Chapter 13 - Risk Structures, Policies, Procedures & Compliance Flashcards
Why is risk becoming increasingly important?
- The speed of change in business environments demands a faster speed of response
- Increased transparency (social media etc.) means companies operate in a ‘glass bubble’
- Change in the types of risk from tangible to intangible (e.g. reputational and cyber risks) - these require new methods of assessment and mitigation
- Risks are becoming more interconnected - a holistic, integrated approach is needed
- Increasing recognition that RM is not just a compliance discipline - it is about building relationships and developing behaviours and a culture of risk management, which requires a different skillset
- Growing awareness that RM supports better decision-making and strategy development
- Appreciation of the board’s role - need appropriate systems to integrate RM and to foster RM both vertically and horizontally within the organisation
What are the 5 stages of developing a risk management system?
- Definition / identification
- Assessment
- Response
- Monitoring
- Reporting
What key considerations should the board make when putting risk management structures in place?
- Whether risk is to be considered by the whole board or delegated to a committee (and if so, one committee or two)
- The division of responsibility between the board and management for risk management
- The CoSec should play a role in advising on this; the answer will differ from company to company.
What does the Code require in respect of Audit, Risk & Internal Control?
- Princ.M - formal and transparent policies and procedures to ensure the independence and effectiveness of internal and external audit functions and satisfy itself on the integrity of financial and narrative statements.
- Princ.N - board to present a fair, balanced and understandable assessment of the company’s position and prospects.
Princ.O requires the board to:
* Establish procedures to manage risk;
* Oversee the internal control network; and
* Determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives
Why are the issues of risk management and internal controls often delegated to committees?
- Complexity of risks
- Level of stakeholder interest in the organisation’s ability to manage threats and take advantage of risk opportunities
Why might companies establish a separate risk committee?
- AC overwhelmed / may not have the necessary skills
- Size/sector of the organisation may determine where responsibility for IC/RM lies
- Banks/large financial institutions - usually have a separate RC because of the complexity of their risks
- A growing number of non-financial companies (e.g. in the oil industry) find it useful to have an RC
What are the benefits of having a separate risk committee?
- Can focus solely on risk management
- Can provide assurance to board that RM processes are effective
- Can advise board/make specific recs on risk appetite/tolerance & strategies to manage risk
- Provide input into strategy formulation - help the board understand risks/opportunities and how they are managed
- Composition not restricted by the UKCGC - can include execs, NEDs, whoever helps
Per CGI’s ‘Terms of Reference for a Risk Committee’ (2020), what are some composition suggestions where company has a separate risk committee?
- At least 3 members - all independent directors
- At least one member of AC and/or RemCom / 1 NED specifically responsible for risk
- As a whole - appropriate skills, knowledge, expertise
- As a whole - relevant competence in organisation’s operating sector
- FD/CFO and CRO should attend meetings regularly - others by invitation as and when required
What are some potential duties/roles of a risk committee?
- Provide assurance to the board that RM and control processes are effective
- Monitor risk areas by receiving periodic reports - make recommendations to the board where appropriate
- Oversee the CRO’s role/responsibilities and provide direction
- Provide information to the board to help with strategy formulation
- Monitor management behaviour to ensure no excessive risk taking/taking appropriate action if so
- Recommend changes in RM policies and/or processes to the board
- Consider risk opportunities and make recommendations to the board
- Review/approve statements to be included in AR that concern IC/RM
What are the risks of setting up a separate risk committee?
- Potential AC v RC conflict if roles/responsibilities are not clearly defined (they need to be set out clearly in the ToR)
- Danger of some risks being overlooked - each committee assumes the other is considering them
- Message sent to senior management that risk is no longer their responsibility (a risk manual can help counter this)
- Need for SUFFICIENT DIRECTORS with the required skills - small/medium companies may find this hard to overcome
- Directors may end up being appointed without sufficient risk management skills and knowledge
What is the purpose of an internal audit function?
“…independent objective assurance/consulting activity designed to add value and improve an organisation’s operations…helps achieve objectives by bringing systematic, disciplined approach to evaluate/improve effectiveness of RM, control and governance processes” (IIA)
What are the benefits of an in-house internal audit function?
- Understands the company, its culture, operation and risk profile - should be able to add value
- Can build networks within organisation - become integrated into business & become ‘eyes and ears’ of the board
- Provide assurance to stakeholders as to the integrity of the organisation’s internal control system
- Become essential to checks/balances within organisation’s internal control system
- Could be lower-cost - depending on makeup of the team
What is the main benefit of co-sourcing or out-sourcing the internal audit function?
Organisation can leverage external resources, tech, skills and expertise which may not be available to it with an in-house team.
How does FRC Guidance on ACs recommend that the independence/objectivity of the internal audit function be preserved?
- AC should approve the appointment/termination of the head of internal audit
- Internal audit should have access to the AC and the chair of the board where needed
- AC to ensure internal audit has a reporting line which keeps it independent from the executive, so that it can exercise independent judgement
How often does the IIA recommend the IA function carries out an independent review of its function?
Every 3 years.
What issues should the CoSec ensure are on the board’s agenda re IC/RM?
- Approval of policies and framework
- Management reports on implementation/effectiveness
- Assurance reports from internal/external audit and any compliance officers on the effectiveness of implementation
- IA reports on suspected non-compliance/ineffectiveness
- Information on the key risks facing the organisation and how they are managed
- Evaluation of the RM system - at least annually
Where there is a separate risk committee, what might the company secretary do to aid/facilitate their purpose?
- Ensure the ToR are clear and followed - work with the chair to develop an annual work plan
- See that the committee follows its procedures and governance best practice, and advise the committee chair where this is not the case
- Write the committee chair’s report of recommendations for the board to approve
- Draft minutes with a list of actions - deliver feedback on the action points at the next meeting
- Consider the regular evaluation of the effectiveness of the committee
What other duties might the cosec take on in respect of risk and internal controls?
- Assist with the assessment of the effectiveness of RM/IC systems
- Draft/review statements in reports setting out the attitude to risk and the management of risks
- Collate information from management/staff to support the board’s assessment of the system’s effectiveness - including verification of that information
- Manage the process for production of the annual report and accounts on behalf of the board
- Advise the board on business continuity - possibly drafting the BCP and/or communicating the plan
What 2 reasons are there that the Company Secretary has an important part to play in strengthening the control environment?
- Linking various people, structures and processes within the control environment into a strong culture of control and risk management
- Ensuring various structures and processes within the control environment are integrated effectively in overall workflow and decision-making process of the board.
What should the CEO ensure in relation to RM/IC?
- Proper execution of the RM policies laid down by the board
- That the RM/IC frameworks extend throughout the organisation
- That resources are available and work efficiently
- That the organisation’s culture reflects the risk appetite that has been developed
What types of organisation most commonly have a CRO?
Large companies such as banks and other financial institutions; oil companies.
What is a CRO?
Chief Risk Officer - a specialist executive manager responsible for risk.