Chapter 13 - Risk structures, policies, procedures and compliance Flashcards

1
Q

What does the board need to consider when deciding what structures to put in place to fulfil its responsibilities for risk and internal control?

A

The board has overall responsibility for the systems of risk management and internal controls within an organisation.

To enable the board to carry out this responsibility, it needs to ensure that the appropriate structures are put in place at the proper levels within the organisation to manage risk.

In deciding what these structures should be, the board needs to consider the following:

  1. Whether risk and internal controls should be considered by the whole board or be delegated to a committee of the board
  2. If delegating to a committee, whether risk and internal controls should fall under one committee, the audit committee, or into two separate committees, the audit committee for internal controls and the risk committee for risk.
  3. The division of responsibility between itself and management for risk management.
2
Q

Why might an organisation decide to have a risk committee?

A

In some cases, the audit committee may be overwhelmed by its other duties covering financial reporting and internal controls, or may not have the necessary skill set required for the governance of risk.

In these cases, the board may decide to establish a separate risk committee.

The size of the organisation and the sector the organisation is operating in may also determine whether responsibility for reviewing internal controls and risk management is dealt with in the same board committee, the audit committee, or whether two separate committees, one for audit and the other for risk, are established.

Banks and other large financial institutions normally have separate risk committees due to the complexity of their risk exposure.

A growing number of listed non-financial companies, for example in the oil industry, are also finding it useful to establish a separate risk committee. The benefits of a separate risk committee are:

  1. It can focus solely on reviewing the organisation’s risk management and providing assurance to the board that risk management and the processes for the control over risk are effective.
  2. It can give the board advice and make specific recommendations on risk appetite, the organisation’s risk tolerance and strategies to manage risk.
  3. It can provide input into strategy formulation by helping the board to understand the key risks facing the organisation and the opportunities available to the organisation by managing those risks.
  4. The composition of the committee is not restricted by the requirements of the corporate governance code.

An audit committee is required to be composed of all independent directors.

A separate risk committee can have executive directors and non-board members to strengthen the skills and experience of the committee.

3
Q

Who are the main governance players that support the board with their risk management responsibilities?

A

The governance players responsible for risk are:

  1. The board.
  2. Audit and, if separate, risk committees.
  3. company secretary.
  4. CEO.
  5. Chief Risk Officer.
  6. Internal Auditor.
  7. All management and staff.
4
Q

Why should boards routinely monitor and review the organisation’s systems of risk management and internal controls?

A

The existence of risk management and internal control systems does not, on its own, indicate that risk and internal controls are being managed effectively within an organisation. The board (or audit committee) should, on an ongoing basis, monitor and review the systems to ensure that they:

  1. remain aligned with the organisation’s strategic objectives;
  2. address the risks facing the organisation;
  3. are being developed, applied and maintained appropriately for the organisation.
5
Q

What matters should the annual review of the effectiveness of the systems of risk management and internal controls cover?

A

The FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting, section 5 no.43 states that the annual review of effectiveness should consider:

  1. the company’s risk appetite;
  2. the desired culture within the company and whether this culture has been embedded within the organisation;
  3. the operation of the risk management and internal control systems, covering design, implementation, monitoring and review and the identification of principal risks;
  4. the integration of risk management and internal controls with the company’s business model, strategy, and business planning processes;
  5. the changes in the nature, likelihood, and impact of principal risks;

etc.

6
Q

What concerns should an employee raise through a whistleblowing procedure?

A

An effective whistleblowing procedure should allow for an employee to raise concerns about illicit behaviour, usually in one of the following areas:

  1. fraud;
  2. a serious violation of a law or regulation by the company or by directors, managers or employees within the company;
  3. a miscarriage of justice;
  4. offering or taking bribes;
  5. price-fixing;
  6. a danger to public health or safety, such as dumping toxic waste in the environment or supplying food that is unfit for consumption;
  7. neglect of people in care; or
  8. in the public sector, gross waste or misuse of public funds.
7
Q

What areas should a whistleblowing policy and procedure cover?

A

Typically, a whistleblowing policy and procedures would cover the following:

  1. purpose, scope and coverage;
  2. procedures for reporting a matter;
  3. what happens when communication is received from a whistle-blower;
  4. anonymity of the whistle-blower;
  5. communication with the whistle-blower; and
  6. protection of the whistle-blower.

