Beyond Play: A Down-To-Earth Approach to Governance, Risk and Compliance
Ebook, 661 pages, 7 hours


About this ebook

There is a lot of information available on governance, risk and compliance as separate subjects but little on the interrelation between the three components known in the industry as enterprise-wide governance, risk and compliance (eGRC).

This book brings eGRC to the reader in a way that starts with simple concepts and builds on them to provide insight and a practical guide for a holistic approach to eGRC.

Companies have to manage risk in order to remain a sustainable force in the marketplace. Efforts to reduce risk can, unintentionally, be uncoordinated, disjointed or even neglected. Through not implementing a more cohesive and systematic approach to managing risk, opportunities to benefit the company can also be missed. Beyond Play offers a practical and simple approach.

Compliance is a very specific form of risk: that of complying with the law, but the role of the compliance officer includes a lot more. Working with the law and regulators and applying a compliance methodology are explained to provide value to learners, compliance officers, managers, prescribed officers and directors.

Many companies play at corporate governance, probably because it is perceived as being too big to grasp. This book will change your thinking and will help directors pave the way for implementing a framework that can be worked with on a practical level within an enterprise-wide risk management context.

The systemic nature of risk means it can spread to customers, shareholders, communities and economies, as the credit bubble of 2008 has proved. Equally, a company that applies a robust and intelligent approach to eGRC has a positive influence on the marketplace, the community and a nation. Do you believe that your business, whether for profit or not for profit and on the basis on which it currently operates, is sustainable in an increasingly dynamic world?

This book uses examples from the financial services industry; it also makes reference to South African legislation and governance codes. These references do, however, focus on international best practices so the methodologies can be universally applied.

Governance, risk and compliance is an integrated concept to be incorporated within an enterprise risk framework which helps an organisation, either private or public, for profit or non-profit, to direct its strategies and operations with integrity and within the law; the reason being to achieve its goals in such a way that its stakeholders and the economy as a whole are never compromised or put at risk beyond that which has been carefully defined and deemed acceptable.
Language: English
Publisher: Xlibris UK
Release date: May 2, 2014
ISBN: 9781493194513
Author

Dawn Pretorius

Dawn Pretorius has some twenty years of experience running her own consultancy business focusing on governance, risk, and compliance for financial services. Her practice is registered with the Financial Sector Conduct Authority in South Africa. Her career in the corporate world focused on banking from a number of different perspectives, ranging from wealth management, international investment opportunities, and estate and trust planning to lecturing, mainly to bankers. Her qualifications include a Master’s Degree in Commerce, a B.Tech in Banking and a Wits Business School Management Advancement Program. She also holds a number of certified courses offered by the Institute of Bankers in areas related to estate and trust management. Her book Beyond Play, published in 2014, represents a down-to-earth approach to governance, risk, and compliance. Concerns around the exponential growth of money laundering globally, and efforts to curtail it, led her to write this book.


    Book preview

    Beyond Play - Dawn Pretorius

    Copyright © 2014 by Dawn Pretorius.

    Library of Congress Control Number:   2014907712

    ISBN:      Hardcover   978-1-4931-9435-3

                    Softcover     978-1-4931-9436-0

                    eBook         978-1-4931-9451-3

    All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the copyright owner.

    Any people depicted in stock imagery provided by Thinkstock are models, and such images are being used for illustrative purposes only.

    Certain stock imagery © Thinkstock.

    Rev. date: 06/30/2014

    Xlibris LLC

    0-800-056-3182

    www.xlibrispublishing.co.uk

    521092

    CONTENTS

    Foreword

    Introduction

    Chapter 1 The Nature Of Risk

    Risk is an intrinsic part of life

    The commonalities of risk

    Risk represents uncertainty

    Risk represents exposure

    Risk represents financial loss

    Risk represents opportunity

    The appetite and tolerance for risk

    The control and non-control of risk

    The interrelatedness and systemic nature of risk

    Chapter 2 Putting Risk Into A Business Perspective

    Risk defined

    Types of risk

    Categories of risk

    Financial risk

    Regulatory risk/compliance risk

    Physical risk

    Credit risk

    Market risk

    Operational risk

    Currency risk

    Political and social risk

    Economic risk

    Reputational risk

    Basel Accords for specific banking risks (credit, market, and operational risks)

