The Danish Stock Exchange's Committee on Corporate Governance recommends:
»Effective risk management is a prerequisite for the Board of Directors to be able to perform the tasks that it is responsible for in the best possible way. It is therefore important that the Board of Directors ensures that appropriate risk management systems are established, and otherwise ensures that such systems meet the company's needs at all times.«
The board should set goals, prepare a strategy and appoint sub-goals based on the overall vision for the organization. The goals are a prerequisite for the Board of Directors and the Executive Board to be able to identify events with potential impact on the achievement of these goals.
This can be summarized as follows:
No company operates in a risk-free environment, but with controlled operational risk management, the Board of Directors and the Executive Board can enable themselves to maneuver effectively in risky environments. Appropriate risk management strengthens the ability to:
The company's internal environment provides the foundation for risk management and sets the tone of the company. The internal environment affects employees' risk awareness, is the basis for the entire risk management, and determines how risks are identified, assessed, and managed.
Factors in the internal environment include:
As part of identifying events that may affect the realization of the company's objectives, the Executive Management should consider both external and internal factors:
Carrying out a risk assessment allows the company to identify the extent to which possible events may affect target achievement:
Management should establish a risk management policy within which the company must act. The risk management policy should partly contain the organizational framework for risk management and partly set clear goals for the company's risk appetite and policy for control and monitoring.
In addition, the policy should identify the areas - externally and internally in relation to the company - that have the management's special attention, as well as set requirements for how reporting regarding risks should take place.
Management's risk response in the form of options for hedging risk can be outlined as follows:
Control activities are the principles and procedures that help to ensure that a risk response is implemented appropriately and that it is carried out throughout the organization, at all levels, and in all functions.
The control activities are part of the process by which a company strives to achieve its business goals, and include a number of activities:
All organization levels need proper information to identify, assess, and react to risks to reach the goals of the company:
Relevant information comes from both internal and external sources and can be presented in either quantitative or qualitative form. The information must make it possible to adapt risk management promptly in response to changed circumstances, and not only when the year has passed.
The risk management process should be monitored through a process in which both the presence and the quality of the individual risk management measures are assessed over a period of time.
Monitoring takes place through a combination of: