A great deal of time and effort is devoted to defining and documenting policies and procedures that meet compliance, risk management and governance requirements, while maintaining agility and functionality within the particular business process and within the organisation.

In response to widespread demand, the current rule-based compliance burden of SOX will probably be shifted to a more principle-based approach, as in Europe and other countries. This relaxation places added focus on the particular internal controls that are associated with the greatest material risk. In addition, companies will be required to provide documentation and support for their high-risk controls.

The documentation and testing of these high-risk internal controls require an understanding of their strategic content and components. This approach, in a nutshell, is Risk Governance.

Risk Governance is a structured and comprehensive compliance exercise. Its primary focus is on mitigating risk by identifying, assessing, compiling, understanding, monitoring and evaluating a variety of control activities in order to achieve strategic goals and objectives.

Companies must bridge the gaps between the various compliance, risk management and governance requirements, and identify and manage the organisation's total risk portfolio of:

  • Strategic Risk
  • Operating Risk
  • IT Risk
  • Compliance Risk

In order to coordinate risk mitigation efforts with compliance activities within the organisation, management must address the following questions:

  • Do the board of directors and management have proper oversight of risk?
  • Does management look for material exposures with resources that match the risk profile?
  • Are the current risk-assessment procedures and processes comprehensive and effective?
  • Are there gaps or overlaps in the risk coverage?
  • Are decisions based on relevant data, so as to achieve a better return on risk investments?

It is advisable to design a checklist that addresses the following issues in depth, as relevant to the operations of the company:

  • Principles, definitions and the human dimensions of risk governance.
  • Key elements of COSO integrated framework in the context of risk governance.
  • Managing stakeholders - expectations, stewardship, politics, strategic and operational risks.
  • Management’s responsibilities for monitoring and reporting, disclosures and sign off.
  • The Risk Governance processes: risk identification, analysis and evaluation.
  • Developing, controlling and monitoring responses to risk, or taking calculated risks.
  • Functions, processes, interdependence, parallels, methodologies and techniques.
  • Upgrade data management as a compliance discipline, focusing on data protection driven by data-breach possibilities, e.g. USB sticks.
  • Set clear identity and access management controls in relation to their respective transactions.
  • Psychological aspects of risk management: individual, organisational or cultural barriers.
  • Roles of the Risk Manager, Chief Compliance Officer and Risk Management Professionals.
  • Roles of independent assurance – internal and external.
  • External risk reporting – requirements.