Chapter 12 - Test yourself Q&A's - Systems of risk management and internal control Flashcards
What is risk appetite and risk tolerance?
Risk appetite is the level of risk that an organisation is willing to take in the pursuit of its objectives. It should be set by the board who should review its level regularly as the business environment changes.
Risk tolerance is the amount of risk that an organisation is prepared to accept in order to achieve its financial objectives. It is expressed as a quantitative measure. For example, in banks, the value at risk (VaR) for a portfolio.
What are the main categories of risk?
financial risks
operational risks
compliance risks
strategic risks:
– people risks
– marketplace risks
– ethical risks
– reputational risks
– suppliers/outsourcers risks
– environmental
List the responses to risk.
avoidance
reduction
transfer
acceptance
You are the company secretary of a clothing retail business and, as the person responsible for risk, you have been asked to complete the risk register for the following risk, which has been rated high.
Propose a treatment and a method of measuring the effectiveness of the treatment: theft of clothes from the store.
Treatment – security tags on each item.
Monitoring – stock auditors carrying out regular audits.
What are the benefits of risk management to an organisation?
For operational performance:
* Increases the likelihood of achieving business objectives.
* Uses incidents to highlight the risk environment and helps management to enhance risk awareness and develop performance indicators or risk indicators to improve business performance and processes.
* Facilitates monitoring and mitigation of risk in key projects and initiatives.
* Provides a platform for regulatory compliance and building goodwill.
For financial performance:
* Protects and enhances value by prioritising and focusing attention on managing risk across an organisation.
* Contributes to a better credit rating, as rating agencies are increasingly focusing on the risk management of organisations.
* Builds investor, stakeholder and regulator confidence and shareholder value.
* Reduces insurance premiums through demonstrating a structured approach to risk.
For decision making:
* Shares risk information across the organisation, contributing to informed decisions.
* Facilitates assurance and transparency of risks at board level.
* Enables decisions to be made in the light of the impact of risks and the organisation’s risk appetite and tolerance.
List four common failures of boards in relation to risk management.
Failure to take responsibility for risk at the board level.
Failure to see the importance of risk to the organisation as a whole.
Failure to capture the major risks of the organisation.
Failure to consider the integrated nature of risk.
Failure to put in place the appropriate control or other mitigants for risk.
Failure to manage reputational risk.
Failure by the board to map out clearly, often in a risk manual, who has responsibility for what at what level of the organisation.
Failure to consider, decide or articulate effectively the risk appetite for the organisation.
Failure to obtain and share timely and good quality information can lead to heightened risk within an organisation.
Failure of the board to appropriately challenge management on the proposals brought to the board can create risk.
What is the responsibility of a board of directors for risk and internal controls?
Principle O of the UK Corporate Governance Code states that:
‘The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks it is willing to take in order to achieve its long-term strategic objectives.’
The Principle is supported by the following Provisions:
‘28. The Board should carry out a robust assessment of the company’s emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and explanation of how these are being managed or mitigated.
- The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.’
Explain the difference between downside and upside risk.
Downside risk is the risk of something bad happening that affects an organisation’s ability to meet its strategic objectives.
Examples are a fire or an IT breakdown. Upside risk is where an organisation performs better than expected, which creates its own risks – for example, the take-up of a product being more than anticipated, which could lead to a risk that the product will not be available, and the organisation may be seen as unreliable.
What is the difference between the UK and US models of risk management and internal control systems?
The US system separates the two systems whereas the UK model considers risk management and internal control systems jointly.