Risk structures, policies, procedures, and compliance Flashcards

1
Q

What does the board need to ensure and consider when deciding what structures to put in place to fulfil its responsibilities for risk and internal control? (4)

A
  1. The board will need to ensure that appropriate structures are put in place at the proper levels within the organisation to manage risk.

The board needs to consider:
  2. Whether risk and internal controls should be considered by the whole board or be delegated to a committee of the board.
  3. If delegating to a committee, whether risk and internal controls should fall under one committee, the AC, or into two separate committees, the AC for internal controls and the RC (risk committee) for risk.
  4. The division of responsibility between itself and management for risk management.
2
Q

What does the board need to consider when deciding whether to establish an audit committee? (2)

In the area of risk management and internal controls, what does provision 25 UK CG Code say the responsibilities of the AC includes? (3)

What should be the composition of the AC according to provision 24 UK CG Code? (2)

A
  1. Whether there is a requirement for the company to have an AC = yes if listed or a financial institution
  2. The level of discussion and monitoring required on risk management and internal controls = If greater than what board can manage = have an AC

Provision 25 = AC responsibilities include:
1. reviewing the company’s financial controls;
2. reviewing the internal control system and risk management system, unless given to a separate RC; and
3. monitoring and reviewing the effectiveness of the company’s internal audit function / considering annually whether there should be one.

Provision 24 = the AC should comprise:
1. at least 3 independent directors, or 2 for smaller companies; and
2. at least 1 member who has recent and relevant financial experience.

3
Q

Which organisations usually have a separate risk committee and why?

What are 4 benefits of having a separate risk committee?

A

• Banks and other large financial institutions normally have separate risk committees due to the complexity of their risk exposure

• The benefits are:
  1. It can focus solely on reviewing the organisation’s risk management
  2. It can give the board advice on risk appetite, the organisation’s risk tolerance, and strategies to manage risk
  3. It can provide input into strategy formulation by helping the board to understand the key risks
  4. The composition of the committee is not restricted by the requirements of the UK CG Code
4
Q

What are 4 risks of setting up a separate risk committee?

A
  1. Conflict between the audit and risk committees
  2. Danger of overlooking some risks = Each committee may think the other is considering a particular risk when in fact neither are
  3. Message sent to senior management that risk is no longer their responsibility
  4. Having sufficient directors with the required skills to constitute a separate risk committee
5
Q

What does the ICSA ‘Terms of reference for a risk committee’ suggest in relation to the composition of a separate risk committee? (3)

What may the role of a risk committee include? (3)

A

• ICSA ‘Terms of reference for a risk committee’ suggests:
  1. The RC should consist of at least 3 members, all INEDs
  2. Members should have appropriate knowledge, skills, and expertise to fully understand risk appetite
  3. The finance director/CFO and the chief risk officer should attend committee meetings regularly.

• The role of a risk committee may include:
  1. Providing assurance to the board that processes for risk management are effective
  2. Considering risk opportunities and making recommendations to the board
  3. Reviewing and approving statements to be included in the annual report concerning risk management
6
Q

What is internal audit?

What does FRC Guidance on Audit Committees say on the need for one?

A

= An independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations

The need for an internal audit function depends on factors such as company size, complexity of activities, and cost-benefit considerations

7
Q

What are the 3 types of internal audit?

A
  1. An in-house internal audit function = company maintains full responsibility for recruiting, developing, and managing an internal audit team.
  2. A co-sourced internal audit function = company hires a small team of internal auditors and uses an outside professional firm to provide strategic direction to them.
  3. Outsource the internal audit function = company uses an external professional firm to provide all internal audit activities.
8
Q

What are 4 benefits of an in-house internal audit function?

What is the benefit of co-sourcing or out-sourcing the internal audit function?

A
  1. Understands the organisation, its culture, operations and risk profile = should be able to add value to internal control and risk management processes
  2. Can build networks and become integrated into the company’s business = become the ‘eyes and ears’ of the board regarding those activities
  3. Provides assurance to stakeholders on the integrity of internal control and risk management systems
  4. Could be a lower-cost option, depending on the make-up of the team

Benefit of co-sourcing or outsourcing = the organisation can leverage external resources, technology, skills and experience which may not be available to it with an in-house team
9
Q

What does provision 25 UK CG Code say the AC should do in relation to the internal audit function? (3)

A
  1. Provision 25 = requires the AC to monitor and review the effectiveness of the internal audit function (if one exists)
  2. If no internal audit function = the audit committee should consider annually whether there is a need for one and make a recommendation to the board
  3. Reasons why there is no internal audit function should be explained in the annual report
10
Q

Why might the independence and objectivity of internal auditors be compromised?

