The Singapore Monetary Authority has provided extensive risk management guidance that envisions a company board risk committee and a risk compliance officer. The guidance was provided pursuant to the Singapore Corporate Governance Code, under which the board is responsible for the governance of risk. The Code, in Principle 11, provides that the Board should ensure that management maintains a sound system of risk management and internal controls to safeguard shareholders' interests and company assets. The board should also determine the company's levels of risk tolerance and risk policies, and oversee management in the design, implementation and monitoring of the risk management and internal control systems.
The Code also states the board should annually review the effectiveness of the company's risk management and internal control systems, including financial, operational, compliance and information technology controls. Importantly, the Code says that the board may establish a separate board risk committee.
In its guidance, the MAS said that a board risk committee should be composed of at least three members, the majority of whom are independent, and meet at least twice a year. Also, the duties of the risk committee should be made clear from the outset to avoid confusion, especially in relation to the audit committee. The MAS emphasized the importance of maintaining communication between the board risk committee and the audit committee, with both committees interacting as often as possible to ensure that timely information is exchanged and appropriate action taken where necessary.
A company may also decide to appoint a Chief Risk Officer to provide executive oversight and co-ordination of the company’s risk management efforts. In the view of the MAS, such a decision would depend on various factors, including the scale, diversity and complexity of the company’s operations. In appointing a CRO, companies must be mindful that ownership of risks still resides with the relevant departments and not the CRO.
More broadly, the Authority described the risk management process as an integral part of good management practices that should be embedded into the company’s core business activities.
If a board decides to set up a separate Risk Committee to assist in its oversight of risk management, it should consider that it is the board’s oversight duty to ensure that risks relevant to the company are adequately addressed and mitigated. The board should also recognize that, since risks faced by a company are constantly changing, a sound system of risk management and internal controls depends on a thorough and regular evaluation of the nature and extent of risks to which the company is exposed.
The risk committee should set policies on the company’s system of risk management and internal controls. It should seek regular and constant assurances that the system is functioning effectively and further review the system for effectiveness.