Systems of risk management and internal control Flashcards
The relevance of risk management and internal control systems for corporate governance:
Why is risk management considered part of CG?
What does the board have responsibility for?
What should the risk management process include?
What should the cosec advise the board on? (2)
= risk management requires the development of structures, policies and procedures which should create a culture that leads to a better performing organisation and continued sustainability
• The board has a responsibility to manage the risk that the organisation is prepared to take in achieving the strategic objectives it has set itself.
• Part of the risk management process is to develop an internal control system
Cosec should advise the board on the significance of risk management to CG and the board’s responsibilities regarding risk management and the internal control system
What does UK CG Code say the board should do in relation to internal control, risk management systems and internal audit?
Principle O (3)
Provision 28 (2)
Provision 29 (2)
What does provision 25 UK CG Code say the AC should review?
• Principle O = board should establish procedures:
1. to manage risk
2. oversee the internal control framework
3. determine the nature and extent of the principal risks it is willing to take
• Provision 28 = Board should:
1. carry out a robust assessment of the company’s emerging and principal risks
2. confirm in the annual report that it has completed this assessment
• Provision 29 = board should:
1. monitor the company’s risk management and internal control systems
2. at least annually, carry out a review of their effectiveness and report on it
• Provision 25 = AC should review the company’s internal financial controls
How should the cosec advise and facilitate the board in relation to internal control, risk management systems and internal audit? (4)
• Cosec should advise and facilitate the board to:
1. Develop a set of strategic objectives for the company;
2. Identify principal risks it is willing to take to achieve its strategic objectives and those that are threatening;
3. Annually conduct a review of the effectiveness of the risk management and internal control systems;
4. Report on the above in the company’s annual report and accounts
What does the introduction of the FRC ‘Guidance on Risk Management, Internal Control and Related Financial and Business Reporting’ say the risk management process should support?
What does it state the board is responsible for?
Introduction = risk management process should support decision making in the organisation and be part of the normal business processes within the organisation
• States the ‘board is responsible for ensuring that an appropriate culture has been embedded throughout the organisation’
How does the FRC ‘Guidance on the Strategic Report’ define principal risks?
In determining which risks are the principal risks, what should entities do? (2)
= risks that could result in events or circumstances that might threaten the entity’s business model, future performance, solvency or liquidity, or result in significant value erosion
Entities should consider:
1. the potential impact and probability of the related events or circumstances arising
2. the timescale over which they may occur
What does risk refer to?
What is downside risk?
What is upside risk?
For an organisation to manage risk effectively what should it have?
How does the International Standard ISO31000 define risk?
• Risk refers to the possibility that something unexpected or not planned for will happen
Downside risk = risk that actual events will turn out worse than expected e.g. fires, IT breakdowns
Upside or opportunity risk = risk that actual events will turn out better than expected e.g. sales volumes being higher than expected
• should have processes in place to manage both downside and upside risk = Boards should look at both when strategic planning
• ISO31000 = ‘the effect of uncertainty on objectives, whether positive or negative’
What is business risk?
What is it influenced by? (3)
What are the 4 categories?
= the possibility a company will have lower than anticipated profits or experience a loss rather than taking a profit
• influenced by numerous factors e.g. sales volume, input costs, competition etc.
- Reputational risk = the risk of loss in customer loyalty or support due to an event that has damaged the company’s reputation
- Competition risk = the risk that business performance will be affected because of the actions of the company’s competitors
- Business environment risks = the risk that the business environment in which the company operates will change significantly e.g. political, economic, regulatory, social and environmental factors
- Liquidity risk = the risk that the company will have insufficient cash to settle all of its liabilities on time, so will be forced out of business
What is governance risk? (4)
= relates to risks associated with:
1. Structure = from boards to business models and policy frameworks.
2. Processes = from communication channels to strategic planning and risk appetite
3. Information = from financial reporting to risk and management reporting
4. People and culture = from leadership at the top to accountability and transparency throughout the organisation
What are the 3 main types of internal controls?
What are internal controls and the internal control system aimed at providing? (3)
What do the DTRs require in the annual report?
- Preventative controls intended to prevent an adverse risk event from occurring, e.g. fraud by employees.
