Risk Governance

Corporate governance

All organizations are “Living Systems”: they are born, grow, mature, transform, absorb others or are absorbed, and eventually die, shutting down their activities.
This “Living System” is inserted in other External Systems and inserts others, among them the fundamental “Human System”.
Every organization has a Mission, a Vision and Values. In order to achieve its objectives, it must draw up a Strategy compatible with its Mission, Vision and Values.
The better structured and prepared the components of the Human System are, the better the elaboration of the Strategic Plan and the achievement of the Goals will be.
Considering that the External System is also alive bringing continuous technological, market, behavioral, values and regulatory evolution, it directly influences the code of conduct and the level of risk to which the company is exposed. This evolution has been increasingly rapid, requiring urgent responses from the companies’ Human System.
No matter the size or level of maturity of the organization, all have their Systems and are inserted in the External System.
For a long time, organizations have dealt with the recurrent themes of their relationship with their shareholders and with all their stakeholders.
A stakeholder (interested party) is any person, entity or system that affects or is affected by the activities of an organization.
To better address these issues, several entities have been discussing and presenting suggestions and regulations for the various areas of action of the most diverse organizations, on how best to build the Human System that meets the wishes of all stakeholders.
These structures support what is called Corporate Governance.
Throughout the 20th century, the economies of different countries became increasingly integrated through the dynamism of international trade, as well as the expansion of financial transactions on a global scale. In this context, the organizations underwent significant changes, since the strong pace of growth of their activities promoted a re-adjustment of their control structure, due to the separation of ownership and business management. The origin of the debates on Corporate Governance refers to the conflicts inherent in the dispersed ownership and the divergence between the interests of the partners, executives and the best interest of the company.
Corporate Governance has emerged to overcome the classic “agency conflict”. In this situation, the owner (shareholder) delegates to a specialized agent (manager) the decision-making power over the company (according to the law), a situation in which differences may arise in each group’s understanding of what they consider to be best for the company.
This type of conflict is more common in societies such as the United States and England, where ownership of companies is more widespread.
In Brazil, where ownership is usually concentrated, conflicts intensify as the company grows and new members, whether investors or heirs, become part of the company. In this scenario, Governance also seeks to address these issues for the benefit of the company.
In 1976, Jensen and Meckling published studies focused on US and British companies, describing what they called the agent-principal problem, which gave rise to Firm Theory, or Agent-Principal Theory. According to these scholars, the principal-agent problem arises when the partner (principal) hires another person (agent) to run the company in their place.
According to the theory then developed, the executives and board members hired by the shareholders would tend to act in a way that maximizes their own benefits (higher wages, greater job stability, more power, etc.), acting in their own interests and not according to the interests of the company, all shareholders and other stakeholders. To minimize the problem, the authors suggested that companies and their shareholders should adopt a series of measures to align stakeholders’ interests, aiming above all at the success of the company. To that end, measures were proposed that included practices of monitoring, control and wide dissemination of information. This set of practices was called Corporate Governance.
The concern of Corporate Governance is therefore to create an efficient set of mechanisms, both incentives and monitoring, to ensure that the behavior of managers is always aligned with the best interests of the company.
In the literature on Corporate Governance, various definitions are presented by the several entities involved with the theme. Due to the evolution of the dynamics and of the way of transacting and relating with all stakeholders, i.e. regulators, supervisory and control bodies, shareholders / quotaholders, administrators and managers, employees, suppliers, customers and society, these definitions have been adapted / upgraded to the new business environment.

The IBGC (Corporate Governance Institute) offers us the following definition:
“Corporate Governance is the system by which companies and other organizations are directed, monitored and encouraged, involving relationships among members, board of directors, board of executive officers, supervisory and control bodies and other stakeholders. Good corporate governance practices translate basic principles into objective recommendations, aligning interests with the purpose of preserving and optimizing the long-term economic value of the organization, facilitating its access to resources and contributing to the quality of the organization’s management, its longevity and the common good.”

2 Basic Principles of Corporate Governance
– Transparency
It consists of making available to interested parties the information that is of interest to them, not just that imposed by laws or regulations. Adequate transparency leads to a climate of trust and greater commitment, both internally and in the company’s relations with third parties.

– Equity
It is characterized by the fair treatment of all partners and other related parties. Discriminatory attitudes or policies, under any pretext, are unacceptable.

