ISSN 21413436

JANURARY

Vol 2 Issue 1

INTRODUCTION
he global financial crisis which started in the latter half of 2008 has pressed the need for a vibrant corporate governance and proactive risk management further into the limelight. Time and again, the reasons given for the current unprecedented crisis of confidence has been blamed on failures of corporate governance and risk management. Re-establishing long-term confidence on the boards of public quoted companies in Nigeria will require more than government/regulators intervention and updated regulations. Corporate governance is concerned with ways in which all parties involved in the well-being of an organization try to ensure that managers and other insiders take measures or adopt mechanisms that preserve the interests of the stakeholders. According to the Cadbury report of 1992, 'Corporate Governance is a system by which companies are directed and controlled.' The Organization of Economic 1 Corporate Development (OECD) principles of corporate 2 governance grew out of the Cadbury Report definition and specify that any review of corporate governance in a country should include the roles, duties and powers of shareholders, the board of directors and company management and should also contain transparency and disclosure as well as the place of the organization in the society. The corporate governance framework of any company should ensure the strategic guidance of the company, the effective
1 Corporate governance code: OECD (2004) 2 Cadbury (1992)

monitoring of management by the board, and the board's accountability to the company and the shareholders. The balance sheet is an output of multiple structural and strategic decisions across the entire company, from stock options to risk management structures, from the composition of the board of directors to the decentralisation of decision-making powers. As a result, the principal responsibility for good governance must lie within the company rather than outside it. As liquidity dries up and lenders become more perceptive about which companies they lend to, it is vital that well-managed companies differentiate themselves from poorly-managed companies. Lenders, insurers, ratings agencies, investors, international government agencies and others are today favoring companies that can clearly articulate their approach to risk. RISK DEFINED Reward is a function of opportunity, risk and profitable execution of a plan that minimizes the risk. -John & Leigh Hendrick Risk is a function of the likelihood of a given threatsource's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. It is characterized as reasonably foreseeable events or situations that prevents or hinders achievement of corporate objectives, or which pose threats to shareholders' interests. They represent exposure to adverse consequences, financial or physical, as a result of either corporate decision-making or the operational environment. RISK MANAGEMENT Risk Management has been seen generally as the identification, assessment, and prioritization of risk

followed by harmonized and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary. Risk Management is the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects within an organization. It is a process of thinking systematically about all possible risks, problems or disasters before they happen and setting up procedures that will avoid the risk, or minimize its impact, or cope with its impact. It is basically setting up a process where you can identify the risk and set up a strategy to control or deal with it. On another view, in Enterprise Risk Management, a risk is defined as a possible event or circumstances that can have negative influences on the enterprise in question. WHAT THEN IS THE CONNECTION BETWEEN R I S K M A N A G E M E N T A N D C O R P O R AT E GOVERNANCE? ways: It is the responsibility of the board of directors to look after the assets of their company and to protect the value of their shareholders' investment. This includes a duty to take measures to prevent losses through error, omission, fraud and dishonesty. Control measures are provided through a system of Internal Control. The prime responsibility for good internal controls lies with the Board . Also, a principle of the UK Combined Code is that 'The Board should maintain a sound system of
4

Risk management is relevant to corporate governance in two

3 ICSA Corporate Governance 5th edition by Brain Coyle 4 2003 SEC Code of Corporate Governance: section 8c (Reporting & Control)

internal control to safeguard shareholders' investment and the company assets'.

5

assessed. To put this study into proper viewpoint some information and recommendations are provided on governance of Risk by UK Cadbury Committee 1992, The Walkers Review of Corporate Governance in UK Banks and Other Financial Industry Entities (July 2009), The King's Reports 111, (2009) The Securities and Exchange Commission Code of Corporate Governance (2003), and The Central Bank of Nigeria Code of Corporate Governance. (2006)

It is also argued that the board of directors should be responsible for making sure that all risks are manage properly. A company should protect itself against serious downside risk (a risk that the actual events will turn out worse than expected), such as losses through fire damage, theft, accident claims by employees, and so on. The board

should be satisfied that a management system is in place for monitoring and controlling these risks. Executive managers take many business decisions where returns are difficult to predict, and there is upside risk (a risk that actual events will turn out better than expected) as well as downside risk. The board should be satisfied that in their decision-making, managers take risk into account as well as expected returns. Similarly, when the board takes major investment decisions itself or decision on corporate strategy, risk as well as expected returns are properly
5 The Combined Code (1998) www.fsa.gov.uk 6 The Cadbury Code is a code of corporate governance, published by Cadbury 000Committee in the UK in 1992 (and since superseded) 7 Cadbury Committee Report 1992

PROVISION OF UK (CADBURY COMMITTEE, 1992) ON RISK MANAGEMENT6 The Cadbury Committee described risk management7 as 'the process by which executive management under board supervision, identifies the risk arising from business and establishes the priorities for control and particular objective'. The Committee reporting on corporate governance in 1992 took the view, that risk management

should be systematic and embedded in the company's procedures and that there should be a culture of risk awareness. The importance of risk management for a company is that a failure to monitor, control and contain risks could lead to financial collapse. The Cadbury Committee argued the need not just for an effective system of internal control but also for broader risk management. This view was not generally accepted at that time, but the significance of risk management, was eventually accepted 'officially' in the UK as an element of corporate governance with the publication of the Combined Code in 1998.
8

directors should make a statement in the report and accounts on the effectiveness of their system of internal control and that auditor should report thereon. This recommendation was taken up by the Rutteman Committee which developed a framework for reporting on internal financial control. Since then, the governance debate has been moved on by Greenbury Committee , who looked at wider aspects of corporate governance and the Hampel Committee , which recommended in January 1998 that the original Cadbury recommendation for a public statement on the effectiveness of the entire system of internal control be re-affirmed. Subsequently, the Turnbull Committee
12 11 10

