As investors are busy flipping through the pages of corporate annual reports during the current reporting season, one of the key statements in an annual report is the statement on risk management and internal control.
The statement provides assurance to stakeholders that the risk management and internal control system is operating adequately and effectively in all material respects.
It also provides assurance that it complies with the requirements set out in paragraph 15.26(b) of the Main Market Listing Requirements and ACE Market Listing Requirements issued by Bursa Malaysia, as well as the Malaysian Code on Corporate Governance 2021 published by the Securities Commission.
In running a business or an organization, risk management is a key element in determining success or failure, especially when a catastrophic event hits a business and the business is ill-prepared to handle the risk factor.
Prior to the once-in-a-century pandemic that hit us all, few businesses had a pandemic as a risk factor, because it had never been seen or thought that one could bring a business to its knees.
Well, today, based on the experience of the last two years, practitioners include pandemic risk as one of the additional risk factors when designing an enterprise risk management (ERM) framework.
Another recent example is Malaysia’s enactment of Section 17A of the Malaysian Anti-Corruption Commission Act 2009 with effect from 1 June 2020.
All companies are required to have adequate procedures in place to ensure that they are able to capture the risk of corruption in ERM.
Therefore, within ERM, there are now three major sources of risk and they include business risk, financial risk, and hazard risk.
To recap, business risk encompasses the risk associated with compliance risk, operational risk, and strategic risk.
Compliance risk is the risk associated with government regulations and the legal framework, as well as internal policies and guidelines.
Operational risk includes the risk related to the commercial operation of the company and is mainly internal.
This includes human resources/labour risk, information technology and cybersecurity risk, security risk, environmental risk, risk related to the products/services offered by a company, and quality risk.
In the context of strategic risk, this can include political risk, regulatory risk, cultural risk, currency risk and even country risk.
When talking about financial risk, risk here refers to market risk, credit risk and liquidity risk as well as cost control, while hazard risk encompasses corruption risk, fraud, misconduct, litigation risk, property or fire risk, and moral and reputational risk.
As ERM is an evolving framework and not a static guideline as to how a business should assume risk, questions arise among businesses and even among practitioners as to the place of Environmental, Social and Governance (ESG) within it.
ESG, currently the single most talked-about factor determining where investors put their money or withdraw their bets, is now the focal point of compliance among companies as sustainability issues take precedence.
However, with so much focus on ESG, where is ERM headed? Is ESG part of ERM, or is ESG now the mother of all ERM frameworks, such that companies can ditch the latter and focus solely on sustainability and ESG issues?
We are indeed at a crossroads and a clear path is needed to ensure that companies are not mistaken about where to go.
Introduced in 2014, the FTSE4Good Bursa Malaysia Index (F4GBM) is an index developed by FTSE Russell that highlights companies capable of dealing with ESG risks.
The ESG score is derived by looking at the three key pillars of ESG and companies are scored based on an objective assessment.
To be a member of the index, a company needs to achieve a score of at least 2.9, in addition to passing certain negative screens.
In the environment pillar, five key themes are included and they are climate change, water security, biodiversity, pollution and resources, and supply chain environment.
Under the social pillar, the five key themes are health and safety, labor standards, human rights and communities, customer responsibility and social supply chain.
Under the governance pillar, the four key themes are anti-corruption, tax transparency, risk management and corporate governance. As a result, we now have 14 different themes under the ESG-based F4GBM, which some 79 companies were able to pass with flying colours and be included in the index.
On the other hand, the ERM framework, which has three main sources of risk and perhaps more than 30 different risk factors, is designed for all companies and not just those listed or those who aspire to be included in the ESG-based index.
Although the ESG-based F4GBM index covers risk management as well as corporate governance and anti-corruption as some of the key themes, from which ESG ratings are then derived, the assessment of the 14 themes does not take into account other key risk factors.
This includes, among others, all financial risk factors and some of the risk factors defined in the ERM framework under business risk and hazard risk, which include political, country, catastrophic, property and fire risk, litigation risk, and moral and reputational risk.
Obviously, the ERM framework is broader than ESG-based evaluation.
Additionally, the ESG score is calculated based on a company’s exposure (medium, low, high) and scores between zero and five are assigned for each applicable ESG theme.
For ERM, the goal is not to ask "what is the score", but rather to identify the risk factors, to measure how they could impact the business and the likelihood of their occurring, to implement control measures, and to monitor risk parameters.
Essentially, an ESG-based rating assessment serves a very different purpose than what an ERM framework does for a company. Therefore, ERM is the paramount framework for the survival and sustainability of an organization.
ESG permeates the framework and forces a company to consider its risk from the external environment and its impact on the external environment.
Thus, company directors should be aware that adopting the ESG theme does not mean that their responsibility under the statement on risk management and internal control in the annual report is extinguished; rather, a greater responsibility is now conferred on them to ensure full compliance.
Pankaj C Kumar is a long-time investment analyst. The opinions expressed here are those of the author.