Past Exam Questions - Risk Structures and risk Mgt and Internal Controls Flashcards

1
Q

JUNE 2022 - MY ANSWER

Willow Garden Centres Limited (Willow) is a large private company which operates ten garden
centres in England.

The Board of Willow has recently decided to adopt the Wates Corporate Governance Principles for
Large Private Companies (Wates Principles).

The Board has been discussing how to improve Willow’s approach to corporate social
responsibility (CSR). During the Board discussions, two of the executive directors expressed
concerns about increasing the focus on CSR issues. But the majority of the Board were in favour of
improving the company’s approach to CSR, including improving the company’s engagement with
its stakeholders and improving the disclosures in the annual report. As a first step, the Board has
set up a staff focus group on CSR matters. The Company Secretary, Molly Wong, is the Chair of
the focus group and has been asked to report back on the group’s findings and recommendations
at the next Board meeting. At the first meeting of the focus group, the main issues raised by the
staff members were:

  • the company should disclose more about its environmental impact;
  • there is no ability for staff to provide comments on CSR matters, which are not covered in the
    annual staff survey; and
  • Willow does not have any Key Performance Indicators (KPIs) in relation to non-financial
    performance.

Willow has recently been the subject of adverse social media criticism about one of the suppliers
for the products that it sells, because the supplier has been accused of using child labour. The
Board is concerned about the reputational impact of this criticism. The Board is also concerned
about Willow’s financial position. Willow’s profitability has deteriorated over the last year and the
Board thinks that the company’s future sales may be impacted by a competitor business, which
has announced that it is going to open two new garden centres near to two of the Willow garden
centres. The Board has decided to review the company’s risk register in light of these concerns,
taking into account the Wates Principles and best practice. Willow’s risk register was last reviewed
by the Board six months ago and it does not currently include reputational risk.

(b) Discuss how the Board of Willow should approach the review of the risk register and the
ways in which the reputational risks to Willow can be managed and mitigated.
(13 marks)

A

I would recommend that the board review the risk register even though this has been done in the last 6 months due to new events occurring and the current register not identifying all risks to the company.

Whilst Willow's risk register may contain some business risks (such as financial, liquidity etc.), the previous assessment seems to have fallen short as governance risks (such as reputational risks including third party ESG) have not been considered.

In developing a risk management system, I would recommend that a process below is used.

Defining the risk - using various methods to identify and define ALL relevant risk including reputational risks. This could be brainstorming, reviewing sector wide risk management systems for best practice, mind mapping or stress testing.

Assessment of risk - This would be to carry out a risk assessment based on the likelihood multiplied by the impact of the risk, thus giving a risk score. This would then be ‘ragged’ on a risk assessment matrix. The board is also responsible for determining the risk appetite of Willow and the tolerance, e.g. what they are willing to accept in terms of risk. This in turn will be communicated and may change over time but is not normally a delegated responsibility.

Response - This would take the scores from the RA matrix and place a mitigation against each risk. Normally this would be AVOID, REDUCE, MANAGE or ACCEPT. From this, internal controls can be established to reduce or manage the risk.

Monitor - Monitoring should then be carried out to determine the effectiveness of the internal controls. This would normally be done by management of Willow or delegated to an audit committee or internal audit function. As Willow is a Ltd, there is no formal requirement for an audit committee.

Reporting - reporting on the effectiveness of the controls and risks should be carried out in 2 ways. To the board by management in the form of a risk register and to any shareholders in the annual reporting. Communication to all employees of the updated register and processes should take place as well as any training session for identified risk champions.

In terms of the different ways the reputational risk to Willow can be managed, the board should meet with the supplier and, based on discussions, consider the following:

AVOID - Stop using the supplier due to their ESG performance on child labour.

REDUCE - Continue to sell the supplier's products but seek an alternative supplier, ensuring they have good ESG standards. Through time, reduce and change supplier.

MANAGE - Advise the supplier of ESG concerns and the impact on Willow. Support them short term to try and source alternative labour and assist in the development of better ESG standards. Ask that they publish a statement highlighting their concern and what they are doing to rectify it. Set timeframes for improvements.

ACCEPT - Do nothing. Accept that there may be some loss of business due to customers disapproving of the supplier's ESG.

2
Q

JUNE 2022 - MARKERS ANSWER

Willow Garden Centres Limited (Willow) is a large private company which operates ten garden
centres in England.

