The Singapore Monetary Authority has provided extensive risk management guidance that envisions a
company board risk committee and a risk compliance officer. The guidance was
provided pursuant to the Singapore Corporate Governance Code, under which the board
is responsible for the governance of risk. The Code, in Principle
11, provides that the Board should ensure that management maintains a sound system of risk management and internal controls to safeguard shareholders'
interests and company assets. The board should also determine
the company's levels of risk tolerance and risk policies, and oversee management in the design, implementation and monitoring
of the risk management and internal control systems.

The Code also states that the
board should annually review the effectiveness of the company's risk management
and internal control systems, including financial, operational, compliance
and information technology controls. Importantly, the Code says that the board
may establish a separate board risk committee.

In its guidance, the MAS said that a board risk committee should be composed of at
least three members, the majority of whom are independent, and meet at least
twice a year. Also, the duties of the risk committee should be made clear from the outset to avoid
confusion, especially in relation to the audit committee. The MAS emphasized
the importance of maintaining communication between the board risk committee and
the audit committee, with both committees interacting as often as possible to ensure
that timely information is exchanged and appropriate action taken where necessary.

A company may also decide
to appoint a Chief Risk Officer to provide executive oversight and co-ordination
of the company's risk management efforts. In the view of the MAS, such a
decision would depend on various factors, including the scale, diversity and
complexity of the company's operations. In appointing a CRO, companies must be
mindful that ownership of risks still resides with the relevant departments and
not the CRO.

More broadly, the Authority described the risk management process as an integral part of
good management practices that should be embedded into the company’s core
business activities.

If a board decides to set
up a separate Risk Committee to assist in its oversight of risk management, it
should consider that it is the board's oversight duty to ensure that risks relevant
to the company are adequately addressed and mitigated. The board should also
recognize that, since risks faced by a company are constantly changing, a sound
system of risk management and internal controls depends on a thorough and
regular evaluation of the nature and extent of risks to which the company is
exposed.

The risk committee should
set policies on the company's system of risk management and internal controls. It
should seek regular and constant assurances that the system is functioning
effectively and further review the system for effectiveness.