Although ultimate

responsibility for internal control and risk management lies with the board of directors, the task of detailed oversight might be delegated to the audit committee or even a separate board committee with specific responsibility for managing risk. The combined code also states that unless either there is a separate board risk committee consisting of independent directors or the full board considers that matter itself, the audit committee should be responsible for review of the company's internal control and risk management systems, not just financial controls. There have been significant advances in governance and risk management practices throughout the public sector in recent years. The publication of the Cadbury Report in 1992 firmly established corporate governance on the agenda of UK companies. The Cadbury Report was restricted to those aspects of corporate governance specifically related to financial reporting and accountability, namely the control and reporting functions of public liability companies (PLC) boards, and the role of auditors. Also, the Cadbury report led to an increased focus on risk management and control by recommending that
8 Provision of the 2003 Combined Code relating to risk management 9 Cadbury Report 1992 (Ref. 10)
9

was charged with putting such a framework for reporting on the broader aspects of control into place to meet the London Stock Exchange's requirements for companies

10 Central Bank of Nigeria , Marian Lagos Library - Greenbury(1995) (Ref. 11) xxx Greenbury Committee Report (Gee Publishing, 1995) 11 Hampel Committee (Ref. 12) 12 Turner Review- http://www.fsa.gov.uk/pubs/other/turner_review.pdf

who were, or who sought to be listed on the Exchange. These requirements are set out in the Combined Code of the Committee on Corporate Governance
14 13

have seen risk oversight as a compliance function essentially designed to meet regulatory capital requirements at minimum constraint on leveraged utilization of the balance sheet. There has been probably an element of Disclosure fatigue, leading to some sense that a large part of the board's obligations in respect of risk in the entity can be discharged through full disclosures. Such attitudes should have no place in the proper governance of risk in future. In essence, the obligation of the board in respect of risk should be to ensure; that risk are promptly identified and assessed; that risks are properly controlled; and that strategy is informed by and aligned with the board's risk appetite. THE BACK BOOK OF RISK AND FUTURE RISK STRATEGY: Enhanced effectiveness in the governance of risk will require in many BOFIs more dedicated board focus, above all in reviewing and deciding of the entity's risk appetite and tolerance. A key distinction here is between the responsibility of the board in the management and control of risk and decision-making in respect of risk appetite and tolerance. There is a substantial toolbox of tried and tested techniques for the management and control of financial risk. A BOFI board that failed to draw on the experienced embedded in such techniques to ensure that appropriate management and control processes are in place would be in serious breach

and the

initiatives are not only UK focused. Other countries have been establishing risk and control guidelines in parallel. For example, the Australian and New Zealand standard on risk and control underpins much of the current guidance issued by the NHS Executive for implementation in the health sector. WALKER'S REPORT - A REVIEW OF CORPORATE GOVERNANCE IN UK BANKS AND FINANCIAL INDUSTRY ENTITIES The walker's report is a review of corporate governance in UK Banks that examines corporate governance in the UK Banking industry and make recommendations, including the following areas: the effectiveness of risk management at board level, including the incentive in remuneration policy to manage risk effectively; the balance of skills, experience and independence required on the boards of UK banking institutions; the effectiveness of board practices and the performance of audit, risk, remuneration and nomination committees Etc. The review states that monitoring and management of risk in Banks and Other Financial Industry entities (BOFI) is not only a set of controls aimed at the mitigation of financial risk, as normally in non-financial business, but relate to the core strategic objectives of the entity. REGULATION AND RISK : The focus of the review is on how governance of risk by the boards of Banks and Other Financial Institutions BOFIs can be made more effective so as to enhanced regulation and supervision. In the past, some boards may
15

of its responsibilities. But many of these processes relate to business models involving exposure to financial risks that can be reasonably dependably measured. While a clear continuing responsibility of the board is to ensure that such risks are indeed appropriately managed and controlled, different and potentially much more difficult issues arise in the identification and measurement of risk

13 http://frc.org.uk/CORPORATE/COMBINEDCODE.CFM. - The Combined Code is the UK code on corporate governance, which applies to UK listed companies. It is a voluntary code rather than a regulatory requirement. However, the UK Listing Rules require listed companies to disclose in their annual report the extent of their companies or non-compliance with the Code. The Code was revised in 2003 14 Cadbury Committee (1992) Report of the Committee on the Financial Aspects of Corporate Governance, London: Gee and Co- The Cadbury Code is a code of corporate governance, published by Cadbury Committee in the UK in 1992 (and since superseded) Ref. 13 15 Governance of risk: A review of corporate governance in UK banks and other financial industry entities 16, July 2009

where past experience is an uncertain or potentially misleading guide. When risk materializes, it may do so as a risk previously thought to be understood and managed that turns out to be very different indeed, and may do so

quickly, well within normal audit cycles. The valuation of an asset or liability in a stressed market environment and the identification of other potential risks that may not previously have been encountered, pose major questions for real-time assessment that are unlikely to have been factored in to construction of the pre-existing business model. Examples of such potential new risks are liquidity in a whole market might dry up completely over an extended period, a major acquisition or organic expansion into a new product or geographic area. RECOMMENDATION : The review recommends that the board of a BOFI should establish a board risk committee separately from the audit committee with responsibility for oversight and advice to the board on the current risk exposures of the entity and future risk strategy. In preparing advice to the board on its overall risk appetite and tolerance, the board risk committee should take account of the current and prospective macro-economic and financial environment, drawing on financial stability assessments such as those published by the Bank of England and other authoritative sources that may be relevant for the risk policies of the firm. an open and wide-ranging discussion without the sometimes dominating presence of the CEO. The presumption in any event is that the executive risk committee structure, usually chaired by the CEO or Chief Finance Officer (CFO), will continue as now. But it should operate within the parameters and limits set by the board risk committee, as confirmed by the board, in implementation of the agreed strategy on a day-to-day basis. The board risk committee should have an appropriate overlap with the audit committee. The precise allocation of responsibilities between the two committees will be for decision by individual boards but this should err on the side of overlap rather than underlap on questions as critical as the capability of the executive team to manage and control risks within the agreed parameters. The NEDs on the committee cannot be expected to replicate the industry, expertise of the executive team nor will their capacity to contribute be enhanced by the expertise of the executive team nor will their capacity to contribute be enhanced by information overload. The materials presented to them should be in succinct format,
16 Recommendation 23 review of corporate governance in UK banks and other 0000financial industry entities
16

