Tuesday, August 11, 2009
King III and Corporate Governance from 2010
I am sure we are all aware of the King II report and its impact on the approach to Risk Management in South Africa. The draft King III report was published for comment in April this year and will more than likely be legislated early next year. The following key issues stand out in the King III report as opposed to the King II report:

1. It has adopted an "apply or explain" basis instead of the previous "comply or explain". This is in part because the report has been expanded to include all entities and not only JSE listed ones. This will allow medium to small entities to apply the principles selectively, but with an explanation as to why certain principles have not been met or implemented. It thus has a more self-regulatory basis.

2. The code will be legislated, whereas the previous report merely served as a code of best practice.

3. It has a risk-based approach rather than a pure legal compliance concept.

KPMG have summarized the Risk Management portion of the report as follows:

Risk Management

Risk management is inseparable from the company’s strategic and business processes. The Board is responsible for the risk management process (including the company’s risk appetite, capacity and tolerance limits) and may delegate risk management to a Risk Committee.

The Risk Committee:
- Can be comprised of executive and non-executive directors, management and independent risk management experts, with a minimum of three members
- Should be chaired by a non-executive director and meet at least twice per annum
- Should consider risk maturity, risk management activities, significant risks, material losses or changes in risks, due diligence activities, IT risks and risk reporting.

Management is responsible for implementing the risk management process. Risk management should be embedded in the company, practised daily by staff, and risks should be assessed on an ongoing basis.

The Board should:
- Ensure regular (at least annual), comprehensive risk assessments and must review the risk register
- Ensure risk identification is directed towards company objectives
- Ensure quantification of, and appropriate response to, key risks, and validation with stakeholders
- Adopt a risk management plan and approve the company’s chosen risk philosophy
- Approve key risk indicators and tolerance levels (internal audit to provide independent assurance on the risk management process)
- Disclose risk tolerance and report on the effectiveness of risk management in the annual report
- Ensure the company’s reputational risk is protected
- Determine the extent to which sustainability issues are addressed and reported (e.g. through stakeholder risk assessment, ethics risk assessment, environmental risk assessment and human capital considerations)
- Take ownership of IT governance, including IT security.