The Board of Willow has recently decided to adopt the Wates Corporate Governance Principles for
Large Private Companies (Wates Principles).
The Board has been discussing how to improve Willow’s approach to corporate social
responsibility (CSR). During the Board discussions, two of the executive directors expressed
concerns about increasing the focus on CSR issues. But the majority of the Board were in favour of
improving the company’s approach to CSR, including improving the company’s engagement with
its stakeholders and improving the disclosures in the annual report. As a first step, the Board has
set up a staff focus group on CSR matters. The Company Secretary, Molly Wong, is the Chair of
the focus group and has been asked to report back on the group’s findings and recommendations
at the next Board meeting. At the first meeting of the focus group, the main issues raised by the
staff members were:
  • the company should disclose more about its environmental impact;
  • there is no ability for staff to provide comments on CSR matters, which are not covered in the
    annual staff survey; and
  • Willow does not have any Key Performance Indicators (KPIs) in relation to non-financial
    performance.
Willow has recently been the subject of adverse social media criticism about one of the suppliers
for the products that it sells, because the supplier has been accused of using child labour. The
Board is concerned about the reputational impact of this criticism. The Board is also concerned
about Willow’s financial position. Willow’s profitability has deteriorated over the last year and the
Board thinks that the company’s future sales may be impacted by a competitor business, which
has announced that it is going to open two new garden centres near to two of the Willow garden
centres. The Board has decided to review the company’s risk register in light of these concerns,
taking into account the Wates Principles and best practice. Willow’s risk register was last reviewed
by the Board six months ago and it does not currently include reputational risk.

(b) Discuss how the Board of Willow should approach the review of the risk register and the
ways in which the reputational risks to Willow can be managed and mitigated.
(13 marks)

A

Answers should demonstrate a clear understanding of how the Board should identify and assess risk using a risk register (including relevant references to the Wates Principles) and show a good knowledge of the concept of reputational risk and how it can be managed and mitigated, applying this to the facts of the Willow scenario.

Answers could include the following content:

Role of the Board - risk register
The Board of Willow has overall responsibility for risk and risk management. Under the Wates Principles, which Willow has adopted, the Board should establish oversight for the identification and mitigation of risks (Principle 4).

The Board should put in place new procedures for the ongoing review of the risk register. It is not good practice if the risk register has not been reviewed for six months.

There should be procedures in place to ensure that senior management and the Board review the risk register on an ongoing basis. Although the Board does not need to review the risk register at each Board meeting, risk should be discussed at each meeting, including any significant increases in risks or any new emerging risks.

Identification of risks
The risk register should identify the company’s principal and emerging risks.

The Board will need to ensure that a detailed mapping exercise is carried out and that there is a proper identification and analysis of the company’s principal and emerging risks.

The risk register should divide the principal risks into categories. Risk categories can include financial risks, operational risks, compliance risks and strategic risks.

Reputational risk should be added to the register as a new risk – it will normally be treated as falling within the strategic risk category.

Assessment of risks

To determine what Willow’s principal risks are, and the significance of those risks, the Board should consider how significant each potential risk is, taking into account the likelihood of the risk occurring and the potential size of the impact should it occur.

Therefore, for each risk that has been identified, there needs to be an assessment of the likelihood (or probability) of that risk occurring, and the seriousness of the impact in the event that it does.

The likelihood can be assessed as high, medium or low, with the impact being assessed as significant, moderate or minor, or a numbering system could be used, for example using a range of 1-5 with 5 being very high.

The Board needs to ensure that the assessment is updated given that the risk register was last updated six months ago. For example, the financial risks to Willow’s profitability have increased, and so that needs to be reflected in the assessment rating for that risk in the risk register.

The risk relating to the competing business, which is planning to open two new garden centres near to two of Willow’s garden centres, also needs to be included as a new financial and strategic risk in the register. It is an emerging risk which may become significant in future.

The Board will also need to consider how each of the identified risks can be managed or mitigated because the ability to manage or mitigate a risk will be a factor in whether that risk will materialise and how great an impact that risk could have if it does materialise.

For example, the Board should consider how Willow can manage and mitigate the risks relating to the impact of the two new garden centres that are being opened by the competing business, such as by ensuring that it continues to differentiate itself on products, price and customer service and considering how it can do so.

Stress testing
For significant risks, there should be a stress testing exercise, to assess the company’s ability to withstand that risk. Stress testing means carrying out an assessment, by modelling a series of hypothetical circumstances, of a company’s ability to withstand unexpected events or shocks and to consider the worst-case impact of particular events. For example, the risks to Willow in relation to the two new centres that are to be opened by the competing business need to be stress tested by considering worst case scenarios in relation to how much business the two new garden centres might take away from Willow’s two nearby garden centres.

