12 + 13 - Risk Flashcards
8 responsibilities of the board re. risk management and internal control (the CoSec should be able to advise on each)
- Develop strategic objectives
- Identify principal risks (to strategic objectives)
- Carry out ‘robust’ assessment of principal risks
- Explain how risks are being managed/mitigated
- Monitor risk man. and int. control systems
- Review effectiveness of systems at least annually
- Assess future viability of company re current position and principal risks
- Report on above in annual report
Define internal control system
Structures, policies and procedures relating to management of business risk
3 benefits of having an internal control system for managing business risk
- Ensuring financial records and reports are reliable and reducing the risk of financial fraud
- Improving effectiveness of operations
- Ensuring compliance with applicable laws and regulations
What is FRC’s additional guidance on risk man. and int. control called?
Guidance on Risk Management, Internal Control and Related Financial and Business Reporting
Define risk
The possibility that something unexpected or not planned for will happen
What are the two types of risk an organisation should plan for?
- Downside risk
- Upside/opportunity risk
3 examples of downside risk
- Fires
- Earthquakes
- IT breakdowns
2 examples of upside risk
- Sales volumes being higher than expected
- Investment decision yielding better than expected results
Define business risk
The possibility that a company will have lower than anticipated profits or will make a loss rather than a profit
4 categories within ‘business risk’
- Reputational
- Competition
- Business environment
- Liquidity
Explain reputational risk as a form of business risk
The risk of a loss of customer loyalty or support following an event that has damaged the company’s reputation
Explain competition risk as a form of business risk
The risk that business performance will be affected because of the actions of competitors (often competitor innovation)
Explain business environment risk as a form of business risk
The risk that the business environment in which the company operates will change significantly, due to:
- political factors
- regulatory factors
- economic factors
- social and environmental factors
- technological factors
Explain liquidity risk as a form of business risk
The risk that the company will have insufficient cash to settle all of its liabilities on time, so will be forced out of business
Governance risk relates to risks associated with: (4)
- Structure
- Processes
- Information
- People and culture
Internal controls can be classified into which 3 main types?
- Preventative controls
- Detective controls
- Corrective controls
Explain preventative controls as a type of internal control
Intended to stop an adverse risk event from occurring in the first place - e.g. segregation of duties to prevent fraud by employees
Explain detective controls as a type of internal control
For detecting risk events after they have occurred, so that the appropriate person is alerted and corrective action can be taken
Explain corrective controls as a type of internal control
Dealing with risk events that have occurred and their consequences
Who is ultimately responsible for managing risk?
The Board
2 reasons why internal controls may fail
- They are badly designed, so incapable of achieving their purpose as a control
- They are well-designed, but are not applied properly, due to human error or oversight
What are the 5 categories of risk?
- Financial
- Operational
- Compliance
- Strategic
- Reputational (often treated as falling within strategic)
3 examples of financial risks
- Risk of errors or fraud in accounting systems
- Liquidity risk
- Credit risk
3 examples of operational risks
- Theft of information from the org
- Inefficient or ineffective use of resources
- Errors and omissions by staff
What is a strategic risk?
Usually an external risk occurring or arising in the business environment in which the organisation operates
What is a compliance risk?
Non-compliance with important laws or regulations, leading to legal action and/or fines
5 examples of strategic risks
- Political risks
- Environmental risks
- Stakeholder risks
- Reputational risks
- Supplier risks
4 methods of identifying risks
- Mind mapping
- Process mapping
- Stress testing
- Use of internally generated documents
Which method of risk identification/assessment is most important re. exam?
Stress testing
3 examples of internally generated documents to identify risks
- Business impact studies
- Market research reports
- Expert reports (such as on H&S)
What is process mapping as a method to identify risks?
Involves mapping every process within an org to identify interdependent, critical and vulnerable functions and activities within org - related risks can then be managed
What is stress testing as a method to identify risks?
Modelling a series of hypothetical circumstances to assess ability to withstand unexpected events or shocks.
