BarnOwl Info Sharing Insight: Risk Governance with Christelle Marais

March 5, 2019

BarnOwl Info Sharing session: 28 February 2019

Risk Governance

Presented by Christelle Marais, Managing Director, Lucidum

Thank you very much Christelle for your enlightening presentation at our BarnOwl info sharing event held at the BarnOwl offices in Bryanston on the 28 February 2019.


Some of the largest corporate failures in both the public and private sectors have been laid at the door of Boards of Directors. At the same time, many Directors voice the concern that they are not able to provide adequate governance and oversight due to the disparate approach in which the various assurance providers submit information and reports to the Board.

In addition to this, there is also recognition of the need to pursue ethical and good governance outcomes as opposed to assurance providers ticking boxes in isolation. This session provides delegates with an overview of what each player in the “Risk Governance”-value chain should contribute in terms of the King IV outcomes of (i) ethical culture (ii) good performance (iii) effective control and (iv) legitimacy, and how these should all come together in a robust combined assurance model and transparent integrated reporting.

In Summary:

Risk managers cannot add value or demonstrate their “skin in the game” without understanding who they serve and what their expectations are. A key client of the risk manager is obviously the board of directors (or its equivalent), who owes its fiduciary duties to the organisation and must always act with due care and skill. Unfortunately, in most organisations, risk managers only have access to directors via executives (usually the CEO or the company secretary). In addition, directors receive their appointment and mandate from shareholders (who do not owe any fiduciary duty towards the organisation), failing which criminal and/ or civil action can be taken against them in their capacity as directors. It is in this complex environment that risk managers can contribute significantly to the success of their organisations, if they understand how the executive’s and the board’s expectations interlink and how they use risk-related information to execute their duties.

In South Africa, directors have to deliver on the following four duties: (i) steer set strategic direction, (ii) approve policy and planning, (iii) oversee and monitor and (iv) ensure accountability. While executing these duties, directors have to take into account the organisation’s triple context (“people, planet and prosperity”), the six capitals that the organisation uses and affects (financial, manufactured, intellectual, social & relationship, human and natural capital), the seventeen sustainable development goals and how the organisation contributes to these (or not) and lastly the five principles of responsible investment in South Africa. The King Report on Corporate Governance provides directors with a “text book” of seventeen principles based on the seven foundation stones of (a) ethical leadership, (b) the organisation in society, (c) corporate citizenship, (d) sustainable development, (e) stakeholder inclusivity, (f) integrated thinking and (g) integrated reporting. While keeping all of this in mind, directors’ ultimate duty is to ensure that their organisation achieve four key outcomes: (1) ethical culture, (2) good performance, (3) effective control and (4) legitimacy.

This context within which directors operate, is therefore the starting point for a good risk management framework. Whether an organisation uses ISO 31 000, COSO ERM or any other risk management standard, it should always be informed by and deliver on shareholders’, directors’ and executives’ expectations. One of the most important tools in this context is a comprehensive and properly understood risk appetite framework, bespoke to the specific organisation. Whereas many complex models for the formalisation of risk appetite have been suggested, the basic requirement should always be that it must be able to practically inform decisions. Sadly, many organisations have not been able to get this right and perhaps the reason for this is, that the formal “numbers” that they come up with is not compatible with what business leaders intuitively judge as appropriate for their organisations. This disconnect is a key challenge for risk managers and one of the most important ones to address.

Once an appropriate risk appetite framework is in place, organisations should understand how to govern risk (this goes beyond the steps included in standards such as ISO 31 000, COSO ERM, etc.). “Risk governance” encompasses the appropriate application of all that is required to ensure that risks and opportunities stemming from the organisation’s sustainability reality is appropriately addressed in its strategy, is then translated appropriately into the risk appetite statement, is then managed effectively during execution of operations, is then optimally assured in a good combined assurance model, is accurately and appropriately reported to the board and lastly, is honestly and transparently reflected in the organisation’s annual integrated reports.

In closing, the board’s view on the use of risk reports can be compared to a sport, such as football. While there are many risks that should be managed while selecting players, preparing for tournaments and playing matches, directors expect that management should be able to identify, manage and report on these risks as a matter of course (e.g. injuries, yellow cards, competition for players). In the broader context however, directors are worried about the “not so obvious” risks, i.e. spectator violence, societal/ government actions (e.g. sanctions), terrorism using matches as platforms, etc. The risks inherent to the game should be effectively managed by the executive with oversight from the board. In addition, those non-traditional and emerging risks that can derail the match should be identified early and mitigated as far as possible while keeping the board fully informed.

Presentation and Video links:

Please see attached presentation here as well as video link here for more information.
image_03 image_04

Associated articles:

The following are useful links relevant to Christelle’s presentation: (The journey from King I to King IV: Why King IV is not another layer of regulation but creates add-on value presented by Michael Judin. (King IV is copyrighted to The Institute of Directors Southern Africa).  


Once again thank you Christelle for your time and for your informative presentation and thank you to all those who braved today’s traffic and attended the info sharing session. We look forward to seeing you at our next info sharing session.
Kind regards
Jonathan Crisp
Director – BarnOwl GRC and Audit software

About Christelle Marais:

Since 1991, Christelle has been active in various roles within corporates such as Marsh, Department of Science & Technology, Sasol, South African Post Office and various clients across Africa in governance, company secretarial services, risk management, ethics, business continuity management, risk financing (insurance, cell captives, etc.), litigation, economic crime as well as asset and liability management. Christelle’s career has provided her with experience in various industries including financial services, manufacturing, healthcare, logistics, retail, agriculture, energy, mining and government entities.

 She has served in various capacities at subsidiary, joint venture and group levels and has often been co-opted to conduct risk management for major organisational change and restructuring projects. Christelle’s focus is to enable Boards, Risk Committees, Audit Committees, Social & Ethics Committees, EXCOs and divisional teams through risk intelligent programs to govern risk and make informed decisions. She has developed risk management frameworks (policy, strategy, standards, processes and risk maturity evaluations) for various entities and serves as independent Board or committee member.

About BarnOwl:

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 200 organisations in Africa, Australasia, Europe and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.

Please see  for more information.