The third edition of the Australian Securities Exchange (ASX) Corporate Governance Principles and Recommendations was published in March and took effect for a listed entity's first full financial year starting on or after 1 July 2014.
Principle 7 concerns the management of risk. It has been revised substantially in line with the requirements of ISO 31000 Risk management -- Principles and guidance. It is no longer concerned with just the management of material risks. The emphasis is now on the establishment and demonstration by management that there is a sound framework for managing risk, and the board or its subordinate risk committee must review that framework at least annually to satisfy itself that it is sound.
Principle 7: Recognise and manage risk
A listed entity should establish a sound risk management framework and periodically review the effectiveness of that framework.
The commentary on Principle 7 states that:
- Recognising and managing risk is a crucial part of the role of the board and management.
- It is the role of management to design and implement that framework and to ensure that the entity operates within the risk appetite set by the board.
- It is the role of the board to set the risk appetite for the entity, to oversee its risk management framework and to satisfy itself that the framework is sound.
- The board or a committee of the board should review the entity's risk management framework at least annually to satisfy itself that it continues to be sound.
The ASX guidance follows ISO 31000 and defines risk management as "coordinated activities to direct and control an organisation with regard to risk", and a risk management framework as "a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation".
Because these requirements are a departure from what was required previously, listed companies will have to change what management reports to their boards. Instead of just supplying information on the major risks, management must now address the contents and effectiveness of the risk management framework.
Grant Purdy recently addressed breakfast meetings in Sydney and Melbourne to discuss these changes and to give advice on:
- What a framework is, its components and its purpose
- How a framework fosters integration, and what this means
- How companies can evaluate the effectiveness of their frameworks and report on that.
A copy of his presentation materials can be found here.
Grant concluded by saying that:
As we naturally manage risk all the time, and every time we make a decision, we can be more confident in decision-making. We are more likely to be successful if we are more systematic in the way we consider and deal with risk.
He advised delegates that:
The risk management framework is the means to achieve and maintain effective risk management, but it will not work if some parts are missing or weak. This is why governance-related reporting must focus on the framework and its effectiveness, so that stakeholders, including shareholders, can gain assurance that their capital is being protected and exposed to the kinds and levels of risk they expect.
More advice on the development of effective frameworks for risk management and their evaluation is provided elsewhere.