KCB revision - SLIDE DECK 11 - Risk Flashcards
Why is risk becoming increasing important?
The increased speed of change within the environments which companies were operating.
The increased transparency occasioned by social media, the internet and the insatiable needs of 24-hour traditional media
The change in the type of risks from tangible measurable risks to intangible risks, such as reputational and cyber risks.
Risks are becoming more interconnected
An increasing recognition that risk management is not just a compliance discipline. It is more about building relationships between different parts of the business and developing behaviours and a culture of risk management which require a different skill set.
Ensuring Corporate Viability in an Uncertain World’, AIRMIC 2017
What role does Corporate Governance have within risk?
Defining the risk that the organization is prepared to take in delivering its strategy
Ensuring risks are managed are understood and managed
Ensuring that robust internal controls are in place to manage risks
Creating a risk culture
What information does the UKCG Code provide on risk?
The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks it is willing to take in order to achieve its long-term strategic objectives.’
Principle O, UKCG Code
‘The Board should carry out a robust assessment of the company’s emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and explanation of how these are being managed or mitigated.’
Provision 28, UKCG Code
‘The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.’
Provision 29, UKCG Code
The main roles and responsibilities of the audit committee should include……
Reviewing the company’s internal financial controls and internal control and risk management systems, unless expressly addressed by a separate board risk committee composed of independent non-executive directors, or by the board itself
Monitoring and reviewing the effectiveness of the company’s internal audit function or, where there is not one, considering annually whether there is a need for one and making a recommendation to the board
Provision 25, UKCG code
What are the differences between business risk and governance risk?
Business risk is the possibility a company will have lower than anticipated profits, broken down into the following categories:
Reputational risk: the risk of loss in customer loyalty or support due to an event that has damaged the company’s reputation.
Competition risk: the risk that business performance will be affected because of the actions of the company’s competitors.
Business environment risks: the risk that the business environment in which the company operates will change significantly. This may be due to political factors, regulatory factors, economic factors, social and environmental factors or technological factors.
Liquidity risk: the risk that the company will have insufficient cash to settle all of its liabilities on time.
Governance risk relates to the risks associated with the following:
Structure – from boards and steering groups to business models and policy frameworks.
Processes – from new product processes and communication channels to operations, strategic planning and risk appetite.
Information – from financial performance and audit reporting to management, risk and compliance reporting.
People and culture – from leadership at the top to accountability and transparency throughout the organisation, including relationships with regulators
Define the term internal controls in relation to risk?
An internal control system is made up of all of the structures, policies and procedures within an organisation related to the management of financial, operational and compliance risks.
Internal controls form that part of the internal control system which manage these risks.
What are the three main categories of internal controls in risk
There are three main types:
Preventative controls intended to prevent an adverse risk event from occurring, e.g. fraud by employees.
Detective controls for detecting risk events when they occur, so that the appropriate person is alerted, and corrective action taken.
Corrective controls for dealing with risk events that have occurred and their consequences.
Internal controls and the internal control system seek to provide ‘reasonable assurance’ regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations.
What are ‘internal control risks’ and why would they occur?
‘Internal control risks’ are risks that internal controls will fail to achieve their intended purpose, and will fail to prevent, detect or correct adverse risk events.
These risks can occur because:
they are badly designed, and so not capable of achieving their purpose as a control; or
they are well-designed, but are not applied properly, due to human error or oversight, or deliberately ignoring or
circumvention of the control (a form of operational risk event).
An internal control system needs to have procedures for identifying weak or ineffective internal controls.
Name the stages to follow when developing a risk management system.
REMEMBER DARMR
Definition & Identification
Assessment
Response
Monitoring
Reporting
For the purpose of identification. risks can be divided into what categories?:
Financial
Liquidity
Credit
Operational
Strategic
Reputational
What methods might a company use to identify risk?
Methods of identifying risk:
Mind mapping: this is the simplest method and involves thinking of all the risks to the organisation. The drawback is that it is very random and not scientific and may miss important risks.
Process mapping: this method involves mapping every process within an organisation to identify interdependent, critical and vulnerable functions and activities within the organisation.
Stress testing: organisations assess their ability to withstand extreme ‘shocks’ or unexpected events in the business environment within which they operate.
Use of internally generated documents to see if any risks can be identified. Examples of these types of documents are:
Business impact studies
Market research reports
Expert reports on areas such as health and safety, development,
Once a risk has been identified, what assessment should be carried out and how will this be done?
