Some authoritative guidance on risk management and the three lines of defense
The King Code of Corporate Governance has been a fine source of principles and practice for governance, including risk, assurance, and compliance, ever since its initial release.
The Institute of Directors in Southern Africa has released for comment the draft of King IV, Report on Corporate Governance for South Africa 2016[1]. I have written about the draft, highlighting important sections from the Introduction and Foundational Concepts section in my IIA blog[2] (at https://iaonline.theiia.org/norman-marks).
In this post, I want to talk about two areas I find interesting in the draft Code.
The first is that King IV talks about ‘Risk and opportunity management’, rather than simply risk management. Is that a good idea? Perhaps.
It is a longer phrase, which makes it clumsy in some settings.
Yet, it highlights that the management of risk (I am going to continue to use that phrase, at least until a better one becomes more globally accepted) is not limited to avoiding failures, but embraces taking opportunities.
Many people don’t realize that the COSO Enterprise Risk Management – Integrated Framework was intended to cover both potentially positive and the potentially adverse effects of uncertainty. The ISO 31000:2009 global risk management standard certainly does.
However, most are inexorably drawn to and limited by an exclusive focus on avoiding harm and failure.
King writes as if a single set of processes (and framework) addresses the identification, assessment, and treatment of both adverse and positive effects of uncertainty. I certainly believe that the setting of strategies and objectives, the definition of plans and such, as well as every decision needs to take both into account – if for no other reason that we take risks so that we can seize opportunities! Consideration of both should be inexorably linked and an integral part not only of decisions but of running the business every minute of every day.
OK, I have said that many times in this venue and in my book. We will discuss it again at RiskReimagined – please join us.
Is it time that we stopped talking about managing risk (or risk management) in a negative way, and start talking about running the business to deliver optimized, ethical performance? I read the King draft as going that way.
The other area that I welcome in the King IV draft is its discussion of the so-called Three Lines of Defense model. This is a concept I have criticized, most recently in this post, and Richard Anderson will share his views at RiskReimagined.
King IV talks about the Five lines of assurance. I think this is better, if still imperfect. It recognizes that there are more lines in play and that they are about more than defending the organization from failure – a description that fails to describe the proper operation of risk management, internal control, and management in general. This is how King describes the five lines:
- as first line of assurance: line functions that own and manage risk and opportunity
- as second line of assurance: specialist functions that facilitate and oversee risk and opportunity arrangements, such as enterprise-wide risk and opportunity management and compliance
- as third line of assurance: internal assurance providers that provide objective assurance such as internal audit, internal forensic examiners, fraud examiners and auditors, safety and process assessors and statutory actuaries
- as fourth line of assurance: external assurance providers such as external audit, sustainability and environmental auditors or regulatory inspectors, external actuaries and external forensic examiners, and fraud examiners and auditors, and
- as fifth line of assurance: the governing body, audit or other committees.
Assurance is fine, from the perspective of a regulator or perhaps a board member. But, it remains imperfect. I still prefer offense, which recognizes that the offensive players need to be careful as they move forward.
I welcome your thoughts.
By the way, for those of you in internal audit or on the board, I am still looking for answers to the question of whether your organization’s audit plan is designed to address enterprise-level risks or risks within individual locations/processes/etc. The very short survey is open at this location.
[1] My thanks to Quinton van Eeden for sharing the draft with me.
[2] The IIA post will appear on Monday March 21.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
Hi Norman. You make the comment, ‘However, most are inexorably drawn to and limited by an exclusive focus on avoiding harm and failure’. As you know, I am in that ‘most’. That doesn’t mean that I think that, ‘opportunity management’ isn’t important and can be ignored. It cannot be ignored and failure to seize opportunities is one of the greatest risks threatening a company (remember Nokia?). But we don’t take risks to seize opportunities, we look for, and seize, opportunities to fulfil our objectives. This seizing of opportunities then has risks.
In other words, our objectives should include the need to develop the organization and the threatening risks will include:
Not identifying opportunities
Not analysing these opportunities
Not taking action to implement opportunities which move our organization forward.