8
Q

What areas should be covered in a cybersecurity policy?

A

The cybersecurity policy should inform employees and other authorised users of the company’s technology of the requirements for protecting that technology and the information it contains from a cyberattack.

The policy is usually made up of three parts:

  1. Physical security of the technology. This section explains the importance of keeping the physical asset secure – locking doors, surveillance, alarms etc.
  2. Personnel management. This section explains to employees how to conduct their day-to-day activities – password management, keeping certain information confidential, the use of the internet, the use of memory sticks etc.

Some organisations go as far as restricting access to the internet and sealing the ports of computers for USB devices in an attempt to stop viruses and malware from being introduced into their systems.

  3. Hardware and software. This section explains to the technology administrators what type of technology and software to use and how networks should be configured to ensure they are secure.

Due to the technical nature of this part of the policy, boards may wish to get independent advice on the recommendations of management in this area.

9
Q

What matters should the company secretary consider when handling insider information?

A

Managing insider information is a major part of the company secretary role.

The following are some of the matters that the company secretary may consider when handling insider information:

  1. Confidentiality of board papers. Extra care should be taken when distributing paper board packages.

This might mean using double envelopes, anti-tear envelopes, and even hand delivery rather than email or courier.

If documents are made available electronically through a board portal, the company secretary should make sure the system is as secure as possible, for example, by encrypting documents.

  2. Careful consideration may have to be given to securing the computers used to prepare the papers to be included in the package.

If shared drives are used or computers are networked, the company secretary should know who has access to these drives and networks.

If a password is needed to access certain drives, the company secretary should know that usually the administrator of the system (often an IT person or sometimes an outsourced person) can access the drive/folder.

It has been known in highly sensitive transactions for the papers to be prepared and kept on an offsite server usually maintained by the company’s law firm.

  3. Confidentiality of board discussions. The company secretary should consider the following:

– Is the room in which the board is meeting soundproof?
– Can anyone see into the room from outside? Especially, if a PowerPoint presentation is made, will it be visible?
– Some listed companies even check for listening devices and coat windows so that no one can see in to ensure confidentiality.

  4. Insider lists. These lists are often required by regulators for listed companies, although they can be used by any company involved in a commercially sensitive project.

To control the spread of confidential information, insider lists contain the names of people, internally and externally, who are aware of the project.

Only those on the list can discuss the project. If someone else needs to be consulted, they have to be added to the list. The company secretary is often the holder of the insider lists.

  5. The communication plan for the project. The company secretary may be asked on behalf of the board to work with management to produce a communication plan for the project.

This will indicate who should be communicated to, how, and when. If the company is listed or is a regulated business, then any regulations for communications should be reflected in the plan. For example, a listed company may have to make a regulatory announcement before it can release information to others.

10
Q

What is the difference between disaster recovery planning and business continuity planning?

A

A disaster recovery plan is a plan of what needs to be done immediately after a disaster to recover from the event.

The disaster is of a nature unconnected with the company’s business and outside the control of management. Examples of disasters are:

  1. natural disasters, such as major fires or flooding or storm damage to key installations or offices;
  2. IT disruptions; and
  3. major terrorist attacks.

Business continuity planning goes beyond procedures that should be taken in an emergency, such as a fire or explosion in a building.

It is intended to establish, in advance, a plan of what a company needs to do to ensure that its key products and/or services continue to be delivered in the longer-term, i.e. a plan for the sustainability of the business.

A business continuity plan should be developed from the disaster recovery planning and the risk management process.

It should seek to make the company ready to take advantage of the longer-term threats to the business, thus giving the company competitive advantage over competitors who are not planning for the future sustainability of their business.

It is important for the board to be involved in both disaster recovery and business continuity planning as both are critical to the on-going activity of the business.

11
Q

What are the six principles of the Ministry of Justice Guidance on the UK Bribery Act 2010?