    Basel I Accord

    Basel II Accord

    Basel III Accord

    The human risk category

    Chapter 3 Working With Risk To Make It Less Risky

    Getting smart about risk

    A framework for managing risk

    Identifying risk

    Assessing risk

    Treating risk

    Risk avoidance (eliminate the risk)

    Risk mitigation (reduce or minimise the risk)

    Risk transfer (outsource or insure against the losses that the risk threatens to cause)

    Risk retention (accepting and budgeting to cover any losses associated with the risk)

    Risk control and monitoring

    Post-risk event analysis

    Risk reporting

    Risk control self-assessment

    Chapter 4 Generic Risk Mitigation Initiatives

    Company policies

    Processes and procedures

    Segregation of duties

    Insurance

    Risk management plans

    Key risk indicators

    Job training

    Risk awareness among staff

    Inculcating a culture of risk awareness

    Encouraging the reporting of possible risk issues

    Chapter 5 Business Continuity Planning

    Business disruption or interruption

    Business continuity defined

    The business continuity plan

    Business impact analysis

    Developing a business continuity plan

    Analyse the business

    Assess the risk

    Develop a strategy/design a solution

    Develop the plan

    Test and exercise

    Maintain

    Cloud computing and business continuity

    The risk of bankruptcy (business rescue)

    Chapter 6 Enterprise Risk Management

    The concepts of enterprise risk management

    The enterprise risk management framework

    The internal environment

    Objective setting

    Event identification

    Risk assessment

    Risk response

    Control activities

    Information and communication

    Monitoring

    The Equator Principles

    Risk intelligence

    Risk and quality: ISO 31000 and 31010

    The governance of risk

    The risk practitioner

    Conclusion on risk

    Chapter 7 Compliance—The Risk That Is Certain

    Compliance then…

    . . . And now

    Compliance risk defined

    Compliance in the context of risk

    The compliance function

    Working with the law

    Law-making and how laws are structured

    Interpretation of the law

    The role of legal specialists

    Chapter 8 Key Concepts And Principles Of Compliance

    Key concepts

    Effective leadership

    Sustainability

    Triple bottom line reporting

    Principles of compliance

    The profile of a compliance officer

    The requirements to be a compliance officer

    Building relationships

    Problem-solving and decision-making

    Managing change

    Independence, objectivity and authority

    The notion of independence

    Compliance structure and responsibilities to the board

    Hierarchical oversight value chain and responsibilities

    Compliance audits

    The compliance officer and the regulator

    Fines and penalties

    The compliance officer and treating customers fairly

    The impact of international financial services regulation on compliance

    Job stress

    Creating a compliant culture

    The cost of compliance

    Managing conflicts of interest

    Chapter 9 The Devil Is In The Detail

    Documents and document control

    Mapping the compliance universe

    The compliance risk management framework

    The compliance charter/policy

    Other policies and standards

    Compliance procedures and standards

    The compliance manual

    The compliance plan

    Compliance risk management plans

    Chapter 10 Holding The Reins

    Managing regulatory risk

    Phase I: Risk identification

    Phase II: Risk assessment and risk analysis

    Phase III: Risk management (control optimisation)

    Risk maps and process flows

    Key risk indicators

    Leading and lagging indicators

    Escalation triggers

    Breach logs and near-miss logs

    Internal audit reports, ratings, and recommendations of the internal audit function

    Phase IV: Compliance risk monitoring

    Role players in the monitoring process

    The monitoring process

    Report findings (internal review process)

    Regulatory reporting

    General compliance reporting to the audit committee/board of directors

    Changes and updates of regulatory risk

    Professional standards

    Managing change

    Guidelines for dealing with unknown situations

    Guidelines for giving advice

    Conclusion on compliance

    Chapter 11 Fraud And Corruption

    An endemic problem

    Corruption

    Fraud

    Insider trading and market abuse

    Whistle-blowing

    Establishing a citirep culture

    Enterprise fraud management

    Why are people fraudulent and corrupt?

