In Malaysia, the Statement on Risk Management and Internal Control (SORMIC) is a requirement from the Securities Commission, in accordance with the Malaysian Code of Corporate Governance (MCCG) 2017. On 14th September 2018, a Tea Talk was held at the IERP® International Secretariat, featuring a presentation on crafting an effective and practical SORMIC by Mr. Ramesh Pillai, Group Managing Director of Friday Concepts Risk Consulting.
The MCCG and Defining “Risk Management”
Speaking on the MCCG 2017 as a guidance document for the SORMIC, Pillai noted that its main contributors and authors were auditing and accounting bodies; there were no contributions by risk practitioners. He drew attention to Principle B in the MCCG, where the Intended Outcome of a Risk Management and Internal Control Framework is that:
“Companies make informed decisions about the level of risk they want to take and implement necessary controls to pursue their objectives.
The board is provided with reasonable assurance that adverse impact arising from a foreseeable future event or situation on the company’s objectives is mitigated and managed.”
Pillai pointed out that this focuses only on the downside of risk, and considers neither opportunities nor the improvement of decision-making. Given that it is the CEO or CFO who signs off on the document, and not the CRO, and that it is mainly focused on Operational Risk Management, the SORMIC thus becomes more of a disclosure document for internal audit and finance than for Enterprise Risk Management.
A participant asked whether, given that the largest number of risks is operational, it does not make sense for the MCCG to focus on Operational Risk Management. Pillai concurred, but added that there should also be consideration for risk exposures with high impact, not just high frequency.
The statement is necessary, but the guidance on creating it is unclear and self-contradictory. Its current shortcomings point to existing misunderstandings in the GRC disciplines regarding the distinctions between risk management and internal control, the former being more future-oriented and the latter being focused on day-to-day operations. Focusing only on operational risk implies a narrow view of risk management, both within the organization as well as to stakeholders and the public.
The Practicality of a SORMIC
During Q&A, participants expressed uncertainty about the actual value of the document. Considering the lack of clarity from the MCCG, most were used to utilizing whatever they had on risk management in their organization, removing confidential data, and calling it a SORMIC – which makes for an overly long document with mostly unnecessary information.
Pillai concurred with the skepticism surrounding SORMIC’s usefulness, but stated that at the end of the day, it’s vital to consider the function and purpose of your organization’s SORMIC as well as its audience. The average layperson will most likely not bother to read it thoroughly in the first place, while for serious investors with larger vested interests, the SORMIC can provide a starting point for further discussions in private.
Within the organization, what is laid out within the SORMIC can also be used as a benchmark to improve on or establish processes. Case in point, it is a requirement to disclose the process applied to review the risk management or internal control system. To this end, organizations can perhaps look to implement a Risk and Control Self Assessment (RCSA) – a useful tool in risk management best practice, regardless of the requirement.
At the same time, crafting a SORMIC requires you to balance writing about the processes against divulging too much information that inadvertently exposes organizational vulnerabilities. It is also of interest to note that external auditors are only required to check for completion; they are not required to ensure that the SORMIC is accurate or fit for purpose. Thus, fundamentally, the SORMIC is intended as a document to showcase that your organization does have an assurance function, that there is Board oversight in place, and that existing processes are reviewed and revisited annually in order to reach strategic objectives. It is about maintaining investor confidence by telling the public what you do to manage risk, and not necessarily how you do it.
Going forward, there perhaps should be a review of the intended outcomes of MCCG requirements. If the goal of the MCCG is to help ensure the future sustainability of organizations, its disclosure requirements should focus less on internal control and more on risk management, to improve the quality of decision-making and ensure that organizational objectives are being met.
We invite you to join us at our next tea talk on 12 October, Creating Value Out of Enterprise Risk Management, which will delve into how to use an ERM framework to take advantage of strategic opportunities. Alternatively, contact us for any further queries on risk management or risk oversight.