Reputational risk
Reputational risk is an increasingly important category of risk for companies. The accessibility and speed of social media means that reputational damage to a company can occur very easily and very rapidly. As mentioned above, reputational risk needs to be added to Willow’s risk register as it is not currently included.

The guidance in the Wates Principles specifically refers to the Board having a responsibility to ensure that there is effective risk management, including management of reputational risk.

Reputational damage can have a significant detrimental impact on a company’s business. If a company is regarded as having behaved unethically or to have failed to meet the standards of business conduct that are expected of it, then this can have an impact on whether customers are willing to buy Willow’s products, employee recruitment and retention, and whether other suppliers are happy doing business with Willow.

The allegations in relation to child labour create this risk. The fact that it is a supplier, rather than Willow itself, that the allegation relates to makes the reputational issue less acute. But it is nevertheless a serious allegation creating a risk to Willow’s reputation because the expectation is that businesses should ensure that their suppliers meet minimum ethical standards.
Willow needs to have policies and processes in place to identify and manage reputational risk and have a crisis management plan in place when a serious reputational risk arises.

The Board of Willow needs to urgently agree its response to the child labour issue in order to reduce the harm that is being done to the company’s reputation. In particular, Willow needs to have an agreed communication strategy in relation to the allegation. Its external and internal messaging and clear communication of the actions that it is taking will be vital to mitigate the reputational damage that it is suffering. Willow should not claim that the allegations are untrue unless it has proof that this is the case. It needs to challenge the supplier about the allegations and ask it to provide evidence to show that the claims are untrue. It can then communicate that it has challenged the supplier about the allegations.

Willow should consider terminating, or not renewing, the contract with the supplier if the supplier is unable to give it swift and sufficient reassurance.

Companies that take CSR issues into account, and adjust their operations and strategy
to reflect them, can reduce their reputational risk. Therefore, there is a link to the steps
that Willow is taking to improve its focus on CSR issues. That may therefore be one of
the steps that will enable Willow to manage and mitigate its reputational risks in the
longer-term.

3
Q

NOVEMBER 2021 - 9A - MY ANSWER

Drayton Manufacturing Limited (Drayton) is an unlisted, private company which manufactures
home furniture. It has three factories and a head office in the UK and has a UK workforce of
around 500 staff. It does not have any retail shops and instead sells directly to customers using
its website. It uses four main suppliers for the raw materials and parts needed in the
manufacturing process.

The Drayton Board consists of five directors: a Chair, two non-executive directors, a Chief Executive and a Finance Director.

Following its last audit, the external auditor of Drayton raised two areas of concern with the
Board.

These concerns were firstly whether there was sufficient control over large purchase
orders made by the factories for materials and parts and secondly whether the company was
sufficiently prepared to respond to a cyber-security attack.

As a result of the concerns raised by the external auditor, the Finance Director of Drayton wants to improve the company’s internal controls. The company does not currently have an in-house internal audit function and instead it outsources the internal audit function by using an external professional firm to provide advice on internal control issues. The Finance Director is considering whether Drayton should establish an in-house internal audit function to replace the externally provided function.

The Drayton Board wants to improve the company’s engagement with its employees, suppliers
and customers. The Board is also considering what disclosures it will need to make in its next
annual report about engagement with stakeholders.

Drayton is a large company for the purposes of the Companies Act 2006 accounts requirements and it has also recently adopted the Wates Corporate Governance Principles for Large Private Companies. Until now, Drayton has engaged with its employees by carrying out an annual staff survey; with its suppliers by the Chief Executive meeting with each of its four main suppliers each year to get feedback; and with its customers by using the customer feedback facility on its website. The feedback from the staff survey this year included complaints from employees about the working conditions in the factories. The customer feedback has also been mixed, with an increased number of complaints
about slow delivery times.

(a) Analyse what elements of Drayton’s internal control systems the Finance Director of
Drayton should review in order to address the concerns raised by the external auditors,
and what role an internal audit function could play in improving internal controls and risk
management, including the advantages and disadvantages of using an in-house internal
audit function.
(10 marks)

A

The Wates Principles for large private companies have limited information on audit requirements and internal controls, so the Finance Director may wish to look at the UK CG Code and guidance on audit committees for further guidance in this area. Although this is not a mandatory requirement for a large private company, it may be useful for the future should the company look to become a PLC.