    Fraud risk management

    On policies and procedures

    On monitoring

    On whistle-blowing and control

    On internal investigations

    On the offensive

    Chapter 12 Corporate Governance: Who You Are Matters More Than What You Deliver

    What is all the fuss about?

    Background to corporate governance

    Corporate governance defined

    The foundation of corporate governance in South Africa

    King Codes of Corporate Governance and Practice Notes

    The Companies Act 2008

    Committee on Responsible Investing by Institutional Investors in South Africa (CRISA)

    The King Code and rule of corporate governance

    Principle 1: Ethical leadership and corporate citizenship

    Principle 2: Boards and directors

    The composition of the board

    The performance of the board

    The role of the chairman and the CEO

    The role of the company secretary

    Governance committees

    Duties, rights, and responsibilities of the board

    Directors’ liability

    Principle 3: Audit committee

    Principle 4: Internal audit

    Principle 5: Risk management plan

    Principle 6: Compliance with laws, rules, codes, and standards

    Principle 7: Information technology

    Principle 8: Stakeholder relationships

    Principle 9: Integrated reporting and disclosures

    Chapter 13 Making Corporate Governance Come To Life

    The custodians of corporate governance

    Implementation of corporate governance

    Measurement of corporate governance

    From silo to enterprise-wide

    The nature of self-regulation

    Ethical considerations

    Conclusion on corporate governance

    Annexure

    Endnotes

    To my sons, Lyle and Dale, who are always there for me irrespective of how trying I can be, and a very special thanks to Vivienne O’Hare, a seasoned compliance officer, who took the trouble to read every word for me.

    However, I have made some changes so anything that is incorrect would solely rest with me.

    FOREWORD

    This book is intended for any person wanting to understand how a business should operate ethically and lawfully, taking into account how to manage or mitigate its risks on an enterprise-wide basis.

    The book unashamedly focuses on the financial services industry, which is probably the most compliance-driven and risk-aware industry in South Africa. It is not intended to be an academic account but a practical account of governance, risk, and compliance which should be at work in a company. Although all three elements of governance, risk, and compliance are discussed, compliance and corporate governance should be viewed as categories of risk within an enterprise risk management framework.

    However, what is applicable to the financial services industry is applicable to any industry in terms of an approach to governance, risk, and compliance. The principles apply to every company, big or small, for profit or non-profit, and they also apply to government, both nationally and provincially.

    I have written this book to give the reader (whether it be students, practitioners, or directors and officers) a connected enterprise and holistic view of governance, risk, and compliance (eGRC). For anybody in the position of compliance or risk manager, there is a lot more detail to investigate, learn, and experience. For directors, senior management, line managers, and other prescribed officers, the book will provide an alert regarding the components of governance, risk, and compliance.

    I have taken the liberty of including many valuable articles from institutions and individuals on the subject, and I have also added some of my own thoughts learnt over the years in banking and in the field of governance, risk, and compliance.

    22 October 2013

    INTRODUCTION

    Governance, risk, and compliance are known in the industry as GRC, and these three aspects are grouped together for a reason. All three should be embedded in an organisation to the extent that they become part of a culture of the ‘way we do things around here’. The more successfully they are embedded, the more seamless the delivery of the products or services to the final consumer will be.

    Governance, risk, and compliance cannot and should not be viewed separately. They are interdependent and symbiotically linked to one another to the extent that governance and compliance should be incorporated into an enterprise-wide management initiative or framework, referred to as eGRC. But interdependency brings with it the danger of conflict, unwanted overlaps, and potentially disturbing gaps if integration and alignment are not achieved.

    Governance, risk, and compliance issues make headlines with increasing frequency. The regulatory landscape is constantly changing, resulting in greater emphasis and focus on the accountability and responsibility of those at the helm. Executive management are challenged and pressurised to find practical solutions to improve the way in which their organisations are being managed and controlled, to manage various risks to an acceptable level and to ensure compliance with laws and regulations.