RISK ASSESSMENT
Once a risk has been identified, it should be assessed to see if it qualifies as a principal risk of the organisation.
A procedure should be established to assess:
the LIKELIHOOD or probability of the occurrence; and
the potential size of the IMPACT of the occurrence.
A matrix is created using values and a score is assigned to each risk.
In establishing the criteria for risk assessment, the board, on management’s recommendation, should consider what?
Risk appetite is the level of risk that an organisation is willing to take in the pursuit of its objectives. It should be set by the board, who should review its level regularly as the business environment changes.
Risk tolerance is the amount of risk that an organisation is prepared to accept in order to achieve its financial objectives. It is expressed as a quantitative measure; for example, in banks, the value at risk (VaR) for a portfolio
Once the risk assessment has identified the risk, what 4 responses are used to develop the relevant response?
Avoidance: responses which reduce the likelihood of the risk occurring. This usually means that the organisation shuts down or sells that part of the business that is causing the risk.
Reduction: responses that reduce the negative impact or take advantage of opportunities for positive impact.
Transfer: responses that transfer the risk somewhere else.
Acceptance: responses that retain the risk because it is deemed to be not a significant threat or the organisation has no control over it.
A process for monitoring the effectiveness of the responses to the risks should be established. List examples of widely used methods.
Stress testing – the organisation assesses the robustness of the risk response by modelling extreme situations to see how effective the response is in reducing the risk.
Developing SMART measures to monitor the effectiveness of the risk response.
Use of internal audit
How should management report the risks and to who?
- The board via a risk register or dashboard detailing description, assessment rating, risk response, effectives rating and comments.
- The shareholders via the strategic report. The Strategic Report must contain a description of the principal risks and uncertainties facing the company, together with an explanation of how they are to be managed or mitigated.
Large public interest entities (PIEs) must include a description of the company’s business relationships, products and services which are likely to cause adverse impacts on principal risks related to environmental matters, the company’s employees, social matters, respect for human rights and anti-corruption and anti-bribery matters.
List the benefits of having a risk management system.
Remember 5 out of the following….
Increases the likelihood of achieving business objectives.
Uses incidents to highlight the risk environment and helps management to enhance risk awareness
Facilitates monitoring and mitigation of risk in key projects and initiatives.
Provides a platform for regulatory compliance
For financial performance
Protects and enhances value by prioritising and focusing attention on managing risk across an organisation.
Contributes to a better credit rating, as rating agencies are increasingly focusing on the risk management of organisations.
Builds investor, stakeholder and regulator confidence.
Reduces insurance premiums through demonstrating a structured approach to risk.
Shares risk information across the organisation, contributing to informed decisions.
Facilitates assurance and transparency of risks at board level.
Enables decisions to be made in the light of the impact of risks and the organisation’s risk appetite and tolerance.
What is the role of the co. secretary in risk?
DEVELOP
Develop a set of strategic objectives for the company relating to risk
Identify the principal risks it is willing to take to achieve its strategic objectives and those that could threaten the company’s ‘business model, future performance, solvency and liquidity’.
Carry out a ‘robust’ assessment of the principal risks.
ADVISE
Explain how the principal risks are being managed or mitigated.
MONITOR
Monitor the risk management and internal control systems.
At least annually, carry out a review of the effectiveness of the risk management and internal control systems.
Annually carry out an assessment of the future viability of the company for a period to be determined by the board considering the organisation’s current position and the principal risks
COMMUNCATE
Report on the above in the company’s annual report and accounts.
The board needs to ensure that the appropriate structures are in place at the proper levels within the organisation to manage risk. In deciding what these structures should be, what should the board needs to consider.
Whether risk and internal controls should be considered by the whole board or be delegated to a committee of the board.
If delegating to a committee, whether risk and internal controls should fall under one committee, the audit committee, or into two separate committees, the audit committee for internal controls and the risk committee for risk.
The division of responsibility between itself and management for risk management.
What is the purpose of the risk committee?
To focus solely on reviewing the organisation’s risk management and providing assurance to the board that risk management and the processes for the control over risk are effective.
List 5 benefits of having a risk committee.
BENEFITS
Focused only on Risk
Audit Committee may not have the required skills and experience
The composition of the committee is not restricted by the requirements of the corporate governance code.
It can give the board advice and make specific recommendations on risk appetite, the organisation’s risk tolerance and strategies to manage risk.
It can provide input into strategy formulation by helping the board to understand the key risks facing the organisation and the opportunities available to the organisation by managing those risks.