Benefits of stress testing as a method to identify risks (2)
- Company can assess worst-case impact of particular events, and principal risks in relation to those events
- Company can assess the effectiveness of proposed measures to reduce or manage risk
What should an organisation consider to determine whether a risk is a principal risk?
- Likelihood or probability of occurrence (high, medium or low)
- Potential size and impact of the occurrence (significant, moderate or minor)
2 things that should be considered by management when establishing criteria for risk assessment
- Risk appetite
- Risk tolerance
Define risk appetite
The level of risk an org is willing to take in the pursuit of its objectives
Define risk tolerance
The amount of risk an org is prepared to accept in order to achieve its financial objectives
* Quantitative measure *
What should board consider after having assessed risks, to decide how to respond? (2)
Risk tolerance and risk appetite
2 methods by which risks can be ranked so they can be prioritised
- Plotting them on a matrix measuring probability against severity
- Multiplying likelihood against impact ratings
4 main response to risks, once they have been identified
- Avoidance
- Reduction
- Transfer
- Acceptance
* Note: these could all be used in response to the same risk *
What is meant by reduction as a response to risk?
Reducing the likelihood of the risk occurring and/or its negative impact if it does, typically by putting controls in place
What is meant by avoidance as a response to risk?
Eliminating exposure to the risk altogether - usually by shutting down or selling the part of the business that causes the risk
What is meant by transfer as a response to risk?
Transfer the risk to somewhere else - eg. insurance or outsourcing
What is meant by acceptance as a response to risk?
No action is taken as it is deemed to be insignificant or uncontrollable
3 considerations of board when determining response to risk
- The ‘exposure’ (ranking) of the risk
- Any negative consequences to the response(s)
- Whether they are responding to the original risk or responding to an earlier response (responding to responses leads to ineffective use of resources and the creation of new risks)
How does risk management benefit operational performance? (3)
- Increases likelihood of achieving business objectives
- Provides platform for regulatory compliance
- Facilitates monitoring and mitigation of risk in key projects and initiatives
What must be included in the strategic report re. risks and uncertainties?
Description of principal risks and uncertainties facing the company, with an explanation of how they are to be managed or mitigated
How does risk management benefit financial performance? (2)
- Contributes to better credit rating/reduces insurance premium
- Builds investor, stakeholder and regulator confidence
How does risk management benefit decision making? (2)
- Facilitates assurance and transparency of risks at board level
- Enables decisions to be made in light of impact of risks and in consideration of risk appetite and tolerance
How to ensure board can effectively carry out responsibilities in relation to risk?
Ensure board members have an understanding of risk and risk management through training
Role of board re. risk
- Deciding risk appetite
- Ensuring management manage risk within the board’s guidelines for risk appetite
- Monitoring performance of management, to ensure business is being managed within the risk guidelines
- Monitoring risk management system for effectiveness
9 common failures of boards re. risk
Failure:
- To take responsibility at board level
- To see importance of risk to org as a whole
- To capture major risks
- To consider integrated nature of risk
- To put in place appropriate control or other mitigants for risk
- To manage reputational risk
- To map out who has responsibility for what, at each level of org
- To consider, decide or articulate risk appetite
- To obtain and share timely and good quality info
What is meant by failure to consider integrated nature of risk?
Board may split risk into silos (e.g. legal risks dealt with only by the legal department), in doing so failing to understand how a risk would affect the org as a whole
2 main frameworks of risk management accepted globally
- UK system
- US COSO frameworks
Risk management - Main difference between UK system and US COSO framework
UK integrates risk management and internal control systems whereas COSO framework deals with them separately
Look at Code - which provision related to long-term viability statement
Provision 31
What is the assessment period expected to be for risk? - re. long term viability statement
Significantly longer than 12 months
Long-term viability statement requires ‘reasonable expectation that company will continue’ - expand on this
There is no requirement for certainty: the board is not guaranteeing survival, so it need not produce a detailed justification of every assumption
Which types of qualifications and assumptions should be stated in annual report in relation to long-term viability statement?