    Risk identification is the very first thing any department, business line, business unit, or company should embark on at the introduction of a business model, a new product or service, a new system, and even at the very first stage of research and development of a business idea. Risk management is a set of processes through which management identifies, assesses, and chooses how to respond to risk. Risk is embedded in the very core of any business whether it is an information security risk, a commercial risk, a safety risk, a financial risk or any other type of risk. It is for this reason this book starts with the concept of risk.

    Compliance in business means conforming to the laws of the country in general and those specifically pertaining to an industry. An organisation, therefore, has to put in place a structure and processes to identify the laws and regulations that affect the business, assess those requirements in terms of the risks they represent to the company, and initiate any actions deemed necessary to ensure the organisation complies. Compliance is, in fact, just a specific form of risk.

    Governance is akin to self-regulation but with accountability to all stakeholders for its decisions and actions and in itself poses a risk. Governance should form the essence of how a board of directors directs and controls the organisation by defining a hierarchical structure to ensure that the control of information, activities, and deliverables according to its mission and values are comprehensive and efficient and protect the integrity and reputation of the organisation. Corporate governance should go much further: it should add business value through improving strategic planning and decision-making to the extent that it positively impacts all stakeholders including communities, society as a whole, and the economy. Any company leaves an indelible footprint in its sphere of influence, and its legacy will be judged by those affected accordingly.

    There are a number of definitions worldwide on GRC (and some of those definitions tend to suit a vendor’s offering of its GRC products and services), but my version is as follows:

    Governance, risk, and compliance is an integrated concept to be incorporated within an enterprise risk framework which helps an organisation, either private or public, for profit or non-profit, to direct its strategies and operations with integrity and within the law; the reason being to achieve its goals in such a way that its stakeholders and the economy as a whole are never compromised or put at risk beyond that which has been carefully defined and deemed acceptable.

    Sadly, many companies do not apply GRC holistically; most times, the intention is there but the implementation is challenging and, because of that, somewhat haphazard. The question is this: is your business, on the basis on which it currently operates, sustainable in an increasingly dynamic world?

    CHAPTER 1

    THE NATURE OF RISK

    Risk is an intrinsic part of life

    At the heart of managing any business is the management of risk.

    In earlier days, heads of business units, senior managers, chief executive officers (CEOs), and directors automatically took on the role of managing risk without actually referring to it as such. In a sense, managing the elements of risk was embedded in the organisation to the extent that if there were risks, they were simply accepted as part of the business and what was taken for granted in managing a business. It was seldom a separate item on the meeting agenda.

    In the same way, we manage risks, sometimes without even conscious thought, as a given part of our personal daily lives.

    It is part of who we are and how we live. We see or perceive risk differently from one person to another; we manage it differently from one person to another, and we have a different tolerance towards it from one person to another.

    But the risk itself stays the same; it is how we perceive it and how we react or respond to it that makes it distinctive to each one of us. Almost any human endeavour carries some risks, but some are much more risky than others. Also, risks that may seem significant to us one day may not seem as important another day.

    We face risks each day, and depending on our lifestyle, they may be quite different.

    The wealthier we become, the more likely we are to take on more risks since we believe the consequences may not impact us as much. But the more we have at risk, the more we have to lose. Risk is risky, but the distinction lies in the extent to which we perceive it and can prevent or manage those risks on a daily basis. The more resources and educated thinking we can throw at those risks, the better we are likely to manage our exposure to them and the more likely we are to take on more risks.

    Why? Because we know that to take a risk, but a calculated one, is to take advantage of an opportunity to improve or enrich our lives. Why otherwise would we drive in traffic, invest in shares, study for an exam, or photograph gorillas?

    Risk is, therefore, an inherent and unavoidable element of life if we are to move forward and improve our lives; the trick is to do this with little or no harmful or debilitating effect.

    The concept applies in an organisation in exactly the same way.

    The stronger an organisation is, the more risks it is likely to take or have, but the organisation is stronger because it has taken more risks. The distinction lies in how the organisation views and manages its risk.

    The commonalities of risk

    All forms of risk have some aspects in common, and these commonalities are discussed below:

    Risk represents uncertainty

    The future is uncertain. The word ‘risk’ comes from the Latin ‘to dare’. When we dare to do something, there is a chance of the outcome not being what was intended or anticipated.

