
II. Introduction:

The recent global economic crisis has proved that good corporate governance is crucial to financial security. The GFC caused some of the biggest companies to collapse, even though some of them thought that their risks were accounted for and that their financial position was secured. The GFC highlighted the fact that some risk management and internal control systems are not efficient, so a lesson learned from the GFC is that simply having a framework of corporate governance is not enough: most of the collapsed companies had a governance structure, but it was not robust enough in terms of risk management. This can also be noticed in what Warren Buffett wrote to shareholders about his company's risk management system: "it's only when the tide goes out that we realise who's been swimming naked" (Berkshire, 2001). Running any kind of business today means dealing with risk in one way or another; the only way to avoid risk is to stop moving and do nothing. The International Organisation for Standardisation (ISO) defines risk as "the combination of the probability of an event and its consequences" (IRM, 2002). This means that risk can be measured in terms of consequences and likelihood, so any action taken to deal with risk should address both the likelihood of an event occurring and the degree to which it can affect the organisation; this effect could be negative in terms of threats, or positive in terms of chances or opportunities. Business leaders always seek ways to add value for shareholders, so they started to look at how risk management is linked to value creation. It is noticed in every industry that risks are not merely dangers that should be avoided, but in many cases opportunities to be taken, as Suzanne Labarge, the Chief Risk Officer (CRO) at Royal Bank of Canada, argues: "Risk in itself is not bad; what is bad is risk that is mismanaged, misunderstood, mispriced, or unintended" (KPMG, 2001).
It is believed that risk creates opportunity, which creates value, which ultimately creates shareholder wealth, so how to manage risk to derive that value has become a critical question in the world of business today. This leads to the definition of risk management, which is defined by the Australian Transaction Reports and Analysis Centre (AUSTRAC) as "the process of recognising risk, and developing methods to both minimise and manage the risk" (AUSTRAC, 2011). The Australian Standard defines "risk management" as "the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects" (AUSAID, 2006). This definition includes the culture, which indicates that risk management is not only about processes and structures; it is also about having and fostering an organisational culture of ethics and integrity, which ensures that the risk management strategy is not based only on detecting mistakes and punishment, but also on having an environment of trust and staff personal responsibility towards the organisation's interests. In summary, it can be said that "Managing risk is a way of confidently taking the right risks and then managing the outcomes for success" (TBS, 2004).

III. Risk Management in ASX Corporate Governance Recommendations:

The Australian Securities Exchange (ASX) Corporate Governance Council issued the Australian Corporate Governance Principles and Recommendations, which include the principles of good corporate governance. Principle 7 is about recognising and managing risk; it requires that a sound system of internal control and risk management be established. This system should identify, evaluate, monitor, and manage the risks that a company may face, and it should keep investors informed about the company's risk profile (Group100, 2003). This principle includes some recommendations to achieve best practice, which can be summarised as follows:

- Recommendation 7.1: requires the appropriate board committee to establish policies on risk management and design a system of internal control and risk management.
- Recommendation 7.2: requires that the board review and assess the effectiveness of the execution of the system for management of material business risks at least annually. This can be achieved through the use of internal auditors, who should be independent of the external auditors and should have direct access to the audit committee, with both having access to information and explanations, and through the use of a risk management committee, which can be a separate committee or part of the audit committee. Having such a committee does not mean that other board members are not responsible for the duties of monitoring and assessing the company's risk management and internal control systems.
- Recommendation 7.3: requires management (CEO and CFO) to provide an assurance to the board on the integrity of financial statements, that they are built on a sound risk management system.
- Recommendation 7.4: companies should include a description of their risk management system and internal control system in their annual reports, and this information should be publicly available through the company's website (ASX, 2002).

