Chapter 12- Risk Flashcards
Explain Principle O, and Provision 28 and 29 in relation to Risk and Internal controls.
Principle O: establish procedures to manage risk, oversee internal control, principal risks.
Provision 28: Robust assessment of the principal risks
Provision 29: Monitor the risk management and internal control systems- annually.
Define Principal Risks, Downside Risk, Upside Risk, Strategic Risk and Risk Appetite/Tolerance.
- Principal Risks: Risks that might threaten the entity’s business model, future performance, solvency or liquidity, or result in significant value erosion.
- Downside risk: A risk that actual events will turn out worse than expected, measured in terms of the amount by which profits could fall short of the expected outcome (the forecast/budget expectation).
- Upside risk: A risk that actual events will turn out better than expected- provide unexpected profits.
- Strategic Risk: Risk from unexpected events or developments in a business or in the business environment which are outside the control of management.
- Risk appetite and risk tolerance- Risk appetite is the amount of risk an organisation is prepared to accept in order to achieve its financial objectives. Risk tolerance is the amount of risk an organisation is prepared to accept to achieve its financial objectives, expressed as a quantitative measure (e.g. VaR).
Define an Internal Control System, Operational Risk and Compliance Risk.
- Compliance Risk: Risks of failure to comply with laws or regulations and the consequences of such a failure if discovered.
- Internal Control System: Structures, policies, and procedures within an organisation related to the management of financial, operational and compliance risks (business risk). Controls may be Preventative/Detective/Corrective.
- Operational Risk: Risk of an error, deliberate or otherwise, in operating system design, the risk of failures due to weak organisational structure; or risks due to human error including inefficient management- H&S, environmental risk.
- Operational Controls: Internal controls to prevent or detect errors resulting from operational risk.
What is the FRC Guidance on Board Effectiveness in Relation to Risk?
FRC Guidance on Board Effectiveness- Risk
- 11 and 12 – effective board
- 24 – monitoring culture
- 27 and 32 – decision-making
- 59 – gathering views of workforce
- 62 – board committees
- 75 – role of NEDs
- 113 – evaluation of performance
- 117, 120, 121 and 122 – Audit, Risk and Internal Control (Section 4)
- 123 and 126 b – viability statements
Board should establish procedures to manage risk and oversee the internal control framework- determine the nature and extent of the principal risks it is willing to take to achieve its long-term (LT) objectives. Supported by provisions 28/29.
What are the responsibilities of the Board in Risk Management according to the FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (2014)?
Responsibilities of the board – The board should:
- ensure ‘appropriate’ systems for identifying risks and make a ‘robust assessment’ of those risks;
- determine nature and extent of principal risks and those risks company is willing to take to achieve strategic objectives (risk appetite);
- ensure appropriate culture and reward systems are embedded throughout the company;
- agree how to manage or mitigate principal risks to reduce probability and/or impact;
- review effectiveness of risk management and internal control systems and take corrective action where necessary; and
- ensure there are sound processes for internal and external communications on risk management and internal control.
What is the Internal Audit Function, and what are some examples of Financial Risk, Operational Risk and Compliance Risk?
Internal Audit Function:
Work of internal audit is not prescribed by regulation – it is decided by management / board/ audit committee and may include:
- reviewing internal control systems- the system made up of all of the structures, policies and procedures within an organization related to the management of financial/operational/compliance risk. Preventative/Detective/Corrective Controls.
- special investigations;
- examining financial and operational information;
- Value for Money (VFM) audits (investigates whether an operation or activity is economical, efficient and effective);
- reviewing compliance with particular laws or regulations;
- risk assessment.
Financial Risk- Errors or fraud in Accounting systems or weak controls to protect financial assets.
- Failure to record transactions
- Failure to collect money owed
- Failure to protect cash
- Failure to impose stringent payment policies
Operational Risk: Risk of losses resulting from inadequate or failed internal processes, people and systems or external events. They include:
- Risk of breakdown
- Risk of losing information
- Risk of terrorist attack
- Losses arising from mistakes by staff
Compliance Risks- Failure to comply with laws or regulations resulting in fines or legal action
What are Business Risk, Governance Risk, Cyber Risk, Internal Control Risk and Strategic Risk?
Business Risk: The possibility of a company having lower than anticipated profits or experiencing a loss
</gre_replace>
<gr_replace lines="82" cat="clarify" orig="What are the Elements">
What are the Elements of an effective Risk Management System (COSO Enterprise Risk Management (ERM) Model, 2017)?
- Reputational risk- risk of loss in customer loyalty, due to a damaging event
- Competition risk- risk that business performance affected by a competitor’s actions
- Business environment risks- regulatory/political/environmental changes
- Liquidity risks- risk that the company will have insufficient cash to settle all its liabilities.
Governance Risk:
- Structure- risk associated with boards/policy frameworks
- Processes- new product processes and communication channels
- Information- audit reporting, management risk and compliance reporting
- People and culture- leadership/accountability transparency
What does the Turnbull Report Recommend? What are the UK and USA Systems of Risk Management?
The Turnbull Report: Recommends that there should be financial, operational and compliance controls to deal with risks in each of these areas.
- Financial – internal controls to provide reasonable assurance around transactions, access to assets and keeping proper records
- Operational – internal controls that help to reduce risks or identify failures in operational systems. Designed to prevent, detect and/or correct operational failures
- Compliance – concerned with making sure that organization complies with all requirements of relevant legislation and regulations
UK: The Turnbull Report/Guidance (now replaced by FRC Guidance). Considers risk management and internal controls jointly
USA: Committee of Sponsoring Organisations (COSO). Considers risk management and internal controls as two separate systems
What is the ERM Model and the COSO Framework? Identify the 5 elements to a system of internal control.
