Risk management should be at core of corporate governance

Corporate risk arises at every level in organisations. This can take the form of strategic, managerial, and operational risk. Operational risks occur within the enterprise and can come in the form of fire, accident, theft, and so on.

Managerial risks reflect hazards that could occur from the organisation’s activities: product liability, third party risks for example. Risks at these levels are typically well handled by the enterprise risk management policies and systems.

They are also readily and in many cases covered by taking out relevant insurance policies.

At the operational and managerial levels, the director’s responsibility is to ensure that appropriate policies and control systems are in place and are effective throughout the organisation.

The board acts in a supervisory role, overseeing management policies, systems, and performance. The practice is that many boards delegate such responsibilities to the audit committee; and indeed this is recommended by several exchange listing rules.

Critical strategic risk, however, is another matter. At Enron, the board failed to understand that the company had moved beyond being a supplier of energy to a business trading in financial derivatives.

In effect, Enron had become a financial institution with a quite different risk profile from that of an energy supplier.

Moreover, the outside directors seemed to be unaware of the high risk that their executive directors were taking. In the case of Northern Rock Bank, none of the non - executive directors were bankers.
The chairman was a zoologist. The executive directors, placing more emphasis on revenue generation than risk management, traded in sub-prime mortgage products.

The board failed to appreciate the risks involved. A run on a British Bank is very rare, but in September 2007 it happened to Northern Rock, the United Kingdom’s fifth largest mortgage lender.

On Friday September 14, 2007, the Bank of England, acting as the ‘lender of last resort’, provided an emergency facility to prop up Northern Rock but to no avail. BP Plc and Eskom of South Africa have not been spared the vagaries of strategic risks.

The board of BP Plc faced a strategic catastrophe when the collapse of the Deepwater Horizon oil rig led to massive pollution in the Gulf of Mexico.

The disaster, which had been treated as operational or managerial risk by the board, had political and economic impacts that more than halved the company’s market value and even put its survival at risk. Closer home, Kenya has recently suffered a great deal of institutional failures ranging from state corporations to financial institutions.

The failures can be rightfully attributed to weak or poor corporate governance practice and structures and weak enterprise management.

The policies, procedures and systems affecting the way these institutions were directed, controlled or managed fell short of expected standards. Stewardship appeared to have taken a rear instead of being at the centre stage.

There is need for a paradigm shift and this should be to put enterprise risk management at the centre stage in the direction of corporate entities.