IERP® Monthly Newsletter Issue 4/ September 2018 | Page 7

Tea Talk: Crafting an Effective and Practical SORMIC

With Ramesh Pillai, Group Managing Director, Friday Concepts Risk Consulting

In Malaysia, the Statement on Risk Management and Internal Control (SORMIC) is a requirement from the Securities Commission, in accordance with the Malaysian Code of Corporate Governance (MCCG) 2017. On 14th September 2018, a Tea Talk was held at the IERP® International Secretariat, featuring a presentation on the topic by Mr. Ramesh Pillai, Group Managing Director of Friday Concepts Risk Consulting.

The MCCG and Defining “Risk Management”

Speaking on the MCCG 2017 as a guidance document for the SORMIC, Ramesh noted that its main contributors/authors were auditing/accounting bodies; there were no contributions by risk practitioners. He drew attention to Principle B in the MCCG, where the Intended Outcome of a Risk Management and Internal Control Framework is that:

“Companies make informed decisions about the level of risk they want to take and implement necessary controls to pursue their objectives.

The board is provided with reasonable assurance that adverse impact arising from a foreseeable future event or situation on the company’s objectives is mitigated and managed.”

Ramesh pointed out that this focuses only on the downside of risk and does not consider opportunities or the improvement of decision-making. Given that it is the CEO or CFO who signs off on the document, and not the CRO, and that it is mainly focused on Operational Risk Management, the SORMIC thus becomes more of a disclosure document for internal audit and finance, rather than for Enterprise Risk Management.

A participant asked whether, given that the highest number of risks is operational, it does not make sense that the MCCG focuses on Operational Risk Management. Ramesh concurred, but added that there should at the same time be consideration for risk exposures with high impact, not just high frequency.