13. Risk structures, policies, procedures and compliance Flashcards
The board has overall responsibility for the systems of risk management and internal controls within an organisation. To enable the board to carry out this responsibility it needs to ensure that the appropriate structures are put in place to manage risk. What factors should be considered?
- Whether risk and internal controls should be considered by the whole board or delegated to a committee of the board
- If delegating to a committee, whether risk and internal controls should fall under one committee (i.e. the audit committee) or two separate committees (i.e. audit and risk)
- The division of responsibility between itself and management for risk management
What is internal audit?
Internal audit is an independent objective assurance and consulting activity designed to add value and improve an organisation’s operations.
What are the advantages of an in-house IA function?
- Understands the organisation, its culture, operations and risk profile
- Can build networks throughout the organisation
- Provides assurance to stakeholders on the integrity of the organisation’s system of internal control (IC) and risk management (RM)
- Becomes an essential part of the checks and balances
- Could be a lower-cost option, depending on the make-up of the team
What are the benefits of co-sourcing an IA function?
- Leverage of external resources, technology, skills and experience which may not be available in-house
What is the role of the company secretary (co-sec) in risk management?
The co-sec ensures that:
- The committee has terms of reference
- The committee follows its terms of reference
- The committee follows its procedures and governance best practice
- A report setting out the committee’s recommendations is written for the chair to present to the board for approval
- Minutes of the meeting are drafted, and a list of actions is developed and monitored
- A regular evaluation should be carried out
- Agendas are drafted for each meeting reflecting the annual plan
What is the CEO’s role in risk management?
The CEO is responsible for ensuring the proper execution of the risk management strategies and policies laid down by the board.
The post of chief risk officer (CRO) is usually found in large companies such as banks and other financial institutions. What would their typical responsibilities be?
- Appointing risk champions
- Creating an integrated risk framework for the entire organisation
- Ensuring that sufficient resources are made available for risk management
- Organising training on risk management
What are the responsibilities of an internal auditor?
- Reviewing the internal control system
- Special investigations into particular aspects of the organisation’s operations
- Examination of financial and operating information
- Value for money (VFM) audits – whether an operation or activity is economical, efficient and effective
- Reviewing compliance against laws and regulations
- Risk assessment
What should a cybersecurity policy cover?
- Physical security of the technology – keeping physical assets secure through locked doors, surveillance, alarms, etc.
- Personnel management – password management, use of the internet, keeping confidential information confidential, etc.
- Hardware and software – guidance for technology administrators on what types of technology and software to trust
How has market abuse regulation affected companies when a risk materialises?
Listed companies are required to disclose any incident significant enough to be considered price sensitive, i.e. likely to have a significant effect on the company’s share price. The board needs to ensure that there is a process in place to identify significant breaches and escalate them to board level so that this reporting requirement is met.
What is a disaster recovery plan and what should be included in one?
- Specify which operations are essential and must be kept going
- Identify and analyse all potential threats to essential operations
- Identify possible reactions to the threats to essential operations:
  - Where operations rely on IT systems, identify the computers or networks to which the system can be transferred
The UK Bribery Act 2010 has made bribery a criminal offence. What three offences did it create?
- Offering bribes (active bribery) and receiving bribes (passive bribery)
- Bribery of foreign public officials for business benefit
- Failure to prevent a bribe being paid on the organisation’s behalf
What steps can a company take to prevent bribery?
- Having bribery policies and procedures
- Communicating and implementing its bribery policies and procedures effectively across the company
- Training staff on its bribery policies and procedures
- Having a whistleblowing policy for the reporting of any breaches
- Conducting risk assessments for bribery in relation to the company’s activities, by type of transaction and by country
- Carrying out due diligence on third parties that the company deals with, for example, suppliers
- Monitoring and reviewing bribery policies and procedures on a regular basis
- Ensuring that the board and senior management are committed to preventing bribery and foster a culture in which bribery is considered to be unacceptable