12. Systems of risk management and internal control Flashcards

1
Q

Best practice in risk is now concentrating on _________________________… not just on compliance with policies and procedures

A

the creation of risk cultures within an organisation

2
Q

What does the code say on risk management and internal controls?

A

Principle O – The board should establish procedures to manage risk, oversee the internal control framework and determine the nature and extent of the principal risks to be taken in order to achieve its long-term objectives.

Provision 28 – The board should carry out a robust assessment of the company’s emerging and principal risks. The board should confirm in the annual report (AR) that it has completed this assessment, including a description of the principal risks, the procedures used to identify them and how they are being mitigated.

Provision 29 – The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness. The review should cover all material controls, including financial, operational and compliance controls.

Provision 25 – The audit committee (AC) should review the company’s risk management systems and internal controls.

3
Q

What is risk?

A

Risk refers to the possibility that something unexpected or not planned for will happen. Risks can be upside (opportunities) or downside (threats). Many organisations fail to take upside risk into account in their decision-making processes.

4
Q

Give some examples of business risk

A
  1. Reputational – loss of customer loyalty
  2. Competition – actions of competitors
  3. Business environment – external factors
  4. Liquidity – insufficient cash to settle all liabilities
5
Q

Governance risk relates to what?

A
  1. Structure
  2. Processes
  3. Information
  4. People and culture
6
Q

What are internal control systems made up of?

A

Internal control systems are made up of all the structures, policies and procedures within an organisation related to the management of financial, operational and compliance risks.

7
Q

Internal controls can be classified into three main types:

A
  1. Preventative controls – intended to prevent an adverse risk event from occurring, e.g. fraud by employees
  2. Detective controls – for detecting risk events when they occur, so that the appropriate person is alerted and corrective action is taken
  3. Corrective controls – for dealing with risk events that have occurred and with their consequences

Internal controls are aimed at providing ‘reasonable assurance’ regarding the achievement of objectives in the following categories:

8
Q

List the risk management system steps

A
  1. Risk identification
  2. Risk assessment
  3. Risk response
  4. Risk monitoring
  5. Risk reporting
9
Q

List the different risk categories and give some examples

A
  • Financial risks (internal risks) – e.g. failure to protect cash, failure to record transactions, misreporting in the financial statements (FS)
  • Operational risks – arising from the failure of organisational processes and systems – e.g. IT breakdown, terrorist act (9/11 led to the decentralisation of facilities), errors by staff, etc.
  • Compliance risks – laws and regulations not being followed
  • Strategic risks – tend to be external risks arising in the business environment in which the organisation operates – e.g. people risks, marketplace risks, reputational risks, supplier risks, political risks, etc.
10
Q

List some methods of identifying risks

A
  • Mind-mapping – e.g. the company secretary (CS) asks board members to write down their top 3 risks
  • Process-mapping – mapping every process within an organisation to identify the links between them
  • Stress-testing – modelling extreme ‘shocks’ to the organisation
11
Q

How would you conduct a risk assessment? LSPR

A

Once a risk has been identified, the following should be assessed:
  • The likelihood or probability of the occurrence (high, medium or low);
  • The potential size of the impact of the occurrence (significant, moderate or minor);
  • Whether, in their assessment, the risk qualifies as a principal risk; and
  • The risk appetite and tolerance of the organisation.

Once the risks have been assessed they should be ranked so that they can be prioritised. This is often done in one of two ways:

  1. By plotting the assessed risks on a matrix – red, amber and green – based on risk appetite
  2. By multiplying the likelihood ratings by the impact ratings
12
Q

What are the four main responses to risk? TARA

A
  1. Transfer: responses that transfer the risk somewhere else, e.g. outsourcing
  2. Avoidance: responses that reduce the likelihood of the risk occurring. This usually means the organisation shuts down or sells that part of the business. For example, Shell sold oil production in Nigeria due to violence against its staff and facilities
  3. Reduction: responses that reduce the negative impact, or take advantage of opportunities for positive impact
  4. Acceptance: responses that retain the risk because it is deemed not to be a significant threat, or because the organisation has no control over it, e.g. regulatory risk
13
Q

When considering a response to a risk, what should the board consider?

A
  • The ‘exposure’ to the risk – is it high, medium or low? Greater effort and resources should be put into responding to higher-ranked risks
  • Any negative consequences of the response itself
  • Whether they are adding responses on top of existing ones rather than formulating a new response to the risk
14
Q

How would you monitor risks? SIM

A
  • Stress-testing – modelling extreme situations to see how effective the response is in reducing the risk
  • Internal audit
  • Measures to monitor the effectiveness of the risk response. Ensure they are SMARTER – specific, measurable, achievable, relevant, time-bound, ethical and rewarded
15
Q

How is risk reported?

A

Management to the board – via a risk register or dashboard reporting on the principal risks, the actions taken and the effectiveness of those actions

Board to shareholders and other stakeholders – via the strategic report

16
Q

What are the common failures of boards relating to risk management?

A
  • Failure to take responsibility for risk at board level – the co-sec should look to identify capacity gaps and discuss them with the chair; one option is appointing a board member with experience in risk
  • Failure to capture the major risks of the organisation – the co-sec should suggest to the chair that they ask the CEO ‘what is currently keeping you awake at night?’
  • Failure to put the appropriate controls in place – the co-sec should work with the internal audit (IA) function to help the board identify whether appropriate internal controls (IC) are in place
  • Failure to manage reputational risk – the co-sec should make sure information on cases of reputational damage is fed to the board

17
Q

What is the aim of a long-term viability statement? Provision 31

A

Aims to encourage companies to provide meaningful disclosure tailored to their own specific circumstances rather than producing standardised or heavily qualified statements.

Examples:

Current state of affairs. Directors should not limit their consideration of viability to medium- or long-term risks, and should also look at the current state of affairs.

Sustainability of dividends. Investors would welcome the viability assessment addressing the sustainability of dividends, and there may be a need to refer to other returns of value to shareholders, for example share buybacks.

Distinguishing between risks that impact performance and those that threaten operations. The viability assessment should focus on risks threatening the company’s day-to-day operations and existence.

Separating prospects from viability. An insight into the company’s plans for the future may be separate from the plans that support the viability statement.

Stating why the risks are important and how they are managed and controlled. Viability statements should address why the disclosed risks are important, and how they are managed and controlled. Investors would welcome disclosures addressing the likelihood of a risk occurring and its possible impact.

Prioritising risks. It is for the directors to exercise their judgement in assessing which risks are important and how they should be disclosed. It would be helpful if risks were ranked (for example low, medium, high) and it was indicated whether the likelihood of each risk has increased or decreased since the previous year.