Consistent with the ERM Model, the COSO Framework (2013) identifies 5 elements to a system of internal control:
- The control environment- set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
- Risk assessment- identifying and analyzing risks to achieve the Company’s objectives
- Control activities- performed at all levels, actions established by the policies and procedures- management directives to mitigate risks.
- Information and communication- internal and external- information is necessary for the organization to carry out its internal controls function.
- Monitoring activities - evaluations and communication of deficiencies of the internal control system.
What are the Elements of an effective Risk Management System (COSO Enterprise Risk Management (ERM) Model, 2017):
- Governance and culture- Governance sets the organization’s tone on oversight responsibilities and culture pertains to ethical values, desired behaviors and understanding of risk
- Strategy and objective-setting- Process for setting objectives for the company that are consistent with the organization’s aims and the board’s risk appetite
- Performance- Risks that may impact the achievement of strategy and business objectives need to be identified and assessed
- Review and revision- By reviewing performance an organization can consider how well the risk management components are functioning and what revisions are needed over time
- Information and communication- Continual process of obtaining and sharing necessary information from internal and external sources, and flowing up, down and across the organization
What are the steps taken in developing a Risk Management System? What is Risk Reporting?
- Risk identification- board has ultimate responsibility in determining the nature and extent of the principal risks. Mind Mapping/Process Mapping/Stress Testing/Internally generated Documents.
- Risk categories – Strategic (external risks); Financial/Operational/Compliance (internal risks)- the internal risks are managed by the internal control system (COSO).
- Risk assessment: does the risk qualify as a principal risk of the organization? What is likelihood or probability of occurrence; and what is the potential size of the impact of the occurrence?
- Risk response – avoid/reduce/transfer (insurance/outsourcing)/accept
- Risk monitoring- Monitoring the effectiveness of the responses, Stress Testing/Internal Audit.
- Risk reporting- Board needs information from management on the principal risks and the effectiveness of how they’ve been managed.
Risk Register-
- Recording Risks that have been identified
- Actions taken to identify the risks
- The outcome of the investigation and assessment of risks
- Identifying the person with management responsibility for the risk
- Recording measures taken to deal with the risk
- Recording the effects of control measures to assess whether control is effective or new measures required
- Recording regular reviews of risk to determine whether it is becoming more significant or less significant
What should the Strategic Report and DTR Disclosure contain in relation to Risks?
Strategic Report- Must contain a description of the principal risks and uncertainties facing the company and how they are to be managed/mitigated. Large PIEs (public interest entities) must also describe the Company's business relationships/products/services likely to cause adverse impacts in relation to the principal risks.
DTR- Disclosure of internal control weaknesses- The board of a listed company has an obligation under the DTR to report significant internal control weaknesses when they occur, if the company's financial performance/position will be badly affected as a result.
What are the benefits of Risk Management?
Benefits of Risk Management-
- Operational Performance- increases the likelihood of achieving business objectives, uses incidents to highlight the risk environment- enhance risk awareness- develop performance indicators or risk indicators to improve business performance and processes. Facilitates monitoring and mitigation of risk- provides a platform for regulatory compliance and building goodwill.
- Financial Performance- Protects and enhances value, contributes to a better credit rating, builds investor, stakeholder and regulator confidence and shareholder value. Reduces insurance premiums.
- Decision Making- Informed decisions are made, facilitates assurance and transparency of risks at board level, enables decisions to be made in light of risk appetite/tolerance risk impact.
What are the Common Risk Failures of the Board, and how should they be prevented?
What is the Risk Committee? What are its benefits? What are the disadvantages of forming a Risk committee?
The Risk Committee- Focus exclusively on risk issues - No Restriction on composition, but according to ICSA guidance note:
- Should consist of a majority of NEDs and the Chairman should be a NED
- Finance Director should be a member or attend regularly
- Chief Risk Officer should attend
- CEO may be asked to attend the meetings
- Good Communication between the Risk Committee and the Audit Committee
Para 120 FRC Guidance on Board Effectiveness:
- Companies in some sectors may be required to create a separate risk committee with responsibility for ensuring risk is effectively managed. Where this is not a requirement, the board may wish to consider having a separate risk committee, particularly if it has concerns about whether the audit committee has sufficient time to deal with both issues or whether the composition of the audit committee is suitable.
Risk committee has benefits as it can focus solely on reviewing the organisation's risk management and give specific advice to the board on risk appetite/tolerance/management- composition is not restricted by the Code- can have non-board members and Executive directors.
- Risks associated with forming a risk committee- conflict between the audit and risk committee- roles will have to be clearly defined and outlined, regular reports from the Committee meetings.
- Danger of overlooking some risks- as each committee might think the other is looking at the risk- effective communication is required, and the chair of each Committee should be a member of the other. The AC should retain responsibility for monitoring financial risks as well as the effectiveness of internal control, as it has responsibility for audit and financial reporting.
- A message is sent to senior management that risk is no longer their responsibility – to ensure this does not happen an organisation should have a risk manual roles/responsibility of the board clearly listed.
- Having sufficient directors with the required skills- source directors with relevant experience, or source non-board members (CFO/Advisor) to sit on the Committee.