The Responsibilities of the Board

Ensure growth and continued existence through proactive risk management

Effective Corporate Governance Requires Risk Management, Too

Establish appropriate risk management systems

The Danish Stock Exchange's Committee on Corporate Governance recommends:

»Effective risk management is a prerequisite for the Board of Directors to be able to perform the tasks that it is responsible for in the best possible way. It is therefore important that the Board of Directors ensures that appropriate risk management systems are established, and otherwise ensures that such systems meet the company's needs at all times.«

 

Setting goals with risks in mind

The board should set goals, prepare a strategy, and define sub-goals based on the overall vision for the organization. The goals are a prerequisite for the Board of Directors and the Executive Board to be able to identify events with potential impact on the achievement of these goals.

This can be summarized as follows:

  • Every company faces a number of different risks from external and internal sources that partly stem from the company's strategy.
  • It is a prerequisite for effective risk management that goals are set for the company.
  • Goals are set at a strategic level and are the basis for goals regarding operations, reporting, and compliance.
  • The goals are adjusted according to the company's willingness to take risks.

 

Benefits of risk management

No company operates in a risk-free environment, but with controlled operational risk management, the Board of Directors and the Executive Board can maneuver effectively in risky environments. Appropriate risk management strengthens the ability to:

  • Adjust risk appetite in relation to strategy
  • Link growth, risk, and return
  • Strengthen decisions on response to risks that exceed your risk appetite
  • Minimize operational surprises and losses
  • Identify and manage risks across the company
  • Ensure complete management of diverse risks

Execution in Real Life

The internal risk management environment

The company's internal environment provides the foundation for risk management and sets the tone of the company. The internal environment affects employees' risk awareness, is the basis for all risk management, and determines how risks are identified, assessed, and managed.

Factors in the internal environment include:

  • The company's philosophy on risk management
  • Risk appetite and risk culture
  • Management philosophy and management style, as well as the way that management distributes powers and responsibilities
  • The risk competence level of employees 

 

Event identification

As part of identifying events that may affect the realization of the company's objectives, the Executive Management should consider both external and internal factors:

  • Identification of potential events (internal and external) that may affect the company's ability to implement the strategy and achieve the established goals
  • The distinction between risks and opportunities:
    • events that may have a negative impact are indicative of risk
    • events that may have a positive effect reflect opportunities that management can channel back to the strategy and goal-setting process.

 

Risk assessment

Carrying out a risk assessment allows the company to identify the extent to which possible events may affect target achievement:

  • In carrying out the risk assessment, the company shall consider the extent to which possible events may affect the achievement of the target
  • Risks should be assessed based on both probability and likely consequence
  • Both qualitative and quantitative methods should be applied
  • The time horizon is the same as the time horizon for goal achievement.

 

Risk response

Management should establish a risk management policy within which the company must act. The risk management policy should partly contain the organizational framework for risk management and partly set clear goals for the company's risk appetite and policy for control and monitoring.

In addition, the policy should identify the areas - externally and internally in relation to the company - that have the management's special attention, as well as set requirements for how reporting regarding risks should take place.

Management's risk response in the form of options for hedging risk can be outlined as follows:

  • Avoid risks by choosing another strategy
  • Reduce the likelihood of risks occurring through preventive measures
  • Reduce the consequences of an incident through the establishment of emergency preparedness and daily routines.

Control activities

Control activities are the principles and procedures that help to ensure that a risk response is implemented appropriately and that it is carried out throughout the organization, at all levels, and in all functions.

The control activities are part of the process by which a company strives to achieve its business goals, and include a number of activities:

  • Verifications
  • Approvals
  • Polls

 

Information and communication

All levels of the organization need proper information to identify, assess, and react to risks in order to reach the goals of the company:

  • Management identifies, collects, and communicates relevant information in a way and within a time frame that enables employees to perform their work tasks
  • Everyone in the organization understands their role in relation to risk management.
  • The management uses a reporting and communication tool that, through its setup, automatically shares the necessary information with the right functions.

Relevant information comes from both internal and external sources and can be presented in either quantitative or qualitative form. The information must make it possible to adapt risk management promptly in response to changed circumstances, and not only when the year has passed.

 

Monitoring and reporting

The risk management process should be monitored through a process in which both the presence and the quality of the individual risk management measures are assessed over a period of time.

Monitoring takes place through a combination of:

  • Automatic, recurring monitoring activities
  • Separate and specific assessments

Risk management shortcomings must be reported upwards and across the organization. Reporting systems should automatically notify the Executive Board and the Board of Directors of serious matters.