Systems of risk management and internal control Flashcards

1
Q

The relevance of risk management and internal control systems for corporate governance:
Why is risk management considered part of CG?

What does the board have responsibility for?

What should the risk management process include?

What should the cosec advise the board on? (2)

A

= risk management requires the development of structures, policies and procedures that create a culture leading to a better-performing organisation and its continued sustainability

• The board has a responsibility to manage the risk that the organisation is prepared to take in achieving the strategic objectives it has set itself.

• Part of the risk management process is to develop an internal control system

Cosec should advise the board on the significance of risk management to CG and the board’s responsibilities regarding risk management and the internal control system

2
Q

What does UK CG Code say the board should do in relation to internal control, risk management systems and internal audit?

Principle O (3)

Provision 28 (2)

Provision 29 (2)

What does provision 25 UK CG Code say the AC should review?

A

• Principle O = board should establish procedures:
1. to manage risk
2. oversee the internal control framework
3. determine the nature and extent of the principal risks it is willing to take

• Provision 28 = Board should:
1. carry out a robust assessment of the company’s emerging and principal risks
2. confirm in the annual report that it has completed this assessment

• Provision 29 = board should:
1. monitor the company’s risk management and internal control systems
2. at least annually, carry out a review of their effectiveness and report on it

• Provision 25 = AC should review the company’s internal financial controls and its internal control and risk management systems (unless these are expressly addressed by a separate board risk committee of independent NEDs, or by the board itself)

3
Q

How should the cosec advise and facilitate the board in relation to internal control, risk management systems and internal audit? (4)

A

• Cosec should advise and facilitate the board to:
1. Develop a set of strategic objectives for the company;
2. Identify the principal risks it is willing to take to achieve its strategic objectives, and those that threaten them;
3. Annually conduct a review of the effectiveness of the risk management and internal control systems;
4. Report on the above in the company’s annual report and accounts
4
Q

What does the introduction of the FRC ‘Guidance on Risk Management, Internal Control and Related Financial and Business Reporting’ say the risk management process should support?

What does it state the board is responsible for?

A

Introduction = risk management process should support decision making in the organisation and be part of the normal business processes within the organisation

• States the ‘board is responsible for ensuring that an appropriate culture has been embedded throughout the organisation’

5
Q

How does the FRC ‘Guidance on the Strategic Report’ define principal risks?

In determining which risks are the principal risks, what should entities do? (2)

A

= risks that could result in events or circumstances that might threaten the entity’s business model, future performance, solvency or liquidity, or result in significant value erosion

Entities should consider:
1. the potential impact and probability of the related events or circumstances arising
2. the timescale over which they may occur

6
Q

What does risk refer to?

What is downside risk?

What is upside risk?

For an organisation to manage risk effectively what should it have?

How does the International Standard ISO31000 define risk?

A

• Risk refers to the possibility that something unexpected or not planned for will happen

Downside risk = risk that actual events will turn out worse than expected e.g. fires, IT breakdowns

Upside or opportunity risk = risk that actual events will turn out better than expected e.g. Sales volumes being higher than expected,

• should have processes in place to manage both downside and upside risk = boards should look at both when strategic planning

• ISO 31000 = ‘the effect of uncertainty on objectives’, where the effect may be positive or negative

7
Q

What is business risk?

What is it influenced by? (3)

What are the 4 categories?

A

= the possibility that a company will have lower than anticipated profits, or will experience a loss rather than making a profit

• influenced by numerous factors e.g. sales volume, input costs, competition etc.

  1. Reputational risk = the risk of loss in customer loyalty or support due to an event that has damaged the company’s reputation
  2. Competition risk = the risk that business performance will be affected because of the actions of the company’s competitors
  3. Business environment risks = the risk that the business environment in which the company operates will change significantly e.g. political, economic, regulatory, social and environmental factors
  4. Liquidity risk = the risk that the company will have insufficient cash to settle all of its liabilities on time, so will be forced out of business
8
Q

What is governance risk? (4)

A

= relates to risks associated with:
1. Structure = from boards to business models and policy frameworks
2. Processes = from communication channels to strategic planning and risk appetite
3. Information = from financial reporting to risk and management reporting
4. People and culture = from leadership at the top to accountability and transparency throughout the organisation
9
Q

What are the 3 main types of internal controls?

What are internal controls and the internal control system aimed at providing? (3)

What do the DTRs require in the annual report?

A
  1. Preventative controls intended to prevent an adverse risk event from occurring, e.g. fraud by employees.
  2. Detective controls for detecting risk events when they occur, so that the appropriate person is alerted, and corrective action taken.
  3. Corrective controls for dealing with risk events that have occurred and their consequences

Aimed at providing ‘reasonable assurance’ regarding the achievement of objectives in:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and regulations

DTRs require a description of the main features of the company’s internal control and risk management systems relating to the financial reporting process.

10
Q

What are internal control risks?

Why do these risk occur? (2)

What does an internal control system need?

A

• = risks that internal controls will fail to achieve their intended purpose, and will fail to prevent, detect, or correct adverse risk events

• These risks can occur because:
1. they are badly designed, and so not capable of achieving their purpose as a control; or
2. they are well-designed, but are not applied properly, due to human error or oversight (a form of operational risk).

• An internal control system needs to have procedures for identifying weak or ineffective internal controls

11
Q

What are the 2 most commonly used ‘models’ for risk management and internal control systems?

What did the Turnbull Report suggest on the 3 types of controls?

What has the Turnbull guidance now been replaced by?

How are the 2 models different?

A

Turnbull Report for UK and Committee of Sponsoring Organisations (COSO) for USA.

• there should be financial, operational and compliance controls to deal with the financial, operational and compliance risks identified by the company

• replaced by the FRC’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (2014)

FRC guidance on risk follows a similar ‘model’ to COSO, however it considers risk management and internal control systems jointly and not as 2 separate systems

12
Q

What are the 2 sets of documents that COSO guidance on risk management and internal controls published?

How many components and principles does each have?

A
  1. COSO Enterprise Risk Management – Integrating with Strategy and Performance (2017) = 5 components and 20 principles
  2. COSO Internal Control – Integrated Framework (2013) = 5 components and the COSO cube and 17 principles
13
Q

What are the 7 steps in developing a risk management system?

A
  1. Risk identification
  2. Risk categories
  3. Methods of identifying risk
  4. Risk assessment
  5. Risk response and selecting one
  6. Risk monitoring
  7. Risk reporting
14
Q

What are the 4 main risk categories?

What are 3 examples of financial risks?

What are operational and compliance risks?

What are 3 strategic risks?

A

Financial, operational, compliance, and strategic

Financial = internal risks:
1. failure to protect cash
2. Liquidity risk – the lack of cash in the business so it is unable to settle its liabilities on time.
3. Credit risk – customers failing to pay what they owe on time.

Operational = risks arising out of the failure of organisational processes and systems e.g. a terrorist act;

Compliance = risk that important laws or regulations will not be complied with properly leading to legal action and/or fines

• Strategic = external risks occurring in the business environment, such as
1. people risks;
2. ethical risks;
3. reputational risks

15
Q

What are the 4 methods for identifying risks?

A
  1. Mind mapping = involves thinking of all the risks to the organisation.
  2. Process mapping = involves mapping every process within an organisation to identify interdependent, critical and vulnerable functions and activities within the organisation.
  3. Stress testing = organisations assess their ability to withstand extreme ‘shocks’ or unexpected events in the business environment they operate.
  4. Use of internally generated documents = typically business impact studies and market research reports
16
Q

Once a risk has been identified, how should it be assessed to see if it qualifies as a principal risk? (2)

What is risk appetite?

What is risk tolerance?

How should risks be ranked so they can be prioritised? (2)

A
  1. A procedure should be established to assess:
    a. the likelihood or probability of the occurrence; and
    b. the potential size of the impact of the occurrence.
  2. criteria should be developed to assess likelihood as high, medium or low and impact as significant, moderate or minor

• Risk appetite = the level of risk that an organisation is willing to take in the pursuit of its objectives = set by the board

• Risk tolerance = the amount of risk that an organisation is prepared to accept in order to achieve its financial objectives = quantitative measure e.g. value at risk (VaR)

  1. By plotting the assessed risks on a likelihood/impact matrix.
  2. By multiplying the likelihood ratings by the impact ratings to give a single score.
17
Q

What are the 4 main responses to risk?

A
  1. Avoidance = responses that remove the exposure altogether so the risk cannot occur.
    ○ e.g. the organisation shuts down or sells the part of the business that is causing the risk.
  2. Reduction = responses that reduce the likelihood of the risk occurring or its negative impact, or take advantage of opportunities for positive impact.
  3. Transfer = responses that transfer the risk somewhere else, e.g. insurance or outsourcing.
  4. Acceptance = responses that retain the risk because it is deemed not to be a significant threat or the organisation has no control over it, e.g. regulatory risk
18
Q

What 3 things should the board consider when determining the response to risks?

A
  1. The ‘exposure’ to the risk – is it high, medium or low?
  2. Any negative consequences of the response(s).
  3. Whether they are adding responses to existing ones rather than formulating new responses to the risk.
19
Q

What are the 3 most used methods for monitoring risk?

A
  1. Stress testing – the organisation assesses the robustness of the risk response by modelling extreme situations
  2. Developing measures to monitor the effectiveness of the risk response.
  3. Use of internal audit function
20
Q

What are the 2 main communication channels in relation to risk reporting?

How might this be reported in each channel?

A
  1. management to board
  2. board to shareholders

Management to board = Management may use a risk register or dashboard to report to the board on the principal risks faced, the actions taken to deal with the risks, and the effectiveness of those actions

Board to shareholders = company’s strategic report must contain a description of the principal risks and uncertainties facing the company, together with an explanation of how they are to be managed or mitigated
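The assessment procedure from card 16 (rate likelihood and impact, plot on a matrix, multiply the ratings to rank) and the management-to-board risk register or dashboard from card 20 can be shown together in one worked example. The Python below is an added illustration, not part of the flashcards or any FRC/COSO material; the risks, owners, ratings and the board appetite threshold are constructed, and the 1–3 rating scale and the rule that a score above the appetite makes a risk “principal” are assumptions for the example.

```python
# Added example (not from the flashcards): a small risk register that applies
# the assessment and ranking procedure on this page - rate likelihood (high /
# medium / low) and impact (significant / moderate / minor), plot on a 3x3
# matrix and multiply the ratings - then reports the ranked risks against a
# board-set appetite the way a management-to-board dashboard would.
# All risks, ratings and the threshold below are constructed illustrations.
from __future__ import annotations
from dataclasses import dataclass

# Assessment criteria: each qualitative rating mapped to a 1..3 number.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"minor": 1, "moderate": 2, "significant": 3}


@dataclass
class Risk:
    name: str
    category: str      # financial / operational / compliance / strategic
    likelihood: str    # key of LIKELIHOOD
    impact: str        # key of IMPACT
    response: str      # avoid / reduce / transfer / accept
    owner: str

    def score(self) -> int:
        """Likelihood rating multiplied by impact rating (1..9)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def matrix_cell(self) -> tuple[int, int]:
        """(likelihood row, impact column) on the 3x3 matrix."""
        return (LIKELIHOOD[self.likelihood], IMPACT[self.impact])


def rank_risks(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken so that the higher-impact risk
    outranks the higher-likelihood one (a board usually cares more about
    severity than frequency when the products are equal)."""
    return sorted(register, key=lambda r: (r.score(), IMPACT[r.impact]), reverse=True)


def principal_risks(register: list[Risk], appetite: int) -> list[Risk]:
    """Risks scoring above the board's appetite threshold are escalated as
    principal risks; the rest are treated as within tolerance."""
    return [r for r in rank_risks(register) if r.score() > appetite]


def matrix(register: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """3x3 grid keyed by (likelihood, impact) listing the risk names per cell."""
    grid: dict[tuple[int, int], list[str]] = {
        (lk, im): [] for lk in (1, 2, 3) for im in (1, 2, 3)
    }
    for r in register:
        grid[r.matrix_cell()].append(r.name)
    return grid


def board_report(register: list[Risk], appetite: int) -> str:
    """Plain-text dashboard: ranked risks, the response chosen, the owner, and
    whether each sits above the appetite threshold."""
    lines = [f"Risk appetite threshold: score > {appetite} is a principal risk", ""]
    for r in rank_risks(register):
        flag = "PRINCIPAL" if r.score() > appetite else "within tolerance"
        lines.append(
            f"{r.score():>2}  {r.name:<28} {r.category:<12} "
            f"L={r.likelihood:<6} I={r.impact:<11} "
            f"response={r.response:<8} owner={r.owner:<4} {flag}"
        )
    return "\n".join(lines)


# Constructed sample register (not real data).
REGISTER = [
    Risk("Ransomware on ERP", "operational", "medium", "significant", "reduce", "CIO"),
    Risk("Key customer default", "financial", "medium", "moderate", "transfer", "CFO"),
    Risk("GDPR breach fine", "compliance", "low", "significant", "reduce", "DPO"),
    Risk("New entrant undercuts prices", "strategic", "high", "moderate", "accept", "CEO"),
    Risk("Office lease renewal cost", "financial", "high", "minor", "accept", "CFO"),
]
BOARD_APPETITE = 4  # constructed board-set threshold on the 1..9 scale

if __name__ == "__main__":
    print(board_report(REGISTER, BOARD_APPETITE))
```

With these constructed inputs the ransomware and new-entrant risks both score 6 and are escalated as principal risks; the tie-break puts the significant-impact ransomware risk first. The multiplied score and the matrix cell carry the same information, so a practitioner normally keeps both: the score for ranking, the matrix for the board-level picture of where risks cluster.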

21
Q

What are the 3 main benefits of a risk management system and 2 mini benefits in relation to each?

A

• For operation performance:
1. Increases the likelihood of achieving business objectives.
2. Helps management to enhance risk awareness

• For financial performance:
3. Contributes to a better credit rating
4. Builds investor confidence

• For decision making:
5. Shares risk information across the organisation, contributing to informed decisions.
6. Facilitates transparency of risks at board level

22
Q

The board has overall responsibility for risk management. What 3 things does this involve?

To carry out these responsibilities effectively, what should board members have?

What are 2 issues causing boards to become more interested in risk management?

A
  1. Deciding the organisation’s risk appetite.
  2. Monitoring the performance of management, to ensure that the business is being managed within the risk guidelines
  3. Monitoring the risk management system to ensure that it is effective and fit for purpose.

an understanding of risks and risk management = training is very important

  1. The increased speed of change in the business environment, which requires a greater speed of response in terms of risk management.
  2. The change in the type of risks from tangible measurable risks to intangible risks, such as reputational and cyber risks, which required new methods of assessment and mitigation.
23
Q

Describe the case of Volkswagen in 2015 known as ‘Dieselgate’.
What went wrong?

A

VW learned that its diesel cars could not meet US emissions standards, so it deployed engine-control software (a ‘defeat device’) that recognised when a car was under test and ran it in a low-emission mode only during testing, so the cars passed tests they would otherwise have failed.

VW’s publicly announced goal was growth = to become the largest car maker by sales in the world
Remuneration policies were heavily performance related and relied on achievement of this goal = an incentive not to be honest

24
Q

What are 6 common failures of boards in relation to risks and internal controls?

A
  1. Failure to take responsibility at the board level
  2. Failure to capture the major risks of the organisation
  3. Failure to put in place the appropriate controls
  4. Failure to manage reputational risk
  5. Failure to map out clearly who has responsibility for what, at different levels of the organisation
  6. Failure to decide effectively the risk appetite
25
Q

What does provision 31 UK CG Code say the board should do regarding the long-term viability statement? (2)

Is the assessment period 12 months?

A

• Provision 31 = board should:
1. explain in the annual report how it has assessed the prospects of the company, over what period it has done so and why it considers that period appropriate
2. state whether it has a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due over the period of their assessment

It is anticipated that the assessment period will be significantly longer than 12 months

26
Q

What is corporate sustainability about?

What is the key aspect?

What does sustainability require the balance of?

What is the challenge with this? (3)

A

= about ensuring the long-term survival of the organisation

• key aspect = the management of the organisation’s economic, social and environmental impacts, whether negative or positive.

• Sustainability requires the balance of current needs against future needs.

• The challenge with this is determining:
1. What are current and future needs?
2. What is the time period to be considered when looking at future generations?
3. Who the sustainability should be for (e.g. the company, the country or the world)

27
Q

What does Principle A of the UK CG Code say?

How does the board do this? (8 steps)

A

• Principle A = the board’s role ‘is to promote the long-term sustainable success of the company, generating value for shareholders and contributing to wider society’

Step 1 = determine what the organisation’s sustainability needs are = examine the resources / processes critical for sustainability found in the organisation’s strategic objectives and risk management

Step 2 = identify potential threats to the supply and maintenance of them

Step 3 = develop sustainability objectives and policies in conjunction with management

Step 4 = develop a sustainability or business continuity plan (BCP) based on these

Step 5 = recommend the BCP to the board for approval

Step 6 = communicate the relevant parts of the BCP internally and externally

Step 7 = develop and monitor sustainability indicators to assess whether plans are effective

Step 8 = evaluate BCP annually