The fundamental purpose of risk management is not to help a governing body avoid all risks that the organisation faces (Organisation for Economic Co-operation and Development Risk Management and Corporate Governance (OECD Publishing 2014) (www.oecd.org, accessed 31-8-2021)).
Risks often stand between the business and reaching beneficial objectives. Without taking risks, the organisation will never have the chance to innovate, change or develop its business. The whole goal of risk management is to make sure that the organisation only takes the risks that will help it achieve its primary objectives while keeping all other risks under control (‘The importance of risk management in an organisation’ (www.careersinaudit.com, accessed 31-8-2021)).
The difference between a pure risk and a speculative risk is that the former has the possibility of a loss and there is no opportunity that can be exploited, and the latter has the possibility of either producing a gain or a loss (Entsgo ‘Risk Management – Pure Risk and Speculative Risk Explained’ (www.supgrp.com, accessed 31-8-2021)). Pure risks are those risks that a company needs to avoid if possible, since there is no potential benefit to be gained from them. Speculative risks require that one decides whether they are worth pursuing, since one can either benefit or lose depending on how one manages those risks.
According to King IV, ‘the governing body should govern risk in a way that supports the organisation in setting and achieving its strategic objectives. The nature and extent of the risks and opportunities the organisation is willing to take should be disclosed without compromising sensitive information. In addition, the following should be disclosed in relation to risk:
…
(c) Actions taken to monitor the effectiveness of risk management and how the outcomes were addressed’ (Institute of Directors of Southern Africa (IoDSA) ‘General Guidance Note: Summary of King IV: Disclosure requirements’ (https://saef.org.za, accessed 31-08-2021)). The risk management process starts when the practitioner sets the policies and philosophy of risk management for the practice (Chartered Secretaries Southern Africa ‘Risk Management’ (2010) (www.chartsec.co.za, accessed 31-8-2021)).
The board should determine the level of risk tolerance and ensure that appropriate risk responses are considered and implemented (Deloitte ‘Risk Committee Resource Guide’ (2014) (www2.deloitte.com, accessed 31-8-2021)). The board is responsible for making decisions regarding the –
The board should guide the entity in a direction that will be beneficial to all the stakeholders of the business. The board is responsible for ensuring that stakeholders are made aware of all risk-related information (Glenn Jarrad ‘How to communicate risk to project stakeholders’ (www.safran.com, accessed 31-8-2021)). The board ensures that frameworks and methodologies set in place are implemented in such a way that they increase the probability of anticipating unpredictable risks.
When developing risk management plans, and proactively planning for designing controls etcetera, one of the key points to consider, is simply ‘to know the business’. ‘To know the business’ can be achieved by implementing the recommendations contained in King III and King IV Codes, which make it clear that it is fundamental to understand and appreciate the context within which the risk management should be performed. To do that, the organisation should follow a top-down approach to risk management, in which the board and management take responsibility and delegate specific activities to the employees under them (Andre Brodeur and Martin Pergler McKinsey Working Papers on Risk, Number 22: Top-down ERM: A Pragmatic Approach to Managing Risk from the C-suite (2010) (www.mckinsey.com, accessed 31-8-2021)).
There is a need for legal practitioners to be hands-on with the affairs of their practices and to focus on strategic, rather than operational, issues. The practitioners have overarching responsibility for the governance and management of risk in their practices and may task the compliance risk officer (CRO) to assist. The role of the CRO comes into play in connecting management and the board with the line managers who work with the CRO, who have been trained in the management of risks and who take responsibility for the risks in the various departments or sections throughout the organisation. The delegation of any power, or action taken by the CRO, ‘does not alone satisfy or constitute compliance by a director with the required duty of a director to the company’ (s 72(3) Companies Act 71 of 2008). Risk managers should add value to the organisation by ensuring not only that risk is managed in a prudent manner, but also that they provide guidance and advice on proactively bettering the organisation (Deloitte ‘Finding New Ways for Risk Teams to Add Value to the Business’ (https://deloitte.wsj.com, accessed 31-8-2021)).
The key to this is to ensure that you are always forward-looking, rather than addressing problems when (or after) they arise. ‘By developing and implementing a proactive risk management approach, supported by the right risk management tools, you can identify and minimise the negative impact of risk on your organisation’s productivity and profitability’ (Lyle Del Vecchio ‘Proactive risk management – identifying and avoiding risks’ (https://planergy.com, accessed 31-8-2021)). Corporate governance standards should place emphasis on ex-ante identification of risks, and risk management should emphasise both strategic and operational risk (OECD (op cit) at p 7).
Tools typically used in compliance risk identification and analyses are –
Escalation triggers serve to notify the relevant stakeholders of potential problems, such as processes that are increasingly prone to risk. Provided that specific triggers have been defined and agreed on by the relevant stakeholders, those stakeholders will be alerted when a problem reaches a certain predetermined level. Rule 54.14.10 of the Legal Practice Council (LPC) Rules, made under the authority of ss 95(1), 95(3) and 109(2) of the Legal Practice Act 28 of 2014, requires a legal practitioner to immediately report in writing to the LPC should the ‘total amount of money in its trust bank accounts and money held as trust cash be less than the total amount of credit balances of the trust creditors shown in its accounting records’. Minimum operating standards, self-assessment, and file audits/reviews also assist in the risk identification and analysis process.
