It may be early days for audit committees in European companies, but they are largely meeting the role set out for them in the 8th European company law directive, according to the European Confederation of Directors’ Associations (ecoDa).
The directive, which took effect in 2008, is also consistent with many long-established corporate governance codes, adds ecoDa.
That includes the requirement in the directive’s article 41 for audit committees to ‘monitor the effectiveness of the company’s internal control, internal audit where applicable, and risk management systems’, it says.
However, an ecoDa guidance document for audit committees, issued last September, stated: “It is important that risk management and control are not seen as a burden on the institution, but rather the means by which opportunities are maximised and potential losses associated with unwanted events reduced.
“Risks manifest themselves in a range of ways and the effect of risks crystallising may have a positive as well as a negative outcome for the institution. It is vital that those responsible for the stewardship and management of an institution be aware of the best methods for identifying and subsequently managing such risks.”
However, views differ on how risk should be managed. For example, the Federation of European Risk Management Associations (Ferma) said, in a submission last year to the European Commission consultation on a corporate governance green paper: “The company board should bear primary responsibility for defining the risk management profile of the company, endorsing the company’s strategy and monitoring its operation for effectiveness.”
Although Ferma and the European Confederation of Institutes of Internal Auditing (ECIIA), in joint guidance for company boards and audit committees, say that risk management is everyone’s responsibility, they call for ‘a centralised risk management function for coordinating and helping [to] effect risk management across the organisation’.
Organisations can, if large enough, appoint a chief risk officer, who should report through the chief executive to the board, adds the Ferma/ECIIA guidance.
It also calls on the internal audit function to provide ‘objective assurance to the board and senior management that risks are understood and managed appropriately’.
A good internal audit function is seen as particularly important in smaller organisations, which may not have the resources for ‘a full organisational structure to ensure the effectiveness of its governance and risk management processes’, argues the Ferma/ECIIA guidance.
Ferma and the ECIIA believe that compliance with the directive requires a three-line approach: management; a risk management function, perhaps with a separate compliance function for risks associated with regulations and laws; and a risk-based internal audit function. External auditing could be considered a fourth line of defence, they add.
An audit committee should receive information on risk governance—including steering committee reports, definitions of acceptable and accepted risk limits, benchmarks and controls—in order to assess the effectiveness of risk management systems.
However, there are concerns more widely about how much audit committees should be involved with risk processes. “What about market risk?” asks Klaus Struwe of the Danish Shareholders’ Association. “Is the audit committee the right division of the full board to look at the market risk?”
Bearing in mind the wish for risk management to be the responsibility of all employees, Ferma and the ECIIA have also issued guidance on article 41 for senior executives.
For example, executives should question whether there is enough time on executive committees to present risk management results, internal control and internal audit reviews, according to the guidance. They should also determine if risk management and control processes are in line with the company’s objectives and policies.
Ferma and the ECIIA also address the question of independence of risk management, internal controls and internal audit. Openness and easy contact are important for early warnings of major risks, they say.
The ecoDa guidance states: “It is essential that there be openness of communication by management with the audit committee on matters relating to risk and control.”
The Ferma/ECIIA guidance also asks: does audit planning take account of major risks and critical control processes? Is information shared regularly between risk management, internal control and audit? And, how are major risks or control failures escalated through the company and to whom are they reported?
However, Eddie Best, Business Risk Services Partner in the professional services business at accounting firm Grant Thornton, stresses that risk management is really good business practice and should be embedded in an organisation, if only to allow that organisation to grab business opportunities. “It’s almost a cultural thing. It’s thinking about things in that particular way,” he told Commercial Risk Europe.
Mr Best distinguishes the risk management carried out by financial institutions, which often have hard-to-understand products or processes, from that of most other firms. Mining companies, for example, can point to tangible reserves, geologists’ reports and other hard information to allow risk assessments and management—as part of good business practice. “It’s complex, but it’s transparent and you can understand it,” said Mr Best.
Risk management should not be seen ‘in the abstract’, according to Mr Best. “It is about things like authorisations and structures.” You need to allow concerns to be communicated to boards, audit committees and chief executives, for example, he added.
Kristian Koktvedgaard of BusinessEurope, the grouping of federations that represents some 20 million companies in 35 countries, is confident about gradual improvement. “We have seen an increasing emphasis on increased professionalism in the boardroom,” he said.
Grant Thornton International’s submission on the Commission’s corporate governance green paper states: “Auditors should provide better communication to investors. Auditors could give a degree of assurance on risk data and could provide investors with assurance on increased narrative disclosures in audit committee reports and on non-financial information.”
The submission adds: “We also believe that the company’s risk appetite, profile and strategy should be reported to shareholders, and on specific matters the board or the risk committee may wish to consult with shareholders. Matters such as risk identification, risk assessment and risk mitigation will often form meaningful elements of communication by the board to shareholders.”
Mr Best at Grant Thornton said that he has seen steady improvement in risk management and audit in recent years. However, he says that an analysis shows that most of those who chair firms may be missing a trick, even though they should be steering their businesses and setting the culture.
Only 10% of chairmen address governance and risk management in their annual statements. “That’s a missed opportunity,” commented Mr Best.