What does the FRC Guidance on Audit Committees suggest to protect their independence?

How often should the board or AC review the internal audit function?

A

• Independence and objectivity may be compromised because they are also employees within the organisation = if internal auditors report to the CEO, they will be reluctant to criticise the CEO

• FRC Guidance on Audit Committees: to protect the independence of the internal audit function, the AC should be responsible for appointment or removal of the head of internal audit.

Annually

11
Q

Who are the 4 main governance players in supporting the board with their risk management responsibilities?

A
  1. Cosec / governance professional
  2. CEO
  3. CRO = Chief Risk Officer
  4. Internal auditors
12
Q

What 3 items should the cosec ensure are on the board’s (or the relevant committee’s) agenda in supporting the board with their risk management responsibilities?

A
  1. The approval of the organisation’s internal control policies and framework e.g. the approval of the organisation’s risk appetite.
  2. Reports from management on the implementation and effectiveness of the policies and framework.
  3. Evaluation of the risk management system which should occur at least annually
13
Q

What 3 things should the Cosec ensure the board committee responsible for risk has in supporting the board with their risk management responsibilities?

What is an example of an agenda item for audit?

What is an example item for risk?

A
  1. Terms of reference, and ensure the committee follows them by developing an annual plan setting out the work of the committee
  2. A report written to the chair of the committee(s) setting out recommendations for board approval
  3. Agendas for each meeting reflecting the annual plan

agenda item for audit = evaluation of performance of external auditors

agenda item for risk = recommendations and review on the risk appetite and risk tolerance of the organisation

14
Q

How does the cosec have an important role in strengthening the control environment? (2)

A

By:
  1. linking the various people, structures and processes within the control environment into a strong culture of control and risk management; and
  2. ensuring that the various structures and processes within the control environment are integrated effectively
15
Q

What is the CEO’s role in supporting the board with their risk management responsibilities?

What 3 things should the CEO ensure in doing this?

A

• Accountable to the board, responsibility to ensure proper execution of the risk management strategies and policies laid down by the board

• The CEO should ensure that:
  1. the risk and internal control frameworks extend into the organisation
  2. resources, both financial and human, are made available to ensure they work efficiently.
  3. a culture reflecting the risk appetite of the organisation is developed = achieved through awareness sessions
16
Q

What do the CRO’s responsibilities include in supporting the board with their risk management responsibilities? (4)

Who should appoint / remove the CRO?

Who should set the remuneration for the CRO?

A
  1. creating an integrated risk framework for the entire organisation
  2. appointing and working with risk champions to ensure risks are identified and mitigated
  3. communicating to key stakeholders the risk profile of the organisation
  4. organising training in risk management for the organisation

Walker Report = appointment / dismissal is a matter for the board

The remuneration committee should determine the CRO’s remuneration

17
Q

Work done by the internal audit unit is not prescribed by regulation = it is decided by management or the board (or AC).

What are 5 possible tasks of the internal auditors in supporting the board with their risk management responsibilities?

A
  1. Reviewing the internal control system = not the function of internal auditors to manage risks, only to monitor and report them, and to check that risk controls are efficient and cost-effective
  2. Special investigations = conduct special investigations into particular aspects of the organisation’s operations to check the effectiveness of operational controls
  3. Value for Money (VFM) audits = determine if operation/activity is economical, efficient, and effective
  4. Reviewing compliance by the organisation with particular laws or regulations
  5. Risk assessment = investigate the adequacy of the mechanisms for identifying, assessing and controlling significant risks to the organisation
18
Q

What 4 factors should be considered when internal auditors check the soundness of the internal financial controls?

A
  1. Whether the controls are manual or automated
  2. Whether controls are discretionary or non-discretionary
    ○ Non-discretionary controls = checks and procedures that must be carried out
    ○ Discretionary controls = those that don’t have to be applied
  3. Whether the control can be circumvented easily
  4. Whether the controls are effective in achieving their purpose
19
Q

Why should boards (or AC) routinely monitor and review the organisation’s systems of risk management and internal controls? (3)

A

To ensure that they:
  1. remain aligned with the organisation’s strategic objectives;
  2. address the risks facing the organisation;
  3. are being developed, applied and maintained appropriately for the organisation
20
Q

What 4 matters should the annual review of the effectiveness of the systems of risk management and internal controls cover?