– Accountability
The agents of governance (partners, advisers and managers) must be accountable for their actions, fully assuming the consequences of their acts and omissions.

– Corporate Responsibility
Governance agents must ensure the sustainability of companies, aiming at their longevity and incorporating social and environmental considerations in the definition of business and operations.
The above principles apply to all organizations regardless of the size or maturity stage of their governance structure.
What is important is to start applying the principles and to evolve over time towards structures that provide greater security in the pursuit of objectives, longevity and sustainability of companies.
Of course, the more developed the governance structure, and thus the maturity of governance, the better the duties will be distributed, thus avoiding agency conflicts.

2.1- Structure of the Corporate Governance System


[Figure: governança 1]

2.1.1 Statute / Social Contract
It is the contract that complements the legislation, governs and establishes the way the organization operates, including the duties and responsibilities of each agent of governance. It should contribute to the transparency of the organization’s governance system and thus foster trust in the relationship with all relevant stakeholders.

2.1.2 Shareholder/Quotaholder Agreement
The agreements between shareholders / quotaholders, without jeopardizing the interest of the organization, govern such issues as:
– Purchase and sale of shares / quotas by the signatories;
– Preference to acquire the interests of other partners / quotaholders;
– Mechanisms to resolve conflicts of interest;
– Conditions for leaving partners/quotaholders;
– Exercise of the right to vote and control power in assemblies, among others.

2.1.3 General Meeting / Meeting of Members / Quotists
It is the direct participation body through which the partners / quotaholders deal with the major decisions of the organization.
This occasion is also the relevant moment of accountability and transparency exercise by the administration.
The General Meeting also gives members the valuable opportunity to contribute to the organization by presenting their questions, ideas and opinions.

In order to have a good General Meeting we will highlight some practices:
– The rules for convening the general meeting (convening notice, including the agenda, place, date, time and possible forms of participation) should favor the presence of as many members as possible and allow adequate time, at least 30 days, for them to prepare for deliberation;
– The organization shall facilitate participation in the general meeting;
– It is recommended that members of the corporate bodies (board of directors, fiscal council, executive board, audit committee, risk committee and others that may be of interest to the agenda) be present at the ordinary general meeting to provide clarifications, if necessary;
– In the absence of a conflict of interest, the General Meeting shall be chaired by the Chairman of the Board of Directors;
– Members must attend the general meeting in a diligent and informed manner. Because of their responsibility to the organization, they should exercise their right to vote in the best interests of the organization;
– Managers must have a clear and effective accountability that allows the members an evaluation of the performance of the organization;
– Administrators of third-party resources (investment funds, institutional investors, etc.) have the duty to attend the meetings, exercising their vote in the best interests of the organization.

Among the main competencies of the general meeting are:
– Increase or reduce social capital and reform the social contract / statute;
– To elect or dismiss, at any time, the directors and fiscal council members;
– Annually examine the accounts of the administrators and deliberate on the financial statements;
– Decide on the transformation, merger, incorporation, spin-off, dissolution and liquidation of the organization;
– Deliberate on the evaluation of assets contributed to pay up the capital stock;
– Approve the remuneration of the administrators and fiscal councilors.

2.1.4 Fiscal Council
The fiscal council is an integral part of the governance system of Brazilian organizations.
It represents an independent oversight mechanism on behalf of the members, installed by decision of the general meeting, whose purpose is to preserve the value of the organization.
Fiscal council members have the power to act individually, despite the collegiate character of the body.
The main duties of the fiscal council are set forth in Article 163 of Law 6,404/76 and Article 1,069 of Law 10,406/2002.
The fiscal council’s priorities should be set by its members considering the expectations of the members and the interests of the organization.

