12. Systems of risk management and internal control Flashcards
Best practice in risk is now concentrating on _________________________… not just on compliance with policies and procedures
the creation of risk cultures within an organisation
What does the code say on risk management and internal controls?
Principle O – The board should establish procedures to manage risk, oversee the internal control framework and determine the nature and extent of the principal risks the company is willing to take to achieve its long-term objectives
Provision 28 – The board should carry out a robust assessment of the company’s emerging and principal risks. The board should confirm in the AR that it has completed this assessment, including a description of the risks and the procedures used to identify them, and how they are mitigated
Provision 29 – The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness. The review should cover all material controls, including financial, operational and compliance controls.
Provision 25 – The AC should review the company’s risk management systems and internal controls
What is risk?
Risk refers to the possibility that something unexpected or not planned for will happen – risks can be upside or downside. Many organisations fail to take upside risk into account in their decision-making processes.
Give some examples of business risk
- Reputational – loss of customer loyalty
- Competition – actions of competitors
- Business environment – external factors
- Liquidity – insufficient cash to settle all liabilities
Governance risk relates to what?
- Structure
- Processes
- Information
- People and culture
What are internal control systems made up of?
Internal control systems are made up of all the structures, policies and procedures within an organisation related to the management of financial, operational and compliance risks.
Internal controls can be classified into three main types:
- Preventative controls intended to prevent an adverse risk event from occurring e.g. fraud by employees
- Detective controls for detecting risk events when they occur, so that the appropriate person is alerted, and corrective action is taken
- Corrective controls for dealing with risk events that have occurred and their consequences
Internal controls are aimed at providing ‘reasonable assurance’ regarding the achievement of objectives in the following categories:
List the risk management system steps
- Risk identification
- Risk assessment
- Risk response
- Risk monitoring
- Risk reporting
List the different risk categories and give some examples
- Financial risks (internal risks) – e.g. failure to protect cash, failure to record transactions, misreporting in FS
- Operational risks – arising out of failure of organisational processes and systems – e.g. IT breakdown, terrorist act (e.g. 9/11, which led to the decentralisation of facilities), errors by staff, etc.
- Compliance risk – laws not being followed
- Strategic risks tend to be external risks occurring or arising in the business environment in which the organisation operates – e.g. people risks, marketplace risks, reputational risks, supplier risks, political risks, etc
List some methods of identifying risks
- Mind-mapping – e.g. CS asks board members to write top 3 risks
- Process-mapping – mapping every process within an organisation to identify links
- Stress-testing – extreme ‘shocks’
How would you conduct a risk assessment? LSPR
Once a risk has been identified, the following should be assessed:
- The likelihood or probability of the occurrence (high, medium or low);
- The potential size of the impact of the occurrence (significant, moderate or minor);
- Whether, in their assessment, the risk qualifies as a principal risk; and
- The risk appetite and tolerance of the organisation
Once the risks have been assessed they should be ranked so that they can be prioritised. This is often done in one of two ways:
- By plotting the assessed risks on a matrix – red, amber and green – based on risk appetite
- By multiplying the likelihood ratings against the impact ratings.
What are the four main responses to risk? TARA
- Transfer: responses that transfer the risk somewhere else e.g. outsourcing
- Avoidance: response which reduces the likelihood of the risk occurring. This usually means the organisation shuts down or sells that part of the business. For example, Shell sold oil production in Nigeria due to violence against its staff and facilities
- Reduction: responses that reduce the negative impact or take advantage of opportunities for positive impact
- Acceptance: responses that retain the risk because it is deemed to be not a significant threat or the organisation has no control over it e.g. regulatory risk
When considering a response to a risk, what should the board consider?
- The ‘exposure’ to the risk – is it high, medium or low? Greater effort and resources should be put into responding to higher ranked risks
- Any negative consequences of the response
- Whether they are adding responses to existing ones rather than formulating a new response to the risk
How would you monitor risks? SIM
- Stress-testing – modelling extreme situations to see how effective the response is in reducing the risk
- Internal audit
- Measures to monitor the effectiveness of the risk response. Ensure they are SMARTER – specific, measurable, achievable, relevant, time-bound, ethical and rewarded
How is risk reported?
Management to the board – via risk register or dashboard to report on the principal risks, actions taken and effectiveness of those actions
Board to shareholders and stakeholders – via strategic report
What are the common failures of boards relating to risk management?
- Failure to take responsibility for risk at board level – the cosec should look to identify capacity gaps and discuss them with the chair – perhaps a board member with experience in risk is needed
- Failure to capture the major risks of the organisation – the cosec should suggest to the chair that they ask the CEO ‘what is currently keeping them awake at night’
- Failure to put in place the appropriate controls – the cosec should work with the IA function to help the board identify whether appropriate ICs are in place
- Failure to manage reputational risk – the cosec should make sure information is fed to the board on cases of reputational damage
What is the aim of a long-term viability statement? Provision 31
Aims to encourage companies to provide meaningful disclosure tailored to their own specific circumstances rather than producing standardised or heavily qualified statements.
Examples:
Current state of affairs. Directors should not limit their consideration of viability to medium or long-term risks, and should also look at the current state of affairs.
Sustainability of dividends. Investors would welcome the viability assessment addressing the sustainability of dividends and there may be a need to refer to other returns of value to shareholders, for example, share buybacks.
Distinguishing between risks that impact performance and those that threaten operations. The viability assessment should focus on risks threatening the company’s day-to-day operations and existence.
Separating prospects from viability. An insight into the company’s plans for the future may be separate from plans that support the viability statement.
Stating why the risks are important and how they are managed and controlled. Viability statements should address why the disclosed risks are important, and how they are managed and controlled. Investors would welcome disclosures addressing the likelihood of a risk occurring and its possible impact.
Prioritising risks. It is for the directors to exercise their judgment in assessing which risks are important and how they should be disclosed. It would be helpful if risks were ranked (for example, low, medium, high) and indicated whether the risk has increased or decreased in likelihood from the previous year.