    Risk refers to the probability of something uncertain taking place in the future. It is concerned with both the probability of an event happening in the future and the seriousness of the consequences if, in fact, the event actually takes place.

    There is an uncertain element in almost anything we undertake in business. Uncertainty exists not only when there is more than one probable outcome but also where the probability of any particular outcome occurring is unknown. For this reason, a company has to understand its business thoroughly in order to identify the possible risks it faces.

    There are three aspects of risk regarding any undertaking:

    •  The perception (because it is how it is perceived) that some risk event could happen.

    •  The uncertainty whether the risk event will ever take place.

    •  The uncertainty of the consequences of that risk event if it does happen.

    The greater the uncertainty, the greater the potential risk. From a time perspective, if we try to predict something happening in the next three months, we may well be able to predict certain outcomes: for example, how new legislation is likely to affect the organisation, what the likely movement of interest rates will be, and what the benefits are of buying a software programme.

    But if we want to predict something that is likely to happen in five years, the further we look into the future, the more factors come into play. Because the future is uncertain, and because constant changes give rise to further uncertainty, uncertainty increases the further into the future we attempt to plan.

    Think of some predictions made in the past of which, of course, we now have the benefit of hindsight:

    •  Even if the Wright brothers do get the plane in the air (reported an eminent scientist), there is no conceivable way they will be able to bring the plane down without crashing it (1902).

    •  In less than twenty-five years, the motor car will be obsolete (1928).

    •  The problem with TV is that people must sit and keep their eyes glued to the screen; the average family hasn’t got time (1939).

    •  There is a world market for five computers (1943).

    •  Computers will not get much faster (1964).

    •  Rock and roll seems to have run its course (1962).

    •  1 January 2000 (Y2K)—the day all organisations prepared for and nothing happened (2000)!

    What event or events, for example, will trigger a change in your business? The demise of Kodak is a good example of not adapting to change. The company declared bankruptcy on 26 February 2012 and ended a splendid chapter in the history of photography. Some 100 years ago, photography was confined to professional photographers, but then the first automatic snapshot camera came on the scene and changed photography from studio stills by professionals to being an integrated part of daily life. When digital cameras hit the shelves along with other electronic gadgets, Kodak made excuses for not adapting to a new generation of consumers who did not necessarily care for a photograph to be printed.

    When we take a risk, how likely is it that we will receive an outcome that is different from the one we expect (or want)? The following examples demonstrate such uncertainty:

    •  The value of money will change during a project that will take longer than, say, three years to complete. But by how much is uncertain. The longer the project takes, the more the uncertainty.

    •  The Arab uprising: the fight for freedom from an existing regime in some of the countries may have been achieved, but the uncertainty of a sustainable democratic solution remains.

    •  The credit crunch of 2008 came suddenly after a number of years of good growth. Bailouts of big banks, and then countries, have patched the potential harm. But we do not know (at the time of writing) whether enough has been done to stave off further recessions and whether austerity measures will indeed be the right way to pay off the trillions of dollars in debt held around the world.

    ‘. . . There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know.’ (Source: Donald Rumsfeld, for a time Defence Secretary of the United States, Known and Unknown: A Memoir)

    Taking and managing calculated risks is necessary for companies to create profits and hence to grow shareholder value. Every organisation, regardless of its size or corporate structure, must, at some level, anticipate the business risks it may face so as to improve the prospects for its long-term survival. Decision-making must take risk and uncertainty into account—just because the future is uncertain, it does not mean that it should not be planned for.

    Note, however, that risk and uncertainty are not the same thing.

    Uncertainty arises from a person’s imperfect knowledge about what will happen in the future. There is uncertainty in decision-making situations if the decision-maker does not have complete knowledge or understanding of, or information about, the decision and its possible consequences. The level of uncertainty depends on the information that individuals can use to evaluate the likely outcomes and their ability to evaluate this information. In other words, uncertainty is present in various levels or degrees (see the table below).

