CHAPTER 5

CORPORATE GOVERNANCE
AND RISK MANAGEMENT
REQUIREMET

RISK AND GOVERNANCE

Risk comes from not knowing what you are
doing;
if you dont understand, then dont do it.
== Warren Buffet.

The governance framework is there to

encourage the efficient use of resources and
equally to require accountability for the
stewardship of those resources. The aim is
to align as nearly as possible the interests of
individuals, corporations and society.
= = Sir Adrian Cadbury, UK, Commission Report:
Corporate Governance 1992)
2

Why? Business Case

Risks should not always be managed but

MUST BE UNDERSTOOD
NO SURPRISES
Process should enable Management to
take correct decisions
Risks are not only BAD THINGS
HAPPENING but also GOOD THINGS NOT
HAPPENING
Some identified risks may be acceptable
as they are RESOURCES ARE NOT
UNLIMITED

Risk governance
Governance refers to the actions, processes,

traditions and institutions by which authority

is exercised and decisions are taken and
implemented.
Risk governance applies the principles of good
governance to the identification, assessment,
management and communication of risks

Risk Management
What is Risk Management?

Risk management is the identification,

assessment, and prioritization of risks.
It is defined in ISO 31000 as the effect of uncertainty

on objectives (whether positive or negative) followed

by coordinated and economical application of
resources to minimize, monitor, and control the
probability and/or impact of unfortunate events or to
maximize the realization of opportunities.

The changing risk landscape

Business dynamics are changing risk profiles and
challenging traditional risk management frameworks
External Developments

Internal Demand

Investors are more

sensitive to deviation
from earnings
expectations
Trial of disasters
Heightened regulatory,
board/investor, and
accounting
requirements

Legacy of crises or
near misses
Real and perceived
rise in the number
and severity of risks
Corporate
governance
challenges

Methodological
Advances

Risk analytics
Shareholder Value
measures
Portfolio analytics
Systems and
databases

Enterprise Risk Management

Establishment of a board risk committee and/or appointment of a

chief risk officer
Realignment or organisational roles and responsibilities
Improvement in risk analytics, reporting, and early warning
systems
Application of risk management in business processes
Optimisation of risk/return performance

Improving risk quality demonstrates good corporate

governance and has clear implications for shareholder value 1
There is a clear correlation between companies risk quality
and their financial performance
Diligently pursuing property risk improvement practices is a characteristic of value
creating firms

High-quality risk
Risk quality is a
engineering was
strategic issue and
found to be highly
an essential aspect
correlated with low
of effective
cash flow volatility, a
corporate
core value driver.
governance
procedures.
Stable cash flow is a
strong
driver
of value
Operational cash flow, risk and
expected
growth
constitute the three core drivers
of shareholder value
creation.

A clear empirical
connection was
found between risk
quality and
shareholder value
performance.

Therefore, by doing one of the following, shareholder value is

enhanced.
Increasing or protecting the cash flow generated from operations.
Improving the growth rate in operating cash flow.
Reducing the risk associated with generating cash flow (i.e. the
Source: Improving Risk Quality to Drive Value - An independent research briefing commissioned by FM Global and undertaken
cost
capital).
by
Oxfordof
Metrica
in 2003.
1

Corporate governance and risk management

To achieve internal corporate governance,

organizations will often implement controls to

protect the assets of the organization.
This explains why the more usable definition
of corporate governance is a sound system
of internal controls.
In the same way that internal control is one
aspect of corporate governance, risk
management is one aspect of internal
control.
This is because a companys objectives,
internal organization and the environment in

Corporate governance and risk management

Risk management not only provides a mechanism

for treating risks that might prevent an

organisation from achieving its objectives, but
also provides the flexibility for the organisation to
respond to unexpected threats and take
advantage of opportunities. Risk management
therefore provides the resilience.
In short, corporate governance is the glue that
holds an organisation together in pursuit of its
objectives, and risk management provides the
resilience. With this resilience comescompetitive
advantage.