IV. Principles of Sound Risk Management Strategy:


A sound and effective risk management strategy requires management to have a strategic focus, proactive approaches and forward thinking, and a balance between the anticipated benefits and costs of managing risks. Some of the key principles of a sound risk management strategy are discussed below:

1. Risk management should be an integral part of effective corporate governance, based on accountable and transparent processes; it should be applied to the development and implementation of the organisation's policies and future strategies (CEBS, 2010).
2. A strong organisation-wide risk culture. This can be achieved through the establishment of a risk management system that is independent and comprehensive (covers all types of risks), under the responsibility of the CRO, or of senior management if a CRO is not appointed. All staff should be committed to behaving and performing their duties based on analysis of risks and opportunities and their effect on the organisation as a whole (CEBS, 2010).
3. Senior management and executive commitment to proactive risk management in a systematic way. Managers at all levels should be accountable for risk management.
4. Every member of the organisation should be aware of their responsibilities with regard to identifying and reporting risks, not only financial or operational risks but also non-financial risks, such as reputational risks (CEBS, 2010).
5. An effective communication policy should be adopted to support the risk culture across the organisation; therefore a risk management information system should be used for reporting and communicating risks (CEBS, 2010).
6. Risks should be monitored and reviewed by the board or related committees to measure the effectiveness of risk management. Members of these committees should collectively have an understanding and experience of the business and its relevant risks (CEBS, 2010).
7. The governance of risk should be documented. All staff shall be informed of the risk governance arrangements, taking into consideration their information needs based on their positions in the organisation (CEBS, 2010).
8. Understanding the company's risk tolerance. An organisation's tolerance for risk depends on its culture and other internal and external conditions. The risk tolerance of an organisation and of its key stakeholders should be understood, as the two will influence and guide decision-making. Management must determine which risks the organisation should accept and at which levels; these choices should be re-evaluated at least annually.

V. Challenges of Introducing a Successful Risk Management Strategy:

Implementing a successful risk management strategy will likely face a number of challenges, such as:

1. Board and CEO support: the challenge is to demonstrate risk management's tangible benefits in order to gain the support of key stakeholders, so that the board sees risk management as a way to reduce or avoid costs, not to add costs.
2. Risk measurement: it is hard to have a specific scale to measure the probability of the occurrence of some events and the size of their effects. The transition of risk measurement from a qualitative perspective to quantitative estimates is a main challenge.
3. Linking risk management to corporate strategy: the challenge here is to integrate risk management with business strategy.
4. Responsibility and accountability: answering questions such as where does risk management fit within the organisation?
5. Common risk language: there should be a consistent system for communicating and reporting risks and for applying risk management methods. Appropriate reports should be designed to make it easier for management to use risk management systems to make decisions.
6. Management buy-in: resistance to change should be reduced in order to gain buy-in for accepting responsibilities and proactive participation in risk management, as risk takers and risk makers should be risk managers.
7. Technology: consistent technology should be applied in warehousing, reporting, and retrieving risk management data captured across the organisation, together with the ability to integrate such technology within the organisation's information systems.
8. Globalisation and new business trends: globalisation introduced new risks to firms and changed the way firms can manage risks. New business trends such as outsourcing also expanded the range of risks to include other parts of the supply chain. E-commerce also changed the nature of the risks a company needs to manage. All these factors represent a challenge in implementing a successful risk management strategy.

VI. Benefits of Risk Management:


Risk management is getting more and more attention in the world of business today. Although it can be a challenging and costly process, experience has proved that the benefits exceed the costs of having a sound risk management system. Some of the benefits relate to improving the quality of strategic planning; improving the quality of decision making through more transparency; better cost control through increased knowledge and understanding of both personal and organisational risk exposure; and lower insurance premiums, as the trend for insurers is to provide cover to organisations that don't represent a high risk. It also enables the organisation to prevent risks rather than responding to them. Risk management can also help in protecting the organisation from legal liability.