A

FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting = the annual review should consider:
1. the company’s risk appetite;
2. whether the desired culture has been embedded;
3. the changes in the nature, likelihood and impact of principal risks; and
4. the company’s ability to deal with these

21
Q

What does the UK CG Code say on whistleblowing?

A

• Principle E = the workforce should be able to raise any matters of concern

• Provision 6 = There should be a means for the workforce to raise concerns in confidence and – if they wish – anonymously = a whistleblowing procedure

22
Q

What should an effective whistleblowing procedure allow an employee to do?

A

Should allow an employee to raise concerns about illicit behaviour, usually:
1. fraud;
2. serious violations of laws or regulations;
3. a miscarriage of justice;
4. bribery etc.

23
Q

What 6 things will a whistleblowing procedure typically cover?

A
  1. purpose, scope and coverage;
  2. procedures for reporting a matter;
  3. what happens when communication is received from a whistleblower;
  4. anonymity of the whistleblower;
  5. communication with the whistleblower; and
  6. protection of the whistleblower
24
Q

What are 7 issues the board should consider when introducing a whistleblowing procedure?

A
  1. Building a culture of trust and openness = the culture needs to start at the top of the organisation (with the board) for it to be effective.
  2. How are matters to be reported? e.g. suggestion box or hotline specifically for raising issues
  3. Who is going to be responsible for receiving issues? = cosec, the chair of the AC, or outsourced firm etc.
  4. Anonymity vs non-anonymity
  5. Improprieties covered by the whistleblowing policy = what the organisation feels to be of sufficient seriousness that should be reported
  6. Investigation, follow-up and reporting procedures
  7. Protection for genuine whistleblowers
25
Q

What are the 3 parts of a cyber security policy?

A
  1. Physical security of the technology = explains the importance of keeping the physical asset secure – locking doors, surveillance, alarms etc.
  2. Personnel management = explains how to conduct day-to-day activities – password management, the use of memory sticks etc.
  3. Hardware and software = explains what type of technology and software to use and how networks should be configured to ensure they are secure.
26
Q

How often should the internal auditors audit the compliance with the cybersecurity policy?

What should the boards do in relation to the cybersecurity policy? (2)

What are the 2 sets of regulations that require disclosure for a breach of cybersecurity?

A

Annually.

Boards should:
1. ensure management is implementing the policy
2. consider the requirements for disclosure if a breach occurs

Market Abuse Regulation (MAR) and the General Data Protection Regulation (GDPR)

27
Q

Under MAR, what are listed companies required to do in relation to a breach of cybersecurity?

What must the board do?

A

• Required to disclose any incident which was significant enough to be considered price sensitive

• The board must ensure there is a process to identify significant breaches and raise them to board level

28
Q

What does GDPR apply to?

What must happen if a cybersecurity incident occurs? (2)

A

= applies to the processing of personal data of European citizens

  1. If it leads to ‘the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’ a disclosure is required to the Information Commissioner’s Office (ICO) without delay.
  2. If likely to result in a high risk to the rights and freedoms of natural persons, the affected individuals must be notified without delay
29
Q

What are the Network and Information System (NIS) Regulations aimed at?

What are operators of essential services (OES)?

What are relevant digital service providers (RDSP)?

What do NIS regulations require organisations to do?

A

= aimed at improving the security of network and information systems of operators of essential services (OES) and relevant digital service providers (RDSP).

• OES = entities in the energy, transport, health, drinking water and digital infrastructure sectors

• RDSP = entities who provide their services to entities within the essential services sectors

Organisations are required to take appropriate and proportionate measures to manage the risks posed to their NIS and to minimise impact.

30
Q

What 5 things should an information disclosure policy include?

