“The biggest risk is not taking any risk. In a world that is changing really quickly, the only strategy that is guaranteed to fail, is not taking any risks.” – Mark Zuckerberg
Risk, due to the uncertainty it relates to, is a term that is sometimes feared and sometimes embraced. Although a natural instinct might be the avoidance of risk, as Mark Zuckerberg stated above, this might be the biggest risk of all. Risk management therefore is a crucial component of an entity’s management plan. Risk management might sound daunting and it does comprise a lot of elements.
The KING IV report on corporate governance in South Africa was launched on 1 November 2016 and is effective for financial years starting on or after 1 April 2017. The main purpose of the latest KING IV report is to assist an entity in ensuring that its corporate governance practices are sufficient. The KING IV report could however also assist an entity in its risk management process.
The risk management process consists of the following five steps:
- Identify risks
- Analyse risks identified
- Evaluate the risks
- Respond to the risks
- Monitor the risks and review the outcomes
Principle 8 of the KING IV report states that: “The governing body should ensure that its arrangements for delegation within its own structures promote independent judgement, and assist with balance of power and the effective discharge of its duties” (Institute of Directors Southern Africa, 2016). One of the specific committees mentioned in principle 8 that a governing body could delegate some of its responsibilities to is a committee responsible for risk governance. It should however be emphasized while the risk governance function may be delegated to a specific committee, the governing body remains solely responsible for risk governance.
In addressing the manner in which such risk governance is to take place, Principle 11 of the KING IV report states that, “The governing body should govern risk in a way that supports the organisation in setting and achieving its strategic objectives” (Institute of Directors Southern Africa, 2016). It is therefore clear that the function of risk governance should not hinder an entity in achieving its strategic objectives but rather support an entity in achieving them.
In addition to the abovementioned principles, The KING IV report sets out the risk management process as the identification of possible risks, determining the impact of these risks on the organisation’s goals and the mitigation of these risks according to the entity’s risk appetite and tolerance. This process correlates to the risk management process mentioned earlier. The determination of an entity’s risk appetite and tolerance also lies with the governing body as set out in the KING IV report.
Given that the KING IV report’s primary focus with regards to risk management is that the responsibility of risk management that lies with the governing body, all other functions and responsibilities of the governing body that are implemented via an organisation’s policies and procedures should be considered where the management of risk is concerned. The risks that will be most effectively managed by the implementation of sound corporate governance principles are internal risks, with specific reference to the risk of fraud. Internal risks are risks that occur in an organisation as a result of their self-developed business practices, which means that these risks could be mitigated by proper governing principles within an entity. It must be noted that this might mean that external risks will not necessarily be as easily mitigated solely by good corporate governance principles since these risks are outside of the control of the entity, they could however be managed effectively by the process set in place by the proper implementation of the KING IV report.
The effective management of risks can be assisted by good corporate governance principles as set out in the KING IV report. Organisations are therefore encouraged to not take the biggest risk of all by taking some risks and ensuring they are managed effectively.