Exam Questions - Chapter One - June 2022 - Question 1 Flashcards
One of the key findings from the external audit relates to buy-in to the risk management process and you have been asked to support Sally with a presentation she is giving at the next Board meeting to try and improve engagement in the process. You and Sally have decided that the best approach is to start by focussing on why it is important for any organisation operating within a highly regulated sector to comply with regulations, to make sure that the Board and the rest of the organisation understands and engages in risk management.
Write a briefing paper, to support the Board presentation, examining the need for, and benefits of, risk management regulation for industries such as gaming.
To give context to the presentation, the paper should include three examples of international regulations or standards that are relevant to BETS and related (even indirectly) to risk management, such as environmental regulation or Enterprise Risk Management (ERM) Frameworks.
Answers should provide confidence to the markers that the candidate has understood and demonstrated their learning in relation to the risk management regulation. In particular, candidates should provide three examples of international regulations or standards that are related to risk management – either indirectly, such as Financial or Health and Safety regulations, or directly, such as ISO 31000 and COSO.
Candidates will attract one additional mark where they bring in regulation specific to the case study, i.e. the gambling industry.
The answer should be formatted as a briefing paper for the Board and include clear links to the case study. It is not expected that all aspects of the mark scheme and the detail provided from the study text are included in the answers. The information is given to provide depth of data for the markers to award relevant marks where appropriate.
Answers could include the following content:
Reasons for risk-management regulation
As noted in the case study, Matthew and Oliver are not engaging in risk management, considering that their good luck is a sign of good management. However, BETS operates in a heavily regulated industry, with compliance a key part of their operation and strategic approach. As such, one way to approach the issue of buy-in to and engagement with risk management could begin with this regulatory approach.
The risk-management decisions of an organisation are subject to a range of regulations. Common regulations include health and safety regulation, environmental regulation and legal-liability regulations (such as compulsory insurance for employee and public liability).
Certain industries, such as financial services, are subject to additional risk-management regulation aimed at protecting the overall financial system and preventing financial or legal misconduct (protecting consumers from being mis-sold financial products that do not meet their needs). Much of this regulation is now global, as global financial markets become more interconnected. Although BETS does not operate in the financial services industry, it is closely related to it.
The case for regulation is not clear, even given the importance of effective risk-management for organisations and their stakeholders and allowing for occasional conflicts of interest. Compliance with regulation can also be very time consuming and expensive. However, regulation is necessary because organisational stakeholders are not always able to ensure an optimal level of risk management on their own, primarily because of issues around self-regulation and market failures. This is relevant to BETS, especially with the resistance to risk management from Matthew and Oliver.
Costs and benefits of risk-management regulation
The primary benefit of risk-management regulation is that it intends to help mitigate market failures and to protect stakeholders from the consequences of excessive risk exposures. This does not mean that such regulation should seek to eliminate all risk. A degree of risk – even potential downside risks like pollution – is an inevitable consequence of all organisational activity. Excessive risk-management is rarely cost effective, and few risks can be reduced to zero without stopping beneficial activities. The reasonable needs of different stakeholder groups must also be balanced, such as the need for shareholders to receive a fair return on their investment.
The costs of regulation come from over-regulation or ineffective regulation, where organisations are required to reduce risk below the optimum level that balances the needs of different stakeholder groups or where organisations face excessive costs related to compliance and enforcement, without much benefit. Over-regulation is relatively rare, but different groups of stakeholders have conflicting opinions on this. In all cases compliance costs can be considerable and these costs may both decrease the profitability of an organisation and increase the price of goods and services.
Compliance costs include the cost of maintaining a compliance function or providing information to regulators. This means that the stakeholder groups that regulation is designed to protect may end up paying some or all of the associated costs of compliance.
If the Board, notably Matthew and Oliver, can see the benefits of risk management regulations in the gambling industry, there will hopefully be more engagement with the need to apply risk management in BETS.