A
  1. Objectives and principles of the disclosure
    a. Main objective of disclosure = keep stakeholders informed about the company to enable them to make informed decisions when dealing with the company
    b. Principles = accurate, timely, complete, balanced between the positive and the negative etc.
  2. Authorised persons = Usually the CEO, CFO, and cosec will be authorised to make disclosures
  3. Public information = The policy will usually set out what information about the company is in the public domain
  4. Confidential information = The policy should also set out what information should be kept confidential e.g. trade secrets
  5. Insider information = information that would, if disclosed, move the company’s share price = policy should set out how it is to be handled
31
Q

What 4 matters should the cosec consider when handling insider information?

A
  1. Confidentiality of board papers = hand delivery rather than email, encrypting electronic documents
  2. Confidentiality of board discussions = Is the room in which the board is meeting soundproof?
  3. Insider lists = often required by regulators for listed companies = contain the names of people, internally and externally, who are aware of the project
  4. The communication plan for the project = indicate who should be communicated to, how, and when
32
Q

What is a disaster recovery plan?

A

= a plan of what needs to be done immediately after a disaster to recover from the event

33
Q

What 4 things should a disaster recovery plan do?

A
  1. Specify which operations are essential and must be kept going.
  2. Identify and analyse all potential threats to essential operations.
  3. Identify possible reactions to the threats to essential operations e.g. Specify where operations should be transferred to, if they cannot continue in their normal location.
  4. Identify who should be responsible for keeping the public informed about the impact of the disaster and the recovery measures that are being taken.
34
Q

What is the difference between disaster recovery planning and business continuity planning?

What should a BCP seek to do?

A

DRP = planning for disaster that is unconnected with the company’s business and outside the control of management e.g. natural disasters and IT disruptions

BCP = goes beyond procedures that should be taken in an emergency = planning what a company needs to do to ensure that its key products and/or services continue to be delivered in the longer-term
i.e. a plan for the sustainability of the business

A BCP should seek to take advantage of the longer-term threats = give a competitive advantage

35
Q

What are the 3 offences under the UK Bribery Act 2010?
How can an organisation avoid conviction?

A
  1. Offering bribes (active bribery) and receiving bribes (passive bribery).
  2. Bribery of foreign public officials for business benefit
  3. Failure to prevent a bribe being paid on the organisation’s behalf

R v Skansen Interiors Ltd = an organisation can avoid conviction if it can show that it has ‘adequate processes’ to prevent bribery in place (e.g. suitable whistleblowing procedures) and can demonstrate that the procedures work well in practice

36
Q

What are the 6 principles of the Ministry of Justice Guidance on the UK Bribery Act 2010?

A
  1. Proportionate procedures to the risk of bribery
  2. Top-level commitment to foster culture
  3. Regular risk assessment.
  4. Due diligence of 3rd parties
  5. Communication (including training) = embed in organisation
  6. Monitoring and review = improvements made where identified
37
Q

What should the board do in relation to conflict prevention and resolution? (4)

A
  1. Plan ahead by anticipating potential disputes.
  2. Ensure company’s policies, procedures, and articles of association are aimed at minimising the risk of conflict and include provisions to deal with conflict where it arises.
  3. Ensure company’s policies, procedures etc., are actually integrated into the company’s culture
  4. Be prepared for mediation as a backstop to resolve conflicts
38
Q

What should the cosec do to minimise boardroom disputes? (3)

A
  1. Ensure that the roles of the board members have been set out in a clear and concise way in their appointment letter.
  2. Advise the chair to agree with the board ground rules for behaviour, attire and so on, during board meetings.
  3. Encourage the creation of a good culture within the board e.g. by building trusting relationships between board members = giving them opportunities to get to know each other over lunch etc.
39
Q

What does provision 40 UK CG Code say the remuneration committee should do when determining remuneration policy and practices in relation to risk? (2)

What is the purpose of this?

A

• Provision 40 = the RC should ensure that:
  1. reputational risks associated with excessive rewards are identified and mitigated
  2. behavioural risks which can come from target-based incentive plans are identified and mitigated

• Purpose = to reduce the likelihood of executives being paid large annual bonuses for achieving high levels of performance in the short term to the detriment of the long-term sustainability of the organisation

40
Q

What does the UK CG Code say the board should do in relation to senior executive remuneration and risk?

How can boards meet these requirements?

A

• Provision 37 = boards should include provisions that would enable a company to recover sums paid or withhold a payment of a sum where a senior executive has adversely affected the future performance and/or sustainability of the company

= Boards can consider making bonus payments and other performance-related incentives over a period of time so that they are able to withhold or claw back payments should it be deemed necessary.