommendations of the various reports were as follows:
• The risk management strategy must be compatible with the overall corporate strategy of the organisation and its risk appetite
• Risk management must be considered on an enterprise-wide basis and not on an individual business unit level
• Risk management must be integral to every process within the organisation and not be viewed as a ‘bolt-on’ to existing practices
• Effective control mechanisms should be in place to limit excessive risk taking
• The risk management function must have sufficient authority to be able to influence the activities of the risk takers
• The risk management function should be independent of any “profit centres” within the organisation
• Clear lines of responsibility must be established, with the board having ultimate responsibility for the organisation’s overall risk strategy
• Board members should have a full understanding of the risks faced by their organisation
• The risk expertise within the organisation must be sufficiently broad to encompass the full range of risks faced by the organisation, rather than simply those considered priority risks
• Risk management processes and compliance procedures should be audited on a regular basis
• A “fit and proper person test” should be conducted regularly to ensure that all persons responsible for implementing and maintaining the organisation’s risk management strategy are capable of doing so
• Structures should be in place to facilitate access to real-time information on risks to allow for a more rapid and effective response in the event of a risk materialising
• The risk management processes and information on any risk assessments should be appropriately disclosed
• Any potential risks arising from compensation and incentive schemes should be assessed
What is perhaps most alarming about this extensive and far-reaching list of recommendations (and, as mentioned, this is only a summary of some of the main findings) is that these are in effect the basic principles of effective risk management that we have been aware of for some time. There is nothing new in this list. Risk management must be enterprise-wide, aligned with business objectives, have strategic influence, be all-encompassing, be carried out by those qualified to do so and be continually assessed.
What the financial crisis has revealed is not a failing on the part of risk management, but rather a failure in the ability of leaders of organisations to implement and maintain the standards which any effective risk strategy must adhere to.
Wafa Al Ammadi is an executive in Kane’s insurance and risk management practice.