COMPOSITION AND ROLE OF THE BOARD RISK COMMITTEE

The board risk committee should, like the audit committee, be a committee of the board and should be chaired by a Non-Executive Director (NED) with a majority of non-executive members, but additionally with the Finance Director (FD) as members or in attendance and with the Chief Risk Officer (CRO) invariably present. Whether the Chief Executive Officer (CEO) should be present will be for decision between the chairman of the committee and the CEO. But the CEO will invariably be involved in the board's deliberations on risk matters and there may be merit for the board risk committee in having

highlighting major issues. They should not distract from or dilute the focus of the committee on major issues, with other matters left to be resolved through the executive risk structure within the overall risk parameters set by the board and board risk committee. On this basis, and with appropriate briefing and training on particular key risk topics (an important responsibility of the CRO), a NED with substantial financial experience should be in a position to make an insightful contribution through wellprepared discussion with and challenge to the executive. While up-to-date industry and market industry knowledge is with the executive, board experience of review, challenge and commonsense should be expected from the NEDs whose informed detachment alongside sound financial industry experience should b an important counterweight to what can otherwise become executive or board group think. The role of the risk committee should be to advise the board on risk appetite and tolerance for future strategy, taking account of the board's overall degree of risk aversion, the current financial situation of the entity and drawing on assessment by the audit committee- its capacity to manage and control risks within the agreed strategy. This would importantly include responsibility for qualitative and quantitative advice, to the remuneration committee on risk weightings to be applied to performance objectives incorporated within the incentive structure for the CEO and executive. In preparing its advice to the board on overall risk appetite and tolerance, the board risk committee should take account of the current and prospective macro-economic and financial environment drawing on reviews and areas of concern that are raised in relevant financial stability assessments such as those published by the Bank of England and other authoritative sources relevant for the risk policies of the entity. Drawing in part on such assessments, the board risk committee should decide, in consultation as appropriate with the board, on rigorous stress and scenario testing.

Within the context of stress testing, the board risk committee and board should understand the circumstances under which the entity would fail and be satisfied with the level of risk mitigation that is built in. INDEPENDENCE OF THE ENTERPRISE RISK FUNCTION In support of board-level risk governance, a BOFI board should be served by a CRO who should participate in the risk management and oversight process at the highest level, covering all risk across the organization, on an enterprise wide basis, it should have a status of total independence from individual business units. Apart from interface with business units, this role will also require clear understanding and collaboration at corporate level, for example and in particular with the treasury function. The treasurer has day-to-day responsibility for liquidity matters but it should be understood that on specific risk aspects of the liquidity position and policies of the entity, the CRO has a decisive role.

have been historically a tendency for business units to be Alongside an internal line to the CEO or FD the CRO should report to the board risk committee an explicit and what is clearly understood to be direct access to the chairman of the committee in the event of need, for example if there is a difference of view with the CEO or FD, and should be accorded both status and remuneration reflective of the key importance of the role. The tenure of the CRO should be underpinned by a provision, as in many companies for the company secretary, that removal from office requires the prior agreement of the board. The remuneration of the CRO should be subject to the specific approval of the chairman or the chairman of the board remuneration committee with the purpose of ensuring that the overall package is appropriate to the significance of the role. The CRO is expected to assess, independently of the executive in individual business units, whether a proposed product launch or the pricing of risk in a particular transaction is consistent with the risk tolerance determined by the risk committee and board and should be able to exercise a power of veto where necessary. On a continuing basis the CRO should seek to ensure that risk originators in individual business units within the entity are fully aware of and aligned with the board's appetite for risk. There may In a case of the board risk committee, the need is for effective distillation of key issues in a thematic way, and delivering should be the responsibility of the CRO. This supportive role of the board risk committee is of key importance for the effective functioning of the committee and will not be met by a sequence of impenetrable slides. A CRO who is incapable of commissioning effective analysis and of boiling the essentials down to a succinct presentation is probably the wrong individual for the role. RECOMMENDATION: The review recommends that the tenure and independence of the CRO should be underpinned by a provision that removal from office would require the prior agreement of the board. The remuneration of the CRO The remit of the board risk committee calls for a high degree of rigour and judgement and members must have dependable access to whatever material they need to enable them to discharge their responsibilities. But this should not require data and paper flow on the scale of that for the audit committee. The audit committee is unavoidably confronted with very substantial data input, in particular in preparation of the financial accounts and interim reports on a half-yearly and, increasingly, quarterly basis, The necessary independence of the CRO within the entity's executive team means that he or she will be in position to provide the board risk committee with the advice on strategic proposal from the executive which may call for challenge. An atmosphere of well-informed questioning and challenge in the committee should be seen as a desirable and healthy part of the process. resistant to the CRO, who is seen as getting in the way of their ability to undertake what they see as attractive business. Any residual attitude of this kind must be changed and the independent authority of the CRO put beyond doubt.