Company-specific ones - not generic statements that are irrelevant or highly unlikely
What is the purpose of corporate sustainability?
Ensuring the long-term survival of the organisation
What questions does planning for sustainability require the board to consider? (3)
- What are the current and future needs?
- What time period should be considered when looking towards the future?
- Should sustainability be for the company alone, or also for the country and the people within it?
5 key elements (phases) in how a Board should plan for sustainability
- Determining sustainability needs by examining critical resources, assets and processes
- Identifying potential threats to the above
- Development of sustainability objectives and policies
- Development of business continuity plan based on above
- Sustainability indicators developed and monitored to assess effectiveness of plans
Look at Code - which provision sets out responsibilities of audit committee?
Provision 25
8 headings if answering question on reassessing specific risk and disclosures in annual report
- Role of the Board under Code
- Role of Audit committee under code
- Role of Board in reviewing and disclosing risks
- Role of Audit Committee in reviewing and disclosing principal risks
- Application to specific risk
- Link with viability statement
- Consequences of failing to assess correctly
- Disclosures in Audit Committee Report
2 considerations of the board when deciding whether to establish an audit committee
- Whether there is a requirement (listed co’s and fin. institutions)
- Whether the level of discussion and monitoring required on risk management and internal controls is beyond the board’s capacity
Why might companies establish a separate risk committee in addition to the audit committee?
If the audit committee is overwhelmed by its duties covering financial reporting and internal controls
2 key benefits to establishing a separate risk committee in addition to audit committee
- It can focus solely on reviewing risk management, improving effectiveness and efficiency
- Composition of committee is not restricted by CG Code
4 of the responsibilities of the risk committee
- Monitoring risk areas faced and reporting on them
- Monitoring behaviour of management to ensure there is not excessive risk taking
- Recommending changes in risk management policies
- Reviewing and approving statements in the annual report concerning risk management
3 risks/disadvantages associated with establishing risk committee
- Conflict between the audit and risk committees leads to undefined roles and the danger of some risks being overlooked
- Senior management gets impression that they are not responsible for risk
- Smaller boards may not have sufficient directors with the required skills to constitute separate committee
What is a ‘co-sourced’ internal audit function?
Company hires a small team of internal auditors and uses an outside professional firm to supplement the team and provide strategic direction
3 benefits of having in-house internal audit function
- Better understanding of the organisation, its culture, operations and risk profile
- Can build networks throughout the organisation, ensuring integration through business
- Could be a lower-cost option
3 negatives to an in-house internal audit function
- Potential loss of external resources, experience and skills of external professional team
- Potentially less cost effective for a smaller company, as only adhoc service may be needed
- In house internal audit team may lose independence as may find it difficult to criticise their superiors
Aim of internal audit
Help organisation accomplish its objectives by bringing systematic, disciplined approach to evaluate and improve effectiveness of risk management, control and governance processes
How often should internal audit function be reviewed?
Annually
Review of risk management and internal control systems should ensure that they: (3)
- Remain aligned with org’s strategic objectives
- Address risks facing the org
- Are being developed, applied and maintained appropriately for the org
A whistleblowing policy should cover: (6)
- Purpose, scope and coverage
- Procedures for reporting a matter
- What happens when a report is received
- Anonymity (or non-anonymity) of the whistleblower
- Communication with the whistleblower
- Protection of the whistleblower
5 key features of effective whistleblowing policy
- Matters can be raised anonymously
- Employees confident they will be protected and not disadvantaged
- Matters raised are treated seriously and investigated promptly
- Board should receive regular reports
- Employees should be aware through induction and ongoing training
Define whistleblowing
Process by which company’s employees can raise matters of concern in the workplace, such as fraud, safety or misbehaviour, which they do not feel able to raise through normal internal controls or procedures
Importance of governance of information (2)
Governance of information is a critical risk and compliance issue for organisations, in particular, for companies with shares traded on the Stock Exchange.
