Risk Management – beyond the project
8 March 2011
The UK Combined Code for corporate governance says “the board’s role is to provide entrepreneurial leadership of the company within a framework of prudent and effective controls which enables risk to be assessed and managed.” (A.1)
“Non-executive directors … should satisfy themselves … [that] systems of risk management are robust and defensible” (A.1) and “The review should cover all material controls including financial … risk management” (C.2.1)
“The board should ensure that directors, especially non-executive directors, have access to independent professional advice” (A.5.2)
I interpret that as saying the main board must (collectively) approve the processes of risk management, check that they are working (a duty that falls especially on the Non-Executive Directors (NEDs)), and get advisors to help with that assessment if needed.
The code is not specific on how this should be done or which board committee should do it. Because the NEDs who have this responsibility make up most of the board’s audit committee, and their terms of reference include “internal controls”, generically it probably sits there. However, the combined code does provide for the audit committee to have other committees for a specific purpose – if risk management is important enough for at least some of the detail to be handled at board level, that would be an obvious situation for a working committee to review the higher-level risks on a regular basis and report to the board.
In more generic corporate risk management practice, it is the main board’s responsibility to set the desired risk profile (appetite) for the organisation. This is not mentioned in the combined code at all (unless it is hidden in setting strategy) but is a vital part of leaders setting the tone for the organisation as a whole. This can then be used to select projects and programmes in portfolio management.