Section 4 of the UK CG Code, Principles M, N and O, provides guidance on audit, risk and internal control. In particular, Principle O advises that there should be established procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.

The company’s management has day-to-day responsibility for the risk management and
internal control systems, including the financial controls, and these should form an
integral part of the company’s day-to-day business processes.

In analysing whether to implement an audit function, he should review the following:

Preventative control - The board has ultimate responsibility for an organisation’s risk management and internal control systems; however, this may be delegated by the board to management / employees. Has the board set out clear delegation of authority, including limits?

Preventative control - Do clear processes, policies and procedures exist and have they been properly communicated? Have employees had the correct training?

Reactive control - If procedures do exist and these have been overridden, what actions have occurred and by whom? Has the control been adjusted to take this into account and been recommunicated?

Have there been checks and balances in place to ensure controls are effective?

In connection with cyber security, the FD should review the risk register to see if this has been identified as a risk. If not, the risk register should be updated by the board (this should take place as standard every 6 months). The board should have already agreed the risk appetite and risk tolerance of the company, so this should be reviewed to check if it has changed.

The board should understand the importance of cyber security and implement a risk management system and relevant internal controls based on a RA matrix. They should define and identify the cyber security risk to Drayton, taking into consideration that they only sell online and have no retail stores, score the likelihood multiplied by the impact of a cyber attack, score and rank the assessment, decide on what their response will be (avoid, transfer, accept, reduce) and then monitor and measure.

what role an internal audit function could play in improving internal controls and risk
management, including the advantages and disadvantages of using an in-house internal
audit function.

Some advantages / disadvantages of having an internal audit function include:
  • In-depth expertise of the business vs. limited knowledge from an external provider.
  • Additional independent assurance for the board that the controls are being managed effectively.
  • Direct contact from internal audit to the board without day-to-day management involvement.
  • More frequent internal audits rather than annually by an external provider.
  • Implementation and importance of risk and audit carried out through all departments in the company over a period of time - more difficult to do when external.

4
Q

NOVEMBER 2021 - 9A - MARKERS ANSWER

Drayton Manufacturing Limited (Drayton) is an unlisted, private company which manufactures
home furniture. It has three factories and a head office in the UK and has a UK workforce of
around 500 staff. It does not have any retail shops and instead sells directly to customers using
its website. It uses four main suppliers for the raw materials and parts needed in the
manufacturing process. The Drayton Board consists of five directors: a Chair, two non-executive
directors, a Chief Executive and a Finance Director.
Following its last audit, the external auditor of Drayton raised two areas of concern with the
Board. These concerns were firstly whether there was sufficient control over large purchase
orders made by the factories for materials and parts and secondly whether the company was
sufficiently prepared to respond to a cyber-security attack. As a result of the concerns raised by
the external auditor, the Finance Director of Drayton wants to improve the company’s internal
controls. The company does not currently have an in-house internal audit function and instead it
outsources the internal audit function by using an external professional firm to provide advice on
internal control issues. The Finance Director is considering whether Drayton should establish an
in-house internal audit function to replace the externally provided function.
The Drayton Board wants to improve the company’s engagement with its employees, suppliers
and customers. The Board is also considering what disclosures it will need to make in its next
annual report about engagement with stakeholders. Drayton is a large company for the
purposes of the Companies Act 2006 accounts requirements and it has also recently adopted
the Wates Corporate Governance Principles for Large Private Companies. Until now, Drayton
has engaged with its employees by carrying out an annual staff survey; with its suppliers by the
Chief Executive meeting with each of its four main suppliers each year to get feedback; and with
its customers by using the customer feedback facility on its website. The feedback from the staff
survey this year included complaints from employees about the working conditions in the
factories. The customer feedback has also been mixed, with an increased number of complaints
about slow delivery times.

(a) Analyse what elements of Drayton’s internal control systems the Finance Director of
Drayton should review in order to address the concerns raised by the external auditors,
and what role an internal audit function could play in improving internal controls and risk
management, including the advantages and disadvantages of using an in-house internal
audit function.
(10 marks)

A

Answers should demonstrate a clear understanding of the nature of a company’s internal
control system, why it is important in managing risk and what role an in-house internal audit
function can play in relation to internal controls and risk, applying it to the Drayton scenario.

Answers could include the following content

Internal controls
A company’s internal control system means the structures, policies and procedures that it has
in place to manage its business risks, that is its financial, operational and compliance risks.

