Why Governance and Why Risk?

Why is Governance and Risk needed for your company?

Most of managers and administrators in Botswana already believe that Governance and Risk are important.  We believe that their problem is implementing good governance and risk systems and procedures.  If you are the one, who would like to still know about risk and governance, then this article is for you. 

Good governance means good leadership.  Good risk management means all employees and all contracted service providers make decisions properly.  With good leadership and decision making, your company sets the right objectives and follows proper methods to best achieve those objectives.  When these happen you r company is the most valuable that it can be to the shareholders and all other stakeholders.   So you need governance and risk mangmenet in order to generate and capture great value, to be efficient and effective. 

It is mandatory for parastatals and publicly traded companies.  But don't wait until you are legally forced to do it.  You should wise to embrace it voluntarily.   

When is Governance and Risk mandatory?

Publicly traded companies and Government owned parastatals have to follow recommended governance and risk management practices.  According to Financial Reporting Act, where two of the four criteria (turnover being P 200 million or more; employees being 200 or more; liabilities being P 50 million or more; and total assets employed being P 150 million or more) are met, governance and risk management practices are mandatory.  For all these entities, corporate governance and risk management practices will be subject to quality assurance by Botswana Accountancy Oversight Board.

King 3 and King4

King 3 Corporate Governance Code is widely practiced in Botswana, becasuse BAOA prescribes it as a minimum requirement.   A few companies have moved to King 4.  King 3 Code consists of 75 specific requirements that should be considered for inclusion for or omission from implementation and when a decision is made not to implement, then the reason should be specified in writing.  King 3 is therefore a "Rule Based Code" imposing "Do or Explain" requirement for each of the 75 rules. 

King 4 on the other hand is a principle based Code consisting of 16 core principles originating from 4 components namely, (1) strategy, (2) policy, (3) oversight and (4) accountability applied to 4 outcomes namely, (1) leadership (2) performance (3) quality and (4) legitimacy.  King 4 calls for "Do AND explain", as opposed to King 3.

ISO 31000

ISO 31000 gives a unique and unusual definition to risk by including "opportunity" within the ambit of "risk".  Therefore in a way, ISO 31000 explains the scientific decision making process recommended to be pursued in businesses and organisations.  ISO 31000 revolves around 8 principles applied on the basis of a 5 -component frame work to 6 key processes and 3 subprocesses as under:-

(1) Integrate, (2) Design, (3) Implement, (4) Evaluate and (5) Improve are the 5 key framework components for the risk framework context as well as for the risk (or opportunity-seeking) process.  (1) Integration, (2) structure, (3) customising, (4) Inclusivity of all stakeholders (5) dynamic nature, (6) best available information, (7) human and cultural factors and (8) continual improvement are the 8 risk management principles that need to be applied in making and implementing the framework.   At the core or the heart of risk management process are (1) Risk Assessment and (2) Risk Treatment.    Risk Assessment includes 3 sub-processes namely (1) Risk Identification (2) Risk Analysis and (3) Risk Evaluation.  Out of these two key processes, namely risk assessment and risk treatment, there are 4 essential formal organisational processes namely (1) Scope, Context and Criteria (2) Monitoring and Review (3) Recording and Reporting and (4) Communications and Consultation.

COSO Risk Framework

COSO framework is widely used.  It is not different from ISO 31000 in most aspects.  Significant differences are that the context is somewhat underemphasized in COSO.  However enterprise-wide application is recommended by COSO, while ISO 31000 also agrues for risk management practice applied to a division or a department.

Risk Management not only addresses laws and regulations particularly those relating to anti-money laundering, counter financing of terrorism, company management, immigration and business licensing, taxation, accounting, etc., but more important they make your organisation more agile, adaptable and aligned to value chain participants.