should be subject to approval by the board chairman or chairman of the board remuneration committee. EXTERNAL ADVICE TO THE BOARD RISK COMMITTEE Given the priority and complexity of the risk monitoring

widely drawn. In board where such external advice has not been sought hitherto, there may be reservation or skepticism about the potential capability of another group of external advisers to contribute in a value-adding way and related concern that the CRO's key relationship with the risk committee could be undermined if an internal advice is regularly subjected to second-guessing from outside. Such external advice to the board risk committee and the board will not in any event provide any guarantee that a wholly unforeseen fat-tail shock will not exert a significant negative impact on the entity at some future point. In particular, analysis of the cause of the recent crisis suggests that there is a limit to the extent to which risk can be identified and offset at a level of the individual firm. RECOMMENDATION: The review gave a recommendation that the board risk committee should have access to and, in the normal course, expect to draw on external input to its work as a means of taking full account of relevant experience elsewhere and in challenging its analysis and assessment. ROLE OF THE BOARD RISK COMMITTEE IN A

role, external advice to the board risk committee and board may make a significant contribution to the quality of decision-taking. Risk matters are, of course, key to BOFI's strategy and a necessary condition is plainly that any such engagement with an external adviser should be on a dependably confidential basis. But where this condition is satisfied, recourse to a high quality source of external advice might be found to serve the board risk committee as a sounding board and to assist the NEDs through articulation of core issues as far as possible in succinct format questioning, supplementing or validating the input to the committee from the executive. The external adviser should be asked for specific input to the stress and scenario-testing of a business strategy, addressing in particular whether the array of low probability, high impact events taken into such testing has been sufficiently

STRATEGIC TRANSACTION The nature of any external input and reliance that can be placed on it may be critically important in a transactional situation, in particular where the executive is proposing a significant merger, acquisition or disposal. In such a situation and in particular where investment banking

advice is being provided on the basis of a contingency fee, so that the adviser is only paid the full fee if the transaction is completed. Specifically, the transition into execution mode on a proposed strategic transaction should not be authorized until the board has determined on the basis of a rigorous due diligence appraisal that the deal would be likely to benefit the entity and its shareholders if it can be brought off within an agreed framework. It will be for the board to settle on a due diligence process appropriate to the circumstance of the proposed transaction. But given the potential importance of conducting such a process with an appropriate degree of detachment from advocacy on the part of the CEO (and executive team), it proposed that this role should as a matter of good practice be discharged by the board risk committee, which would then of course report on its findings to the whole board. RECOMMENDATION - In respect of a proposed strategic transaction involving acquisition or disposal,

it should as a matter of good practice be for the board risk committee to oversee a due diligence appraisal of the proposition, drawing on external advice where appropriate and available, before the board takes a decision whether to proceed. RISK DISCLOSURE AND RISK GOVERNANCE Requirements for financial disclosure by banks and other financial institutions have grown inexorably in the recent past. Major specific accounting issues like those related to the valuation of assets and liabilities for the purpose of the financial accounts have generated very substantial discussion, and international resolution on agreed approach and standards is still incomplete in some areas. But despite the high profile of this accounting debate, it has less substantive relevance for the determination of the risk appetite and tolerance of a BOFI than the quality and scope of the internal risk assessment process within the entity. Recent experience suggest that the form and content of external financial disclosures have been much higher priority than the internal processes and capabilities of boards, above all, the quality, coverage and timeliness of the internal information flow, informing discussion and decision-taking on the entity's risk strategy. This imbalance needs to be addressed, not through constraint of external disclosure (though some of this now seems excessive, driven in part by litigation concerns) but through material strengthening of the board risk process. The proposal is that the board risk committee should produce a separate report on its work in the company's annual report and accounts, focusing on the entity's governance of risk. In international Financial Reporting Standard 7 (IFRS7) and the existing disclosures made in the business review in respect of risk management and risk information, potential overlap between reporting by the audit and risk committees. IFRS7 requires an entity to make both qualitative and quantitative disclosures are intended to

include the types of risks arising from its financial instruments. Qualitative disclosures are intended to include the type of risk to which the entity is exposed and how they arise, the entity's objectives, policy and processes for managing the risks, methods used to measure the risks, and changes from the previous reporting period. The quantitative disclosures include summary data about the exposure to risk as at the reporting date. Similar information is also required in the business review and, for BOFIs which are also listed in US, in the management discussion and analysis. RECOMMENDATION: - The board risk committee (or board) risk report should be included as a separate report within the annual report and accounts, the report should describe the strategy of the entity in a risk management context, including information on the key exposures inherent in the strategy and the associated risk tolerance of the entity and should provide at least high level information on the scope and outcome of the stress-testing programme. An indication should be given of the membership of the committee, of the frequency of its meetings, whether external advice was taken and, if so its source. PROVISION OF THE KING'S REPORT 111 (2009), ON GOVERNANCE OF RISK BOARD'S RESPONSIBILITIES FOR RISK MANAGEMENT THE BOARD SHOULD BE RESPONSIBLE FOR THE GOVERNANCE OF RISK : A policy and plan for a system and process of risk management should be developed. board should comment in the integrated report The on the effectiveness of the system and process of the risk management. boards' responsibility for risk governance The should be expressed in the board charter. induction and ongoing training programmes of The board should review the implementation of the The risk management plan at least once a year. The board should ensure that the implementation of the risk management plan is monitored continually. THE BOARD SHOULD DETERMINE THE LEVELS OF RISK TOLERANCE board should set the levels of risk tolerance The once year board may set limits for the risk appetite The board should monitor that risk taken are The within the tolerance and appetite levels THE RISK COMMITTEE OR AUDIT COMMITTEE SHOULD ASSIST THE BOARD IN CARRYING OUT ITS RISK RESPONSIBILITIES The board should appoint a committee responsible risk management policy should be widely The distributed throughout the company the board should incorporate risk governance. board's responsibility for risk governance The should manifest in a documented risk management policy and plan.

for risk. The committee should: Consider the risk management policy and plan and monitor the risk management process; as its members executive and non- executive Have directors, members of senior management and independent risk management experts to be invited, if necessary; a minimum of three members; and Convene Have meeting at least twice a year. performance of the committee should be The evaluated once a year by the board. MANAGEMENT'S RESPONSIBILITY FOR RISK MANAGEMENT: The board should delegate to management the responsibility to design, implement and monitor the risk management plan: board's risk strategy should be executed by The management by means of risk management systems and processes.