The internal controls that should be used to manage business risks can be divided into three
types:
* Preventative controls – to prevent an adverse risk from happening.
* Detective controls – for detecting risk events when they occur.
* Corrective controls – for dealing with risk events that occur and their consequences.

The internal controls can also be categorised by reference to the type of risk that they are
designed to manage, that is financial controls, operational controls and compliance controls.
In order to be effective, the internal controls need to be well designed, so that they can
achieve their purpose, and they must be applied properly in practice.

Concerns raised by the auditor

In the case of Drayton, the auditor has identified a financial risk relating to large purchase
orders, which it is concerned is not being managed properly.
Drayton needs to improve its internal controls to ensure that sufficient control measures are in
place in relation to purchase orders. This would include reviewing the authorisation process
and authorisation levels to ensure that they are appropriate and adequate, reviewing how the
controls are implemented and monitored (including for example how approvals are recorded)
and checking that the controls are being adhered to in practice.

The auditor has also identified an operational risk, relating to the response measures that
Drayton has in place if there is a cyber-attack affecting the company’s IT systems. This is a
corrective control matter. Drayton needs to have a disaster recovery plan in place to manage
and mitigate the impact of a cyber-attack, it should review its cyber-security policies and
procedures and it should ensure that the relevant staff have up-to-date knowledge and
training on how to respond to a cyber-attack.

Role of internal audit
The key purpose of an internal audit function is to evaluate and improve the effectiveness of a
company’s internal controls and risk management system.
An internal audit team should help the Board to identify whether the appropriate internal
controls and risk management steps are in place.
The internal audit team also focuses on particular areas of concern in relation to risk and so
should be the team that Drayton uses to review the control issues raised by the auditors.
Using an in-house internal audit team
By using an in-house internal audit team, Drayton would be using a team of its own
employees to perform the function, rather than outsourcing the function to an external
professional firm.

The benefits of an in-house internal audit team are that the team would understand the
organisation, its culture, operations and risk profile. It can be properly integrated into the
business and be an ongoing part of the checks and balances which are a key part of the
internal controls. It can become the ‘eyes and ears’ of the Board in relation to risk
management and internal controls.

The disadvantage of using an in-house internal audit team would be the potential loss of the
external resources, experience and skills made available by using an external professional
organisation. Use of an in-house team can also sometimes be less cost effective for a smaller
company, in contrast to buying in the service on an ad hoc basis from an external firm.
Drayton would need to weigh up the cost of creating an in-house internal audit team against
the benefits of the ongoing focus on internal controls and risk management, and the creation
of internal knowledge and skills, that such a team would bring, particularly given the concerns
raised by the external auditor.

If an in-house internal audit team is being used, it is vital that they retain their independence
and do not just report to the Finance Director, because otherwise they would find it difficult to
criticise the Finance Director or other senior managers. They need to be objective when they
investigate and monitor the company’s controls. They therefore need to be independent of
executive management and in order to do so should have a reporting line to the non-executive Chair or to the other non-executive director of Drayton.

5
Q

NOVEMBER 2020 - Q5 - MY ANSWER

Describe what is meant in risk management by ‘stress testing’ and why stress testing should be
used as part of a company’s risk assessment process.

A

Stress testing is a term used in risk management to see if the responses which are in place via the risk assessment are effective and appropriate.

An example of stress testing may be to run a simulation exercise to test a risk and then measure how the mitigations performed and whether there were weaknesses.

This would allow for changes to the responses to be made or may identify other issues which were not originally considered when defining the risk.

Stress testing should be used to ensure risks are properly assessed, scored and responses are appropriate and effective.

A company should stress test so that they can iron out and make any amendments ahead of a real scenario.

They should test the company's overall resilience to a situation as close to real life as possible to ensure their risk assessment and internal controls are compliant and to highlight weaknesses.

6
Q

NOVEMBER 2020 - Q5 - MARKER ANSWER

Describe what is meant in risk management by ‘stress testing’ and why stress testing should be
used as part of a company’s risk assessment process.

A

Stress testing means carrying out an assessment, by modelling a series of hypothetical circumstances, of a company’s ability to withstand unexpected events or shocks. (1)

Stress testing should be used in order to help to identify which are the company’s principal risks. (1)

Stress testing can help to identify the likelihood or probability of an occurrence and the potential size of the impact of the occurrence of a particular event or circumstance. (1)

By carrying out a stress testing exercise, a company can assess the potential worst case impact of particular events. (1)

Stress testing can also help to assess the effectiveness of the measures to reduce or manage risk. (1)

Reward other valid responses.
