Ryan Hollis

Do I need a governance framework for my business?

Part 1 Introduction: Risk Governance and risk management processes.

This blog is part 1 of a series of blogs aiming to help SMEs understand, select and implement good governance practices within their management framework to identify and optimise risks within their business. Part 1 explicitly covers framework selection and critical design principles. Parts 2 and 3 will discuss implementing the framework and reviewing best practice case studies in action.


Which frameworks give effective risk management?

Effective risk management for small and medium-sized businesses (SMEs) can be hard to achieve. Additionally, good governance over your risk processes is a critical practice that your senior management or executive team should implement on behalf of the business owners or shareholders, but it can also be challenging. It is hard to determine where to start and how many resources your corporate governance will need.


Corporate governance has the potential to ensure that your strategic objectives are delivered consistently. It can also test how your business operations will respond to external risks, such as a natural disaster or external events like the significant increases we are currently seeing in fuel and energy prices. It can also create a quality internal audit of your operational risk.


Such a system will check the health of how you identify risks, complete your risk assessments, incorporate these into a risk management plan, and finally, how well your risk mitigation is working. So there is value in achieving good corporate governance and risk management, even for small businesses. It just depends on how you choose to implement it.


Where to start when designing your corporate governance

We feel it's critical to understand which stakeholders in your business (owners, shareholders, board members, employees, customers) see your corporate governance as necessary and work to understand their views. These will likely be diverse views and sometimes be at odds with one another. For example, employee views may be centred on ensuring their health and safety, whilst customers may seek objective assurance that your product or services will always be reliable and available. Shareholders may be focused on ethics. It will vary, and these views will change over time.


Once stakeholder views are clear, start thinking about which risk management and governance processes you need to meet their objectives. Owners and shareholders should then ensure there is a governing body they entrust to oversee the whole business. The design of the governing body could be different for private sector businesses compared with public companies. Organisational size, market risk, growth plans, company history and regulatory environment are all factors that affect how that body should be designed to give effective governance.


What resource mechanisms to think about when managing risk

With the governing body in place, it can then start to delegate resources to the business to assist in managing risk. For example, it can establish a business process for internal audit, an audit committee, project teams, risk managers, or even a chief risk officer if the business is large enough. However, best practice use of these resources usually relies on a guiding framework that meets the company's and stakeholders' appetite for risk.


Which frameworks help when building risk management structures and processes?

At everfocus, we like the revised Three Lines Model defined by the Institute of Internal Auditors (IIA Australia) after a significant global review in 2018 and 2019. It is consistent with the International Professional Practices Framework (IPPF), which includes the only standards relevant to the internal audit profession within Australia.


Frameworks should give clarity to a business, but they also need to allow flexibility in application. Flexibility is crucial for SMEs, who may face a unique challenge or many scenarios that differ from those of large organisations. Most companies will undertake some form of strategic planning (informal, facilitated or internal). Still, many may not have the capacity for support functions dedicated to managing risks, or even be able to take part in the governance process.


Benefits of the Three Lines Model

That's why we like the Three lines model - you can adjust the principles-based approach to fit your current business structure. You do not need new resources. You do not need to change employee role titles. But you can use the principles to change how you do the work to undertake risk management so that it starts building good governance practices. Same resource, but applying a different way of doing things to limit the potential risks to your organisational objectives.


Before we break down the fundamental principles of the three lines model, here is what it looks like overall. If you are like us, the first thing that jumps out from the model is the key component of an Internal Audit resource. It is unrealistic to have this capability in small businesses. Still, there are ways to achieve the intent without extra resources for small businesses, and we will cover that later.



[Diagram: the risk governance structure for a business using three lines of defence, and how accountability, delegation, alignment and collaboration should be designed into the framework. Source: IIA Australia - 3 Lines Model]


Principles of the three lines model

Governance

Corporate governance within a business should use systems to create a point of accountability with the governing body to stakeholders of the company (shareholders, owners, employees). The governing body should demonstrate integrity, leadership and transparency when overseeing what happens within the business.


The same governance system should enable the business's management team to take whatever actions are required to achieve the company's objectives. It should assist their decision-making to be risk-based and also guide them in where they use the resources they have at their disposal.


Independent assurance

And finally, the governance system should create independent assurance and advice aimed at giving clarity and confidence to management, the governing body and stakeholders that risk-based decision-making within the business is of good quality. The assurance and advice communicated to the company should create positive insight and help drive continuous improvement.


