Risk Management and Internal Control Flashcards

1
Q

What is the responsibility of the board of directors (BOD) for risk?

A

Overall responsibility for risk management.

Board:

  • decides the risk appetite of the company;
  • requires management to manage risks within the board's guidelines for risk appetite;
  • monitors the performance of management, to ensure that the business is being managed within the risk guidelines set by the board; and
  • monitors the risk management system to ensure that it is effective and achieves its purpose.
2
Q

What is risk appetite and risk tolerance?

A

RISK APPETITE - level of risk that a company is willing to take in the pursuit of its objectives. Combination of the desire to take on risk in order to obtain a financial return and its risk capacity.

Should be reviewed regularly by the board and decisions taken about scale of risk desirable/acceptable.

RISK TOLERANCE - amount of risk that a company is prepared to accept in order to achieve its financial objectives, expressed as a quantitative measure, as a permitted range of deviation from a specific target or a maximum limit.

Could be expressed in numerical terms, such as maximum loss that the board would be willing to accept on a particular venture if events turn out adversely. Can also be expressed as a total ban on certain types of business activity or behaviour.

E.g. a company may be able to pursue business strategies whose possible outcomes range from £100M profit to a £40M loss over the next 5 years (the risk tolerance: the range of outcomes it could absorb). The board may then decide that its risk appetite over the same period is narrower: aiming for £50M profit while accepting at most a £10M loss.

3
Q

What may be the consequences of failing to consider business risk strategy or establish an effective risk management system?

A

Failure or collapse of the business.

If the company is exposed to a risk whose consequences it cannot afford, then if that event does occur it can bankrupt itself.

It can seriously damage the reputation from which the company attracts its customer base, and therefore have a huge impact on its revenue.

In the current climate markets are extremely volatile, with key political events taking place, so it is becoming more difficult to predict how to position the business (e.g. FX/currency exposure). If the company is heavily exposed to a high-risk country or currency that suddenly crashes, for example because of a political event, it has taken on too much risk relative to the potential upside, and this can seriously damage it financially.

4
Q

What is business risk and how might it be measured?

A

Split between:

  1. STRATEGIC RISKS (external) - arise in the external business environment in which the company operates, and are determined by the strategies the company pursues.
  2. OPERATING RISKS (internal) - losses that arise through ineffective controls within the processes and systems of the company's business operations. Classified into 3 types: OPERATIONAL RISK, FINANCIAL RISK and COMPLIANCE RISK.
5
Q

How might risks be categorised?

A

REPUTATION RISK - loss of customer loyalty/support following an event. Often arising from unethical behaviour (environment, human rights).

COMPETITION RISK - risk that business performance will differ from expected performance because of actions taken (or not taken) by rivals.

BUSINESS ENVIRONMENT RISKS - significant changes in business environment from political/regulatory factors, economic factors, social/environmental factors, tech factors (PEST factors).

RISKS FROM EXTERNAL EVENTS - financial conditions may change (adverse interest/FX rates), higher losses from bad debts or changes in prices in financial markets.

LIQUIDITY RISK - insufficient cash to settle liabilities on time, so may be forced out of business.

6
Q

What are the responsibilities of the audit committee for business risk and the business risk management system?

A

PROVISION 25 - Main roles of the audit committee include:

Monitoring the integrity of the financial statements and any formal announcements relating to the company's financial performance, and reviewing significant financial reporting judgements contained in them;

Reviewing the company’s internal financial controls and internal control and risk management systems, unless expressly addressed by a separate board risk committee composed of independent NEDs, or by the board itself;

Monitoring and reviewing the effectiveness of the company’s internal audit function.

7
Q

What is the difference between a risk committee of the board and a risk management committee?

A

Board vs executive management.

A risk committee of the board is a committee of the board itself (made up of directors); a risk management committee is a committee of executive management, i.e. the managers who run the risk management system within the guidelines set by the board.

Board level - responsibility for reviewing the effectiveness of the risk management system may be delegated to the audit committee (which is also likely to have responsibility for reviewing the internal control system).

Alternatively the board may prefer to establish a separate risk committee of the board.

8
Q

What are the principles and provisions of the UK Code with regard to business risk management?

A

Section 4 "Audit, Risk and Internal Control"

PRINCIPLE M - the board should establish formal and transparent policies and procedures to ensure the independence and effectiveness of internal and external audit functions and satisfy itself on the integrity of financial and narrative statements.

PRINCIPLE O - the board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.

PROVISION 25 - Main roles of the audit committee include: reviewing the company’s internal financial controls and internal control and risk management systems, unless expressly addressed by a separate board risk committee composed of independent NEDs, or by the board itself.

PROVISION 28 - The board should carry out a robust assessment of the company’s emerging and principal risks. Confirming in annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks and an explanation of how these are being managed/mitigated.

PROVISION 29 - The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.

9
Q

What are the main elements of a business risk management system?

A
  1. Internal Environment
  2. Objective Setting
  3. Risk Identification
  4. Risk Assessment
  5. Risk Response
  6. Control Activities
  7. Information and Communication
  8. Monitoring
10
Q

What is a risk register?

A

Risk registers are maintained by exec management and can be used by the risk committee of the board (or audit committee) as a way of reviewing the effectiveness of the risk management system.

A risk register:

  • records the risks identified;
  • records the actions taken to investigate each risk;
  • identifies the person with management responsibility for the risk;
  • records the measures taken to deal with the risk;
  • records the effects of control measures, to assess whether control is effective or new measures are required; and
  • records regular reviews of each risk, to determine whether it is becoming more or less significant.
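As an added illustration of what the register above has to support (this is example code written for this card, not something from the original deck or from any particular company), the following Python keeps each risk with its owner, investigation, control measures and a history of reviews, and derives from that history the two things a board committee actually asks: is residual risk still above the appetite (so new measures are needed), and is the risk trending up or down? The 1-5 likelihood/impact scales, the appetite score of 10, the 90-day review interval and the three sample entries are all constructed assumptions.

```python
"""Minimal risk register (added example, not from the original card).

Scales, thresholds and the sample entries below are constructed assumptions;
a real register would use whatever scales the board's risk appetite
statement defines.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Review:
    on: date
    likelihood: int          # 1 (rare) .. 5 (almost certain), after controls
    impact: int              # 1 (minor) .. 5 (catastrophic), after controls
    note: str = ""


@dataclass
class Risk:
    ref: str
    description: str
    owner: str               # person with management responsibility
    likelihood: int          # inherent likelihood, before controls
    impact: int              # inherent impact, before controls
    investigation: str = ""  # actions taken to investigate the risk
    measures: list[str] = field(default_factory=list)    # controls applied
    reviews: list[Review] = field(default_factory=list)  # oldest first

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Score after controls: the latest review, or inherent if never reviewed."""
        if not self.reviews:
            return self.inherent_score
        last = self.reviews[-1]
        return last.likelihood * last.impact

    def trend(self) -> str:
        """Compare the last two reviews: is the risk getting more or less significant?"""
        if len(self.reviews) < 2:
            return "insufficient data"
        prev, last = self.reviews[-2], self.reviews[-1]
        before, after = prev.likelihood * prev.impact, last.likelihood * last.impact
        if after > before:
            return "increasing"
        return "decreasing" if after < before else "stable"


def needs_new_measures(risk: Risk, appetite_score: int) -> bool:
    """Controls are not effective if residual risk still exceeds the appetite."""
    return risk.residual_score > appetite_score


def overdue(register: list[Risk], today: date, interval: timedelta) -> list[str]:
    """Refs of risks not reviewed within the interval (never reviewed counts as overdue)."""
    late = []
    for r in register:
        last = r.reviews[-1].on if r.reviews else None
        if last is None or today - last > interval:
            late.append(r.ref)
    return late


def summary(register: list[Risk], appetite_score: int) -> dict[str, dict]:
    """One row per risk, in the shape a risk committee paper would tabulate."""
    return {
        r.ref: {
            "owner": r.owner,
            "inherent": r.inherent_score,
            "residual": r.residual_score,
            "trend": r.trend(),
            "new_measures": needs_new_measures(r, appetite_score),
        }
        for r in register
    }


# Constructed sample register (assumed values, not real data).
APPETITE_SCORE = 10
TODAY = date(2024, 9, 1)
REVIEW_INTERVAL = timedelta(days=90)
REGISTER = [
    Risk("R1", "Unauthorised trading positions", "Head of Trading", 4, 5,
         investigation="Internal audit review of trade approvals",
         measures=["Independent back-office sign-off", "Daily position limits"],
         reviews=[Review(date(2024, 1, 15), 3, 5), Review(date(2024, 7, 15), 2, 5)]),
    Risk("R2", "Loss of customer data", "CIO", 3, 4,
         measures=["Encryption at rest"],
         reviews=[Review(date(2023, 12, 1), 3, 4), Review(date(2024, 6, 1), 3, 4)]),
    Risk("R3", "Currency exposure in a volatile market", "CFO", 3, 3),
]

if __name__ == "__main__":
    for ref, row in summary(REGISTER, APPETITE_SCORE).items():
        print(ref, row)
    print("overdue for review:", overdue(REGISTER, TODAY, REVIEW_INTERVAL))
```

In the sample data, R1's controls have brought it from 20 down to 10 (within appetite, trend decreasing), R2's single control has not moved it at all (residual 12, stable, so the register flags that new measures are needed), and R3 has never been reviewed, so it appears in the overdue list alongside R2, whose last review is older than the interval.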

11
Q

What is the purpose of stress testing?

A

Assess a company’s ability to withstand extreme ‘shocks’ or unexpected events in the business environment.

Takes the company's business plan or forecasting model, alters a key variable (e.g. a large spike in the price of a key resource such as oil) and re-runs the forecast.

It will assess whether the company could survive the shock. If there are doubts then the company should consider measures to reduce the risk (e.g. develop contingency plan or improve capital/liquidity).
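To make the mechanics concrete, here is an added example (written for this card; not from the original deck and not any company's real forecast) of a stress test on a toy five-year cash-flow plan. The plan, its figures, and the choice of oil price as the shocked variable are all assumptions. Besides shocking the plan by a fixed amount, it also runs the question in reverse: how big a shock can the plan survive before cash runs out? That "breaking point" is what tells the board whether the contingency plan or extra liquidity mentioned above is needed.

```python
"""Stress test of a toy five-year cash-flow forecast (added example).

The model, the numbers and the choice of 'oil price' as the shocked variable
are constructed assumptions, not figures from any real company.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Plan:
    opening_cash: float      # £m cash at the start of year 1
    revenue: float           # £m revenue per year (assumed flat)
    fixed_costs: float       # £m per year, independent of the oil price
    fuel_volume: float       # million barrels consumed per year
    oil_price: float         # £ per barrel in the baseline plan
    years: int = 5


def project_cash(plan: Plan, oil_multiplier: float = 1.0) -> list[float]:
    """Year-end cash balances with the oil price scaled by oil_multiplier.

    1.0 reproduces the baseline plan; 2.0 is a 100% price spike.
    """
    price = plan.oil_price * oil_multiplier
    cash = plan.opening_cash
    balances = []
    for _ in range(plan.years):
        cash += plan.revenue - plan.fixed_costs - plan.fuel_volume * price
        balances.append(round(cash, 2))
    return balances


def survives(plan: Plan, oil_multiplier: float, min_cash: float = 0.0) -> bool:
    """True if cash never falls below min_cash in any year of the shocked run."""
    return min(project_cash(plan, oil_multiplier)) >= min_cash


def breaking_point(plan: Plan, min_cash: float = 0.0, tol: float = 1e-3) -> float:
    """Reverse stress test: the largest oil multiplier the plan survives.

    Doubles the shock until the plan breaks, then bisects between the last
    surviving and first failing multiplier. Returns inf if no shock breaks it.
    """
    lo, hi = 1.0, 1.0
    while survives(plan, hi, min_cash):
        hi *= 2.0
        if hi > 1e6:               # plan is insensitive to this variable
            return float("inf")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if survives(plan, mid, min_cash):
            lo = mid
        else:
            hi = mid
    return round(lo, 3)


# Constructed baseline: comfortable in the base case, fragile to oil.
BASELINE = Plan(opening_cash=50.0, revenue=100.0, fixed_costs=60.0,
                fuel_volume=0.5, oil_price=60.0)

if __name__ == "__main__":
    print("baseline cash  :", project_cash(BASELINE))
    print("oil +50%       :", project_cash(BASELINE, 1.5), "survives:", survives(BASELINE, 1.5))
    print("oil +100%      :", project_cash(BASELINE, 2.0), "survives:", survives(BASELINE, 2.0))
    print("breaking point :", breaking_point(BASELINE), "x baseline oil price")
```

With these assumed numbers the plan survives a 50% oil price spike but not a 100% one, and the reverse test puts the breaking point at roughly 1.67 times the baseline price; a board that regards a doubling of the oil price as plausible over five years would treat that as a doubt about survival and look at contingency measures or a larger liquidity buffer.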

12
Q

How might executives' rewards be adjusted for business risk?

A

UK Code: Remuneration policies should be compatible with risk policies and systems.

Defer incentive payments, such as annual bonuses, over a number of years (3-5 years). These can then be adjusted each year depending on the company’s performance.

13
Q

COSO internal control system vs COSO ERM model

A

COSO Internal Control System

  1. A Control Environment
  2. Risk ID and Assessment
  3. Internal Controls
  4. Info and Communication
  5. Monitoring

COSO ERM Model

  1. Internal Environment
  2. Objective Setting
  3. Risk ID (same as internal control element 2)
  4. Risk Assessment (same as internal control element 2)
  5. Risk Response
  6. Control Activities
  7. Info and Communication (same as internal control element 4)
  8. Monitoring (same as internal control element 5).
14
Q

CASE STUDY: Barings Bank (Nick Leeson)

A

In 1995 Barings Bank collapsed as a result of losses incurred in trading in Asia by Nick Leeson.

NL was sent to the Singapore office in 1992 as general manager. He took the exam that qualified him to trade on the Singapore exchange, SIMEX.

He acquired a position of considerable authority in the office, becoming head trader and head of back office operations as well as general manager, so there was no segregation of duties between front office and back office.

There should have been controls in the bank to prevent speculative trades by traders that would expose the bank to excessive risk. NL was in such a powerful position that he could ignore and override them.

NL took unauthorised speculative positions on SIMEX and Japan's Osaka exchange. He hoped to make large profits but instead made losses, hiding them in an error account, '88888', so that the figures he reported appeared to show large profits.

By the end of 1992 he had lost £2M; by 1993, £23M; and by 1994 losses amounted to £208M. NL was able to fund these losses by borrowing money from other areas of the bank and from client accounts.

Senior managers in London were not aware of what was happening. NL and his staff were paid large bonuses on the strength of the large profits they appeared to have generated.

In Feb 1995 NL fled Singapore, leaving behind losses of £827M. The bank could not absorb this loss and collapsed soon after.

15
Q

What are the main elements of a system of internal control? Give 6 examples of financial risk within a company.

A

Control Environment

Risk ID and Assessment

Internal Controls

Information and Communication

Monitoring

  1. Failure to protect cash
  2. Failure to collect money owed by customers
  3. Failure to record financial transactions in the book-keeping system
  4. Financial transactions occurring without authorisation
  5. Mis-reporting in the financial statements
  6.
16
Q

What might be the main operational risk or compliance risk concerns for a company that operates a chain of family holiday centres and sports centres?

A

OPERATIONAL RISK - internal processes may not be followed as strictly at sites in other jurisdictions, and their effectiveness is harder to monitor on a day-to-day basis, thus exposing the company to operational risk.

COMPLIANCE RISK - key regulations such as health and safety must be adhered to, especially given the combination of families and sports facilities, where the risk of accidents occurring is high.

17
Q

For what reason are procedures for the authorisation of expenditures and approval of payments for expenditures an internal control?

A

Internal controls are devised and implemented to eliminate, reduce or control risks, and procedures for the authorisation of expenditure and the approval of payments are such controls.

In incurring expenditure and making payments the company is exposed to a variety of risks, such as theft, human error and fraud; authorisation and approval procedures are therefore required in order to prevent, detect and correct such events.

18
Q

For what reason are procedures for the selection of appropriate applicants to fill job vacancies a part of an internal control system?

A

Operational risks include the risk of losses resulting from people and systems.

Internal control systems should be in place to mitigate these risks by ensuring that the right individuals are assigned to the vacancy and are competent or have the resources, training and development in place to ensure that they can complete their objectives effectively.

19
Q

Identify two or more examples of significant internal control failings in major companies in the past.

A

Barings Bank, Nick Leeson. Held the general manager position as well as head trader and head of back office, and was therefore able to sign off his own unauthorised trades/positions, highlighting the lack of internal controls (in particular segregation of duties) to ensure the oversight and monitoring of such trades.

BP. Failure of health and safety systems and system controls led to the 2005 explosion at the Texas City oil refinery in which 15 people were killed and 500 injured. Direct financial losses, as well as over 1000 civil legal actions against the company and an investigation into whether criminal charges should be brought against it.

20
Q

What are the provisions in the UK Code relating to internal control?

A

PROVISION 29 - Board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report.
The monitoring and review should cover all material controls, including financial, operational and compliance controls.

21
Q

What are the responsibilities of an audit committee with respect to internal control and internal audit, as stated in the UK Code?

A

PROVISION 25 - The main roles and responsibilities of the AC should include:

Reviewing the company’s internal financial controls and review the company’s internal control and risk management systems, unless expressly addressed by a separate board risk committee composed of independent non-executive directors, or by the board itself;

Monitoring and reviewing the effectiveness of the company’s internal audit function or, where there is not one, considering annually whether there is a need for one and making a recommendation to the board.

22
Q

What are the main recommendations in the FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting?

A

Board has responsibility for an organisation’s overall approach to risk management and internal control. Its responsibilities are:

Ensuring the design and implementation of appropriate risk management and internal control systems that identify the risks facing the company and enable the board to make a robust assessment of the principal risks;

Determining nature and extent of principal risks faced and those that the company is willing to take in achieving its strategic objectives (risk appetite);

Ensuring that an appropriate culture and reward systems are embedded throughout the organisation;

Agree how principal risks should be managed/mitigated to reduce likelihood of incidence/impact;

Monitoring/reviewing risk management and internal control systems and the management’s process of monitoring/reviewing and satisfying itself that they are functioning effectively and corrective action taken where necessary;

Ensuring sound internal and external information and communication processes and taking responsibility for external communication on risk management and internal control.

23
Q

How might an audit committee review the effectiveness of the company’s system of internal control?

A

Meet with the head of internal audit without the presence of management to discuss the effectiveness of the function;

Review and assess the annual internal audit work plan;

Receive a report on the results of the internal auditors’ work;

Monitor and assess the role and effectiveness of the internal audit function in the overall context of the company’s risk management system.

24
Q

What is the purpose of an internal audit function?

A

The role of internal audit is to provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively.

25
Q

What tasks might be carried out by an internal audit department?

A

Reviewing the internal control system

Special investigations

Examining of financial and operating information

Value for money audits

Reviewing compliance by the organisation with particular laws or regulations

Risk assessment

26
Q

What should UK listed companies include in their annual report on internal control?

A

Include in their corporate governance statement a description of the main features of the company’s internal control and risk management systems relating to the financial reporting process.

27
Q

How can the independence of the head of internal audit be protected?

A

Audit committee should approve the appointment or termination of appointment of the head of internal audit.

Internal audit should have access to audit committee and board chairman where necessary. Should ensure it has a reporting line which enables it to be independent of the executive and so able to exercise independent judgement.

28
Q

Why should disaster recovery planning be a part of the internal control system of a large company?

A

To establish what should be done in the event of an extreme disaster that threatens the ability of the company to maintain its operations.

It will:

Specify essential operations;

ID the computers/networks to which the system can be transferred in the event of damage to the main system;

Specify where operations should be transferred to (if they cannot remain in current location);

ID key personnel needed to maintain system in operation; and

ID who should be responsible for keeping the public informed about the impact of the disaster and what recovery measures are being taken.

29
Q

What are the penalties for bribery in the UK?

A

The Bribery Act 2010 made bribery a criminal offence. On conviction an individual faces up to 10 years' imprisonment and/or an unlimited fine; a company faces an unlimited fine.

The offences created are:

  1. Offering bribes and receiving bribes;
  2. Bribery of foreign public officials for business benefit;
  3. Failure by a commercial organisation to prevent a bribe being paid on its behalf (a corporate offence, subject to the defence of having adequate procedures in place).
30
Q

How can strategic risks be reduced?

A

The four Ts:

TOLERATE - accept the risk, because it is not significant or is external and beyond the company's control.

TRANSFER - move the risk to someone else, e.g. through a joint venture or by taking out insurance.

TRIM - take suitable measures to reduce the risk (the probability of an adverse risk event, or its impact if the event occurs).

TERMINATE - avoid the risk entirely by withdrawing from the area of business operations where the risk exists.

31
Q

What are the three classifications of internal controls?

A
  1. PREVENTATIVE CONTROLS - prevent an adverse risk event from occurring (e.g. fraud by employees).
  2. DETECTIVE CONTROLS - detect risk events when they occur, alert the appropriate person and enable corrective measures to be taken.
  3. CORRECTIVE CONTROLS - deal with risk events that have occurred, and with their consequences.
32
Q

What are the 6 principles of The Ministry of Justice’s guidance on the Bribery Act 2010?

A
  1. PROPORTIONATE PROCEDURES - procedures to prevent bribery by people associated with it. Should be proportionate to the risk of bribery that it faces and the nature and scale of its commercial activities.
  2. TOP-LEVEL COMMITMENT - should be committed to preventing bribery and foster a culture in their organisation in which bribery is considered unacceptable.
  3. RISK ASSESSMENT - periodic, informed and regular assessment by organisations of the nature and extent of potential bribery by people associated with it.
  4. DUE DILIGENCE - of third party intermediaries and local agents who will act on behalf of the organisation, with a view to identifying and mitigating bribery risk.
  5. COMMUNICATION (INCL. TRAINING) - seek to ensure that policies against bribery are embedded and understood, by means of communication and training that is proportionate to the bribery risk that the organisation faces.
  6. MONITORING AND REVIEW - the procedures designed to prevent bribery should be monitored and reviewed, and improvements made when weaknesses are detected.