VII. The Process of Risk Management:

The risk management process involves a number of iterative phases. The process starts with risk recognition, where risks are identified at all levels of the organisation. This can be achieved through the use of a risk register, which lists all potential risks, suggested solutions, and the ownership of each risk (who is responsible for taking action against it); all members of the organisation should add items to this register, which can be the base of an Enterprise Risk Management System (ERMS). The next step is to analyse the identified risks in terms of likelihood and effect in order to rank them, then to come up with policies to deal with the risks. The final phase is monitoring and reviewing the results of the risk treatment policies used, in order to improve. Figure 1 below summarises the process and the responsibilities for each part.

Figure-1: Risk Analysis and Management Process

VIII. Enterprise Risk Management (ERM):


ERM is defined as "the process of identifying and analysing risk from an integrated, company-wide perspective. It is a structured and disciplined approach in aligning strategy, processes, people, technology and knowledge with a purpose of evaluating and managing the uncertainties the enterprise faces as it creates value" (KPMG, 2001). The great innovations in IT have reached every aspect of business, and risk management is no exception. Recent years have witnessed broad use of Enterprise Risk Management Systems (ERMS) by many companies to implement the ERM concept of risk management, due to the great capabilities, stability, and security offered by IT systems, so it is rare today to see an effective risk management strategy that is not based on the use of an ERMS. In fact, a survey by the Economist Intelligence Unit of 500 executives showed that technology infrastructure was one of the most important aspects of risk management that companies invest in (Economist Intelligence Unit, 2010). According to the Arthur Andersen business risk management process (BRMP), the process of ERM comprises the following elements: (i) establish the business risk management process, (ii) assess business risks, (iii) develop business risk management strategies, (iv) design / implement risk management capabilities, (v) monitor risk management performance, (vi) continuously improve risk management capabilities, (vii) information for decision making (Woon et al, 2008). So the recommended risk management strategy will be based on the use of an effective ERMS, in terms of software and hardware, which can be integrated with the company's ERP or information system. The use of such a system can overcome some of the challenges mentioned earlier. ERM offers an integrated, holistic, process-oriented, and future-focused approach that can help organisations manage all business risks and opportunities in order to maximise shareholder value for the organisation as a whole (KPMG, 2001). An ERMS can provide management with the information required to respond to crises quickly and efficiently, which can help companies to protect the stock price if there is a scandal or other issue that affects reputation. When this is aligned with the development of a culture of ethics and integrity as well as suitable policies, the company's risk can be managed in an effective and efficient way. So we can think of the ERM approach not only as a way to prevent risks, but also as a way to promote growth, through discovering business opportunities, revealing new ways to gain efficiencies, and delivering on strategy.

IX. The Strategy: Risk Management, Culture, and Ethics:

The discussion above was about the recommended approach to risk management, which is ERM, and the tools that are used to implement it, such as an ERMS. This part looks at an important issue that can't be neglected if we want a sound risk management strategy: the role of organisational culture and ethics. The RiskMinds 2009 risk managers survey found that most risk professionals believe that the banking crisis was caused not so much by technical failures as by failures in organisational culture and ethics (SOA, 2010). ERM can help in building a solid control system with a culture of ethics. The Ethics Resource Centre issued a paper on Ethics and Compliance Risk Management which suggests the following five steps to build a solid control system:

1. Defining business ethics and compliance risks to create a comprehensive risk profile.
2. Preventing failures of ethics and compliance: hard and soft controls should be used. Old reforms focused on preventing misconduct through processes that can be quantified and measured (hard controls), while recent reforms focus on soft controls, through communicating procedures and standards to employees and through business ethics and corporate compliance training.
3. Detecting noncompliance of any kind (regulations, laws, and code of ethics) via multiple reporting methods, such as anonymous reporting. Management should respond to whistleblowers and other reports promptly and effectively. This requires confidential and non-confidential communication lines, such as telephone lines and e-mail or intranets, and protecting the whistleblowers.
4. Responding swiftly and publicly to allegations and potential violations: the company should establish a protocol and guidelines to ensure quick responses to allegations and potential violations. This is an important step, as the amended U.S. Sentencing Guidelines state: "The two factors that mitigate the ultimate punishment of an organization are: (i) the existence of an effective compliance and ethics program, and (ii) self-reporting, cooperation, or acceptance of responsibility" (Ethics Resource Centre, 2007).
5. Evaluating results and making continuous improvements.