The need for international regulation and standards
International regulations and standards are required because risk exposures often cross national boundaries. The removal of trade barriers, easier travel and resources such as the internet mean that organisations are now more multinational in terms of their operations and markets. Major risks to public goods – such as the environment or the financial system – can have far-reaching effects. Diverse risks may be connected: for example, major environmental pollution events and weather events may affect financial markets across the world. In addition, problems in financial markets and institutions can affect the supply of credit and cause global economic problems, as is still happening in the wake of the global financial crisis.
The interconnected world has also led to the development of international standards for risk-management. There is much to learn from risk-management experiences around the globe, as good risk-management practice in one country or organisation is likely to be useful for improving practice elsewhere.
The need to explain international regulations and standards is not required for this answer; however, it does provide the recognition that all organisations are exposed to risks that cross national boundaries, even when operating in one country, such as BETS. Recognising these boundaries and the risks related to them is important in ensuring the comprehensive nature of Enterprise Risk Management.
International regulation and standards in relation to risk-management
Many international regulations and standards cover key areas such as governance, the environment, financial stability, and health and safety. They are only indirectly focused on risk-management in organisations. The following key areas – subject to international regulations and standards – have relevance in a risk-management context:
- corporate governance
- environmental regulation
- financial stability
- health and safety.
As BETS is subject to regulations related to all of the key areas noted here (some more than others, financial regulation in particular), this information can be used to explain that BETS is already undertaking detailed risk management in key aspects of its organisational activities. The Board paper could highlight the way that ERM can connect these different approaches.
Corporate governance
Effective corporate governance is an important element in today’s business environment. Weak corporate governance can lead to corruption, costly scandals, organisational failure and even systemic breakdowns that damage the interests of all stakeholder groups. International regulations and standards on corporate governance help to promote sustainable economic growth on a global level, ensuring that stakeholders are treated fairly and that organisations have cost-effective access to global capital markets. Without good governance, access to global capital would be limited.
One of the most influential international standards on corporate governance is the G20/Organisation for Economic Co-operation and Development (OECD) 2015 Principles of Corporate Governance. These principles are often referenced by countries developing local governance codes or guidelines and have been adopted by international agencies such as the World Bank and Financial Stability Board (FSB). The principles exist to provide a worldwide benchmark for good corporate governance practice and supervisory assessments of this practice. The principles cover issues such as the design of effective corporate governance arrangements, ensuring the fair treatment of shareholders and other stakeholder groups, and the disclosure of corporate governance and associated risk-management information on key risk exposures.
Environmental regulation
Environmental risks such as ground, water and air pollution, along with global warming, do not respect national borders and are therefore a key part of the global risk environment. National regulation and standards in an area of significant global concern require careful co-ordination to ensure that weaknesses in one national regulatory regime are not exploited to the detriment of stakeholders in other nations.
Organisations that may be a pollution risk, or who contribute in other ways to environmental concerns, may be subject to international laws and regulations on environmental risk-management. These laws and regulations cover, among other things, the following areas:
- air quality
- water quality
- waste management
- contaminant clean-up
- chemical safety.
While making and executing strategic business decisions, organisations should ensure that they comply with these international rules and regulations as otherwise they may face fines (or worse). This is an integral part of good risk management.
International law and associated environmental regulation is complex. It consists of legally binding treaties and subsidiary protocols, such as the Kyoto Protocol on climate change. For most organisations these laws and protocols are incorporated into national regulation or, in the case of the European Union (EU), EU Directives. This means that, except in complex multinational enterprises, it may not be necessary for organisations to understand these international laws and regulations in detail.
Although environmental regulation might not be considered a key aspect of BETS’ operations, it is an important aspect for any organisation with the current focus on ESG.
Financial stability
The stability of the global financial system is a key source of risk for both financial and non-financial organisations. For non-financial organisations, a stable global financial system is necessary to ensure that they continue to have access to capital resources to help finance their activities. Financial system instability can trigger worldwide economic problems, such as disrupting payment systems. Outside of the immediate impact on BETS, ultimately, financial stability problems can cause major economic recessions and even economic collapse of businesses and nations alike.
There are few, if any, financial markets that are not interconnected in some way. Money markets are by their nature international, and stock markets such as the London Stock Exchange attract investors and other stakeholders from around the globe. Most other financial markets – such as commodities markets, bond markets and derivative markets – are also inherently international.
