Corporate governance and regulatory control continue to dictate to businesses the need for a risk appetite, as well as risk aversion. The reality is that these decrees are not all negative.
The ongoing roll out and improvement of the King report, now in its third iteration, has brought accountability and a culture of governance – including risk and compliance management – to the fore in South Africa.
The fact remains, however, that corporate governance is fast being viewed by organisations as the most topical and pressing issue of the 21st century. So why are corporate governance and controls, such as the King III report, important for business?
“The early and systematic management of risk exposures and disclosures not only assists with the detection of possible violations of all applicable laws, regulations and policies, but more importantly, aligns strategy with key stakeholder expectations, external obligations and risk appetite,” says Colin Hill, principle risk consultant at SAS.
“While laws that govern can create a culture of strict risk aversion, business must be careful that this does not limit its appetite for risk and constrain its ability to differentiate between good and bad risk,” he adds.
“What is needed from the onset is a risk management framework that gives management the right degree of comfort and the ability to capitalise on business development without the fear of transgressing any law, regulation, good practice or policy.”
Looking at the IT department within the requirements laid out by King III, it is now subject to the same regulatory controls as the rest of the business. However, this in itself presents an opportunity as it is in a unique position to start providing a reliable and forward-looking view of risk exposures and compliance obligations for the business as a whole.
IT now has the capability to span the organisation and provide a co-ordinated approach to continuous risk monitoring and reporting, which lends itself to the ability to gauge an organisation’s combined risk exposures.
Where King III states that information systems were previously viewed as a business enabler, they now need to morph into the role of being more pervasive. They also need to assist business with managing the governance, risk and compliance efforts within statutory requirements. The challenge is that IT itself can now also be viewed as an operational and compliance risk.
“It comes as no surprise that IT departments and systems need to stand up and be accounted for; they are the lifeblood of a business, and should adhere to the same governance, risk guidelines and policies the rest of business has to,” adds Hill.
“If IT and data governance is to be formalised through a series of policies, it must be worked into the operational risk framework; then appropriate management controls must be developed, and it must follow industry standards such as COBIT and ISO 28000.
“As an imperative, IT must be incorporated in an integrated enterprise risk management approach, as it must ultimately be a sustainable and secure part of the business.”
According to Hill, the systems that will drive this cohesion exist in the form of enterprise risk management solutions that offer multi-dimensional reporting and dashboards, assist in the management of incidents, control effectiveness measuring and offer internal audit including continuous auditing and compliance capabilities.
This will then assist in managing a company’s measurement of compliance with the numerous acts that need to be adhered to.
“It may be daunting, but if applied appropriately, IT can offer a better view of ‘business activity’ and help balance risk and reward; it can also embed risk management into everyday business processes and it can spot, avoid and counter fraudulent activities within an organisation. Isn’t that what all businesses want?
“It is imperative to understand that a flexible IT infrastructure can be the key to better management and understanding of a fast changing regulatory environment,” ends Hill.