The objective of this document is to indicate the importance of a structured approach to managing information as a valuable asset, and of applying that structured approach in business systems planning to enable successful and effective implementation of architecture principles in mitigating organisational risk.
a. Risk Management
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
b. Rewarded risk
Rewarded risk can be defined as those risks associated with value creation, e.g., introducing a new product to the market.
c. Unrewarded risk
Unrewarded risk can be defined as those risks associated with the protection of existing organisational value, e.g., compliance with Acts, laws, regulations, policies and procedures, etc.
d. IT architecture
Technology architecture is the structured design of the technology within the organisation or enterprise. Often, technology architecture treats software systems, hardware systems and networking infrastructure as three separate subsets. Other items that could be included are security and data.
e. Corporate governance
Corporate governance refers to the structures and processes for the direction and control of companies.
Key principles of corporate governance (King III):
* Good governance is essentially about effective leadership. Leaders need to define strategy, provide direction and establish the ethics and values that will influence and guide practices and behaviour with regard to sustainability performance.
* Sustainability is now the primary moral and economic imperative and it is one of the most important sources of both opportunities and risks for businesses. Nature, society, and business are interconnected in complex ways that need to be understood by decision-makers. Incremental changes towards sustainability are not sufficient – we need a fundamental shift in the way companies and directors act and organise themselves.
* Innovation, fairness, and collaboration are key aspects of any transition to sustainability – innovation provides new ways of doing things, including profitable responses to sustainability. Fairness is vital because social injustice is unsustainable and collaboration is often a prerequisite for large-scale change.
* Social transformation and redress are important and need to be integrated within the broader transition to sustainability. Integrating sustainability and social transformation in a strategic and coherent manner will give rise to greater opportunities, efficiencies, and benefits, for both the company and society.
* King II required companies to implement sustainability reporting as a core aspect of corporate governance. Since 2002, sustainability reporting has become a widely accepted practice and South Africa is an emerging market leader in the field. However, sustainability reporting is in need of renewal in order to respond to:
  * The lingering trust deficit among civil society regarding the intentions and practices of big business.
  * Concerns among business decision-makers that sustainability reporting is not fulfilling their expectations in a cost-effective manner.
C. Relationship between IT architecture, risk management and corporate governance
A risk-intelligent enterprise will balance rewarded and unrewarded risks. Focusing on value creation (rewarded risk) to the exclusion of value protection (unrewarded risk) will quickly lead to the slippery slope of non-compliance, litigation, reputational risk, etc.
D. Failure taboo
The failure taboo is simply the fear of unveiling all possible business failures in existing and new business ventures. In most cases, boardroom discussions centre on the positive aspects of the company's strategies and the need to rally around them, with scant consideration of the downside possibilities.
Effective risk management requires:
* First acknowledging and then analysing the risks and uncertainties that threaten the achievement of corporate objectives; only then can companies manage them effectively.
* Challenging the assumptions that underlie strategic planning; only then can the prospects for success be strengthened.
* Recognising the potential for failure in order to avoid failure itself.
* Addressing failures in advance to prevent feeling their effects later.
Fundamental questions that must be asked, not avoided, include the following:
What could cause us to fail in:
* Attaining and sustaining revenue growth?
* Increasing our operating margins and improving the efficiency of our assets?
* Meeting the expectations of our key stakeholders?
By asking these questions, and by understanding how the enterprise can fail, planners and decision-makers can then decide:
* How to prevent it;
* How to more readily detect early warning signs; and
* How to implement course corrections.
E. Components of enterprise risk management
Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are:
1. Internal environment – The internal environment encompasses the tone of an organisation, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
2. Objective setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
3. Event identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management’s strategy or objective-setting processes.
4. Risk assessment – Risks are analysed, considering likelihood and impact as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
5. Risk response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
6. Control activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
7. Information and communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
8. Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
F. Integrating risk management in strategy execution
A strategic risk management action plan should consider how risk assessment and risk management can be integrated into strategy-execution processes. This would include integrating risk management into strategic planning and performance measurement systems. The Kaplan-Norton Strategy Execution Model describes six stages for strategy execution and provides a useful framework for visualising where risk management can be done.
Stage 1 – Develop the strategy:
This stage includes developing mission, values, vision; strategic analysis; and strategy formulation. At this stage, a strategic risk assessment could be included that could use the Return Driven Strategy framework to articulate and clarify the strategy and the strategic risk management framework to identify the organisation’s strategic risks.
Stage 2 – Translate the strategy:
This stage includes developing strategy maps, strategic themes, objectives, measures, targets, initiatives, and the strategic plan in the form of strategy maps, balanced scorecards, and strategic expenditures. Here the strategic risk management framework would be used in developing risk-based objectives and performance measures for balanced scorecards and strategy maps. It would also be useful for analysing risks related to strategic expenditures. You could also consider developing a risk scorecard at this stage.
Stage 3 – Align the organisation:
This stage includes aligning business units, support units, employees, and boards of directors. The Strategic Risk Management Alignment Guide and Strategic Framework for GRC would be useful for aligning risk and control units toward more effective and efficient risk management and governance, and for linking this alignment with the strategy of the organisation.
Stage 4 – Plan operations:
This stage includes developing the operating plan, key process improvements, sales planning, resource capacity planning, and budgeting. In this stage, the strategic risk management action plan can be reflected in the operating plan and dashboards, including risk dashboards.
Stage 5 – Monitor and learn:
This stage includes strategy reviews and operational reviews. Strategic risk reviews would be part of the ongoing strategic risk assessment, which reinforces the continual, closed-loop approach necessary for effective strategic risk assessment and strategy execution.
Stage 6 – Test and adapt:
This stage includes profitability analysis and emerging strategies. Emerging risks can be considered part of the ongoing strategic risk assessment in this stage. The strategic risk assessment can complement and leverage the strategy-execution processes in an organisation toward improving risk management and governance.