Some risk handling will be governed and controlled by rules and regulations, while most risks will be governed by culture, in cases where rules do not apply, are not effective, or fail. Such a risk management culture needs some basic components, such as:

1. Ethics: the company should have high ethical standards; this can be fostered through the behaviour of senior management, through training, and through onboarding programmes for new employees.
2. Leadership: leadership should clearly explain the risk culture and risk tolerance, and should set the tone.
3. Encouraging transparency and openness.
4. The company's risk culture should fit with its vision and mission.
5. Governance: the board should monitor the company's risk culture.
6. Alignment between the personal incentives that encourage risk management and risk taking, and the company's risk appetite.
7. Prompt engagement: risks should be identified, assessed and managed promptly (SOA, 2010).

Business literature shows that the most important area for improvement in risk management is the culture in which it takes place, which includes values, vision, management style, and standard operating procedures, so it is recommended practice for organisations to encourage and develop a risk-aware culture. Such a culture usually has features like strong leadership, a participative management style, the ability to capture risk at all levels of the company, encouraging employees to be accountable and responsible for their actions, encouraging teamwork, improved communication channels, setting controls before risks occur, and encouraging awareness of risk all over the organisation (SOA, 2010). It is important to know that creating a risk-aware culture shouldn't depend on detecting mistakes and punishments through the carrot-and-stick approach; instead, management should make efforts to build a culture of trust and self-accountability among employees. This can be noticed in the new approach in reforms and regulations, which mandates organisations to "promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law" (LRN, 2010). This approach is justified by the fact that laws can't cover every possibility; that's why organisations are required to prevent unethical behaviour (which may not be illegal) through developing soft controls. The National Business Ethics Survey conducted by the Ethics Resource Centre in 2007 identified ethical leadership as an important component of a strong organisation-wide culture; such a culture reduces misconduct, increases the likelihood of whistle-blowing or reporting, and ensures protection of whistleblowers against retaliation (Ethical Resource Centre, 2010). Having a sound whistleblower system is important in creating a risk-aware culture that is built on ethics and trust. The following suggestions can help in building such a system. First of all, the whistleblower system shouldn't replace other regular reporting systems; it should complement them. Anonymous reporting should be reserved for serious complaints. Management should establish trust by keeping promises and protecting whistleblowers. Transparency by employees encourages management buy-in. Designers of whistle-blowing systems should be careful not to let them make the company lose the consideration given for self-reporting. And finally, investigations should be conducted as quickly as possible (LRN, 2010). Ethics and compliance should be monitored; it is recommended to have annual ethics and compliance surveys. Using investigations of compliance and ethics violations to create a database of lessons learned would be good practice for monitoring and improving. Finally, it is recommended to communicate the importance of ethics to employees regularly. This can be achieved through tactics such as creating an effective communication plan, using as many media channels as possible, weaving ethics and compliance into regular communication, and making an emotional appeal to ethics (LRN, 2010).

X. Conclusion:
The recent crisis alerted the business world to the importance of combining risk management with an ethical organisational culture, which proved to be a good way to protect companies from financial losses and reputational damage. Ethics and compliance can add value to the organisation, as customers consider ethical issues when making business decisions. Companies are more and more convinced that holistically managing risks, ethics, and compliance can give them a great opportunity to outperform their competitors. So most companies are adopting the ERM approach to risk management, which assesses risk in a company-wide fashion by gathering information on all risks faced by all parts of the company, creating a larger picture that lets the company uncover risks affecting multiple areas. The use of consolidated risk reports through ERM facilitates the creation of standards and processes for dealing with risks. This report showed that the involvement of ethics and compliance in ERM is important to achieve a successful risk management strategy that can protect the company from criminal liability and the reputational damage that could arise from misconduct by staff at all levels within the organisation.
