Good governance is critical for good enterprise risk management (ERM). It is important for the effective embedding of ERM into an organization’s everyday activities hence should be one of the board’s primary aims and responsibilities.
It is essential for the board to understand that good governance is not a rigid set of rules to be followed, nor is it a box ticking exercise, but the foundation of good business conduct to establish an effective system that promotes effectual accountability on the part of the board to investors and other stakeholders.
By having effective governance, the board and senior management are able to encourage conversation on enterprise risks up and down the organization, guide and direct ERM strategy, and review its effectiveness. Good governance does not come on its own. There is need to have a sound ERM framework and an ERM policy.
A framework for ERM helps to effectively implement good governance. The framework which details how the organization identifies, assesses, measures, monitors and manages its exposure to enterprise risks invaluably helps the board and senior management communicate to all staff the primary elements of the organization’s ERM processes.
Working alongside the ERM framework, the ERM policy enables the board and senior management to communicate enterprise-wide the organization’s approach to ERM. The organization’s culture, typical structure of its policies, its scale, nature and complexity all influence the contents of its ERM policy. The ERM policy should contain and make references to:
- A definition of enterprise risk management
- Categories and sub-categories of enterprise risk
- A statement of enterprise risk appetite
- An overview of the ERM processes
- A statement of the roles and responsibilities of various personnel departments
- The role that ERM plays in the organization as opposed to taking a “siloed” approach
- How to deal with deviations from the policy
- How issues are escalated and resolved
- Risk reporting flows of information
- A glossary of terms used in ERM
Having a clear ERM policy developed, reviewed and commented on (by senior management) and approved and implemented (by the board) supports the organization in achieving its short, medium and long-term business objectives.