A
  1. Proportionate procedures. The procedures of a commercial organisation to prevent bribery should be proportionate to the risk of bribery that it faces and the nature and scale of its commercial activities.
  2. Top-level commitment. Top-level management should be committed to preventing bribery and should foster a culture in their organisation in which bribery is considered unacceptable.
  3. Risk assessment. There should be periodic, informed and regular assessment by organisations of the nature and extent of potential bribery by people associated with it.
  4. Due diligence. There should be due diligence of third party intermediaries and local agents who will act on behalf of the organisation, with a view to identifying and mitigating bribery risk.
  5. Communication (including training). Commercial organisations should seek to ensure that policies against bribery are embedded and understood, by means of communication and training that is proportionate to the bribery risk that the organisation faces.
  6. Monitoring and review. There should be monitoring and review of the procedures designed to prevent bribery, and improvements should be made when weaknesses are detected.
12
Q

What should the company secretary do to minimise boardroom disputes?

A

The company secretary can take the following steps to minimise boardroom disputes:

  1. Ensure that the roles of the board members have been set out in a clear and concise way in their appointment letter.
  2. On appointment, a comprehensive induction programme should be held to ensure that there is no misunderstanding as to what is expected from the board members.
  3. There is a board charter/governance manual setting out what the roles of the board, board committees and senior management team are.
  4. Delegation of authority to the CEO is clearly documented.
  5. Proper flows of information to and from the board. The board requires sufficient information to make informed decisions. Management require prompt communication of board decisions.
  6. In agenda development, ensuring that there is plenty of time allowed for discussion, debate and deliberation of the matters brought to the board.
  7. Advising the chair to agree with the board ground rules for behaviour, attire etc. during board meetings.
  8. Creating the right environment within the boardroom for calm, effective meetings and decision making. This can include:

– Shape of the table
– Seating arrangements
– Lighting and heating
– Make sure there are plenty of breaks
– Being prepared to break a tense situation by advising the chair to take a break, asking for clarity for the minutes etc.

  9. Encouraging the creation of a good culture within the board. This can be achieved by building relationships and trust between board members. Giving plenty of opportunity for board members to get to know each other through lunches or dinners, annual board retreats, board trainings etc.
13
Q

What is the constitution of a Risk Committee?

A

CONSTITUTION

  1. The risk committee should consist of at least three members, all of whom should be independent directors.
  2. The Committee should include at least one member of the audit committee and/or remuneration committee and/or include one non-executive director specifically responsible for risk.
  3. Members of the committee should have appropriate knowledge, skills, and expertise to fully understand risk appetite and strategy/members as a whole should have relevant risk expertise.
  4. The committee as a whole should have relevant competence relevant to the sector in which the company operates.
  5. The finance director/CFO and the chief risk officer should attend committee meetings regularly.

‘Terms of reference for a risk committee’, CGI 2020

13
Q

What are the benefits of a risk committee?

A
  1. Focused only on Risk
  2. Audit Committee may not have the required skills and experience
  3. The composition of the committee is not restricted by the requirements of the corporate governance code.
  4. It can give the board advice and make specific recommendations on risk appetite, the organisation’s risk tolerance and strategies to manage risk.
  5. It can provide input into strategy formulation by helping the board to understand the key risks facing the organisation and the opportunities available to the organisation by managing those risks.
13
Q

What does a risk committee focus on?

A

To focus solely on reviewing the organisation’s risk management and providing assurance to the board that risk management and the processes for the control over risk are effective.

14
Q

The role of the Risk committee

A

The role of a risk committee is:

  1. Providing assurance to the board that risk management and processes for control over risk are effective.
  2. Monitoring risk areas faced by the company by receiving periodic reports on them and their management and making recommendations to the board where appropriate.
  3. Overseeing the CRO’s role and responsibilities and providing direction on them.
  4. Providing information to the board to help with strategy formulation, for example with regard to risk appetite in the company’s strategy. This is achieved by helping the board to understand the key risks facing the company, its risk tolerances and its defences against those risks.
  5. Monitoring the behaviour of management to ensure that there is not excessive risk taking and take appropriate actions if such behaviours are discovered.
  6. Recommending to the board changes in the risk management policies.
  7. Considering risk opportunities and making recommendations to the board.
  8. Reviewing and approving statements to be included in the annual report concerning internal controls and risk management.