Corporate governance and risk management

Management practices that provide governance

are at the same time control activities to address

risks. Looking at it another way, control activities
establish the control environment which provides
governance, i.e. the management of risks is also
governance.
Governance frameworks provide the structure
within which the control activities operate.
RM is based on a set of principles that are
essential for the development of good risk
management practice. These are all derived from
proven corporate governance principles in the
recognition that risk management is a subset of
any organizations internal controls.

HOW DOES RM SUPPORT CG?

Principle:

CG Principle

RM Principle

Organizati
onal
context

A companys system of internal

control will reflect its control
environment and should be
capable of responding quickly
to evolving risks to the business
arising from factors within the
company and to changes in the
business environment.

The starting point for risk

management is to
understand the context of
the organization or
activity under examination
and hence avoid blind
spots. Context includes the
political, economic,
social, technological, legal
and environmental
backdrop.

Stakeholde
r
involveme
nt

The board as a whole has

responsibility for
ensuring that a satisfactory
dialogue with
shareholders takes place. The
annual report and accounts
should include such
meaningful, high-level
information as the

Risk management should

engage with all primary
stakeholders to ensure that
the objectives of the
organization or activity
under examination are
established and agreed.

HOW DOES RM SUPPORT CG?

Principle:

CG Principle

RM Principle

Organizati
onal
objectives

A companys objectives, its

internal organization and the
environment in which it
operates are continually
evolving and as a result, the
risks it faces are continually
changing. A sound system of
internal
control therefore depends on a
thorough and
regular evaluation of the nature
and extent of the risks which
the company is exposed.

As the purpose of risk

management is to strive to
understand and manage
the threats and
opportunities arising from
the objectives of the
organization or activity, risk
management can only
commence when it is clear
what these objectives are.

RM
approach

The board of directors is

responsible for the
companys system of internal
control. It should set
appropriate policies on internal
control and seek regular
assurance that will enable it to

Organizations should
develop an approach tot he
management of risk that
reflects their unique
objectives. It is common for
organizations to
describe their approach

HOW DOES RM SUPPORT CG?

Principle:

CG Principle

RM Principle

Reporting

The reports from management

to the board should, in relation
to the areas covered by them,
provide a balanced assessment
of the significant risks and the
effectiveness of the system of
internal control in managing
those risks. Any significant
control failings or weaknesses
identified should be discussed
in the reports, including the
impact that they have had, or
may have, on the company and
the actions being taken to
rectify them.

The governing body of the

organization should
receive, review and act on
risk management reports.
As a result, a fundamental
aspect of risk management
is the timely
communication of risk
information to the
management team to
enable it to
make informed decisions.

Roles and
responsibil
ities

All employees have some

responsibility for internal
control as part of their
accountability for achieving
objectives. They, collectively,

Organizations should
establish clear roles and
responsibilities for the
management of risk in
terms of leadership,

HOW DOES RM SUPPORT CG?

Principle:

CG Principle

RM Principle

Support
structure

People in the company (and in

its providers of outsourced
services) have the knowledge,
skills and tools to support the
achievement of the companys
objectives and to manage
effectively risks to their
achievement.

A risk management team is

required to ensure that the
policies are adhered to, the
process is followed,
appropriate techniques are
adopted, reports are issued
to meet senor management
and
board requirements, the
regulators guidelines are
adhered to and best
practice is followed all at
the
appropriate time.

Early
warning
indicators

A sound system of internal

control therefore
depends on a thorough and
regular evaluation of the nature
and extent of the risks which

Organizations should
establish early warning
indicators for critical
business activities to
provide information on the

HOW DOES RM SUPPORT CG?

Principle:

CG Principle

RM Principle

Review
cycle

The directors should, at least

annually, conduct a review of
the effectiveness of the groups
system of internal control and
should report to shareholders
that they have done so. The
review should cover all material
controls, including financial,
operational and compliance
controls and risk management
systems.

As with an organizations
objectives, its internal
organization and
environment within which it
operates are continually
evolving. A sound and
effective risk process is
contingent on regular
reviews of the risks faced
and the policies, processes
and strategies it is adopting
to manage them.

Overcomin
g
barriers to
RM

The companys culture, code of

conduct, human resource
policies and performance
reward systems support the
business objectives and risk
management and internal
control system.

There needs to be
recognition that even
though an organization has
risk management policies,
processes and strategies in
place, this will not
automatically lead to
robust, effective and

HOW DOES RM SUPPORT CG?