Management is accountable for integrating risk in the day-to-day activities of the company. CRO should be a suitably experienced person The who should have access and interact regularly on strategic matters with the board and/or appropriate board committee and executive management. GOVERNANCE ELEMENTS FOR RISK: The King's Report also provides principles and recommendations for the following governance elements for Risk: RISK ASSESSMENT The board should ensure that risk assessments are performed on a continual basis; board should ensure effective and ongoing risk The assessments are performed. systematic, documented, formal risk assessment A should be conducted at least once a year. Risks should be prioritized and ranked to focus responses and interventions. risk assessment process should involve the risk The affecting the various income streams of the company, the critical dependencies of the business, the sustainability and the legitimate interests and expectations of stakeholders. assessments should adopt a top-down approach. Risk board should regularly receive and review a The register of the company's key risk. board should ensure that key risks are quantified The where practicable. board should ensure that frameworks and The methodologies are implemented to Increase the probability of anticipating unpredictable risks: board should ensure that a framework and The processes are in place to anticipate unpredictable risks. RISK RESPONSE The board should ensure that management considers and implements appropriate risk responses Management should identify and note in the risk register the risk responses decided upon. Management should demonstrate to the board that

the risk response provides for the identification and exploitation of opportunities to improve the performance of the company. RISK MONITORING The board should ensure continual risk monitoring by management The board should ensure that effective and continual monitoring of risk management takes place The responsibility for monitoring should be defined in the risk management plan. RISK ASSURANCE The board should receive assurance regarding the effectiveness of the risk management process Management should provide assurance to the board that the risk management plan is integrated in the daily activities of the company. Internal audit should provide a written assessment of the effectiveness of the system of internal controls and risk management to the board. RISK DISCLOSURE The board should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders Undue, unexpected or unusual risks should be disclosed in the integrated report. board should disclose its view on the The effectiveness of the risk management process in the integrated report. CENTRAL BANK OF NIGERIA In Nigeria, the Central Bank of Nigeria (CBN) stated that the late 1980s and early 1990s witnessed rising non-performing credit portfolios in banks and this significantly contributed to the financial distress in the banking sector. Also identified was the existence of predatory debtors in the banking system whose modus operandi involved the abandonment of their debt obligations in some banks only to contract new debts in other banks. Furthermore, the use of status enquiries on bilateral basis between banks was characterised by some weaknesses. Status enquiries were regarded as business courtesies to which some banks either did not respond to or gave vague replies. In spite of the systemic weakness, many banks continued to extend fresh facilities to customers who already had hardcore and un-serviced debts with other banks and financial institutions. On the part of the regulators, the paucity of credit information had inhibited consistent classification of credits granted to certain borrowers and their
17 http://www.cenbank.org/supervision/crms.asp

associated companies.

17

Consequently, the need for a central database from which consolidated credit information on borrowers could be obtained became imperative. It was against this background that the Central Bank of Nigeria (CBN) Credit Risk Management System [CRMS] or Credit Bureau was established. The decision to establish a Credit Bureau in Nigeria featured in the Presidential Budget Speech of 1990. Thereafter, it was given a legal backing by the CBN Act No.24 of 1991 [sections 28 and 52] as amended. The enabling legislation empowered the CBN to obtain from all banks, returns on all credits with a minimum outstanding balance of N100, 000.00 (now N1.m and above of principal and interest), for compilation and dissemination by way of status report to any interested party (i.e. operators or regulators). The Act made it mandatory for all financial institutions to render returns to the CRMS in respect of all their customers with aggregate outstanding debit balance of N=1,000,000.00 (One million naira) and above. It also required banks to update these credits on monthly basis as well as make status enquiry on any intending borrower to determine their

eligibility or otherwise. Banks are penalized for noncompliance with the provisions of the Act. The Central Bank of Nigeria through its Guidelines for Developing Risk Management Framework for Individual Risk Elements in Banks states the risk management requirements as follows: Board should be responsible for establishing The the bank's overall strategy and risk element to which it is exposed. board should ensure that the bank maintains The the various risks facing it at prudent levels board should ensure that the bank implements The sound fundamental principles that facilitate the identification, measurement, monitoring and control of all risk facing it. BRMC in order to complement his oversight role as the Chief board should ensure that appropriate plans and The procedure for managing individual risk are in place. Its goes on to state guidelines of Board Risk Management Committee (BRMC). They should be responsible for ensuring adherence to the bank's risk management policy and procedures as set out by the board as well as review the bank's risk strategy for appraisal by the board. In order to secure the independence of the BRMC, the Chairman of the Board shall not be a member of the committee in line with the Code of Corporate Governance for Banks in Nigeria. Membership of the BRMC shall include at least (2) non-executive directors, one of whom should be an independent director. One of the non-executive directors shall serve as Chairman. Managing Director/CEO shall be a member of the The Executive Officer of the bank. CENTRAL BANK OF NIGERIA Code of Corporate Governance for Banks in Nigeria Post Consolidation (2006) One of the challenges of corporate governance for Banks post consolidation, as stated in the CBN Code of Corporate Governance for Banks in Nigeria Post Consolidation 2006, is the increased levels of risk. Currently, very few banks have a robust risk management system in place. With the huge amount of funds that will be available to them and significantly increased legal lending limits, banks will be financing more long-term mega projects in the real sectors of the economy as opposed to the existing working capital/trade financing. Given the expected significant increase in the level of operations, the banks will be facing various kinds of risk which, if not well managed, will result in significant losses. The management of risk in a transparent and ethical way will thus present some issues bordering on 8.1.1 Corporate Governance. 8.4 Provision of the CBN Code of Corporate Governance on Risk Management Board Risk Management Committee The should establish policies on risk oversight significant policies relating to the management of individual

