Chapter 13 - Test yourself Q&A's - Risk Structures, policies, procedures and compliance Flashcards
What does the board need to consider when deciding what structures to put in place to fulfil its responsibilities for risk and internal control?
The board has overall responsibility for the systems of risk management and internal controls within an organisation. To enable the board to carry out this responsibility, it needs to ensure that the appropriate structures are put in place at the proper levels within the organisation to manage risk. In deciding what these structures should be, the board needs to consider the following:
- Whether risk and internal controls should be considered by the whole board or be delegated to a committee of the board.
- If delegating to a committee, whether risk and internal controls should fall under one committee, the audit committee, or into two separate committees, the audit committee for internal controls and the risk committee for risk.
Why might an organisation decide to have a risk committee?
In some cases, the audit committee may be overwhelmed by its other duties covering financial reporting and internal controls or may not have the necessary skill set required for the governance of risk. In these cases, the board may decide to establish a separate risk committee.
The size of the organisation and the sector the organisation is operating in may also determine whether responsibility for reviewing internal controls and risk management is dealt with in the same board committee, the audit committee, or whether two separate committees, one for audit and the other for risk, are established.
Banks and other large financial institutions normally have separate risk committees due to the complexity of their risk exposure. A growing number of listed non-financial companies, for example in the oil industry, are also finding it useful to establish a separate risk committee.
The benefits of a separate risk committee are:
- It can focus solely on reviewing the organisation’s risk management and providing assurance to the board that risk management and the processes for the control over risk are effective.
- It can give the board advice and make specific recommendations on risk appetite, the organisation’s risk tolerance and strategies to manage risk.
- It can provide input into strategy formulation by helping the board to understand the key risks facing the organisation and the opportunities available to the organisation by managing those risks.
- The composition of the committee is not restricted by the requirements of the corporate governance code. An audit committee is required to be composed of all independent directors. A separate risk committee can have executive directors and non-board members to strengthen the skills and experience of the committee.
Who are the main governance players that support the board with their risk management responsibilities?
- The board.
- Audit and, if separate, risk committees.
- Company secretary.
- CEO.
- Chief Risk Officer.
- Internal Auditor.
- All management and staff.
Why should boards routinely monitor and review the organisation’s systems of risk management and internal controls?
The existence of risk management and internal control systems does not, on its own, indicate that risk and internal controls are being managed effectively within an organisation. The board (or audit committee) should, on an ongoing basis, monitor and review the systems to ensure that they:
- remain aligned with the organisation’s strategic objectives;
- address the risks facing the organisation;
- are being developed, applied and maintained appropriately for the organisation.
What matters should the annual review of the effectiveness of the systems of risk management and internal controls cover?
The FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting, states that the annual review of effectiveness should consider:
- the company’s risk appetite;
- the desired culture within the company and whether this culture has been embedded within the organisation;
- the operation of the risk management and internal control systems, covering design, implementation, monitoring and review and the identification of principal risks;
- the integration of risk management and internal controls with the company’s business model, strategy and business planning processes;
- the changes in the nature, likelihood and impact of principal risks;
- the company’s ability to respond to changes in its business and the external environment;
- the extent, frequency and quality of management’s reporting on the organisation’s risk management;
- the issues dealt with by the board throughout the year under review;
- the effectiveness of the company’s public reporting processes.
What concerns should an employee raise through a whistleblowing procedure?
An effective whistleblowing procedure should allow for an employee to raise concerns about illicit behaviour, usually in one of the following areas:
* fraud;
* a serious violation of a law or regulation by the company or by directors, managers or employees within the company;
* a miscarriage of justice;
* offering or taking bribes;
* price-fixing;
* a danger to public health or safety, such as dumping toxic waste in the environment or supplying food that is unfit for consumption;
* neglect of people in care; or
* in the public sector, gross waste or misuse of public funds.
What areas should a whistleblowing policy and procedure cover?
Typically, a whistleblowing policy and procedures would cover the following:
* purpose, scope and coverage;
* procedures for reporting a matter;
* what happens when communication is received from a whistleblower;
* anonymity of the whistleblower;
* communication with the whistleblower; and
* protection of the whistleblower.
What areas should be covered in a cybersecurity policy?
The cybersecurity policy should inform employees and other authorised users of the company’s technology of the requirements for protecting that technology and the information it contains from a cyberattack. The policy is usually made up of three parts:
- Physical security of the technology. This section explains the importance of keeping the physical asset secure – locking doors, surveillance, alarms etc.
- Personnel management. This section explains to employees how to conduct their day-to-day activities – password management, keeping certain information confidential, the use of the internet, the use of memory sticks etc. Some organisations go as far as restricting access to the internet and sealing the ports of computers for USB devices in an attempt to stop viruses and malware from being introduced into their systems.
- Hardware and software. This section explains to the technology administrators what type of technology and software to use and how networks should be configured to ensure they are secure. Due to the technical nature of this part of the policy, boards may wish to get independent advice on the recommendations of management in this area.
