KCB revision - SLIDE DECK 11 - Risk Flashcards
Why is risk becoming increasingly important?
The increased speed of change within the environments in which companies are operating.
The increased transparency occasioned by social media, the internet and the insatiable needs of 24-hour traditional media
The change in the type of risks from tangible measurable risks to intangible risks, such as reputational and cyber risks.
Risks are becoming more interconnected
An increasing recognition that risk management is not just a compliance discipline. It is more about building relationships between different parts of the business and developing behaviours and a culture of risk management which require a different skill set.
‘Ensuring Corporate Viability in an Uncertain World’, AIRMIC 2017
What role does Corporate Governance have within risk?
Defining the risk that the organization is prepared to take in delivering its strategy
Ensuring risks are understood and managed
Ensuring that robust internal controls are in place to manage risks
Creating a risk culture
What information does the UKCG Code provide on risk?
‘The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks it is willing to take in order to achieve its long-term strategic objectives.’
Principle O, UKCG Code
‘The Board should carry out a robust assessment of the company’s emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and explanation of how these are being managed or mitigated.’
Provision 28, UKCG Code
‘The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.’
Provision 29, UKCG Code
The main roles and responsibilities of the audit committee should include:
Reviewing the company’s internal financial controls and internal control and risk management systems, unless expressly addressed by a separate board risk committee composed of independent non-executive directors, or by the board itself
Monitoring and reviewing the effectiveness of the company’s internal audit function or, where there is not one, considering annually whether there is a need for one and making a recommendation to the board
Provision 25, UKCG Code
What are the differences between business risk and governance risk?
Business risk is the possibility a company will have lower than anticipated profits, broken down into the following categories:
Reputational risk: the risk of loss in customer loyalty or support due to an event that has damaged the company’s reputation.
Competition risk: the risk that business performance will be affected because of the actions of the company’s competitors.
Business environment risks: the risk that the business environment in which the company operates will change significantly. This may be due to political factors, regulatory factors, economic factors, social and environmental factors or technological factors.
Liquidity risk: the risk that the company will have insufficient cash to settle all of its liabilities on time.
Governance risk relates to the risks associated with the following:
Structure – from boards and steering groups to business models and policy frameworks.
Processes – from new product processes and communication channels to operations, strategic planning and risk appetite.
Information – from financial performance and audit reporting to management, risk and compliance reporting.
People and culture – from leadership at the top to accountability and transparency throughout the organisation, including relationships with regulators
Define the term ‘internal controls’ in relation to risk.
An internal control system is made up of all of the structures, policies and procedures within an organisation related to the management of financial, operational and compliance risks.
Internal controls form that part of the internal control system which manages these risks.
What are the three main categories of internal controls in risk?
There are three main types:
Preventative controls intended to prevent an adverse risk event from occurring, e.g. fraud by employees.
Detective controls for detecting risk events when they occur, so that the appropriate person is alerted, and corrective action taken.
Corrective controls for dealing with risk events that have occurred and their consequences.
Internal controls and the internal control system seek to provide ‘reasonable assurance’ regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations.
What are ‘internal control risks’ and why would they occur?
‘Internal control risks’ are risks that internal controls will fail to achieve their intended purpose, and will fail to prevent, detect or correct adverse risk events.
These risks can occur because:
they are badly designed, and so not capable of achieving their purpose as a control; or
they are well-designed, but are not applied properly, due to human error or oversight, or deliberate ignoring or circumvention of the control (a form of operational risk event).
An internal control system needs to have procedures for identifying weak or ineffective internal controls.
Name the stages to follow when developing a risk management system.
REMEMBER DARMR
Definition & Identification
Assessment
Response
Monitoring
Reporting
For the purpose of identification, risks can be divided into what categories?
Financial
Liquidity
Credit
Operational
Strategic
Reputational
What methods might a company use to identify risk?
Methods of identifying risk:
Mind mapping: this is the simplest method and involves thinking of all the risks to the organisation. The drawback is that it is very random and not scientific and may miss important risks.
Process mapping: this method involves mapping every process within an organisation to identify interdependent, critical and vulnerable functions and activities within the organisation.
Stress testing: organisations assess their ability to withstand extreme ‘shocks’ or unexpected events in the business environment within which they operate.
Use of internally generated documents to see if any risks can be identified. Examples of these types of documents are:
Business impact studies
Market research reports
Expert reports on areas such as health and safety, development,
Once a risk has been identified, what assessment should be carried out and how will this be done?
RISK ASSESSMENT
Once a risk has been identified, it should be assessed to see if it qualifies as a principal risk of the organisation.
A procedure should be established to assess:
the LIKELIHOOD or probability of the occurrence; and
the potential size of the IMPACT of the occurrence.
A matrix is created using values and a score is assigned to each risk.
In establishing the criteria for risk assessment, the board, on management’s recommendation, should consider what?
Risk appetite is the level of risk that an organisation is willing to take in the pursuit of its objectives. It should be set by the board, who should review its level regularly as the business environment changes.
Risk tolerance is the amount of risk that an organisation is prepared to accept in order to achieve its financial objectives. It is expressed as a quantitative measure; for example, in banks, the value at risk (VaR) for a portfolio.
Once the risk assessment has identified the risk, what four types of response can be used to develop the relevant response?
Avoidance: responses which reduce the likelihood of the risk occurring. This usually means that the organisation shuts down or sells that part of the business that is causing the risk.
Reduction: responses that reduce the negative impact or take advantage of opportunities for positive impact.
Transfer: responses that transfer the risk somewhere else.
Acceptance: responses that retain the risk because it is deemed to be not a significant threat or the organisation has no control over it.