and management. Banks should put in place a risk management framework including a risk management unit that should be headed by a Senior Executive, in line with the directive of the Board Risk Management Committee. internal control system should be The documented and designed to achieve efficiency and effectiveness of operations; reliability of financial reporting, and compliance with applicable laws and regulations at all levels of the bank. External auditors should render reports to the CBN on banks' risk management practices, internal controls and level of compliance with regulatory directives. However, the recent case of risk management and corporate governance failures that led to the exit of the managing directors of five Banks (Oceanic Bank Plc, Afribank Plc, Finbank Plc, Union Bank, of Nigeria Plc and Intercontinental Bank Plc) has again brought to the spotlight the issue of Risk Management in Nigeria. In his statement, the CBN Governor Mr. Sanusi Lamido, stated that although they committed no crimes, the affected managing directors had by the way they ran their institutions lost the franchise of the institutions and put shareholders and depositors funds at risk. SECURITIES AND COMMISSION EXCHANGE 9.1.3 9.1.2

framework and the risk-reward strategy determined by the Board. The functions of the Committee should be guided by written terms of reference or a charter and should include the following: (a) review and approval of the companies risk management policy including risk appetite and risk strategy; (b) review the adequacy and effectiveness of risk management and controls; (c) oversight of management's process for the identification of significant risks across the company and the adequacy of prevention, detection and reporting mechanisms; (d) review of the company's compliance level with applicable laws and regulatory requirements that may impact the company's risk profile; (e) periodic review of changes in the economic and business environment, including emerging trends and other factors relevant to the company's risk profile; and (f) review and recommend for approval of the Board risk management procedures and controls for new products and services. To enhance the risk management function, a senior management staff should be detailed to perform the

PROVISIONS OF THE REVIEWED 2003 SEC CODE OF CORPORATE GOVERNANCE ON RISK MANAGEMENT
9.1.1 The Risk Management Committee - The Board may establish a Risk Management Committee to assist it in its oversight of the risk profile, risk management

New Listing in 2010 The number of securities listed on The Exchange in 2010 dropped to 264 from 265 in 2009. The following are the listed securities in 2008, 2009 and 2010:

S/n 1

20 08 N igeria Bag M anu factu rin g Co mp any P lc

2 00 9 H IS N igeria

20 10 U nio n H om es Real Es tate In vestm ent Tru sts Plc N PF M icrofina nce ban k Plc Paints and Co ating s M anufacturers N igeria Plc M ulti-T rex In tegrated Fo ods Plc D ang ote Cemen t Plc

As Savin gs & L oan Plc

C ourtevi lle In vestm ent Plc

In vest ment & A llied In su ran ce Plc

A fr omed ia p lc

Reg en cy A lliance Insu rance P lc

Pin ancle P oin t G ro up Plc

Fids on H ealth care Plc

M -T ech C om mu nicatio n Plc

O matek V ent ures Plc

Po rtland Paints & P ro du ct Plc

2 FG N Bo nd

Ta ntalizers P lc

A frican A llian ce Insu rance Plc

5 State G ov ern ment Bon ds

E -T rans act Internatio nal Plc

4 Indus tria l
Lo ans: C & I L easin g Plc Lo an Sto ck

B eco P etro leu m Pro duct Plc

10

H o neyw ell Flo ur M ills Plc

11

G u aran ty T ru st A ssu rance Plc

1s t G uaran ty T rust Ban k Plcs F ix ed Rate Senior U ns ecu red N o nCon v ertib le B on d, 20 14 Series 1 U AC N Property D ev elop men t Co. Plcs 1 5 B il lion 10 % Fixed R ate U ns ecu red N o nU BA Plcs N 2 0 billi on 1 3 p er cen t Fixed R ate Su bordi nate U ns ecu red N o tes (S eries 1) 20 17 .

12 13 14

R es ort Savin gs & Lo ans Plc U n it y K apital A ssu rance P lc M cN icho ls Co nso lidat ed Plc (2n d tier s ecu rities Mk t) 1 2 FG N Bon ds

Delisting in 2010 In all, sixteen (16) securities were delisted during the year compared with sixty-five(65) in 2009: Council approved the delisting of three companies: ? Aboseldehyde Laboratories Plc was delisted

Billion Fixed Rate Bond) ? Two Industrial Loans (Carnaudmetal Box Nigeria Plc Bond and Access Bank Plc's N13.5 billion Redeemable Convertible Bond) ? Benue Cement Company Plc was delisted following the merger with Dangote Cement Plc.

following the non-compliance to post-listing requirements ? Afrprint Nigeria Plc was delisted following

Change of Name in 2010 The exchange was notified by the companies below their intention to change the name of their respective companies, as recommended by the Board of Directors: ? ? Multiverse Resources Plc was changed to Multiverse Plc Chevron Oil Nigeria Plc changed to MRS Oil Nigeria Plc ? National Sports Lottery Plc changed to Secure Electronics Technology Plc. New Issues The Primary Market was more active during 2010 than in 2009. This can be attributed to the relative stability recorded in the stock market, which boosted investors' confidence. The Exchange considered and approved 31 applications for new issues valued at N2.44 trillion or 9.83% of GDP, as against 30 applications for new issues valued at N279.25 billion or 1.2% of GDP in 2009. Top five new issues approved in 2010

applications by the Board of Directors of the respective companies to Council ? Incar Nigeria Pc was delisted following applications by the Board of Directors of the respective companies to Council. Twelve (12) others are in the final stage of being delisted five in Emerging Markets and one in First Tier, seven in the Firsttier Also delisted were: Twelve fixed income securities on account of maturity. This was made up of: ? Nine FGN Development Stocks ? One State Government Bond (Lagos State N15

S/n 1 2 3 4 5

Issues Dangote Cement Bayelsa State Government Ecobank Nigeria Plc Flour Mills Nig. Plc Unity Bank Plc

Amount (N) 2.1trillion 50.0billion 46.63billion 37.5billion 29.13billion

Type of Issue Mergers Bond Pla cing Bond Rights Issue

The Nigerian Capital Market The harsh operating environment hampered the performance of most companies as shown in the quarterly results of quoted companies. Rising unemployment, weakened purchasing power and weakened investor confidence further exerted downward pressure on the stock market. The impact of the global economic meltdown worsened the scenario as foreign investors shunned assets

considered risky while local investors sought refuge in shortterm securities. Also, the initial negative reaction to the decision of most banks and insurance companies to make full provisions for their non-performing assets dampened investors' appetite and slowed down market recovery. In the long term, the decision is healthy for the market, in the sense that it would show a true and fair position of the institutions concerned.