Principle:

CG Principle

RM Principle

Supportive
culture

Senior management should

demonstrate, through its
actions as well as its policies,
the necessary commitment to
competence, integrity and
fostering a climate of trust
within the company.

Organizations should
establish the right culture
to support management of
risk throughout the
organization. A supportive
culture will be one that
embeds risk management
into day-to-day operations
and recognises the benefits
of risk management.

Continual
improvem
ent

The boards annual review of

the effectiveness of the groups
system of internal controls
should cover all material
controls, including financial,
operational and compliance
controls and risk management
systems.

Organizations that are

interested in continual
improvement should
develop strategies to
improve their risk maturity
to enable them to plan and
implement step changes in
their risk management
practices

Risk Management & Corporate Governance

Corporate governance and risk management are

interrelated and they are interdependent.

The stability and the improvements of the companys
performance are highly depended on the effective
role of both components.
The element of control is one of the corporate
governance roles, while a controlled environment is
developed from the risk management process.
Corporate governance may be regarded as the glue
which holds an organisation together in pursuit of its
objective. Risk management provides the resilience.
Knight (2006))
In fact, the EWRM concept and practice have been
observed as a vital engine for strengthening
corporate governance (Bowling & Rieger, 2005).

Risk Management & Corporate Governance

Good corporate governance is an environment where

the boards and the top management provide quality

management to enhance companys performance in
the interest of shareholders (Mobius, 2002).
It is the systems and processes that are used to
protect shareholders as well as other stakeholders,
and risk management is one of the components of
corporate governance.
Thus, Knight (2006) defined corporate governance in
relation to risk management as the way in which an
organisation is governed and controlled in order to
achieve its objectives. The control environment
makes an organisation reliable in achieving these
objectives within an acceptable degree of risk.

Corporate Governance Compliance and Risk

Management Requirement in Malaysia
Internal control becomes one of principles of

the MCCG under the responsibility of the

BOD. Detailed provisions of the MCCG
(Finance Committee on Corporate
Governance, 2000) on internal control and
risk management are stated in Principle DII in
Part 1 and Best Practice Provision AAI in Part
2.
Principle DII in Part 1
The board should maintain a sound system
of internal control to safeguard shareholder
investment and the companys asset.

Corporate Governance Compliance and Risk

Management Requirement in Malaysia
Best Practice Provision AA1 in Part 2
The board should explicitly assume the following principle
responsibilities:
Identifying principal risks and ensure the implementation

of appropriate systems to manage this risk (the 3rd

principle).
Reviewing the adequacy and the integrity of the

company's internal control systems and management

information systems, including system for compliance
with applicable laws, regulations, rules, directive and
guidelines (the 6th principle).

Corporate Governance Compliance and Risk

Management Requirement in Malaysia
The Code was incorporated into the new Bursa

Listing Requirements and it is applied to all PLCs

in Malaysia.
The requirements impose upon the listed
companies the mandatory obligation to make
immediate disclosure of material information
including risk management practices in the annual
report to the shareholders and other stakeholders.
With the requirements, it would possibly assist the
public listed companies to successfully implement
the risk management and achieve their objectives.

Corporate Governance Compliance and Risk

Management Requirement in Malaysia
Paragraph 15.26
A listed issuer must ensure that its board of directors
make the following statements in relation to its
compliance with the Malaysian Code on Corporate
Governance in its annual report:

a narrative statement of how the listed issuer must ensure has applied the
principles set out in Part 1 of the Malaysian Code on Corporate
Governance to their particular circumstances; and
a statement on the extent of compliance with the Best Practices in
Corporate Governance set out in Part 2 of the Malaysian Code on
Corporate Governance which statement shall specifically identify and give
reasons for any areas of non-compliance with Part 2 and the alternatives
to the Best Practices adopted by the listed issuer, if any.

Paragraph 15.27(b)
A listed issuer must ensure that its board of directors
includes in its annual report a statement about the
state of internal control of the listed issuer as a group.

QUESTION
Is Risk Management a tool in good
corporate governance or a good corporate
governance is essential through proper
controls over risk management?

24