- Detective controls for detecting risk events when they occur, so that the appropriate person is alerted, and corrective action taken.
- Corrective controls for dealing with risk events that have occurred and their consequences
Aimed at providing ‘reasonable assurance’ regarding the achievement of objectives in:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and regulations
DTRs require a description of the main features of the company’s internal control and risk management systems relating to the financial reporting process.
What are internal control risks?
Why do these risks occur? (2)
What does an internal control system need?
• = risks that internal controls will fail to achieve their intended purpose, and will fail to prevent, detect, or correct adverse risk events
• These risks can occur because:
1. they are badly designed, and so not capable of achieving their purpose as a control; or
2. they are well-designed, but are not applied properly, due to human error or oversight (a form of operational risk).
• An internal control system needs to have procedures for identifying weak or ineffective internal controls
What are the 2 most commonly used ‘models’ for risk management and internal control systems?
What did the Turnbull Report suggest on the 3 types of controls?
What has the Turnbull guidance now been replaced by?
How are the 2 models different?
Turnbull Report for UK and Committee of Sponsoring Organisations (COSO) for USA.
• there should be financial, operational and compliance controls to deal with the financial, operational and compliance risks identified by the company
• replaced by the FRC’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (2014)
FRC guidance on risk follows a similar ‘model’ to COSO, however it considers risk management and internal control systems jointly and not as 2 separate systems
What are the 2 sets of documents that COSO guidance on risk management and internal controls published?
How many components and principles does each have?
- COSO Enterprise Risk Management – Integrating with Strategy and Performance (2017) = 5 components and 20 principles
- COSO Internal Control – Integrated Framework (2013) = 5 components and the COSO cube and 17 principles
What are the 7 steps in developing a risk management system?
- Risk identification
- Risk categories
- Methods of identifying risk
- Risk assessment
- Risk response and selecting one
- Risk monitoring
- Risk reporting
What are the 4 main risk categories?
What are 3 examples of financial risks?
What are operational and compliance risks?
What are 3 strategic risks?
Financial, operational, compliance, and strategic
Financial = internal risks:
1. failure to protect cash
2. Liquidity risk – the lack of cash in the business so it is unable to settle its liabilities on time.
3. Credit risk – customers failing to pay what they owe on time.
Operational = risks arising out of the failure of organisational processes and systems e.g. a terrorist act;
Compliance = risk that important laws or regulations will not be complied with properly leading to legal action and/or fines
• Strategic = external risks occurring in the business environment, such as
1. people risks;
2. ethical risks;
3. reputational risks
What are the 4 methods for identifying risks?
- Mind mapping = involves thinking of all the risks to the organisation.
- Process mapping = involves mapping every process within an organisation to identify interdependent, critical and vulnerable functions and activities within the organisation.
- Stress testing = organisations assess their ability to withstand extreme ‘shocks’ or unexpected events in the business environment they operate.
- Use of internally generated documents = typically business impact studies and market research reports
Once a risk has been identified, how should it be assessed to see if it qualifies as a principal risk? (2)
What is risk appetite?
What is risk tolerance?
How should risks be ranked so they can be prioritised? (2)
- A procedure should be established to assess:
a. the likelihood or probability of the occurrence; and
b. the potential size of the impact of the occurrence.
- criteria should be developed to assess likelihood as high, medium or low and impact as significant, moderate or minor
• Risk appetite = the level of risk that an organisation is willing to take in the pursuit of its objectives = set by the board
• Risk tolerance = the amount of risk that an organisation is prepared to accept in order to achieve its financial objectives = quantitative measure e.g. value at risk (VaR)
1. By plotting the assessed risks on a matrix.
2. By multiplying the likelihood ratings against the impact ratings.
What are the 4 main responses to risk?
- Avoidance = responses which reduce the likelihood of the risk occurring.
○ organisation shuts down or sells that part of the business that is causing the risk.
- Reduction = responses that reduce the negative impact or take advantage of opportunities for positive impact.
- Transfer = responses that transfer the risk somewhere else, e.g. insurance or outsourcing.
- Acceptance = responses that retain the risk because it is deemed to be not a significant threat or the organisation has no control over it, e.g. regulatory risk
What 3 things should the board consider when determining the response to risks?