Avoiding the pitfalls of "gotcha" moments

At everfocus, we think ensuring that assurance is given with positive intent and a focus on continuous improvement is where businesses can get significant traction. Too often, giving assurance feels like a "gotcha" moment for management, and if this occurs, it starts to limit participation and information flow. These moments ultimately amplify the negative impact of a risk by limiting the chance to rectify it, or reduce the likelihood of taking full advantage of a value creation opportunity presented to the business.


Governing body roles

When we talk about governing bodies, boards are the first things that come to mind. However, it's essential to understand that the three lines model defines governing bodies as those individuals accountable to stakeholders for the organisation's success. So for an SME, this could be an executive team, a risk management committee, a selection of executives (CFO + CEO), or however the business stakeholders want to set it up. For a family-run company, the governing body may be the family members active in the business who report back to the broader family set of stakeholders.


Governing body goals

For any approach you select for your business, the governing body should ensure two things:

  1. Appropriate structures and processes are in place for effective governance.

  2. Organisational objectives and activities are aligned with the prioritised interests of stakeholders.

Governing body objectives and actions

Two key actions the governing body must take to help meet these goals are:

  1. To delegate responsibility and provide resources to the management team to deliver the business objectives whilst meeting regulatory, legal and ethical expectations.

  2. Establish an independent and objective method of assuring the business is progressing towards its objectives and creating confidence for the governing body and business stakeholders.

Management, first and second-line roles

First and second-line roles are where the rubber hits the road. Management of the business is responsible for delivering on the organisational objectives. In the three lines model, this comprises both first and second-line roles.


First-line roles are the people within the business who are directly active and aligned in delivering the business service or product to customers. It includes people who work 'back office' like HR, administration, and health and safety functional roles. They all focus on ensuring the business product or service processes are working as they should be.


Second-line roles focus on assisting with managing risk. Second-line positions look at the risk management process design to ensure it is working as it should be. It is typical to see a finance team member play this role or a dedicated risk professional if the business is big enough.


Second-line roles ensure compliance with regulations, laws, and internal control processes (e.g. spending authority limits followed) and secure business information and technology systems. They also verify that the risk management system meets its objective of being sustainable and creating reasonable quality assurance within the business. We like to think of this role as an "enabler" - designing and maintaining the risk system to add value to the first-line positions and the management team and allow them to meet their responsibility to manage risks.


Confusion between first and second lines is common for all businesses, big and small. If there is one area where your business needs clarity, it is in the distinction between those who work on the actual risks to the company and those who make sure the risk management process is fit for purpose and healthy. If you achieve this and have excellent collaboration, coaching, and communication between these roles, your business will be in a solid position to deliver on its objectives.


Third-line roles and their independence

The third-line role provides independent and objective assurance on your risk management and governance effectiveness. Third-line positions must have high levels of competence and expertise and apply a systematic approach to giving assurance. They should communicate their findings to both the management team and the governing body.


This role is challenging for SMEs to incorporate into their structure due to their organisational size. So it is appropriate for businesses that can't afford this full-time resource to use external providers to give them independent assurance. Still, it is essential to ensure that they have clear accountability to the governing body, not management, and that they can understand your business in detail.



[Graphic: how the first-line, second-line and third-line roles in a risk governance framework work with each other, providing both alignment and independence. Caption: Third-line roles are independent in their advice.]


In this light, these external providers typically build a relationship with the governing body over many years. However, be warned that using an external provider for too long can make the relationship too close, and you then lose the independence that is crucial to giving the governing board and the business stakeholders confidence in the assurance.


Creating and Protecting Value

Collaboration is perhaps the most valuable principle to adopt when developing your corporate governance approach: ensuring that each part of the three lines model is aligned and works together to ensure BOTH the creation and protection of value in the prioritised interests of the stakeholders.


Communicate, collaborate and cooperate to ensure everyone's work activity is aligned. As a result, you will see far more reliable results, increased transparency of information and ultimately, the best risk-based decision-making for the business.


This principle highlights that when you identify potential risks, you should be positive: don't just think about natural disasters or business problems; think about opportunities for your business. Where can you create new value? How does the whole enterprise work together to achieve it?


Start to focus on implementation

Now that we have covered framework selection and critical design principles for risk governance, the next step is understanding the key roles in implementing the system. Part 2 of this blog will discuss how you can approach this phase of work. Stay tuned!