We can then identify responses (controls) which should manage these risks, such as competitor reviews, research and development, employee suggestion schemes.
So the approach of considering all risks as harmful does address the failure to seize opportunities but does it within the normal risk framework.
I will read the King Report draft to see how it addresses the management of opportunity.
David, I see the merit in your argument. But will it lead people to follow a similar discipline in identifying, assessing, and responding to opportunities as it does to (negative) risks? More to the point, we need to understand and assess ALL potential effects, as few decisions, events, or situations are one-sided.
Norman, I can also see merit in your argument. I think it particularly applies to organizations subject to political pressure, such as government departments and local authorities. Not only do they fail to look at opportunities but they want to eliminate risks, as opposed to just managing them.
I certainly agree that we need to understand and assess ALL potential effects and need to ‘start talking about running the business to deliver optimized, ethical performance’. My methodology tries to do this by focussing on the objectives of the organization but I admit this does lead to a negative approach. However King still refers to ‘internal controls and other risk and opportunity responses’ (page 53 point 9) so there is nothing really to suggest a radical new audit approach.
King reinforces what we have been saying for some time: internal audit must concentrate on the strategies and objectives of the organization before getting involved in the detail.
I agree with the Risk & Opportunity concept because it is in line with ISO and gives a positive view.
I also agree with the 5 lines of defence. This concept has to be taught to board members.
Norman,
Thank you for the posting. I will download and read the draft report. Hopefully it will provide clarity on my comment below.
My first reaction on the “lines of defense” is where is the executive management? They should be setting the tone at the top.
Protiviti has a model which five lines ( http://www.protiviti.com/en-US/Documents/Newsletters/Bulletin/The-Bulletin-Vol-5-Issue-4-Applying-5-Lines-Defense-Managing-Risk-Protiviti.pdf). I like the inclusion of executive management and explicit mention of top at the top. Protiviti doesn’t consider external providers as part of their five lines which is part of KIng IV.
Norman, an interesting suggestion from King, and a subject that is very much top of mind for me at present. The heart of the issue is that the concept of ‘risk with positive outcomes’ is so at odds with the concept of risk as understood and applied in the real world by 100% of the general population. Any plain-English printed or online dictionary will confirm that interpretation, and yet we risk practitioners expect all of our business and corporate colleagues to put their 20 or so years of common usage aside and suddenly start talking about ‘risk that can have both negative and positive consequences’. Corporate investment committees tend to think in terms of either ‘opportunity realisation’ or ‘risk reduction’ when deciding on where to allocate scarce financial resources. Don’t get me wrong here – I personally have great respect for ISO 31000 and even more so for HB 436, but are we just trying to swim against the tide in our choice of terminology?
Ray, I think all practitioners should try to talk about intelligent, informed decisions instead of risk. Enhancing or realizing optimal performance or other words that are in the language of the business.
Hi Norman,
Personally, I believe there are three types of risks: preventable (i.e. compliance), external (i.e. regulation) and strategic.
With the first two, it is all about the level of preparedness and mitigation that the firm wants to put in place. There is usually very little upside associated with taking these types of risk.
Strategic risk is a risk that the firm takes in order to accomplish its mission/vision. In this case, it is all about balancing an opportunity with the risks associated to it when the firm makes strategic decisions. Here, opportunity and risk cannot be dissociated since this relationship is the backbone of any business’ strategy. (e.g. Why are we going to this new market? What risks are we facing by doing so? Is it worth it given our risk appetite?)
Then, if a clear risk culture is defined at the top management’s level and spread out across the organization (not an easy task!), all firm’s members are to some extent a line of defense with regard to risk.
If the aim is to run better businesses, why not start and end there?
I work in strategic planning. As part of that we look at all the threats and opportunities together. Finally we make scorecards. People get rewarded according to how well they achieve objectives. This creates intense awareness of what might hurt achieving the objectives from top to bottom. So risk management is embedded without calling it risk management. It works very very well.