2.1.5 Board of Directors
The board of directors is a collegiate body composed of at least 5 and at most 11 members (recommendation), depending on the sector of activity, size, complexity of the activities, stage of the organization’s life cycle and the need to create committees.
The members of the board of directors are elected by the members.
The board of directors is in charge of the decision-making process of an organization in relation to its strategic direction.
It also exercises the role of guardian of the principles, values, social object and the system of governance of the organization.
In addition to deciding the strategic direction of the business, it is incumbent upon the board of directors, always taking into account the best interest of the organization, to monitor the executive board (managers), acting as a link between the executive board and the partners.
As administrators, board members have fiduciary duties to the organization and are accountable to the shareholders at meetings and, more broadly and periodically, to the partners and other stakeholders through periodic reports.
Board members have duties to the organization, and to fulfil these commitments the board of directors must:
– Discuss, format, clearly define the vision, mission and values of the organization and watch over them;
– Preserve, strengthen or, if necessary, promote changes in the culture and identity of the organization;
– Provide the strategic direction, actively participate in its elaboration, and monitor and support the executive board in the implementation of the strategic actions;
– To stimulate the continuous strategic reflection and to be attentive to the movements in its business environment, seeking to guarantee the organization’s realignment capacity;
– Ensure that the executive board identifies, mitigates and monitors the risks to which the organization is exposed, as well as the integrity of the internal control system;
– Continuously strengthen organizational skills and add new ones that are necessary to address strategic challenges arising from external changes;
– Select the CEO and approve the appointment of the other executive officers suggested by the latter;
– Plan the succession process of the executive officers, the CEO and the board members;
– Adopt policies and guidelines that affect the organization as a whole;
– Define the remuneration and incentive policy of the executive board as a whole;
– Define the objectives and goals of the CEO and evaluate their performance;
– In conjunction with the CEO, define the objectives, goals and evaluation of the other executive officers;
– Ensure that the executive board develops a talent attraction, development and retention policy that is aligned with the organization’s strategic needs;
– Monitor the financial and operational performance of the organization;
– Ensure that sustainability issues permeate strategic choices, decision-making processes, issues that impact the value chain and periodic reports;
– Ensure that all employees of the organization are permanently attentive to the externalities generated by the company’s performance, as well as listen carefully to the interested parties, if necessary, to adjust their performance;
– Ensure the search and implementation of innovative technologies and processes that keep the organization competitive, updated to market practices and governance;
– Participate in the decision of capital investment projects that have a significant impact on the value of the organization;
– Approve mergers and acquisitions;
– Ensure that the financial statements express with fidelity and clarity the economic, financial and patrimonial situation of the organization;
– Choose and evaluate the independent audit firm;
– Evaluate periodically whether the governance practices adopted meet the needs of the organization or whether they should be modified.

Committees of the Board of Directors
Committees are statutory or non-statutory bodies that advise the board of directors; they do not have the power to deliberate, and their recommendations are not binding on the deliberations of the board of directors.
Specific committees carry out various activities within the competence of the board of directors that require a time not available at the meetings of this governing body.
Among the most commonly created committees are:
· Audit
· Finance
· Human capital
· Risks
· Sustainability
For specific matters, working groups or commissions may be created, not necessarily committees.

2.1.6 Executive Board (Board of Executive Officers)
The executive board is the body responsible for the management of the organization, whose main objective is to make the organization fulfill its purpose and its social function.
The executive board executes the strategy and general guidelines approved by the board of directors, administers the assets and conducts the business of the organization.
Through formalized processes and policies, the executive board enables the dissemination of the organization’s vision, mission and values.
It is also responsible for the preparation and implementation of all procedures and of the operational and financial processes, including those related to risk management and to communication with the market and other interested parties.
It is the responsibility of the executive board to ensure that the organization is in full compliance with the legal provisions and other internal policies to which it is subject (compliance).
If there are subsidiaries, it is its responsibility to ensure that the other companies in the group are also operating accordingly.
The monitoring and reporting, as well as the correction / mitigation of possible deviations, whether arising from non-compliance with the procedures, legislation and / or internal or external regulation, risk management, auditing or internal controls, is also the responsibility of the board of executive officers.
As administrators, executive officers have fiduciary duties to the organization and are accountable for their actions and omissions to the organization itself, to the board of directors and to the stakeholders.

[Figure: governança 2]

2.2- Corporate Governance and Risk Management
fraud, business ethics, reputation, discriminatory actions, sexual harassment, abuses of short-term incentives for executives and investors, cyber security, new regulations, legal changes, environmental issues, the emergence of alternative solutions that endanger your business, among others.

Therefore all activities, whatever they may be, embody risks and uncertainties.

For a better understanding, I think we should know some related practical definitions:
Risk is the potential for loss in a given action (or in the absence of a given action); its occurrence is uncertain, and it materializes when a threat encounters a vulnerability, or a set of vulnerabilities, in the protection systems and critical processes, allowing the event that destroys value or causes deviation from the goal, target or pre-set pattern.
Uncertainty: An identified future event to which it is not possible to assign a probability of occurrence.