A process for monitoring the effectiveness of the responses to the risks should be established. List examples of widely used methods.
Stress testing – the organisation assesses the robustness of the risk response by modelling extreme situations to see how effective the response is in reducing the risk.
Developing SMART measures to monitor the effectiveness of the risk response.
Use of internal audit.
How should management report the risks and to whom?
- The board via a risk register or dashboard detailing description, assessment rating, risk response, effectiveness rating and comments.
- The shareholders via the strategic report. The Strategic Report must contain a description of the principal risks and uncertainties facing the company, together with an explanation of how they are to be managed or mitigated.
Large public interest entities (PIEs) must include a description of the company’s business relationships, products and services which are likely to cause adverse impacts on principal risks related to environmental matters, the company’s employees, social matters, respect for human rights and anti-corruption and anti-bribery matters.
List the benefits of having a risk management system.
Remember 5 out of the following:
Increases the likelihood of achieving business objectives.
Uses incidents to highlight the risk environment and helps management to enhance risk awareness
Facilitates monitoring and mitigation of risk in key projects and initiatives.
Provides a platform for regulatory compliance
For financial performance
Protects and enhances value by prioritising and focusing attention on managing risk across an organisation.
Contributes to a better credit rating, as rating agencies are increasingly focusing on the risk management of organisations.
Builds investor, stakeholder and regulator confidence.
Reduces insurance premiums through demonstrating a structured approach to risk.
Shares risk information across the organisation, contributing to informed decisions.
Facilitates assurance and transparency of risks at board level.
Enables decisions to be made in the light of the impact of risks and the organisation’s risk appetite and tolerance.
What is the role of the co. secretary in risk?
DEVELOP
Develop a set of strategic objectives for the company relating to risk
Identify the principal risks it is willing to take to achieve its strategic objectives and those that could threaten the company’s ‘business model, future performance, solvency and liquidity’.
Carry out a ‘robust’ assessment of the principal risks.
ADVISE
Explain how the principal risks are being managed or mitigated.
MONITOR
Monitor the risk management and internal control systems.
At least annually, carry out a review of the effectiveness of the risk management and internal control systems.
Annually carry out an assessment of the future viability of the company for a period to be determined by the board, considering the organisation’s current position and the principal risks.
COMMUNICATE
Report on the above in the company’s annual report and accounts.
The board needs to ensure that the appropriate structures are in place at the proper levels within the organisation to manage risk. In deciding what these structures should be, what does the board need to consider?
Whether risk and internal controls should be considered by the whole board or be delegated to a committee of the board.
If delegating to a committee, whether risk and internal controls should fall under one committee, the audit committee, or into two separate committees, the audit committee for internal controls and the risk committee for risk.
The division of responsibility between itself and management for risk management.
What is the purpose of the risk committee?
To focus solely on reviewing the organisation’s risk management and providing assurance to the board that risk management and the processes for the control over risk are effective.
List 5 benefits of having a risk committee.
BENEFITS
Focused only on risk
Audit Committee may not have the required skills and experience
The composition of the committee is not restricted by the requirements of the corporate governance code.
It can give the board advice and make specific recommendations on risk appetite, the organisation’s risk tolerance and strategies to manage risk.
It can provide input into strategy formulation by helping the board to understand the key risks facing the organisation and the opportunities available to the organisation by managing those risks.
The UKCG Code is silent on the constitution of the risk committee. Where can you find information in connection with this and what are the main points?
‘Terms of reference for a risk committee’, CGI 2020
The risk committee should consist of at least three members, all of whom should be independent directors.
The Committee should include at least one member of the audit committee and/or remuneration committee and/or include one non-executive director specifically responsible for risk.
Members of the committee should have appropriate knowledge, skills and expertise to fully understand risk appetite and strategy; the members as a whole should have relevant risk expertise.
The committee as a whole should have competence relevant to the sector in which the company operates.
The finance director/CFO and the chief risk officer should attend committee meetings regularly.
List 5 things that the ‘Terms of reference for a risk committee’, CGI 2020 paper advises are the risk committee’s role.
Providing assurance to the board that risk management and processes for control over risk are effective.
Monitoring risk areas faced by the company by receiving periodic reports on them and their management, and making recommendations to the board where appropriate.
Overseeing the CRO’s role and responsibilities and providing direction on them.
Providing information to the board to help with strategy formulation, for example with regard to risk appetite in the company’s strategy. This is achieved by helping the board to understand the key risks facing the company, its risk tolerances and its defences against those risks.
Monitoring the behaviour of management to ensure that there is not excessive risk taking, and taking appropriate action if such behaviour is discovered.
Recommending to the board changes in the risk management policies.
Considering risk opportunities and making recommendations to the board.
Reviewing and approving statements to be included in the annual report concerning internal controls and risk management.
What is the role of the co. secretary in the audit committee?
(learn as info. is the same for audit / risk / remuneration)
DEVELOPMENT
Developing the terms of reference for the committee
Conducting an induction for new members of the audit committee
Developing an annual calendar of activities for the committee
Ensuring that the committee has sufficient resources to carry out its role.
Organising professional development for committee members either individually or as a group.
Organising the annual evaluation of the performance of the committee and its chair
ADVISING
Advising the board on the appropriate composition for the committee
Assisting committee members in their understanding of current and emerging issues, especially those from shareholders, regulators and other stakeholders
Assisting the committee in sourcing advice of experts on issues under the committee’s responsibility.
MONITORING
COMMUNICATING
Drafting the risk report to be included in the annual report
Acting as secretary to the committee providing governance and procedural advice and logistical support to the committee, its chair and other members
What does the Institute of Internal Auditors say about the role of the internal audit function?
Internal audit functions should be an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.
It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.