    The Certainty—Uncertainty Continuum

    If damage or the outcome of a risk event is inevitable, it is no longer considered a risk. (I will be dead in sixty years. Because that is inevitable, there is no risk involved. The same goes for business. If the company is declared bankrupt, then there can be no further risk of bankruptcy. However, if I want to achieve something before I die, then there is the risk that I may not achieve it.)

    Where there is a high degree of uncertainty, prediction of possible outcomes would be difficult, but where there is complete uncertainty, prediction of possible outcomes is out of the question.

    The degree of uncertainty surrounding the event, therefore, determines the level or degree of risk.

    The degree of risk is interpreted in terms of the frequency with which (how often) an event is likely to occur and the probability that there will be a certain outcome when the event does occur.

    Risk represents exposure

    The greater the exposure to risk, the greater the risk is likely to be. Exposure is relative to the situation or how the situation is perceived.

    A simple analogy is standing in the wind: the stronger the wind, the more likely it is that you will blow over. Some people will love the feeling and others will fear it. How long a person is exposed to its harshness will determine how that person responds to protect himself. But the fact that there will be a cloud in the sky tomorrow is not a real risk since there is no real negative impact. However, if it rains tomorrow, that poses a risk for someone who plans a sports event.

    What kind of exposure to risk does an organisation face?

    Exposure in the business environment is constantly changing. A change in any aspect of the environment will mean that the organisation must realign itself with the change. So an organisation has to continuously and consciously scan the environment for possible changes and respond strategically.

    Managers cannot manage their companies effectively if they do not understand their exposure to the environment, the threats and opportunities that exist in the environment, and the trends that appear and disappear.

    Exposures to external forces which a company cannot control but that can seriously affect a company are the following:

    Technological environment

    The use of technology is a means of being able to get things done efficiently, accurately, and quickly. Well-designed technology also reduces risk in that it minimises and, if possible, avoids manual intervention. It changes the bases for competing organisations that live or die by their reputation. Imagine a bank that is unable to transfer funds electronically for a day (remember the debacle caused by the Royal Bank of Scotland).

    ‘. . . The error is understood to have occurred after a software update froze part of the banks’ computer systems last Wednesday, affecting 17 million customers.

    Although the problem was resolved on Friday, it created a backlog of more than 100 million transactions that were not paid in or out of bank accounts as they should have been.

    Deleted information then had to be painstakingly re-entered into the bank group’s computer system…’ (Source: http://www.newscientist.com/article/dn20263-japans-record-of-nuclear-coverups-andaccidents.html#.UwrEQ_uVpI0.)

    Information technology (IT) risks are many: what software or hardware does the company invest in? What would the likely life of the hardware or software be and will it be sufficient to obtain a return on the investment? Will staff and clients find the technology user-friendly or frustrating? What do we have to put in place to recover quickly enough so that our clients and the business are not materially compromised?

    Economic environment

    An organisation operates within an economic framework. But the economy is in turn influenced by technology, legislation, politics, the ecology, and the social and international environment. These cross-influences constantly cause changes in the economic growth rate, interest rates, levels of employment, and consumer income, as well as the rate of inflation, the exchange rate, and general state of the economy. Such economic forces ultimately result in prosperity or adversity for all its stakeholders to different degrees and have specific implications for an organisation and its management.

    Some examples:

    •  The introduction of a system of toll roads will affect transport companies and finally the consumer buying the goods because the cost of increased prices will be passed on.

    •  Should the European Union or the United States dip into recession, any company in China exporting to those countries can be put out of business in months.

    •  Inflation can climb rapidly causing interest rates to increase and a company will require a bigger monthly cash flow to pay for its financing; at the same time, consumers will resist buying because of the high costs, also affecting the company’s inflow of cash and ultimately its profitability.

    But a miserable economy is not necessarily bad for some companies. Chewing gum, coffee, liquor, cigarettes, and lipstick (a feel-good brigade of products) may pick up during a recession, and the manufacturing of weapons will increase during a civil war.

    Sociocultural environment

    The sociocultural environment affects an organisation indirectly through people (as consumers, investors, and employees), and the ultimate effect should not be underestimated. People are products of their society and adopt a certain language, values, faith, and laws.