The UKCG Code is quiet on the constitution of the risk committee. Where can you find information in connection with this and what are the main points?
‘Terms of reference for a risk committee’, CGI 2020
The risk committee should consist of at least three members, all of whom should be independent directors.
The Committee should include at least one member of the audit committee and/or remuneration committee and/or include one non-executive director specifically responsible for risk.
Members of the committee should have appropriate knowledge, skills, and expertise to fully understand risk appetite and strategy/members as a whole should have relevant risk expertise.
The committee as a whole should have relevant competence relevant to the sector in which the company operates.
The finance director/CFO and the chief risk officer should attend committee meetings regularly.
List 5 things that the Terms of reference for a risk committee’, CGI 2020 paper advise is the risk committees role.
Providing assurance to the board that risk management and processes for control over risk are effective.
Monitoring risk areas faced by the company by receiving period reports on them and their management and, making recommendations to the board where appropriate.
Overseeing the CRO’s role and responsibilities and providing direction on them.
Providing information to the board to help with strategy formulation, for example with regard to risk appetite in the company’s strategy. This is achieved by helping the board to understand the key risks facing the company, its risk tolerances and its defences against those risks.
Monitoring the behaviour of management to ensure that there is not excessive risk taking and take appropriate actions if such behaviours are discovered.
Recommending to the board changes in the risk management policies.
Considering risk opportunities and making recommendations to the board.
Reviewing and approving statements to be included in the annual report concerning internal controls and risk management.
What is the role of the co. secretary in the audit committee
(learn as info. is the same for audit / risk / renumeration)
DEVELOPMENT
Developing the terms of reference for the committee
Conducting an induction for new members of the audit committee
Developing an annual calendar of activities for the committee
Ensuring that the committee has sufficient resources to carry out its role.
Organising professional development for committee members either individually or as a group.
Organising the annual evaluation of the performance of the committee and its chair
ADVISING
Advising the board on the appropriate composition for the committee
Assisting committee members in their understanding of current and emerging issues, especially those from shareholders, regulators and other stakeholders
Assisting the committee in sourcing advice of experts on issues under the committee’s responsibility.
MONITORING
COMMUNICATING
Drafting the risk report to be included in the annual report
Acting as secretary to the committee providing governance and procedural advice and logistical support to the committee, its chair and other members
What does the Institute of Internal Auditors say about the role of the internal audit function?
Internal audit functions should be an independent objective assurance and consulting activity designed to add value and improve an organisation’s operations.
It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
List 5 roles / tasks and internal audit function may carry out.
Value for Money (VFM) audits. This is an investigation into an operation or activity to establish whether it is economical, efficient and effective.
Reviewing compliance by the organisation with particular laws or regulations. This is an investigation into the effectiveness of compliance controls.
Risk assessment Internal auditors might be asked to investigate aspects of risk management, and in particular the adequacy of the mechanisms for identifying, assessing and controlling significant risks to the organisation, from both internal and external sources.
Suitability of controls
Reports To Audit Committee/Risk Committee and Board
List benefits of having an in house audit function vs an outsourced internal audit function.
BENEFITS OF AN IN-HOUSE INTERNAL AUDIT FUNCTION
Understands the organisation, its culture, operations and risk profile and can add value to the organisation’s processes
Can build networks throughout the organisation, become integrated into the company’s business and as such become the ‘eyes and ears’ of the board
Provide assurance to stakeholders on the integrity of the organisation’s systems
Become an essential part of the checks and balances within the organisation
could be a lower-cost option, depending on the make-up of the team.
BENEFITS OF AN OUTSOURCED INTERNAL AUDIT FUNCTION
The organisation can leverage resources, technology, skills and experience which may not be available to it with an in-house team.
What does the FRC guidance say around objectiveness and independence of an internal audit function?
The FRC Guidance on audit committees provides….
Audit committee should approve the appointment or termination of appointment of the head of internal audit.
Internal audit should have access to the audit committee and board chair where necessary
Audit committee should ensure internal audit has a reporting line which enables it to be independent of the executive and so able to exercise independent judgement.
What responsibilities does the audit committee have to review the effectiveness of the internal audit function?
REVIEW OF EFFECTIVENESS
In its annual assessment of the effectiveness of the internal audit function the audit committee should:
Meet with the head of internal audit without the presence of management to discuss the effectiveness of the function
Review and assess the annual internal audit work plan
Receive a report on the results of the internal auditors’ work
Monitor and assess the role and effectiveness of the internal audit function in the overall context of the company’s risk management system
Why would workplaces need a whistleblowing policy and what information does the code provide in connection with this?