20 MOST ACTIVE STOCKS (BY TURNOVER VOLUME) IN 2010:

Five subsectors were represented in the most active list compared to four in 2009. They are Banking, Insurance, Conglomerates, Information and Communication Technology (ICT) and Second-Tier Securities Market (SSM). The Banking sector contributed fourteen (14) of the twenty most active equities with traded volume of 44.2 billion or 47.5 percent while the Insurance subsector contributed two (2) with traded volume of 3 billion shares or 3.2 percent. Consequently, the two subsectors contributed sixteen (16) of the top 20 most active equities. In 2009, the two subsectors contributed eighteen (18) of the Top 20 most active equities. The Information and Communication Technology, Maritime, Conglomerates and SSM subsectors had one representative each to complete the Top 20 list.

trillion, seventeen (17) subsectors recorded increased market capitalization of between 3.9% and 622.05%, while sixteen subsectors suffered a reduction in market capitalization of between 2.8% and 48%. At the end of the year 2010, the following 20 companies emerged with the highest market capitalization, in descending order;

MARKET CAPITALIZATION

The total market value of 264 securities listed on the Exchange increased by 41.12%, (as a result of new listings (equities and government bonds) and price appreciation of equities) from N7.03 trillion to stand at N9.92 trillion at year-end. The increase in market capitalization resulted mainly from equity price appreciation. By year-end (2010), the market capitalization of the 217 listed equities accounted for N9.92

TWENTY COMPANIES WITH THE HIGHEST MARKET CAPITALIZATION AS AT DECEMBER 2010

S/ N Company NSE Classification Sector % of total Market Capitalization MKT Capitalization (N Billion ) (6.15trillion) of The top 20 Companies 30.23 1,859.3 583.1 471.3 448.04 414.11 281.1 243.44 236.7 192.0 172.5 169.94 155.02 129.7 122.2 122.03
9. 48 7.66 7.29 6.73 4.57 3.96 3.85 3.12 2.81 2.76 2.52 2.11 1.99 1.98

% of Total MKT Capitalization (N9.92 Trillion) 18.74 5.88 4.75 4.25 4.17 2.83 2.45 2.39 1.94 1.74 1.71 1.56 1.31 1.23 1.23

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Dangote Cement Building Materials Plc Nigerian Breweries Brewer ies Plc Zenith Bank Plc Banking First Bank of Nigeria Plc Guaranty Trust Bank Plc Guinness Nigeria Plc Nestle Nigeria Plc United Bank for Africa Plc Dangote Sugar Refinery Plc Sta nbic IBTC Bank Plc Access Bank Plc Ecobank Transnational Inc. Flour Mills of Nigeria Plc Lafarge Cement WAPCO Nig. Plc First City Monument Bank Plc Oando Sky Bank Plc Diamond Bank Plc Unilever Plc Nigeria Banking Banking Breweries Food & Beverages Banking Food & Beverages Banking Banking The Foreign Listings Food & Beverages Building Materials Banking

16 17 18 19

Petroleum (Marketing) Banking Banking Conglomerate

119.5 116.33 108.56 101.8

1.94 1.89 1.77 1.66

1.21 1.17 1.09 1.03

20

P.Z Cusson Plc

Conglomerates

100.1

1.63

1.01

The above 20 most capitalized companies as at year end FOREIGN PORTFOLIO INVESTMENT accounted for N6.15 trillion or 77.6% of the equity market Following modest recoveries in their home markets, some of capitalization and 62% of the total market capitalization of The the foreign investors returned while new investors sought Exchange. In 2009, the Top 20 equities by market opportunities, considering the key attributes of high returns, liquidity and safety of investments. Hence, despite the global capitalization accounted for 69.5% of the equity market recession, the Stock Exchange market remained attractive to capitalization and 49.4% of the total market capitalization. foreign investors and portfolio managers seeking cheap Consequently, changes in the prices of these stocks impact equities and high-yielding bonds. Interim statistics show substantially on the total market capitalization and the All- purchases (inflow) by foreign investors during 2010 to be in Share Index. The share of market capitalization by Federal and excess of N350 billion, representing 52.18% of the aggregate turnover an increase, when compared with the N229.986 State Government Bonds with forty (40) listed securities was billion recorded in 2009. Concurrently, total sales (outflow) N1.943 trillion (or 19.6% of market capitalization), down by during the year were in excess of N178.81 billion, 4.33% from the N2.031 trillion (or 28.9%) recorded in culminating in a net inflow of N171.04 billion, a reversal of December 2009. Also, the value of Preference Shares and the net outflow of N33.403 billion in 2009, a staggering Industrial Loans with seven listed securities stood at N56.4 increase of 412.05%. billion in 2010, up by 600.4% from the 8.05 billion recorded in Presently, the Nigerian Stock Exchange has three companies listed in foreign stock exchange; December 2009. The combined share of market capitalization Two (2) companies are listed on London Stock Exchange of the four security-types was N2 trillion (or 20.15% of market Diamond Bank Plc and Guaranty Trust Bank Plc, capitalization), down by 2% from the N2.04 trillion (or 29%) Oando Plc is listed on Johannesburg Stock Exchange recorded in December 2009. ENFORCEMENT OF RULES AND REGULATIONS SUSPENSION In 2010, 74 dealing member firms was suspended for failure to submit their audited accounts, 42 companies were also placed on technical suspension for infractions of listing rules, as at January 10, 2011, 17 of the 42 companies are no longer on suspension. However, 15 companies were placed on full suspension for violation of listing rules and 7 companies were recommended for delisting SUMMARY AND COMMENTS In assessing the overall provision of governance of Risk (Risk Management) above, there are mixed signals about the effectiveness of risk management in Nigeria. While reports (Walkers report, Cadbury and King Report 111) starts clearly the principles for effective risk management and the responsibilities of board / board risk committee in performing