- The ‘exposure’ to the risk – is it high, medium or low?
- Any negative consequences of the response(s).
- Whether they are adding responses to existing ones rather than formulating new responses to the risk.
What are the 3 most used methods for monitoring risk?
- Stress testing – the organisation assesses the robustness of the risk response by modelling extreme situations
- Developing measures to monitor the effectiveness of the risk response.
- Use of internal audit function
What are the 2 main communication channels in relation to risk reporting?
How might this be reported in each channel?
- management to board
- board to shareholders
Management to board = Management may use a risk register or dashboard to report to the board on the principal risks faced, the actions taken to deal with the risks, and the effectiveness of those actions
Board to shareholders = company’s strategic report must contain a description of the principal risks and uncertainties facing the company, together with an explanation of how they are to be managed or mitigated
What are the 3 main benefits of a risk management system and 2 mini benefits in relation to each?
• For operational performance:
1. Increases the likelihood of achieving business objectives.
2. Helps management to enhance risk awareness
• For financial performance:
3. Contributes to a better credit rating
4. Builds investor confidence
• For decision making:
5. Shares risk information across the organisation, contributing to informed decisions.
6. Facilitates transparency of risks at board level
The board has overall responsibility for risk management. What 3 things does this involve?
To carry out these responsibilities effectively, what should board members have?
What are 2 issues causing boards to become more interested in risk management?
- Deciding the organisation’s risk appetite.
- Monitoring the performance of management, to ensure that the business is being managed within the risk guidelines
- Monitoring the risk management system to ensure that it is effective and fit for purpose.
An understanding of risks and risk management = training is very important
- Increased speed of change within the environment requires a greater speed of response in terms of risk management.
- The change in the type of risks from tangible measurable risks to intangible risks, such as reputational and cyber risks, which require new methods of assessment and mitigation.
Describe the case of Volkswagen 2005 known as ‘Dieselgate’.
What went wrong?
VW learned its cars could not meet US emissions standards so they deployed a software fix that reported lowered emissions levels during testing to meet the requirements.
Publicly announced goal for VW was growth = to make them the largest car maker by sales in the world
Remuneration policies were heavily performance related and relied on achievement of this goal = incentives to not be honest
What are 6 common failures of boards in relation to risks and internal controls?
- Failure to take responsibility at the board level
- Failure to capture the major risks of the organisation
- Failure to put in place the appropriate controls
- Failure to manage reputational risk
- Failure to map out clearly who has responsibility for what, at different levels of the organisation
- Failure to decide effectively the risk appetite
What does provision 31 UK CG Code say the board should do regarding the long-term viability statement? (2)
Is the assessment period 12 months?
• Provision 31 = board should:
1. explain in the annual report how it has assessed the prospects of the company, over what period it has done so and why it considers that period appropriate
2. state whether it has a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due over the period of their assessment
It is anticipated that the assessment period will be significantly longer than 12 months
What is corporate sustainability about?
What is the key aspect?
What does sustainability require the balance of?
What is the challenge with this? (3)
= about ensuring the long-term survival of the organisation
• key aspect = the management of the organisation’s economic, social and environmental impacts, whether negative or positive.
• Sustainability requires the balance of current needs against future needs.
• The challenge with this is determining:
1. What are current and future needs?
2. What is the time period to be considered when looking at future generations?
3. Who the sustainability should be for (e.g. the company, the country or the world)
What does Principle A of the UK CG Code say?
How does the board do this? (8 steps)
• Principle A = the board’s role ‘is to promote the long-term sustainable success of the company, generating value for shareholders and contributing to wider society’
Step 1 = determine what the organisation’s sustainability needs are = examine the resources / processes critical for sustainability found in the organisation’s strategic objectives and risk management
Step 2 = identify potential threats to the supply and maintenance of them
Step 3 = develop sustainability objectives and policies in conjunction with management
Step 4 = develop a sustainability or business continuity plan (BCP) based on these
Step 5 = recommend the BCP to the board for approval
Step 6 = communicate the relevant parts of the BCP internally and externally
Step 7 = develop and monitor sustainability indicators to assess whether plans are effective
Step 8 = evaluate BCP annually