Ignorance: Future events which, at the time of analysis, could not be identified.

In general, Risk is understood as the possibility that something does not work; however, the current concept goes much further and involves the quantification and qualification of uncertainty, with regard both to losses and to gains by the individuals or organizations that take such risks.

Since risk is inherent in any activity and impossible to eliminate, its administration (Risk Management) is a key element for the success and survival of organizations.

To achieve their goals, all organizations develop a Strategic Plan that is compatible with their mission, vision and values, defines the Critical Success Factors for achieving the objectives of the strategy, and should consider their risk appetite in order to better exploit opportunities, accept and manage risks, transfer risks, and avoid risks that exceed the defined limits.

In addition to setting business objectives, a well-defined strategy leads to efficient allocation of resources and efficient decision-making.

Risk Management does not create the organization’s strategy, but it fundamentally influences its development. With knowledge of the risks involved and of the impact they may have on the organization, alternative strategies may have to be developed if risks are identified that surpass the determined limits.

Even for organizations that already have a high level of maturity and a long presence in their markets, constant and rapid changes in the business environment can cause new, or previously identified, risks to present the possibility of such a significant impact that new strategies for their development and sustainability have to be drawn up.

For this to become possible, it is necessary for organizations to have a Risk Management and Corporate Governance structure.

Therefore, we can say that Risk Management integrates a company’s governance, since risk must be identified, measured, monitored, and the information collected will feed into the decision-making process by different agents, whether from the executive body or the members of the board of directors.
Each company must shape its functional structure and the internal structure of responsibilities according to its possibilities.

By being integrated into governance, GRCorp (Corporate Risk Management) also brings advantages in the field of governance, such as increased transparency and accountability, improved internal controls and greater commitment to corporate responsibility.
Erroneously, many organizations, before implementing GRCorp, see it as just another cost factor and cannot see the advantages of its deployment.

For a better understanding, we highlight some of the Benefits of Risk Management integrated to Corporate Governance:

  • Maximizing business efficiency and effectiveness;
  • Better-founded decision making;
  • Identification of new opportunities;
  • Meeting the expectations of shareholders and stakeholders;
  • Alignment of strategy with organizational culture;
  • Improved asset efficiency;
  • Improvement of internal controls;
  • Greater commitment to corporate responsibility;
  • Improved accountability;
  • Greater transparency;
  • Reduction in the cost of risk transfer;
  • Reduction of the cost of capital.

GRCorp also needs governance, since the GRCorp process will identify the risks, quantify them, and monitor them. The information obtained must necessarily be used for decision making by the administration.
The issues below are the subject of GRCorp’s governance, that is, the system by which risks are identified, measured and monitored, which will be responsible for protecting and guiding the strategies defined by the responsible bodies.

  • What will be done from these data? As already seen, the company can avoid, transfer or accept and manage risks.
  • Who will make these decisions?
  • Who will monitor the risks?
  • Who will oversee the process as a whole?
  • What are the duties and responsibilities of each corporate governance agent with respect to risks?
  • How and by whom are the risk mitigation solutions addressed?
  • Who will be responsible for drafting internal rules on identified risks?

When elaborating the Strategy, each organization should reflect as broadly as possible about the business environment in which it is inserted (e.g., political, social, regulatory, applicable legislation, marketing, sales, competing technologies, disruptive technologies, supply chain, economic situation, competitors, etc.).
For the construction of the appropriate governance model of GRCorp we exemplify some reflections to be discussed by top management:

  • What can compromise compliance with performance strategies and targets?
  • Where are the greatest opportunities, threats, and uncertainties?
  • What are the main risks (perception / exposure)?
  • How reliable is the information used for decision making?
  • How does the organization respond to risks?
  • How to ensure that risks are kept at an acceptable level?
  • Are executives and managers aware of the importance of the risk management process?
  • How to spread the risk culture so that it permeates the entire organization?
  • Does the organization have the necessary skills to manage the risks involved?
  • Who actively identifies and monitors the risks of the organization?
  • What standards, tools and methodologies are or will be used?

The answers to these questions will be the basis for the creation of the most appropriate GRCorp model for the organization.