the risk management responsibilities of the company management in Nigeria and the board at least annually diligently and achieving a high level of effectiveness. The include a high level summary of top risks for the enterprise as provision of risk management in Nigeria indicates a non robust a whole and its operating units' a periodic overview of management's methodologies used to assess, prioritize and processes and guidelines. However, the provision of risk management by the Central measure risk; and a summary of emerging risks that warrant Bank of Nigeria is somewhat better for the banking sector board attention. Among those not received annually by most compare to the Securities Exchange Commission, apparently boards include scenario analyses evaluating the effect of because of the believe that they are proactive in their risk changes in key external variables impacting the organization; efforts. The 2003 SEC Code of Corporate a summary of exceptions to management's established Governance, did not take conversant of risk management policies or limits for key risks; and a summary of significant process as such no specific section was dedicated for risk gaps in capabilities for managing key risks and the status of management unlike audit committee initiatives to address those gaps. We recommend a mandate The outcome of this report reveals a number of areas for for organizations to improve the risk reporting process and improving in the provision of risk management and corporate increase the regularity of reporting according to the nature of governance for public quoted companies in Nigeria. This organization's operations and risk profile as well as the improvement will enable the boards to advance the board's specific needs. There is need to improve the Risk Appetite Dialogue development of their risk processes. The points are stated e) Organ - we recommend that companies in Nigeria resolves to below; There is a need to improve the robustness of risk comply with the revised 2003 Securities and Exchange management provision by the regulatory bodies mandating Commission Code of Corporate Governance a) compliance to all Plcs there should be more and outlined Who's responsible for risk governance at global companies? structured process for monitoring and reporting key risks to the Boards and senior management, at the urging of regulators, board listed in the code. b) are taking a fresh and far more rigorous approach to defining The role of the board (or board risk committee) in risk and institutionalizing a robust risk appetite. As they move We recommend as a provision in existing code, that unless through the process, they are discovering that risk appetite is a either there is a separate board risk committee consisting of powerful management tool. independent directors or the full board considers the matter A company's statement of risk appetite should complement itself, the board should be responsible for the review of the the firm's vision and strategy and set the rules of the road for company's internal control and risk management systems. c) the entire organization, clarifying the board and senior The board's statement on internal control- We management's overarching views on what constitutes recommend that all codes should require listed companies to acceptable risk at all levels within the business. include in their annual report and accounts statement the board So who's responsible? of directors statement on internal control as a compliance requirement to the effect that there exist, a process of identifying, assessing and evaluating risk. d) There is need to enhance Risk Reporting to the board the most common types of risk and regulatory bodies

reporting received by the regulatory body (CBN,) is on credit risk, which have been the focus when regarding to risk

There is need to improve monitoring of the Risk R i s k a p p e t i t e g o v e r n a n c e r e s p o n s i b i l i t i e s a) Ownership of risk appetite starts at the very top of the Management Process While this report focused exclusively organization and systematically cascades downward to the on the comparing different risk management report, the link front line business managers. The key players in the risk between risk management and corporate governance is appetite development and implementation process include: ? inextricable. According to our review provision on risk Board of directors. The role of the board in risk management of public companies in Nigeria is not stated. We management has evolved significantly post-crisis, from pure recommend a implementation of reporting standard of risk oversight to active participation in defining risk appetite and appetite and management of all public quoted companies by regulatory bodies corporate affairs commission, securities approving the broad risk parameters for the enterprise. Risk committee. More and more banks are adding or and exchange commission, central bank of Nigeria. The risk strengthening the mandate of board risk committees to focus governance frame work or processes should be clearer stated ? and enhance their risk oversight responsibilities, including in the annual report of companies There is a need to strengthen risk identification active monitoring of the level of risk exposure for the b) institution versus the parameters set in the risk appetite. ? processes: we recommend that public quoted companies CEO. Ultimately the CEO is responsible for managing should be looking at risk holistically and assuming a more risk throughout the organization. The CEO, together with the vigilant stance on risk identification policies and procedures board, is responsible for creating the risk framework and Improvements in this area include: daily real-time monitoring of risks; stricter portfolio risk-grading systems; and tighter articulating and enforcing the appropriate risk appetite. CRO. The chief risk officer plays a central role in the screening of on-boarding procedures for new clients. Several risk appetite development and monitoring process driving the institutions have formed new cross-functional risk ? discussions between the board, business management and identification committees composed of managers from independent control groups. The CRO is concerned with finance, risk, technology, compliance, treasury, accounting identifying disconnects between strategy and operations. This and the business units. Many companies have upgraded their role owns the internal assessment of tolerances, limits and product approval policies and procedures, increasing the indicators to support measurement against the risk appetite, as involvement of the risk group in developing, approving and monitoring products throughout their life cycle. well as plan development, execution and management. Business unit leaders. Business unit leaders must Developing the depth in Nigeria's capital markets is key to the communicate their business and competitive imperatives and future growth of the economy and achieving the 2020 ? related inherent risks to achieving those objectives during the aspirations. Existence of sound Risk Management and risk appetite development phase. Once the risk parameters are Corporate Governance Practices is crucial to promote formulated and communicated, business unit leaders are investors confidence required for a capital market accountable for ensuring that limits, escalation triggers and development. Board of Directors, Top Management and other provisions are aligned with the risk appetite and Regulators of public quoted companies should therefore take a lead role and adopt the international best practice corporate meticulously observed in the execution of strategy. ? Independent risk management and control groups. governance and risk management requirements for Control and oversight groups must have sufficient knowledge implementation by the public quoted companies as a national

of the business activities of the organization and have the clout priority. Risk management is a culture and every successful to force a review or escalation when risk parameters have been business owner must learn the every aspect of managing risk breached. in order to stay in the business.