What matters should the company secretary consider when handling insider information?
Managing insider information is a major part of the company secretary role. The following are some of the matters that the company secretary may consider when handling insider information:
- Confidentiality of board papers. Extra care should be taken when distributing paper board packages. This might mean using double envelopes, anti-tear envelopes, and even hand delivery rather than email or courier. If documents are made available electronically through a board portal, the company secretary should make sure the system is as secure as possible, for example, by encrypting documents.
- Careful consideration may have to be given to securing the computers used to prepare the papers to be included in the package. If shared drives are used or computers are networked, the company secretary should know who has access to these drives and networks. If a password is needed to access certain drives, the company secretary should know that usually the administrator of the system (often an IT person or sometimes an outsourced person) can access the drive/folder. It has been known in highly sensitive transactions for the papers to be prepared and kept on an offsite server usually maintained by the company’s law firm.
- Confidentiality of board discussions. The company secretary should consider the following:
– Is the room in which the board is meeting soundproof?
– Can anyone see into the room from outside? Especially, if a PowerPoint presentation is made, will it be visible?
– Some listed companies even check for listening devices and coat windows so that no one can see in to ensure confidentiality.
- Insider lists. These lists are often required by regulators for listed companies, although they can be used by any company involved in a commercially sensitive project. To control the spread of confidential information, insider lists contain the names of people, internally and externally, who are aware of the project. Only those on the list can discuss the project. If someone else needs to be consulted, they have to be added to the list. The company secretary is often the holder of the insider lists.
- The communication plan for the project. The company secretary may be asked on behalf of the board to work with management to produce a communication plan for the project. This will indicate who should be communicated to, how, and when. If the company is listed or is a regulated business, then any regulations for communications should be reflected in the plan. For example, a listed company may have to make a regulatory announcement before it can release information to others.
What is the difference between disaster recovery planning and business continuity planning?
A disaster recovery plan is a plan of what needs to be done immediately after a disaster to recover from the event. The disaster is of a nature unconnected with the company’s business and outside the control of management. Examples of disasters are:
* natural disasters, such as major fires or flooding or storm damage to key installations or offices;
* IT disruptions; and
* major terrorist attacks.
Business continuity planning goes beyond procedures that should be taken in an emergency, such as a fire or explosion in a building. It is intended to establish, in advance, a plan of what a company needs to do to ensure that its key products and/or services continue to be delivered in the longer term, i.e. a plan for the sustainability of the business. A business continuity plan should be developed from the disaster recovery planning and the risk management process. It should seek to make the company ready to take advantage of the longer-term threats to the business, thus giving the company competitive advantage over competitors who are not planning for the future sustainability of their business.
It is important for the board to be involved in both disaster recovery and business continuity planning as both are critical to the on-going activity of the business.
What are the six principles of the Ministry of Justice Guidance on the UK Bribery Act 2010?
- Proportionate procedures. The procedures of a commercial organisation to prevent bribery should be proportionate to the risk of bribery that it faces and the nature and scale of its commercial activities.
- Top-level commitment. Top-level management should be committed to preventing bribery and should foster a culture in their organisation in which bribery is considered unacceptable.
- Risk assessment. There should be periodic, informed and regular assessment by organisations of the nature and extent of potential bribery by people associated with it.
- Due diligence. There should be due diligence of third party intermediaries and local agents who will act on behalf of the organisation, with a view to identifying and mitigating bribery risk.
- Communication (including training). Commercial organisations should seek to ensure that policies against bribery are embedded and understood, by means of communication and training that is proportionate to the bribery risk that the organisation faces.
- Monitoring and review. There should be monitoring and review of the
What should the company secretary do to minimise boardroom disputes?
The company secretary can take the following steps to minimise boardroom disputes:
- Ensure that the roles of the board members have been set out in a clear and concise way in their appointment letter.
- On appointment, a comprehensive induction programme should be held to ensure that there is no misunderstanding as to what is expected from the board members.
- There is a board charter/governance manual setting out what the roles of the board, board committees and senior management team are.
- Delegation of authority to the CEO is clearly documented.
- Proper flows of information to and from the board. The board requires sufficient information to make informed decisions. Management require prompt communication of board decisions.
- In agenda development, ensuring that there is plenty of time allowed for discussion, debate and deliberation of the matters brought to the board.
- Advising the chair to agree with the board ground rules for behaviour, attire etc. during board meetings.
- Creating the right environment within the boardroom for calm, effective meetings and decision making. This can include:
– Shape of the table
– Seating arrangements
– Lighting and heating
– Make sure there are plenty of breaks
– Being prepared to break a tense situation by advising the chair to take a break, asking for clarity for the minutes etc.
- Encouraging the creation of a good culture within the board. This can be achieved by building relationships and trust between board members. Giving plenty of opportunity for board members to get to know each other through lunches or dinners, annual board retreats, board trainings etc.