The net result of these interconnected markets is that financial problems in one country, or even in a single, large financial institution, can have global implications. This is known as systemic risk and financial market contagion.
The large number of causes for global financial market instability and the potentially severe consequences mean that international regulation is especially strong in this area. Multiple international agencies and most countries are involved.
Although BETS is not formally considered a financial organisation (it is categorised as an organisation in the Gaming Industry in the UK), it will still be subject to risks such as disruptions to payment systems and economic recessions.
Health and safety (H&S)
The protection of human rights is a major focus for international law and regulation. This includes protecting people from work-related sickness, disease and injury, and from harmful actions of organisations located near to their homes.
Overall responsibility for international health-and-safety regulation rests with the International Labour Organization (ILO). The ILO produces a wide range of standards and codes of practice. It also works to address areas of international concern, such as forced labour and child labour.
BETS will be subject to H&S regulation like any other organisation in the UK, and will be undertaking H&S risk assessments and managing H&S for its employees (although its responsibilities to customers will be reduced as it no longer has betting shops).
International risk-management standards
In addition to targeted international regulations for specific areas of risk, such as financial stability or environmental pollution, there are a number of global standards for the practice of risk-management more generally. The idea behind these standards is to help organisations evaluate and improve the effectiveness of their risk management arrangements by sharing good practice on a global scale. Stakeholders may encourage organisations to follow these standards.
Organisations often use them to help benchmark their practices and find ways to improve the effectiveness of their risk-management arrangements. These standards are used by regulators, external and internal auditors, risk-management professionals and company secretaries/governance professionals to help improve the management of risk against an international benchmark for good practice.
ISO 31000:2018
The ISO provides a wide range of standards to help improve management practices. The ISO 31000 standard, first published in 2009, and revised in 2018, provides guidelines for managing risk in all types of organisations, regardless of their size, activities or industry sector.
This standard covers the essential aspects of risk-management practices in organisations. It provides a set of principles, a management framework, and a process that can be used to evaluate and further improve the organisation’s risk management arrangements. This supports the achievement of an organisation’s objectives and the creation and preservation of value to its stakeholders.
The 2018 update of ISO 31000 did not change the core philosophy of the original 2009 standard but is shorter and more concise, with the intention to make the various concepts easier to understand. It also places greater emphasis on top management leadership in the creation and preservation of organisational value through risk-management. There is a greater focus on the integrated nature of risk-management, whereby organisations should review and regularly update their risk-management practices to take account of new and changing risks, such as cyber and terrorism risks.
COSO Enterprise Risk-Management – Integrated Framework 2004 and 2017
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organisations in the USA.
COSO was created to provide thought leadership on risk management, internal control and fraud deterrence to help improve organisational performance and governance. COSO is a US-based organisation, but its influence is global. Many organisations and regulatory agencies around the world base their governance and risk-management practices on the guidance provided by COSO.
In 2017, COSO released a major update to its Enterprise Risk-management – Integrated Framework (COSO, 2017), which highlights the importance of considering risk in both the strategy-setting process and in driving the performance of an organisation. As such, it takes important steps toward ensuring risk is managed as an integrated part of managing an organisation.
COSO would not be a relevant framework for BETS, as BETS is a UK-based organisation, even though COSO has a global influence.
ISO 19600:2014 – compliance-management systems
ISO 19600:2014 is the international standard for compliance-management systems. The standard is closely related to ISO 31000:2018 and is designed to help improve compliance-management practices in organisations. The standard has been designed as general guidance and does not cover issues in relation to specific areas of compliance (such as health-and-safety compliance and so on). The content of the standard includes:
* the role of the Board and senior management in providing leadership for compliance management;
* the roles of other organisational functions, including the risk function and the compliance function;
* drafting a compliance-management policy;
* agreeing compliance objectives and plans;
* communication and training;
* the operation of effective compliance-management systems;
* the evaluation of compliance-management performance; and
* dealing with non-compliance and improving the effectiveness of compliance management.
This standard could be relevant to BETS in a heavily regulated industry, where compliance and compliance systems will be a key aspect of management and assurance.