Business World Intelligence - http://businessworldng.com/web
From Enterprise Risk Mgt to Governance Risk and Compliance
http://businessworldng.com/web/articles/983/1/From-Enterprise-Risk-Mgt-to-Governance-Risk-and-Compliance/Page1.html
By Business World
Published on November 9th, 2009
 
Introduction 
Many firms have run into trouble due to risk management failures. However, where risk management failures are accompanied by corporate governance failures, the lethal combination has caused swift demise. A good example was Enron, an AAA rated institution. Enron had superb risk management capabilities and was regarded as a leader in risk management in its industry. However, corporate governance was weak. Losses were concealed in off-balance-sheet SPVs. When these were uncovered the firm collapsed, causing the biggest corporate failure in US history up to that point and making Enron one of the few AAA firms that ever filed for bankruptcy.
The recent CBN bailing out of weak banks in Nigeria underlined the severity of combined risk management and corporate governance failures. The positions of weak banks were most severe where corporate governance issues in addition to risk management failures were uncovered by the CBN.
Banks can have the best risk management frameworks, but if these are not underpinned by strong corporate governance practices, risk management will not protect the rights of stakeholders. The key issue for Nigerian banks going forward is how to ensure that corporate governance practices enhance, and do not weaken, the effectiveness of the risk management framework.

Enterprise Risk Management (ERM)
ERM gained popularity in recent years as an approach to ensure that all risks to which the firm is exposed are managed holistically across two dimensions: (A) type of risk; and (B) scope of activities. A is important because risks are inter-related. For example, inadequate operational risk management of credit processes (collateral management, disbursement, etc.) has caused as many losses as credit (obligor default) risk in many banks. B is important to ensure that an aggregate view of the same risk type across various operating entities, geographic areas, etc. is obtained to assess the overall severity for the firm. Many banks, including Nigerian banks, have yet to implement ERM effectively. The recent reported losses in the industry indicated that banks were taking the same stock market risks in proprietary trading, asset management (guaranteed investments) and margin lending activities, without an enterprise-level risk appetite, exposure view and control across subsidiaries. Basel II applies economic capital principles, i.e., addressing the economic substance of risks irrespective of the legal form of subsidiaries, and thus promotes effective ERM.

Governance, Risk and Compliance (GRC)
The global financial crisis and, in particular, the Nigerian version of the crisis have demonstrated that having risk management frameworks for the various risks (credit, market, operational) in place is not sufficient. What is required is an effective ERM framework integrating management of the various risk types across operating entities. In addition, the ERM framework needs to be anchored by a comprehensive corporate governance framework and compliance processes to achieve a robust GRC architecture. At the centre of this GRC architecture is a control framework that governs the integrity of financial reporting. Key to the success of the GRC architecture are complementary best practice standards that ensure the various GRC frameworks are aligned. At UBA, we have adopted King III as a corporate governance standard, Basel II as a best practice ERM standard and COSO as an internal control standard for financial reporting integrity. This will ensure soundness and robustness of the GRC architecture (figure 1).
 
Corporate Governance
Corporate governance codes have been in existence in Nigeria since 2003 and are currently undergoing revision as part of the financial industry reforms. To achieve a robust GRC architecture, it is crucial that the corporate governance framework explicitly addresses risk and compliance governance by defining specific responsibilities for the board in these areas.
The South African King code of corporate governance is one of the best examples of such a GRC enablement framework. The latest version of the code (King III) defines the following risk governance responsibilities for the board:
• Determining the levels of risk tolerance;
• Delegating to management the responsibility to design, implement and monitor the risk management plan;
• Ensuring that risk assessments are performed on a continual basis;
• Ensuring that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks;
• Ensuring that management considers and implements appropriate risk responses;
• Ensuring continuous risk monitoring by management;
• Obtaining assurance regarding the effectiveness of the risk management process;
• Ensuring that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders.
The King III requirements tie in neatly with Basel II. For example, Basel II aims at providing the tools and metrics for setting risk tolerance, risk assessments, measuring unpredictable risks, etc. Basel II further defines the format and content of risk disclosure, a key board responsibility. 
In addition, King III recognises that one of the most important responsibilities of the board is to monitor the institution’s compliance with all applicable laws, rules, codes and standards. It defines the following compliance responsibilities of the board in this area. The board is responsible for ensuring that:
• The firm complies with all applicable laws and considers adherence to non-binding rules, codes and standards.
• Each individual director has a working understanding of the effect of the applicable laws, rules, codes and standards on the company and its business.
• Responsibility for implementation of an effective compliance framework and processes is delegated to management.
• Compliance forms an integral part of the company’s risk management process.
The last requirement will promote the effectiveness of compliance, as the risk of non-compliance becomes part of the universe of risks to be managed by the ERM framework.
Adoption of a comprehensive corporate governance framework is therefore crucial to ensure that all three legs of the GRC triangle are fortified.

Conclusion
Risk management will not protect the rights of stakeholders if corporate governance and compliance practices are weak. Nigerian banks should (a) ensure that an effective ERM framework is in place and (b) ensure that the ERM framework is anchored by a strong corporate governance framework, compliance processes and control systems to achieve a robust GRC architecture. Crucial to the successful execution of the GRC architecture is the implementation of a comprehensive corporate governance best practice standard.
Note: COSO is an internal control framework for ensuring integrity of financial reporting. The framework was designed by the Committee of Standards Organisation in response to the US Treadway Commission of enquiry into the Enron failure. The Sarbanes-Oxley Act in the US legislated the COSO requirements for US listed firms.
 
Blaauw is the Group Chief Risk Officer, United Bank for Africa Plc.