    For example, if a company produces a product which causes an animal activists’ outcry—such as the use of shark fins in soup as an expensive delicacy of Chinese cuisine—or produces a product which loses appeal because of new research findings on the products (such as cigarettes) or because it just goes out of fashion, then the company will obviously suffer.

    Ecological/physical environment

    The ecological or physical environment contains limited natural resources, and there is increasing pressure, despite increased costs, on organisations and countries to ‘go green’ and conserve the limited resources of our natural environment.

    So organisations are urged to build green, throw away those plastic cups, recycle the paper, and separate the waste. And if they are emitting carbon from their factories, they should be trading their carbon emissions. ‘Going green’ means taking the organisation and its activities to a whole new level of being environmentally conscious (usually expensive at the outset but essential for remaining relevant in the twenty-first century).

    Political environment

    Organisations can be affected by the course of a country’s politics, especially political pressures exerted by the ruling government and its institutions in the business environment through changing rules and regulations. The desire for mines and banks to be nationalised by an opposing political party looms from time to time in South Africa.

    Market environment

    Organisations are exposed to the environment that immediately surrounds them (not necessarily only physically but virtually too), and this is known as the market environment. More specifically, this environment contains those variables that revolve around competition which either poses threats or creates opportunities for organisations. An organisation’s decisions influence the market environment through the strategies that it applies to protect, maintain, and extend its share of the market.

    The variables in this environment include the following:

    A dynamic market: the market for the company’s products or services consists of increasingly sophisticated consumers who have needs to be satisfied and the financial means to satisfy them.

    You may remember Fred Finn, who was recognised for setting a world passenger record of travelling the most miles in an aircraft. Fred worked for an American licensing company and travelled the world building international relations, during which time he covered 15 million miles, the equivalent of travelling to the moon and back thirty-one times. In an interview, he was asked about his impressions of the service given by airlines. One of his many comments was that customers contribute to making services more difficult to deliver: they keep raising the bar.

    Aggressive competitors: every company that endeavours to market a service or product in the market environment is constantly up against competition, and it is often competitors and not consumers who determine the actual quantity of a particular product to be marketed, including the price levels for the product.

    Suppliers: if we consider that some 60 cents in every rand can be spent on purchases from suppliers, their importance as a variable in the market environment becomes clear. Many companies rely on easy access to, and the quality of, their suppliers, which in turn can be affected at any time by strikes and by political and legal intervention.

    Companies are also totally dependent on suppliers of capital, like banks and shareholders, both of which can have a substantial effect on whether a company survives or not.

    Intermediaries: besides consumers and competitors in the market environment, intermediaries, such as brokers, play a vital role in bridging the gap between the manufacturer or product provider and the consumer. Intermediaries have to be attracted or enticed by the company to sell its wares and are exposed to their scrutiny.

    Generally, companies are strongly influenced by world trends in terms of their exposure to the external and market environment. For example:

    •  Investors will increasingly scrutinise companies for their transparency, environmental and social efforts, and how they manage their risks.

    •  International organisations will be pressurised to consider and apply environmental and social conditions to their entire operations and for emerging market projects.

    •  Weak emerging market regulations and law enforcement will spawn more informal environmental and social ‘regulators’.

    •  Best practices will be increasingly documented.

    International environment: businesses that operate internationally operate in a far more complex environment since they are affected by both local and international trends, regulation, and economic events. Companies with overseas interests, therefore, compound their possibilities of being affected by all types of risk. It all depends on what kind of business operates there, what it hopes to achieve, and whether the country’s political and legal system will aid or hinder its operations during a particular time.

    Risk represents financial loss

    We have seen that risk is linked to uncertainty about a future outcome. It is clear, then, that if an outcome is different from what is expected, there is always the possibility that the outcome will be worse than was expected and so can involve financial loss.