2.2.1 Culture of risks

One of GRCorp’s goals is to anticipate exposure to corporate risk and to use that information to make decisions. The Board of Directors considers the risks when defining the business strategy to be followed and, thereafter, grants a clear mandate to the executive board to manage them.
It is up to the executive board to lead the process of understanding the business risks arising from the chosen strategy and of permeating it to all levels of the organization, making GRCorp part of the organization’s culture.
The risk profile shows the level of risks associated with each level of performance and the trend of risk behavior when the organization advances in the exploration of opportunities seeking to increase its performance.
The implementation of a GRCorp model requires the active involvement of the board of directors and of the managers, so as to improve the organization’s decision-making process, both in the context of preparing its strategic planning and in its execution and monitoring.
The risk culture of an organization relates to all its ethical standards, values, attitudes and behaviors accepted and practiced, and the dissemination of risk management as part of the decision-making process at all levels.
The key elements of success for the implementation of GRCorp are the example and involvement of the Board of Directors in its role of determining the organization’s performance parameters within its risk profile and risk appetite and the example and commitment of the executives (managers) in their role of conducting actions to seek the performance associated with these parameters.
In order to do so, we can summarize the responsibilities of these two senior management bodies involved as follows:

Board of Directors:
– Understand the risks of the organization
– Define the acceptable amount of risk
– Define expectations related to risk management
– Know the risk management plan
– Integrate risk discussions with strategic planning
– Monitor risk and metric reporting

Executive Board:
– Identify, map and assess risks
– Develop, implement and monitor the risk management plan.
– Prepare risk management information for the Board of Directors.

All managers, in order to fulfill their objectives, need to know and manage the risks related to the processes under their responsibility.
In each area of the organization, an executive is designated by the senior management as the person responsible for identifying and effectively managing risks in his area of activity.
Risk management is inherent to the responsibilities of each manager and must be incorporated into the operational process in such a way that controls are integrated with operations as a natural component, and the risks thus controlled are no longer perceived as a separate decision criterion.
Good risk management presupposes clear definitions and rules of limits and objectives, and procedures for handling any occurrence or near occurrence that has been detected.
A GRCorp governance framework model, represented by the distributed functions in the organizational structure, assists risk management at different levels of the organization.

This model aims to ensure that information from the risk management process is properly communicated and used as the basis for decision making and accountability at all organizational levels.

The functions of GRCorp shall be described, formalized, approved and disclosed in GRCorp’s policy of corporate scope. This should represent the set of principles, actions, roles and responsibilities necessary to identify, evaluate, respond and monitor the risks to which the company is exposed.

Three documents may be the framework for communicating GRCorp’s practices:

1) Risk Management Policy, disclosed to the market;

2) Internal Risk Management Standard, for internal disclosure, that establishes procedures, responsibilities, communication, reporting, segregation of functions, operating boundaries, and the general governance system of risk management;

3) Code of Conduct, internal and external disclosure, whose objective is to promote ethical principles and reflect the identity and culture of the organization, complementing legal and regulatory obligations.

The processes and activities that involve GRCorp, as well as its monitoring, should be exercised:
i. By the various agents of the governing bodies, such as the Board of Directors and its advisory committees, the board of executive officers and the fiscal council, when it exists. In cases where there is no board of directors, its duties are usually exercised by the members of the organization.

ii. By the three lines of defense:


[Figure: governança 3]

1st line of defense – carried out by the unit managers and direct process managers: it includes the functions that manage and have responsibility for the risks;

2nd line of defense – performed by GRCorp corporate managers, compliance or other control functions: it includes the functions that monitor the integrated risk view;

3rd line of defense – conducted by internal audit: it provides independent assessments by monitoring internal controls.

In order for the structure described above to adequately perform its role, it is still necessary to survey the organization’s risks, so that the critical risks are identified, evaluated and classified (Parametrized Risk Analysis 2.0).

This information will support the following phases, such as the vulnerability analysis (gaps) of the protection systems, the analysis of costs versus benefits of the possible solutions to be adopted in response to the risks, the definition of which risks are to be eliminated, assumed or transferred, the preparation of plans to reduce the identified gaps, and finally the prioritization of the implementation of the solutions.

By developing GRCorp based on the strategic objectives and incorporating GRCorp into Corporate Governance and the organizational culture, Corporate Governance is achieved.

[Figure: governança 4]