In the preceding parts of this article, the focus was on where Zimbabwe is, in terms of corporate governance and also some of the key parts within the National Code on Corporate Governance. This week, the focus is on risk and the governance thereof. Chapter 4 details the structure and manner in which risk management should be carried out and whose responsibility it is to manage said risk.
The code places emphasis on business leaders understanding risk and how it can be measured, eliminated or mitigated. It then lays down principles and recommendations on best practice for risk management.
Risk management
The responsibility is placed on the board to ensure that principal risks are identified in a timely manner and managed, and to establish an efficient and effective system for day-to-day supervision of the business’ operations.
The board is tasked with ensuring that:
- Risk assessments are performed on a continual basis
- A framework is established to increase the likelihood of anticipating unpredictable risks
- Management considers and implements appropriate risk responses
This is expected to be covered through the company’s risk management policy, which is management’s responsibility. The board should receive assurances regarding the effectiveness of the policy in meeting its objectives. Risk monitoring is carried out continuously by the risk committee and management.
Recommendations
The board is expected to:
- Determine the levels of risk tolerance; decide whether or not it is desirable to establish a risk management committee; formulate the company’s risk management policy and ensure its implementation and review; and integrate that policy into the company’s day-to-day activities
- Ensure that processes allow for relevant and timely risk disclosures to shareholders.
- Appoint a risk management committee to assist in the discharge of its duties in respect of risk management, if it deems this desirable.
The role and composition of this committee should be clearly defined, and the considerations that the committee should make in discharging its duties are specified in the Code. The Code outlines the risk committee’s responsibility regarding risk, the risk management policy, setting tolerance levels, and the mitigatory measures which the committee will recommend to management.
Independent External Audit, Methodology and Mandate
A company’s financial statements must be audited by independent external auditors, who should have no material relationship with the company. The external auditors prepare an audit report for consumption by the company and its stakeholders.
Recommendations
- External auditors need to assess the soundness of internal financial controls and make recommendations. Their report should cover the scope of work performed as well as their opinion on the financial statements.
- The audit committee should recommend, to the board, the appointment, retention and replacement of external auditors.
- Recommendations from external auditors should include a discussion of the main accounting policies, material weaknesses and significant flaws in internal controls and procedures, as well as instances of disagreement with management, risk assessment and analysis of possible fraud.
- Re-appointment of external auditors should follow a formal and documented assessment of their independence and performance.
- External auditors should not be allowed to provide consultancy work to the company which they audit.
Internal Audit Function, Methodology and Mandate
The board, through the audit committee, should be assisted by a competent internal audit unit that provides assurance on internal controls, risk management and governance processes. The audit committee should oversee the internal audit function, evaluating its performance and ensuring that it is subjected to an independent quality assurance review.
Recommendations
The board is to ensure that there is a continuous and effective risk- and results-based internal audit. The Code details the mandate of the internal audit function and how it is to discharge that mandate. It also outlines how the internal audit plan should be structured. The board should define, approve and put in place an internal audit charter. The internal audit function should adhere to the International Internal Auditing Standards (IIAS) and Code of Ethics.
Audit Committee
Depending on the nature and size of the company and the complexity and diversity of its operations, the board should establish an audit committee. The purpose of this committee is to assist the board in fulfilling its obligations, strengthen the independence of the external auditors and enhance public confidence in the integrity of the company’s financial statements.
The Code details the functions of the audit committee, some of which invariably apply to companies, such as: recommending the nomination and remuneration of external auditors; reviewing the company’s internal control environment; and reviewing financial statements prior to their approval by the board.
Recommendations
The board is to ensure that, among other points:
- It builds and sustains an ethical corporate culture in the company
- It clearly articulates the ethical standards and ensures that measures are taken to meet them
- Ethical risks and opportunities are incorporated in the risk management process
- The company’s performance regarding ethics is assessed and monitored
The audit committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities, which should cover significant functions within the organisation. The model aims to optimise the assurance coverage obtained from management, internal assurance and external assurance providers on the risk areas affecting a company. The combined assurance process should be aligned to the risk management process in the organisation.
Every listed company must put in place a combined assurance model to:
- Coordinate the work of all assurance providers
- Provide a communication forum for the work of internal audit, external audit and third-party assurance providers and management.
- Standardise risk management processes; and
- Ensure that a combined assurance report is presented to the risk committee quarterly.
The Code also contains a whistle-blower policy and recommendations to be followed in developing and implementing one. A whistle-blower system that is independent, trusted and anonymous is key to the effective implementation of an ethical corporate culture and a fraud risk management strategy.
The board should take measures to manage whistle-blowing in terms of set procedures, proper analysis of reports received and acting to correct the misconduct reported upon.