Information must be managed effectively, and confidential information must be protected.
3 key parts of governance of information
- Cyber security
- Data protection
- Compliance with requirements for disclosure of information
Key elements of a cybersecurity policy (5)
- IT hardware and software systems need to be secure and resilient to the latest forms of viruses and malware
- Regular item on the Board agenda
- Employees should receive induction and ongoing training
- Resilience of systems to cyber attacks needs to be reviewed and tested regularly
- Procedures and policies should be in place for responding to a cyber-attack, including disaster recovery plans
3 regulatory regimes requiring organisations to take cybersecurity seriously or to make disclosures following cybersecurity issues
- Market Abuse Regulation (disclosure of inside information, e.g. a material breach)
- GDPR / Information Commissioner’s Office (personal data breach notification)
- Network and Information Systems Regulations 2018 (operators of essential services and digital service providers)
What must companies do re. data protection?
Ensure compliance with all UK data protection laws, including in particular the UK GDPR
3 key features of procedures co’s should have in place to comply with inside information requirements
- Ensuring inside information is disclosed as soon as possible, unless an exception permitting delay applies
- Announcing to the market via a Regulatory Information Service in the first instance
- If release is delayed, ensuring it is disclosed internally only on a need-to-know basis
3 examples of disasters - disaster recovery plans
- Natural disasters
- IT disruptions
- Major terrorist attacks
In which industries are disaster recovery plans most needed?
Where a lengthy or widespread shutdown of operations could be catastrophic
Eg. banking or energy supply industry
What should a disaster recovery plan do? (5) - key elements
- Specify which operations are essential and must be kept going
- Identify and analyse all potential threats to essential ops
- Identify possible reactions to potential threats (both immediate and ongoing)
- Identify the essential staff needed to keep essential operations running
- Identify who should be responsible for external communication about impact of disaster and recovery
Purpose of a disaster recovery plan
Set out what should be done after a disaster event to try to manage and mitigate the negative effects, and effectively recover from the event
3 offences under UK Bribery Act 2010
- Offering/giving and receiving bribes
- Bribery of foreign public officials for business benefit
- Failure to prevent a bribe being paid on organisation’s behalf
What is considered a valid defence of a charge against failing to prevent bribery?
Evidence that adequate procedures were in place to prevent bribery
6 key principles in preventing bribery (Ministry of Justice guidance)
- Proportionate procedures (procedures in place appropriate to the risk of bribery)
- Top-level commitment
- Risk assessment (regular)
- Due diligence (of third-party intermediaries and agents acting on behalf of the org)
- Communication (within the org to ensure policies are embedded and understood)
- Monitoring and review (of procedures to identify weaknesses)
Board should plan for internal conflicts because they can have the following impacts: (3)
- Take considerable time to resolve
- Financial losses
- Reputational harm
What should the board do in response/in relation to conflicts?
- Plan ahead by anticipating potential disputes
- Ensure policies, procedures and legal docs are aimed at minimising risk of conflict
- Ensure there is evidence that policies and procedures are integrated into culture
- Identify a person to manage the dispute resolution process (cosec or lawyer)
- Review effectiveness of dispute resolution process
- Be prepared for mediation and possibly litigation to resolve conflicts
5 steps CoSec should take to avoid board conflict
- Ensure roles are clearly set out in clear and concise way
- Ensure there is no misunderstanding as to what is expected from board members
- Delegation of authority to CEO is clearly documented
- Proper flows of information to and from board
- Encouraging creation of a good culture within the board
To prove the ‘adequate procedures’ defence to bribery, a company needs to (among other things) (4)
- Have a specific bribery policy and procedures in place
- Have evidence of communication and implementation of policy, including training
- Have a mechanism for reporting breaches of policy
- Show evidence of discussions of high-risk activities and relationships and reasons for continuing or terminating them