‘Terms of reference for a risk committee’, CGI 2020

15
Q

What is an internal audit?

A

‘An independent objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.’

16
Q

What is the role of an internal audit?

A
  1. Value for Money (VFM) audits. This is an investigation into an operation or activity to establish whether it is economical, efficient and effective.
  2. Reviewing compliance by the organisation with particular laws or regulations. This is an investigation into the effectiveness of compliance controls.
  3. Risk assessment. Internal auditors might be asked to investigate aspects of risk management, and in particular the adequacy of the mechanisms for identifying, assessing and controlling significant risks to the organisation, from both internal and external sources.
  4. Suitability of controls
  5. Reports To Audit Committee/Risk Committee and Board
17
Q

BENEFITS OF AN IN-HOUSE INTERNAL AUDIT FUNCTION?

A
  1. Understands the organisation, its culture, operations and risk profile and can add value to the organisation’s processes
  2. Can build networks throughout the organisation, become integrated into the company’s business and as such become the ‘eyes and ears’ of the board
  3. Provide assurance to stakeholders on the integrity of the organisation’s systems
  4. Become an essential part of the checks and balances within the organisation
  5. Could be a lower-cost option, depending on the make-up of the team.
18
Q

BENEFITS OF AN OUTSOURCED INTERNAL AUDIT FUNCTION?

A

The organisation can leverage resources, technology, skills and experience which may not be available to it with an in-house team.

19
Q

Internal audit - review of effectiveness?

A

In its annual assessment of the effectiveness of the internal audit function the audit committee should:

  1. Meet with the head of internal audit without the presence of management to discuss the effectiveness of the function
  2. Review and assess the annual internal audit work plan
  3. Receive a report on the results of the internal auditors’ work
  4. Monitor and assess the role and effectiveness of the internal audit function in the overall context of the company’s risk management system
20
Q

Business risk is the possibility a company will have lower than anticipated profits, broken down into the following categories:

A

Business risk is the possibility a company will have lower than anticipated profits, broken down into the following categories:

  1. Reputational risk: the risk of loss in customer loyalty or support due to an event that has damaged the company’s reputation.
  2. Competition risk: the risk that business performance will be affected because of the actions of the company’s competitors.
  3. Business environment risks: the risk that the business environment in which the company operates will change significantly. This may be due to political factors, regulatory factors, economic factors, social and environmental factors or technological factors.
  4. Liquidity risk: the risk that the company will have insufficient cash to settle all of its liabilities on time.
21
Q

Governance Risk?

A

Governance risk relates to the risks associated with the following:

  1. Structure – from boards and steering groups to business models and policy frameworks.
  2. Processes – from new product processes and communication channels to operations, strategic planning and risk appetite.
  3. Information – from financial performance and audit reporting to management, risk and compliance reporting.
  4. People and culture – from leadership at the top to accountability and transparency throughout the organisation, including relationships with regulators.
22
Q

An internal control system is made up of all of the structures, policies and procedures within an organisation related to the management of financial, operational and compliance risks.

Internal controls form that part of the internal control system which manage these risks.

A

There are three main types:

  1. Preventative controls intended to prevent an adverse risk event from occurring, e.g. fraud by employees.
  2. Detective controls for detecting risk events when they occur, so that the appropriate person is alerted, and corrective action taken.
  3. Corrective controls for dealing with risk events that have occurred and their consequences.

Internal controls and the internal control system seek to provide ‘reasonable assurance’ regarding the achievement of objectives in the following categories:

  1. Effectiveness and efficiency of operations
  2. Reliability of financial reporting
  3. Compliance with applicable laws and regulations.
23
Q

How would you develop a risk management system?

A
  1. Definition & Identification
  2. Assessment
  3. Response
  4. Monitoring
  5. Reporting
24
Q

Responses to risk?

A
  1. Avoidance: responses which reduce the likelihood of the risk occurring. This usually means that the organisation shuts down or sells that part of the business that is causing the risk.
  2. Reduction: responses that reduce the negative impact or take advantage of opportunities for positive impact.
  3. Transfer: responses that transfer the risk somewhere else.
  4. Acceptance: responses that retain the risk because it is deemed to be not a significant threat or the organisation has no control over it.