IRM Qatar chapter workshop/seminar on the role of risk committees in corporate governance
Held on - 2 October 2019
SUMMARY REPORT ON SEMINAR PROCEEDINGS
Authored By Aarn Wennekers, Dylan Campbell, Hatem Elsafty, Rahat Latif, Sean Gotora.
The IRM Qatar Regional Group organized, with the support of Hatem Elsafty, a seminar, “IRM Event - The Role of the Risk Committee in Corporate Governance in Qatar”, on 2 October 2019. It was a panel discussion bringing together Qatar experts in the field:
- Aarn Wennekers, Director – Governance and Planning, Qatar Free Zone Authority
- Dylan Campbell, Risk Manager, QCHEM
- Sean Gotora, Risk Manager, QAPCO
- Rahat Latif, Risk Manager, Qatargas, IRM Board member
The specific objectives of the seminar were the following:
- Discuss the role of the Risk Committee in the governance of an organization
- Understand different risk governance structures
- Discuss the types of reports a committee expects
- Discuss the authority risk committees have and whether they understand that authority
- Discuss the recommendations to make risk committee and governance more effective
Summary of the session
The seminar was attended by experts in the fields of risk management, governance and audit from various industries in Qatar, such as oil & gas, insurance, construction, and the Government sector.
The seminar provided a good opportunity to foster networking among risk management and governance practitioners and to share knowledge on improved governance, accountability, effective risk management and related topics.
Following a very active and lively seminar, delegates were encouraged to remain in contact and exchange information on the topic of risk management.
Lessons learned and the way forward
Some of the lessons learned included:
There is no one size fits all model for setting up risk governance committees for an organization. The committee structures should be designed to fit the culture, size and complexity of the organization.
There is no single way to structure risk governance, BUT, after the Board, the highest risk governance body (the Board Risk Committee / GRC) should be chaired by a board member. The Board is ultimately responsible for providing governance and oversight, including defining what is expected in terms of risk management.
To be effective, risk committees should be comprised of competent members who understand the business and should be a blend of executive and non-executive board members. They do not necessarily need to be experts in risk management, but they should understand the key vulnerabilities and challenges of the business.
Risk committees should take a predictive approach, i.e. look at the risk position today, review it at least every quarter, plot the general trend line, and project the expected future risk and the course of action. (The review frequency may be weekly, depending on how big the risk is and on the related risk champions.) Reporting should be at least quarterly, using dashboards that show KPIs and risk trends from the previous quarter and projections for the next quarter.
Fear is the main reason why people hide risks in an organization. It can be fear of reputation damage or fear of reporting to management. In some organizations this culture is now changing and people are willing to highlight risks, but it still needs to be embedded in the organization’s risk culture. This can only be done through communication and by the risk committee building trust: convincing people that there is no penalty for reporting and identifying risks, and making them understand the value of doing this today and what will be achieved by it. A change in culture is very important to remove fear, and it should be fostered by the risk committee.
Additional risk structures may be established further down the organisation as required to meet the organisation’s risk management needs.
There are definite pitfalls to avoid, though. For example, a combined risk and audit committee should ensure that the risk management function does not exist only to serve the needs of the audit function, but is seen as a value-adding component in its own right that helps ensure business objectives are met. On the other hand, where the risk and audit committees are separate, it is essential that good communication exists between the two committees. This is facilitated by good working relationships between the risk and audit functions within the organization.
Risk reporting was observed to be effective when it takes a summary, high-level form. Typically these reports should highlight major trends, key risks, mitigation and other factors that need to be considered. As far as possible, it is the risk owners who should explain what is going on, what is needed and what support is required, rather than the risk manager. Such summary-level reports facilitate discussion and action, and in the panelists’ opinion this trumps detailed, narrative-type reports.
Communication and trust are the key to effective risk management. Risk managers have to build a great deal of trust in the business so that people are comfortable sharing information with them. They have to act as trusted advisors and build relationships with all decision makers, so that when anything important happens those decision makers turn to them.
Building relationships is also very important: talk to people and understand what is important to whom, be persuasive, and make people comfortable sharing information with you. Getting the right information in real time is important.
Effective risk management requires that the risk function communicates with the various stakeholders in the business. There is no substitute for face-to-face engagement. While risk data analysis is important, it is not effective unless it is supported by discussion and engagement.
Acting on behalf of the Board, the risk committee’s primary role is to:
- Assess the effectiveness of the ERM Program
- Review the status of top risks and the mitigation efforts to be funded in the annual budget planning cycle, clearing ‘road blocks’ where required.
- Request management investigation where potential challenges and deficiencies are identified. Care must be taken not to direct management on how to address these, but to request that management investigate and, if required, remediate them.
- Liaise closely with other governance committees to exchange information relevant to enterprise risk management.
- Report to the Board on the above activities.
Factors that made organizations bounce back from risk events are:
- Speaking up
One of the questions raised was how to align strategy and the risk department.
The answer explained the whole concept of having both strategies and risks in an organization.
Strategy and risk go hand-in-hand as strategies are designed to manage the identified risks.
Every strategy development department conducts a risk analysis before formulating a strategy, so that strategies can be developed to target the identified risks. Risk and strategy are intrinsically linked; therefore the right information must be brought to decision-making.
Another question raised concerned the blockade: before it happened, it may have been seen as a risk, but since it has now occurred it has become a reality. Why do companies still talk about blockade risk?
This was again answered very well by our speakers: every event has a cause and a consequence, and thus creates further uncertainties. Before the event, the blockade was a risk; now that we are operating within the context of the blockade, the risks of operating in this environment should be considered.
The blockade has changed the environment, and so we should focus on the new opportunities and threats that have arisen from the new situation.
The last question, which was very interesting and drew very good answers, was: what is the difference between audit and risk management? Why have both if they are the same?
To answer this question, our panellists shared a good example that explains both concepts in a simple way.
Risk and Audit are two sides of the same coin, have similar objectives but approach it from different directions.
- Objective = attend a meeting at destination X
- Strategy = travel via road (i.e. drive to destination X)
- Objective – arrive at destination X within two hours, safely and attend the meeting
- Understand the risks to the objective and strategy (things that may stop you from attending the meeting or from arriving safely and on time at the location). Such risks may include, but are not limited to:
- Traffic congestion
- Failure of safety equipment: seatbelts, brakes, etc.
- Reliability of the vehicle
- Speed etc.
Things that do not impact your ability to arrive at the desired destination (achievement of the objective) are not risks. (i.e. a tsunami in an unrelated location does not impact my objective, therefore, it is not a risk.)
Risk management: before you depart, identify and assess the risks, decide how to manage them, and implement controls (Avoid, Accept, Treat, Terminate).
Audit follows: while you are on your way, or after you arrive, an audit may check and verify whether the controls you claim to have are working. Does the seatbelt work? Do the brakes work? Are you following the speed limits? Are you following the planned route? At the organisational level, audit wants to ensure the repeatability of processes and to confirm that the controls on the important processes, those that address the most pertinent risks, are implemented and working (effective). If there are deficiencies in the process or controls, they are identified and addressed, or later considered in the risk assessment.
Thus we can say that both audit and risk management serve the same objective, but risk management is future-oriented, addressing things that could happen, while audit deals with how things were done in the past.
It was a very informative seminar for all the attendees, and we are grateful to all the speakers, experts in the field of risk management, for sharing their valuable experience and ideas.
Right to left, (Aarn, Dylan, Sean, Rahat & Hatem)