    Many circumstances can put a company at risk of financial loss. What better example of financial loss experienced by banks than the worldwide recession and double-dip recessions experienced by many countries since 2008? This economic downturn was largely due to the fact that banks had been reckless with lending money. It all started with the aspiration of the US government during the Clinton regime to provide homes for all people, including those with limited financial resources (sub-prime mortgages). During the boom years leading up to 2007, all was well. But then demand pushed up inflation, and mortgage interest rates rose accordingly. People struggled to pay off their loans, and the demand for housing fell and so did house values, to the extent that bonds were well in excess of the house values. Owners defaulted on their mortgage repayments, left their homes, and left their keys with the banks. The banks, in turn, could not sell the houses. Because debt ‘parcels’ (securitised debt¹) had been sold to other banks around the world, the debt contagion spread and many banks were in real trouble.

    Banks were then bailed out by governments to avoid their collapse and the subsequent destabilising of economies. The story did not end there. What followed were governments defaulting on their debts, leaving a world in turmoil and unsure of an uncertain future.

    Any of the risks indicated below can result in a financial loss:

    •  Fraud caused through either internal or external circumstances.

    •  Negligence on the part of staff members performing transactions incorrectly or not following processes and procedures.

    •  Staff members who lack training and so perform the job incorrectly.

    •  Legislation not followed (intentionally or unintentionally) resulting in penalties.

    •  Changes in legislation which could negatively impact business performance in the short or long term.

    •  Hackers accessing the organisation’s data.

    •  War and politics (e.g. impacting international trade agreements).

    •  Change in economic factors such as interest rates, property values, and exchange rates.

    •  Debtors’ defaults (that affect cash flow and hamper projects or business opportunities).

    Risk represents opportunity

    ‘If you want higher returns, you have to accept the thrills and spills that accompany them.’ (Source: ‘The Upside of Risk’ by James K Glassman, Kiplinger’s Personal Finance magazine, November 2007.)

    Being enterprising is undertaking risk for reward. The problem with using the word ‘risk’ is that it is linked to the idea of danger or insecurity. A better term is ‘risk and opportunity’. Taking risk into account from the perspective of taking opportunities in all aspects of the business is sound business policy and contributes to the success of the company.

    If we think about the impact of the risk, we will establish which effects are favourable and which are less so. If the sales of a new product are lower than expected, this might be a bad thing overall, but the company might now have the opportunity to make changes to the product. If the sales are higher than expected, this might be a good thing overall, but it might have the unfavourable result of the company not having sufficient quantities of stock to meet the demand. This would lead to loss of reputation and clients cancelling orders.

    Spending money on advertising could mean success or failure. On the one hand, if a company puts a substantial amount of money into an advertising campaign, it could be a failure because that advertising may not bring about new sales. Therefore, the amount spent would be a loss to the company.

    On the other hand, if the company takes what we often refer to as a ‘calculated risk’, where the company has done extensive research and ensures its advertising is directed at the right target market using a medium suited to reaching that target market effectively, then the risk taken represents an opportunity and the company budgets accordingly. If the risk element is taken into account, the company will ensure that the advertising spend is something the company can afford without negative consequences.

    So although the outcome is uncertain, risk planning has taken into consideration the possible outcomes and their effect on the company and its stakeholders in the short term and in the long term.

    Look at it this way: if individuals, companies, and entrepreneurs avoided taking risks, business would not have progressed to what it is today. Of course, progress has brought with it other problems, but if there is sufficient collective will to solve a problem, there is little that cannot be done.

    The appetite and tolerance for risk

    Each one of us as individuals has an appetite for risk and a tolerance for risk. Here are three examples:

    •  I would not choose to skydive for the fun of it, but if I thought my life depended on it, I would do it. Another will do it for the sheer adrenalin rush and do it again and again.

    •  I do not know much about snakes, so I fear ones that could bite me with fatal results, but the person who has studied snakes, understands the risks, knows how to handle snakes, keeps a snake bite kit at hand, and can treat snake bites has none of that fear. Rather, that person has respect for the dangers and is well prepared.

    •  I will say I can do something, even if I cannot, and will find out afterwards how to do it. Another person will agree to do it only if he or she is absolutely certain he or she can do it.

    In the same way, again, an organisation establishes its own culture in terms of how it views risk. The culture will stem from the leader
