Chapter 12 - Systems of Risk Management & Internal Control Flashcards

1
Q

Why are risk management and internal controls relevant to corporate governance?

A
  • Management of risk requires structures, policies, procedures to be developed, which when operationalised efficiently lead to long-term sustainable success
  • This should create a culture - better performing org that is more likely to deal with shocks of the environment it operates in- which leads to its continued sustainability.
  • Board, in governing, should be managing the risk the organisation is willing to take in achieving its strategic objectives.
  • Level of success can affect performance/solvency of the company
  • Development of internal controls - CG best practice refers to the board's responsibility to ensure that the systems for RM and IC are effective
  • CoSec should advise board on significance of RM to CG / their responsibilities re RM/IC systems
2
Q

What are the 2 essential tasks re the governance aspect of RM/IC?

A
  • Ensuring that robust internal controls are in place to manage risks and that these are reviewed and monitored.
  • Define risk tolerance & risk appetite
3
Q

What is the CoSec’s role in respect of risk management & internal controls?

A

Advise/facilitate:

  • Develop set of strategic objectives
  • Identify principal risks willing to take to achieve & that may ‘threaten business model, future performance, solvency & liquidity’
  • Carry out a robust assessment of principal risks
  • Explain how emerging risks are mitigated / managed
  • Monitor IC & RM systems
  • At least annual review of RM/IC system effectiveness
  • Annual assessment of the future viability of the company over a period to be determined by the board, considering its current position and principal risks.
  • Report on all of the above in the annual report and accounts
    (Help devise, implement and monitor a whistle-blowing policy)
4
Q

What does the UKCGC have to say on the issues of risk management and internal controls?

A
  • PRINCIPLE O: the board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks it is willing to take to achieve its long-term strategic objectives.
  • PROV.25 - AC should review the company’s internal financial controls. The review of the company’s internal control and risk management systems could be done by the board itself, AC or separate board risk committee. CoSec should advise and facilitate.
  • PROV 28: - Board should carry out a robust assessment of emerging/principal risks.
    Confirm in AR it has completed assessment including descriptions of principal risks, RM procedures and explanation(s) of risk mitigation process.
  • PROV 29: Board should monitor RM/IC systems
    At least annually- carry out review of effectiveness and report in the AR
    Report should cover all material controls (fin, ops, compliance)
5
Q

What are downside risk and upside risk?

A
  • Downside risk – a risk that actual events will turn out worse than expected. Such risks can be measured in terms of the amount by which profits could fall short of expectations, where the expected outcome is the forecast or budget. E.G. fire, consequences of bad weather systems, earthquakes, IT breakdowns etc.
  • Upside risk – a risk that actual events will turn out better than expected and provide unexpected profits. E.G. sales volume higher than expected, an investment providing higher than expected returns etc.

To manage risk effectively - organisations should have processes in place to manage both.

6
Q

Define business risk

A

Possibility company will have lower than anticipated profits/experience a loss rather than taking a profit.

7
Q

What are the four types of business risk?

A
  • Reputational: risk of loss of customer loyalty/support due to event damaging org’s reputation
  • Competition: risk business performance will be affected due to acts of orgs competitors
  • Business Environment: risk that the business environment it operates in will change significantly (ex. politics, regulation, economic factors, social & environment, technology)
  • Liquidity: insufficient cash to settle liabilities on time, will be forced out of business
8
Q

What are the four types of governance risk?

A
  • Structure - boards / steering groups to business models & policy frameworks
  • Processes - new product processes / comms channels to operations, strategic planning & risk appetite
  • Information - financial performance & audit reporting to management, risk and compliance reporting
  • People & Culture - ‘tone from the top’ to accountability/transparency throughout the org, inc. relationship with regulators
9
Q

What 7 questions should boards ask themselves when considering risks to their specific organisation?

A
  • What risks?
  • How measured?
  • Worst-case scenario of each
  • Likelihood of BAD outcome from each
  • Risk appetite?
  • Risk tolerance?
  • How to manage?
10
Q

What is an internal control system?

A

A system made up of all structures, policies and procedures within an organisation related to the management of financial, operational and compliance risks (often known as business risk)

11
Q

What are the 3 main categories (by timescale) of internal control?

A

Preventative - prevent adverse risk from occurring (ex. fraud by employees)

Detective - detect risk events as they occur so appropriate person alerted/corrective measures taken

Corrective - deal with occurrences and their consequences

12
Q

According to COSO, what are the 3 categories in which internal controls/internal control systems should provide ‘reasonable assurance regarding the achievement of objectives’?

A
  • Effectiveness/efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws/regulations
13
Q

What are the reporting requirements in respect of IC/RM?

A
  • DTRs - disclosure in Annual Report
  • Description of main features of IC/RM systems re financial reporting
  • Boards may feel obliged to report significant IC weaknesses under DTR if they feel company financial performance or position would be adversely affected as a result.
  • Code/FRC Guide - do not, themselves, require any disclosure regarding failures/weaknesses of IC/RM
14
Q

For what 2 reasons can internal control risks occur?

A
  • Bad design: so would not be capable of achieving their purpose as a control
  • Well-designed, poorly applied : human error, oversight, circumvention/ignoring (an example of operational risk)
15
Q

What are the 2 most commonly used models for RM/IC?

A
  • Developed by Turnbull (UK)
  • COSO (USA)
16
Q

What is the difference between UK framework for IC/RM and US (COSO)

A
  • UK - based on Turnbull - considers RM and IC together
  • US - COSO - 2 separate frameworks (Internal Control – Integrated Framework / Enterprise Risk Management – Integrating with Strategy and Performance)
17
Q

What is the responsibility of the board for risk and internal controls as per the UKCGC?

A

Principle O
‘board establishes processes for managing risk, overseeing the internal control framework and determining the nature and extent of the principal risks it is willing to take in order to achieve the company’s long-term strategic objectives’

Supported by:

  • Prov.28 - robust assessment of emerging and principal risks, confirmed in AR including describing principal risks and processes put in place to identify emerging risks and how these are managed and mitigated.
  • Prov.29 - must monitor both systems and, at least annually, evaluate the effectiveness of both and report on this in the AR. The review must cover ALL MATERIAL CONTROLS (financial, operational, compliance).
18
Q

For the purposes of identification what are the 6 categories of risk?

A
  • Financial
  • Liquidity
  • Credit
  • Operational
  • Strategic
  • Reputational
19
Q

What are the main categories of risk?

A

Financial - internal (ex. failure to protect cash, credit risk, liquidity risk, operational risks)

Compliance - important laws/regs not complied with leading to legal action/fines

Strategic - tend to be external, arising from the business environment (ex. people risks, reputation, marketplace risks, ethical risks)

  • Board should be aware the controls themselves can create risk if they fail.
  • When identifying risk - SHOULD AIM TO DEFINE AS SPECIFICALLY AS POSSIBLE - so it is correctly managed.
20
Q

What are 4 main methods of identifying risk?

A
  • Mind mapping – involves thinking of all the risks to an organisation;
  • Process mapping – involves mapping every process within an organisation to identify independent, critical and vulnerable functions and activities within an organisation;
  • Stress testing – organisations stress test their ability to withstand extreme ‘shocks’ or unexpected events in the business environment they operate;
  • Use of internally generated documents – typically business impact studies, market research reports, expert reports etc
21
Q

What is the main challenge in identifying risks?

A

Risk of identifying business problems rather than the risk behind the problem. The result is that time and resources are spent on a perceived financial risk when the underlying risk may actually be of another type (ex. people risk).

22
Q

What are risk appetite and risk tolerance?

A
  • Risk appetite is the level of risk that an organisation is willing to take in the pursuit of its objectives. It should be set by the board, who should review its level regularly as the business environment changes.
  • Risk tolerance is the amount of risk that an organisation is prepared to accept in order to achieve its financial objectives. It is expressed as a quantitative measure; for example, in banks, the value at risk (VaR) for a portfolio.
23
Q

What are the 5 main stages of developing a risk management system?

A
  • Definition & Identification
  • Assessment
  • Response
  • Monitoring
  • Reporting
24
Q

What are the 2 main methods of assessing risk

A
  • Matrix plotting all risks - probability against severity of consequences
  • Multiplying Likelihood/Probability Rating X Size of Impact Rating = score, which is then sub-categorised RED/AMBER/GREEN
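The scoring step above (likelihood × impact, bucketed into RED/AMBER/GREEN) and the probability-vs-severity matrix can be run as a small risk register. The example below is added here and is not from the original card set; the 1–5 rating scales, the RAG cut-offs (15 and 8 on a 1–25 product), the tolerance figure of 12 and the sample risks are all assumptions for illustration, since the page gives no scale.

```python
from dataclasses import dataclass

# Assumed scales and cut-offs (the card gives none): ratings run 1..5, so the
# product runs 1..25. RED at 15+, AMBER at 8+, GREEN below.
RATING_MIN, RATING_MAX = 1, 5
RAG_THRESHOLDS = {"RED": 15, "AMBER": 8}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str      # e.g. operational, liquidity, compliance
    likelihood: int    # 1 = rare .. 5 = almost certain
    impact: int        # 1 = negligible .. 5 = severe


def score(risk: Risk) -> int:
    """Likelihood rating x impact rating; rejects ratings outside the scale."""
    for value in (risk.likelihood, risk.impact):
        if not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"{risk.name}: rating {value} outside {RATING_MIN}..{RATING_MAX}")
    return risk.likelihood * risk.impact


def rag(s: int) -> str:
    """Map a score to its RED/AMBER/GREEN band."""
    if s >= RAG_THRESHOLDS["RED"]:
        return "RED"
    if s >= RAG_THRESHOLDS["AMBER"]:
        return "AMBER"
    return "GREEN"


def build_register(risks, tolerance: int):
    """Score every risk, band it, flag anything above the board's tolerance,
    and return rows sorted highest score first (the report management gives the board)."""
    rows = []
    for r in risks:
        s = score(r)
        rows.append({
            "name": r.name, "category": r.category,
            "likelihood": r.likelihood, "impact": r.impact,
            "score": s, "rag": rag(s),
            "outside_tolerance": s > tolerance,
        })
    rows.sort(key=lambda row: (-row["score"], row["name"]))
    return rows


def matrix(risks):
    """The probability-vs-severity plot: cell (likelihood, impact) -> risk names."""
    grid = {(l, i): [] for l in range(RATING_MIN, RATING_MAX + 1)
            for i in range(RATING_MIN, RATING_MAX + 1)}
    for r in risks:
        score(r)  # validates the ratings before placing the risk
        grid[(r.likelihood, r.impact)].append(r.name)
    return grid


def render_matrix(grid) -> str:
    """Text heat map, likelihood on rows (5 at top), impact on columns."""
    lines = ["L\\I " + " ".join(f"{i:>7}" for i in range(RATING_MIN, RATING_MAX + 1))]
    for l in range(RATING_MAX, RATING_MIN - 1, -1):
        cells = [f"{rag(l * i):>7}" if grid[(l, i)] else f"{'.':>7}"
                 for i in range(RATING_MIN, RATING_MAX + 1)]
        lines.append(f"{l:>3} " + " ".join(cells))
    return "\n".join(lines)


# Constructed sample risks, one per type discussed on the page (not real data).
SAMPLE_RISKS = [
    Risk("Ransomware hits ERP", "operational", likelihood=4, impact=5),
    Risk("Key customer lost to competitor", "competition", likelihood=3, impact=4),
    Risk("Covenant breach on facility", "liquidity", likelihood=2, impact=5),
    Risk("Minor GDPR complaint", "compliance", likelihood=3, impact=2),
    Risk("Flood at warehouse", "operational", likelihood=1, impact=4),
]
BOARD_TOLERANCE = 12  # assumed: scores above this need a board-level response

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, BOARD_TOLERANCE):
        flag = " <-- outside tolerance" if row["outside_tolerance"] else ""
        print(f"{row['score']:>2} {row['rag']:<5} {row['name']}{flag}")
    print(render_matrix(matrix(SAMPLE_RISKS)))
```

Rows above tolerance are the ones the board would expect to see with a named risk response (avoid, reduce, transfer or accept); the band alone does not decide that, the board's tolerance does.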
25
Q

What are the 4 forms of risk response?

A
  • AVOIDANCE: avoid the risk altogether. Usually means shutting down or selling the part of the business that creates the risk.
  • REDUCTION: reduce negative impact/take advantage of opportunities of positive impact
  • TRANSFER: move risk elsewhere (e.g. insurance or outsourcing)
  • ACCEPTANCE- retain risk as deemed not to be significant threat
26
Q

What are the 3 main / common ways of monitoring risk?

A
  • Stress testing – the organisation assesses the robustness of the risk response by modelling extreme situations;
  • Developing SMART measures to monitor effectiveness of the risk response;
  • Use of the internal audit function.
27
Q

How should risk be reported on?

A
  • USE OF RISK REGISTER OR DASHBOARD

MANAGEMENT TO BOARD

  • Board needs information from management on principal risks and on how effectively these are managed.
  • Enables the board to then evaluate effectiveness.

BOARD TO SHAREHOLDERS
* Strategic Report - description of principal risks/uncertainties and how they are to be managed or mitigated.

Extra strategic report requirements for PIEs
* Business model
* Principal risks relating to the matters below, including where products/services could have an adverse effect (ex. on the environment)
* Employees
* Social matters
* Respect for human rights
* Anti-bribery
* Anti-Corruption

28
Q

What are the benefits of risk management systems?

A

OPERATIONAL
- Increase likelihood of achieving business objectives
- Incidents used to highlight risk environment and helps management enhance risk awareness
- Facilitates monitoring/mitigation of risk for key projects / initiatives
- Provides platform for regulatory compliance and building goodwill

FINANCIAL
- Protects/enhances value - prioritises/focuses attention on managing risks across org
- Contributes to a better credit rating - agencies increasingly focus on RM
- Increases confidence (invs, stakeholders, regs)/ builds SH value
- Reduction of insurance premiums - demos a structured approach to risk

DECISION-MAKING
- Shares risk info across org- contributes to informed decisions
- Facilitates assurance & transparency of risk at board level
- Decisions can be made in light of the impact of risks and the org’s risk appetite/tolerance guidelines

29
Q

What is the board’s main responsibility (overall role) regarding risk management and internal controls?

A

THE BOARD HAS OVERALL RESPONSIBILITY FOR RISK MANAGEMENT & INTERNAL CONTROLS
Examples:
* Decide risk appetite
* Ensure management manage risk within their guidelines for risk appetite
* Monitor management performance to ensure risk managed within board guidelines set
* Monitor RM system : ensure effective/achieves its purpose

Responsibility for evaluating the effectiveness of RM/IC systems can be delegated to the audit committee, or to a risk committee if the company has one.

30
Q

Why are boards becoming more interested in risk management?

A
  • Increased speed of change within the operating environment = greater response speed needed
  • Increased transparency (social med etc)/24hr news = companies operate in glass bubble which has its associated risks
  • Change in TYPE of risks - tangible to intangible (ex. reputation, cyber) - require new methods of assessment/mitigation
  • Risks more interconnected - more integrated/holistic approach required
  • RM not just seen as a compliance discipline - building relationships/developing behaviours and culture of risk management - requires a different skill set
  • Growing awareness that RM should support better decision-making and strategy development
  • Appreciation of board’s role in RM - have appropriate systems in place to support integration of RM throughout the org / foster collaboration in RM - both vertically and horizontally within the organisation.
31
Q

What are the common failures of boards in relation to risk management and internal controls?

A
  • Failure to take responsibility at board level
  • Failure to see the importance of risk to the organisation as a whole
  • Failure to capture the major risks of the organisation
  • Failure to consider the integrated nature of risk
  • Failure to put in place appropriate controls/other mitigants
  • Failure to manage reputational risk
  • Failure by board to map out clearly who is responsible for what at different levels of the organisation
  • Failure to consider, decide, or articulate effectively, the risk appetite of the organisation
  • Failure to obtain and share timely and good quality information.
32
Q

Who must make a long-term viability statement and what is it?

A
  • UK listed companies (in addition to stating whether it is appropriate to adopt the ‘going concern’ basis of accounting)

Prov 31
“….take into account current position/principal risks… explain in AR how assessed prospects / over what period / why period appropriate. Whether board has reasonable expectation company can continue to be in operation/meet liabilities as fall due over period under assessment …drawing attention to any qualifications/assumptions as required….”

33
Q

What should the long-term viability statement robustly assess?

A
  • Principal risks
  • Future performance
  • Solvency
  • Liquidity
34
Q

What factors should the board consider when determining the time period to be covered by its long-term viability statement?

A
  • Stewardship responsibilities
  • Previous statements it has made (especially when raising capital)
  • Nature of business / stage of development
  • Investment / planning periods
35
Q

What is corporate sustainability?

A

Corporate sustainability is ensuring the long-term survival of the organisation.

36
Q

What does corporate sustainability planning recognise?

A

The interactivity of economic, social and environmental impacts on strategic planning and risk management within the organisation.

37
Q

What is the main challenge of corporate sustainability planning?

A

Balancing current needs with long-term/future needs.

38
Q

What does the board need to determine for corporate sustainability planning?

A
  • What ARE current/future needs? (different stakeholders will have differing views)
  • Time period to be considered for ‘future generations’
  • Who for? (company alone, country it operates in, all countries and peoples?)
39
Q

How does the board deliver Principle A (UKCGC) “to promote the long-term sustainable success of the company…..value for shareholders and contributing to wider society” ?

A
  • Determine sustainability needs
  • Once established- identify potential threats to supply/maintenance
  • Sustainability objectives/policies developed in conjunction with management
  • Develop a sustainability plan/BCP based on the sustainability objectives and policies - this should align with the org’s ethical values (will include IT, DRP, buildings etc) / (CoSec may sometimes lead on developing it)
  • Once plan is complete, should be reported to board and approved by them
  • Determine which bits of BCP to communicate to who (externally and internally) - confidentiality factors / will differ based on type of organisation
  • Agree channels of communication - will depend on types of recipient/what tech is available
  • Develop/monitor sustainability indicators - which will work to assess if plans are effective
  • Board evaluate BCP annually - that it is still the right plan / operating as expected
  • Key stakeholders informed re sustainability planning (inc. strategic planning/RM)