‘The identification, evaluation and mitigation of risks can be carried out with both formal and informal tools and techniques’ (DueDil ‘Tools and techniques for risk management’ (www.duedil.com, accessed 31-8-2021)). Risk analysis is finding out more about the risk and developing an understanding of the potential impact that it may have. Risk identification is highlighting risks so that you can prepare to address them if they materialise and to capitalise on them if they present opportunities. Risk evaluation is comparing the level of risk found during your analysis with the risk criteria that you established when you determined the context of risk management within the organisation.
Detect controls, action plans and the flow of information are control-framework elements that should be reviewed and engaged with on a highly frequent basis (weekly or daily). Detect controls are typically developed to identify problems that have occurred within a short period of time in order to minimise any loss that may result from them. Client complaint procedures that alert you at an early stage to any client dissatisfaction are detect controls that are regularly engaged with in a legal practice. Back-stop controls are used during the monitoring of risk and are infrequent reviews, such as the quarterly compliance report, that are intended to minimise the loss incurred from risk-related problems. Proper induction, training and development of staff, and effective knowledge management, are also crucial in risk management.
Key Risk Indicators (KRIs) ‘helps a company work toward its goals without incurring the sting of non-compliance or breaches’ (Comply ‘Risk Management: What are Key Risk Indicators?’ (www.v-comply.com, accessed 31-8-2021)). The KRIs allow the compliance functionary to monitor risks related to business processes and, as such, are a useful tool for highlighting inefficiencies or poor performance in business processes. An analysis of the KRIs can help a compliance functionary develop better processes throughout the business and improve the process of risk monitoring.
The main considerations when determining the frequency with which core compliance reviews of business processes should be conducted are the risk ratings attached to those processes and the extent to which the processes are likely to have changed. Risk ratings are based on your own opinion (Katie Yahnke ‘How to use a risk assessment matrix’ (https://i-sight.com, accessed 31-8-2021)). The risk rating assigned to each process provides the organisation with a reasonable idea of its probability and seriousness, which should allow the risk to be prioritised appropriately and scheduled for review as needed (Integrity Governance Advisory ‘Compliance monitoring plan’ (https://igadvisory.co.za/, accessed 2-2-2022)).
The compliance mandate is to mitigate risk with an understanding of compliance law (David Strachan and Rebecca Walsh ‘Targeting compliance: The changing role of compliance in the Financial Services Industry’ (www2.deloitte.com, accessed 31-8-2021)). During the monitoring phase the compliance function should aim to assist management in focusing on how business processes operate, in order to identify areas where the quality of those processes can be improved. The compliance function should, to the extent that it is feasible, align its activities with those of the organisation, and improving the quality of business processes is one such opportunity (Deloitte ‘Compliance modernisation is no longer optional: How evolved is your approach?’ (2017) (www2.deloitte.com, accessed 31-8-2021)). It is a sure way to demonstrate the value of the compliance function, which could help foster a company culture that is supportive of its work.
Risk policies and procedures implemented by the board and management should not be challenged. ‘Creating a culture of risk is a step towards progress and innovation. While not easy or quickly done, it will improve every aspect of an organisation’ (Jon Siegler ‘Creating a culture of risk throughout the organisation’ (www.logicgate.com, accessed 31-8-2021)). Practitioners should set the tone for the organisation’s risk culture. Employees should be held accountable for any conduct or actions that disregard or subvert the company’s risk culture. Risk culture determines the organisation’s attitude towards risk, how the organisation integrates it, how important it is considered to be, and how people will engage with the risks they encounter in the pursuit of business objectives. A poor risk culture can result in a financial crisis.
Risk can come from both internal and external sources. External risks are those that are not in the direct control of management. The key difference between regulatory risk and compliance risk is that the former describes the potential loss or damage that a company could incur through failing to comply with regulatory requirements, while the latter describes the risk that the systems and processes that have been put in place to ensure compliance with those regulations prove to be inefficient or ineffective (IRBA Guide for Registered Auditors (Revised, 2020) (www.lssa.org.za, accessed 31-8-2021)). The factors contributing to a high risk of non-compliance with applicable legislation are the large number of regulatory requirements that organisations are obliged or expected to comply with, industry-specific regulations, and the difficulty of interpreting those regulations.
The different types of risks that organisations have to contend with in the pursuit of business objectives are operational, strategic, legal and reputational (Tasneem Suliman Joosub Risk Management Strategies to Maintain Corporate Reputation (MCom thesis, UNISA, 2006) (https://core.ac.uk, accessed 31-8-2021)). The imprisonment of employees because of misconduct, or non-compliance, would have the most severe impact on the long-term standing of a business. In many instances, it would entail bad press coverage and, possibly, the suspension of business activities. The reputational damage that would result from having the business’s misconduct published in a popular newspaper would do more long-term harm to a business than a temporary suspension of activities. Additionally, the financial loss that stems from suspension is still likely to be larger and more detrimental to a business than the imposition of a minor fine.
Sipho Nkosi BProc (UKZN) (CISA) is a Risk Governance Practitioner at Integrity Governance Advisory in Ekurhuleni.
This article was first published in De Rebus in 2022 (March) DR 12.