The need for whistleblowing arises when normal procedures and internal controls will not reveal the illicit activity, because the individuals responsible for the activity are somehow able to ignore or get around the normal controls.
UKCG Code advises
‘The workforce should be able to raise any matters of concern’.
Principle E, UKCG Code
‘There should be a means for the workforce to raise concerns in confidence and – if they wish – anonymously. The board should routinely review this and the reports arising from its operation. It should ensure that arrangements are in place for the proportionate and independent investigation of such matters and for follow-up action.’
Provision 6, UKCG Code
What areas of concerns would a whistleblowing policy cover.
Remember 5 inc. bullying. An effective whistleblowing procedure should allow for an employee to raise concerns about illicit behaviour usually in one of the following areas:
Fraud
A serious violation of a law or regulation by the company or by directors, managers or employees within the company
A miscarriage of justice
Bribery
Price-fixing
Danger to public health or safety, such as dumping toxic waste in the environment or supplying food that is unfit for consumption
Neglect of people in care
Waste or misuse of public funds#
Bullying
List the procedure for introducing a whistleblowing policy.
Identify purpose, scope and coverage
Develop procedures for reporting a matter
Develop process for dealing with, ensuring anonymity and protection of the whistleblower, whilst ensuring ongoing communication
Create policy and circulate throughout company
Provide reports to to the board (or audit committee)?
Ongoing monitoring of procedure
There is a growing recognition that cybersecurity should be high on the board’s agenda.
Companies no longer have a choice as to whether they mitigate against cyberattacks. It should be an important part of their risk management process.
What three areas is a Cyber security policy made up of?
The policy is usually made up of three parts:
Physical security of the technology
Personnel management
Hardware and software
What regulations aim to improve the security of network and information security systems of operators of essential services (OES) and relevant digital service providers (RDSP).
The Network and Information System Regulations 2020.
The regulations require the organisations which are subject to them to take appropriate and proportionate technical and organisational measures to manage the risks posed to their network and information systems and to minimisethe impact of any incidents that occur. Where incidents do occur, which have had a significant impact on the essential service, the entity must notify their competent authority within the timescales provided.
Boards are increasingly being expected to ensure that information and knowledge are managed effectively within their organisations and that they are protected..
What t would an information disclosure policy include?
Objectives and principles of the disclosure. The main objective of disclosure is to keep stakeholders informed about the company to enable them to make informed decisions when dealing with the company.
Authorised persons. The policy should set out who is authorised to disclose what information to which stakeholder group.
Public information. The policy will usually set out what information about the company is in the public domain.
Confidential information. The policy should also set out what information should be kept confidential
Insider information. This is information that would, if disclosed, move the company’s share price.
What is a disaster recovery plan and what types of instances would it be brought into action?
A plan of what needs to be done immediately after a disaster to recover from the event.
The disaster is of a nature unconnected with the company’s business and outside the control of management.
Examples of disasters are:
Natural disasters
IT disruptions
Major terrorist attacks
List the procedures when implementing a disaster recovery plan.
Specify which operations are essential and must be kept going.
Identify and analyse all potential threats to essential operations.
Identify possible reactions to the threats to essential operations.
Specify where operations should be transferred to.
Identify key personnel who are needed to maintain the systems required to keep essential operations running.
Communicate with all stakeholders affected by the disaster and the DRP.
What three criminal offences did the The UK Bribery Act 2010 introduce?
Offering bribes (active bribery) and receiving bribes (passive bribery).
Bribery of foreign public officials for business benefit.
Failure to prevent a bribe being paid on the organisation’s behalf.
A consequence of the Bribery Act is that UK companies must ensure that they have internal controls sufficient to prevent bribery by any of its employees or agents or detecting bribery when it occurs.
What are the principles set out by MOJ in connection with this?
Proportionate procedures. The procedures of a commercial organisation to prevent bribery by people associated with it should be proportionate to the risk of bribery that it faces and the nature and scale of its commercial activities.
Top-level commitment
Risk assessment. There should be periodic, informed and regular assessment by organisations of the nature and extent of potential bribery by people associated with it.
Due diligence for third party intermediaries and local agents who will act on behalf of the organisation, with a view to identifying and mitigating bribery risk.
Communication (including training).
Monitoring and review.
How can a company avoid conviction for failing to prevent bribery?
A company can avoid conviction of failing to prevent bribery if it can show that, although bribery may have occurred, it has in place ‘adequate processes’ to prevent bribery.
