Chapter 12. Risk Management & Internal Controls Flashcards
What is risk*
The effect of uncertainty on objectives (positive or negative)
Corporate governance role in risk* (5)
D.M.U.C.C.
- DEFINE risk appetite
- Ensure risks are MANAGED and understood
- Ensure robust INTERNAL CONTROLS to manage risks
- Create a RISK culture.
Why is risk becoming more important?
- Speed of change in environment in which companies operate.
- Increased transparency (social media)
- More intangible risks (rep/Cyber)
- More interconnection of risks
- Risk isn’t just a compliance discipline (it is building relationships within the business/developing behaviours and a culture of risk management)
What are the 3 main types of internal controls, and what do they seek to provide?**
- Preventative controls
- Detective controls
- Corrective controls
According to COSO, they seek to provide reasonable assurance regarding the achievement of objectives in the following areas:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with laws/regulations
What are the risks associated with internal controls?**
They may fail to achieve their purpose of preventing/detecting risk, which can occur due to:
- Badly designed
- Not properly applied
- Circumvention of control (op risk)
An internal control system must have procedures to identify weak/ineffective internal controls.
Types of risks**
BUSINESS RISKS
Lower anticipated profit due to:
1. Reputation risk (loss of loyalty/support)
2. Competition risk
3. Business environment risk (political/regulatory changes)
4. Liquidity (not enough cash to settle liabilities)
GOVERNANCE RISKS
1. Structure (board/policies)
2. Processes (new products/strategic planning)
3. Information (financial reporting/MI)
4. People and culture (leadership/accountability/transparency)
UKCGC and RISK / Internal controls
(O) Board should establish procedures to manage risk, oversee internal control framework and determine nature/extent of principal risk it's willing to take to achieve its long term strategic objectives
(28) Assess emerging/principal risks and confirm in AR&A, inc. description of main risks, procedures to identify risks & how they’re being managed/mitigated.
(29) Board should monitor risk management/internal controls. At least annually, review their effectiveness and report in AR&A. Monitoring and controls should include material controls: finance, operational and compliance.
See also (25) AC role/responsibility and (31) Viability.
Code/guidance doesn’t require reporting of failure/weakness of internal controls but DTR requires in annual report details of internal control and risk management systems.
What are the 5 steps of developing a risk management system?**
- DEFINE AND IDENTIFY
> What is the risk? i.e. liquidity / competition / reputation
> How to identify (mind mapping / process mapping / stress testing / internal docs)
- ASSESS
To see if it’s a principal risk… likelihood x impact provides rating.
Consider risk appetite / risk tolerance
- RESPONSE
Avoid
Reduce
Transfer
Accept
- MONITOR
Process to monitor response to risk, i.e.
> stress testing
> internal audit reviews
> SMART (Specific, Measurable, Achievable, Relevant, Time-based)
- REPORT
Board: via risk register/dashboard
Shareholders: via strategic report - risks / uncertainties / management and mitigation.
What are internal controls?**
The structure, policies, procedures in a company to manage finance, operational and compliance risk.
Role of the company secretary in risk
Develop strategic objectives relating to risk.
Identify principal risks company is willing to take to achieve objectives and those which could threaten the business.
Robust assessment of principal risks
Explain how principal risks are being managed/mitigated
Monitor and annually review the effectiveness of the risk management and internal control system
Annual Viability assessment (code 31) for period determined by Board
Report on above in AR&A
What are the 3 main types of internal controls?
- Preventative controls
- Detective controls
- Corrective controls