Chartered Secretaries Australia (CSA) defines governance:
Governance encompasses the system which an organisation is controlled and operates, and the mechanisms which it, and its people, are held to account. Ethics, risk management, compliance and administration are all elements of governance.
CSA has argued that governance has four essential elements:
• Transparency — being clear and unambiguous about the company’s structure, operations and performance, both externally and internally, and maintaining a genuine dialogue with, and providing insight to, legitimate stakeholders and the market generally
• Corporate accountability — ensuring that there is clarity of decision- making within the company, with processes in place to ensure that the right people have the right authority for the company to make effective and efficient decisions, with appropriate consequences delivered for failures to follow those processes
• Stewardship — developing and maintaining a company-wide recognition that the company is managed for the benefit of its shareholders, taking reasonable account of the interests of other legitimate stakeholders
• Integrity — developing and maintaining a corporate culture committed to ethical behaviour and compliance with the law.
Risk governance uses the principles of good governance to identify, assess, manage and communicate risks. There are formal structures used to support risk-based decision making and oversight across all operations of an organisation. Risk governance involves the board, board committees, delegations, CEO, the management and related reporting. The governance structures must be designed to fit the size, and complexity and business type of each organisation’s operations.
ISO 31000:2018 Risk management – Guidelines emphasizes the development of a framework that will wholly integrate the management of risk into the organization. The risk management should be an active component in governance, strategy and planning, management, reporting processes, policies, values and culture. The framework should provide for the integration of risk management, reporting and accountability. It is intended to be adapted to the particular needs and structure of each organization. However, regardless of the size of the organization, the risk management system must be sufficient to:
• Provide the board, board committees and the senior management team with regular, accurate and timely information regarding the organisation’s risk profile;
• Measure, assess and report all material risks;
• Provide robust (relevant, timely, complete and accurate) data;
• Measure risk against pre-determined limits (tolerances) and promptly report and escalate when limit breaches occur;
• Provide a sound basis for making risk-based decisions.
First Line of Defence
Line/operational managers own and manage risks. They are the first line of defence. They are responsible for
• implementing corrective actions to address process and control deficiencies.
• maintaining effective internal controls
• executing risk and control procedures on a day-to-day basis.
• identifying, assessing, controlling, and mitigating risks
• guiding the development and implementation of internal policies and procedures
• ensuring that activities are consistent with goals and objectives.
Mid-level managers design and implement detailed procedures that serve as controls and supervise execution of those procedures their employees. Operational management naturally serves as the first line of defence because controls are designed into systems and processes under their guidance of operational management. There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdown, inadequate processes, and unexpected event.
Second Line of Defence
Management establishes various risk management and compliance functions to help build and/or monitor the first line of defence controls. The specific functions will vary organization and industry, but typical functions in this second line of defence include:
• The risk management culture
• The understanding of the ERM framework
• The business unit’s risk capacity
• The risk appetite and tolerance allocation for each risk category
• The adequacy of the risk budgets
• The skill and capabilities of its risk resources
• The risk governance approach
• The risk monitoring and reporting activities
• The risk metrics to alert the business of the emergence of risk
• The capability to adjust the business unit’s risk capacity, appetite and risk tolerances for changing economic conditions
Management functions may intervene directly in modifying and developing the internal control and risk systems but cannot offer truly independent analyses to governing bodies regarding risk management and internal controls.
Third Line of Defence
The third line of defence is that of internal and external auditors who report independently to the senior committee-board of directors, audit committee etc.- charged with the role of representing the enterprise’s stakeholder’s relative to risk issues.
The internal and external auditors regularly review the first and second line of defence activities and results, including the risk governance functions involved, to ensure that the enterprise risk management arrangements and structures are appropriate and are discharging their roles and responsibilities completely and accurately.
The results of these independent reviews need to be effectively communicated to executive management and, more important, to the board of directors in cases in which these groups ensure that appropriate action is taken to maintain and enhance the enterprise risk management framework.
As stated earlier, the body that has the highest level of risk governance is the senior committee that is charged with the role of representing the enterprise’s stakeholders in respect to risk issues. This committee has the responsibility and accountability to provide effective oversight of the enterprise’s risk profile. In particular, this committee should ensure that the enterprise’s executive management is effectively governing and managing the enterprise’s risk environment. The senior committee is typically required to have a charter that clearly sets out its role, responsibilities and accountabilities in providing risk governance to effectively discharge the requirements delegated the board of directors.