Risk management

How does the board manage risk?

One of the board's most important ongoing roles is to ensure that areas of significant business risk are identified and that management has put arrangements in place for managing them. Your board should ensure it understands the organisation's overall risk profile and is kept informed of high-level risks and of changes to them, so that it can identify the key concerns.

Risk management issues include financial reporting and legal and regulatory requirements as well as marketing, technology and operational matters.

An effective board and/or committee should:

* ensure there is an effective ongoing process to identify risk, measure its potential impact against a varied set of assumptions and proactively manage it;

* ensure management has reached consensus on the objectives of each business unit, linked to the enterprise-wide risk framework, and on which managers "own" which process. Risk management should be integrated into the way management runs the business, and performance metrics and compensation plans should be linked to risk management effectiveness;

* ensure that management does not look only at existing risks, but also has processes in place to identify new risks as they emerge;

* be certain it is informed of the most significant risks and can determine whether the right actions are in place.

What are the risks in business?

Strategic risk: failure to achieve the organisation's intended goals.

Transactional risk: risk of fraud, processing failure or security breach.

Compliance risk: breaches of, or non-compliance with, laws, regulations or codes.

Reputation risk: damage to the organisation's standing with customers, regulators and the public.

There are also risks in dealing with third-party providers, and business continuity risks in the event of a disaster or accident.

A risk analysis template (Risk Analysis Template.doc) is attached to this page.

What is a compliance framework?

An organisation's management of the regulatory and legal requirements affecting it is often achieved through a number of specific compliance programs, for example a trade practices compliance program or an environmental compliance program. These programs may include training and a range of other communications to ensure that the relevant obligations are understood and complied with.

A well-designed compliance program aims both to prevent breaches of specific laws, regulations, codes or organisational standards and to respond to any that do occur, and it contributes to a culture of compliance within the organisation.

A compliance framework integrates the specific compliance programs and the needs of the component business units to provide a comprehensive and consistent approach to compliance.

A key feature of an effective compliance framework is that it makes compliance every employee's responsibility and allows the business to focus on the future rather than wasting time, effort and money on crisis management.

Is a risk management approach to compliance appropriate? While compliance is a type of risk, it cannot simply be prioritised and traded off against cost in the way other risks are: compliance with the law is not negotiable.


The board must ensure that management:

* understands the external and internal compliance requirements facing the organisation;

* has comprehensive policies and procedures in place that, when followed, will ensure compliance;

* creates a business environment that encourages compliance with those policies and procedures;

* integrates compliance risks and opportunities into the core business strategy.

Either the audit committee or a separate risk management or legal and regulatory affairs committee must have oversight of the compliance framework and of any emerging or other compliance issues, including litigation and contact with regulators.

How risk management oversight is organised will depend on the size and complexity of your organisation and the needs of the board.

The board's oversight of the compliance framework should include:

* reviewing the effectiveness of the organisation's system for monitoring compliance with laws and regulations;

* receiving periodic compliance reports;

* ensuring that testing of compliance with laws, regulations and organisational policies is incorporated into the internal audit plan;

* understanding the nature of any significant issues that come to light, and management's investigation and follow-up, including disciplinary actions;

* reviewing trends in compliance and management's plans to address systemic issues;

* reviewing the findings and reports of examinations by regulators;

* ensuring that management has reflected the impact of significant issues in the financial reports.

Periodic briefings and information from the internal auditor, general counsel, compliance officer, external auditors and management can provide much of the information the board needs.

In addition, each director should ensure that he or she has a good understanding of the legislative and regulatory environment in which the company operates.


Outsourcing risks

Outsourcing arrangements typically involve an organisation entering into an agreement with another party (including a related company) to perform a business activity that is currently, or could be, undertaken by the organisation itself. Service arrangements involve the provision of services by a contracting party either to the organisation or, on its behalf, to its members.

Outsourcing, or contracting out, a business activity does not transfer all of the risks associated with that activity to the service provider. The services remain the responsibility of the organisation, which must ensure that all risks associated with the activity are addressed in the same way as if the organisation performed the activity itself.

The organisation must agree with the service provider on the processes that will be in place for the monitoring, reporting and reviewing of services provided to the organisation.

The organisation must ensure that the service provider adheres to the organisation's relevant policies and procedures, and that the service provider has staff who are sufficiently trained and competent to provide the services.

A sample contracts register (Contracts Register.doc) is attached.