Corporate Governance - Systems of Risk Management and Internal Control Flashcards

1
Q

What is Risk?

A

The effect of uncertainty on objectives, whether positive or negative (International Organization for Standardization, ISO 31000).

2
Q

Why is Risk increasingly Important?

A
  1. Speed of change.
  2. Increased transparency.
  3. Change in type of risks (tangible => intangible).
  4. Interconnectedness of risks.
  5. No longer only a compliance discipline.
3
Q

What are the four key Roles of Corporate Governance as part of Risk?

A
  1. Defining organisational risk appetite for strategy delivery.
  2. Ensuring risks are managed and understood.
  3. Ensuring robust internal controls exist to manage risk.
  4. Creating a risk culture.
4
Q

What are the Key UK Corporate Governance Code (UKCGC) Provisions concerning Risk?

A
  1. Board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks it is willing to take to achieve its long-term strategic objectives (Principle O, Code).
  2. Board should carry out a robust assessment of the company's emerging and principal risks, confirming in the Annual Report and Accounts (AR&A) that this has been completed, describing those risks and explaining how they are being managed or mitigated (Provision 28, Code).
  3. Board should monitor the company's risk management and internal control systems and, at least annually, review their effectiveness and report on that review in the AR&A (Provision 29, Code).
  4. Audit committee should review the company's internal financial controls and its internal control and risk management systems, unless expressly addressed by a separate board risk committee or by the board itself; it should also monitor and review the effectiveness of the internal audit function or, where there is none, consider annually whether one should be established (Provision 25, Code).
5
Q

What are the three Principal Types of Internal Controls and what is the Overarching Purpose of these?

A
  1. Internal controls may be:
    - Preventative;
    - Detective; or
    - Corrective.
  2. Internal control systems aim to provide reasonable assurance as to operational effectiveness, reliability of financial reporting, and legal and regulatory compliance.
6
Q

What are the two Principal Forms of Risk?

A
  1. Business risk (that company will have lower than anticipated profits).
  2. Governance risk.
7
Q

What are the Key Components of a Risk Management and Internal Control System?

A

COSO Enterprise Risk Management:
1. Governance and culture (values, behaviours, risk understanding).
2. Strategy and objective-setting.
3. Performance (risks impacting strategy and business objectives).
4. Review and revision (by review of entity performance).
5. Information, communication and reporting (continuous and multilateral).

8
Q

What are the Five Steps involved in establishing and operating a Risk Management System?

A

D-A-R-M-R:
1. Definition and identification.
2. Assessment.
3. Response.
4. Monitoring.
5. Reporting.

9
Q

What does the Definition and Identification Stage entail?

A
  1. Identification of risks within the following seven categories:
    - Financial.
    - Liquidity.
    - Credit.
    - Operational.
    - Strategic.
    - Reputational.
    - Compliance.
  2. Identification methodology:
    - Mind-mapping.
    - Process-mapping.
    - Stress-testing.
    - Use of internally-generated documents.
10
Q

What does the Risk Assessment Stage involve?

A
  1. Each risk should be appraised according to (i) the probability of the risk materialising and (ii) the potential impact if it does.
  2. The board should determine the company’s (i) risk appetite (risk type/level) and (ii) its risk tolerance (amount of risk).
11
Q

What does the Risk Response Stage involve?

A
  1. Avoidance of risks.
  2. Reduction of negative risk impacts (or use of risk improvement measures).
  3. Risk transfer.
  4. Risk acceptance (of residual or uncontrollable risks).
12
Q

What does the Risk Monitoring Stage involve?

A
  1. Stress-testing (via modelling of extreme but plausible risks and responses).
  2. Development of SMART measures for risk response monitoring.
  3. Use of internal audit.
13
Q

What does the Risk Reporting Stage involve?

A
  1. Board reporting - via risk register or dashboard.
  2. Shareholder reporting - via strategic report description of principal risks and uncertainties.
14
Q

What are six Principal Benefits of adopting a Risk Management System?

A
  1. Increased likelihood of achieving business objectives.
  2. Facilitation of monitoring/mitigation in key projects/initiatives.
  3. Provision of platform of regulatory compliance.
  4. Development of investor, regulator and stakeholder confidence.
  5. Contribution to informed decision-making by deployment of shared risk information.
  6. Reduction of insurance premia due to structured risk management process.
15
Q

What is the Role of the Board in terms of Risk Management?

A
  1. Determining organisational risk appetite and tolerance.
  2. Ensuring management manage risk within board risk appetite.
  3. Monitoring performance of management (re. risk guidelines).
  4. Monitoring effectiveness of risk management systems.
16
Q

What is the Role of the Company Secretary in relation to Risk Management?

A
  1. Development:
    - Development of strategic objectives concerning risk.
    - Identification of principal risks that may be accepted for achievement of objectives (and those that may jeopardise the company).
    - Performance of robust assessment of principal risks.
  2. Advise how principal risks are managed or mitigated.
  3. Monitor:
    - Risk management and internal controls.
    - Review, annually, effectiveness of risk management and internal controls.
    - Perform, annually, an assessment of the company's future viability over a board-determined period (longer than 12 months), considering its current position and principal risks.
  4. Communicate on above via AR&A within ‘long-term viability statement’ (Provision 31, Code).