Systems of RM and IC Flashcards
How does the International Standard ISO31000 define risk?
What does risk refer to?
What is downside risk?
What is upside risk?
= the effect of uncertainty on objectives, whether positive or negative.
Risk refers to the possibility that something unexpected or not planned for will happen.
Downside risk = risk that actual events will turn out worse than expected e.g. fires, IT breakdowns
Upside or opportunity risk = risk that actual events will turn out better than expected e.g. sales volumes being higher than expected
Which principle and 2 provisions in the UK CG Code relate to the board’s responsibilities for internal control, risk management systems and internal audit?
Principle O = board should establish procedures:
1. to manage risk
2. oversee the internal control framework
3. determine the nature and extent of the principal risks it is willing to take
Provision 28 = Board should:
1. carry out a robust assessment of the company’s emerging and principal risks
2. confirm in the annual report that it has completed this assessment
Provision 29 = board should:
1. monitor the company’s risk management and internal control systems
2. at least annually, carry out a review of their effectiveness and report on it
What is business risk?
What is it influenced by? (3)
What are the 4 categories?
= the possibility a company will have lower than anticipated profits or experience a loss rather than taking a profit
- influenced by numerous factors e.g. sales volume, input costs, competition etc.
- Reputational risk = the risk of loss in customer loyalty or support due to an event that has damaged the company’s reputation
- Competition risk = the risk that business performance will be affected because of the actions of the company’s competitors
- Business environment risks = the risk that the business environment in which the company operates will change significantly e.g. political, economic, regulatory, social and environmental factors
- Liquidity risk = the risk that the company will have insufficient cash to settle all of its liabilities on time, so will be forced out of business
What is governance risk? (4)
= relates to risks associated with:
1. Structure = from boards to business models and policy frameworks
2. Processes = from communication channels to strategic planning and risk appetite
3. Information = from financial reporting to risk and management reporting
4. People and culture = from leadership at the top to accountability and transparency throughout the organisation
What are the 3 main types of internal controls?
What are internal controls and the internal control system aimed at providing? (3)
What are internal control risks?
- Preventative controls intended to prevent an adverse risk event from occurring, e.g. fraud by employees.
- Detective controls for detecting risk events when they occur, so that the appropriate person is alerted, and corrective action taken.
- Corrective controls for dealing with risk events that have occurred and their consequences
Aimed at providing ‘reasonable assurance’ regarding the achievement of objectives in:
1. Effectiveness of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and regulations
= risks that internal controls will fail to achieve their intended purpose, and will fail to prevent, detect, or correct adverse risk events
What are the 2 most commonly used ‘models’ for risk management and internal control systems?
What has the Turnbull guidance now been replaced by?
How are the 2 models different?
Turnbull Report for UK and Committee of Sponsoring Organisations (COSO) for USA.
- replaced by the FRC’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (2014)
FRC guidance on risk follows a similar ‘model’ to COSO, however it considers risk management and internal control systems jointly and not as 2 separate systems
What are the 6 steps in developing a risk management system?
- Categorising
- Identifying
- Assessment
- Response
- Monitoring
- Reporting
CATEGORISING RISKS
What are the 4 main risk categories?
What are 3 examples of financial risks?
What are operational risks?
What are compliance risks?
What are 3 strategic risks?
Financial, operational, compliance, and strategic
Financial = internal risks:
1. failure to protect cash
2. Liquidity risk – the lack of cash in the business so it is unable to settle its liabilities on time.
3. Credit risk – customers failing to pay what they owe on time.
Operational = risks of organisational processes and systems failing e.g. a terrorist act
Compliance = risk that important laws or regulations will not be complied with properly, leading to legal action and/or fines
Strategic = external risks occurring in the business environment, such as:
1. people risks;
2. ethical risks;
3. reputational risks
IDENTIFYING RISKS
What are the 4 methods for identifying risks?
- Mind mapping = involves thinking of all the risks to the organisation.
- Process mapping = involves mapping every process within an organisation to identify interdependent, critical and vulnerable functions and activities within the organisation.
- Stress testing = organisations assess their ability to withstand extreme ‘shocks’ or unexpected events in the business environment they operate.
- Use of internally generated documents = typically business impact studies and market research reports
ASSESSING RISKS
Once a risk has been identified, how should it be assessed to see if it qualifies as a principal risk? (2)
What is risk appetite?
What is risk tolerance and how is it measured?
How should risks be ranked so they can be prioritised? (2)
- A procedure should be established to assess:
a. the likelihood or probability of the occurrence; and
b. the potential size of the impact of the occurrence.
- Criteria should be developed to assess likelihood as high, medium or low and impact as significant, moderate or minor
- Risk appetite = the level of risk that an organisation is willing to take in the pursuit of its objectives = set by the board
- Risk tolerance = the amount of risk that an organisation is prepared to accept in order to achieve its financial objectives = quantitative measure e.g. value at risk (VaR)
1. By plotting the assessed risks on a matrix.
2. By multiplying the likelihood ratings against the impact ratings.
RESPONDING TO RISKS
What are the 4 main responses to risk?
- Avoidance = responses which reduce the likelihood of the risk occurring, e.g. the organisation shuts down or sells that part of the business that is causing the risk.
- Reduction = responses that reduce the negative impact or take advantage of opportunities for positive impact.
- Transfer = responses that transfer the risk somewhere else, e.g. insurance or outsourcing.
- Acceptance = responses that retain the risk because it is deemed to be not a significant threat or the organisation has no control over it, e.g. regulatory risk
MONITORING RISKS
What are the 3 most used methods for monitoring risk?
- Stress testing – the organisation assesses the robustness of the risk response by modelling extreme situations
- Developing measures to monitor the effectiveness of the risk response.
- Use of internal audit function
REPORTING RISKS
What are the 2 main communication channels in relation to risk reporting?
How might this be reported in each channel?
- management to board
- board to shareholders
Management to board = Management may use a risk register or dashboard to report to the board on the principal risks faced, the actions taken to deal with the risks, and the effectiveness of those actions
Board to shareholders = company’s strategic report must contain a description of the principal risks and uncertainties facing the company, together with an explanation of how they are to be managed or mitigated
What are 5 benefits of a risk management system?
- Increases the likelihood of achieving business objectives.
- Helps management to enhance risk awareness
- Builds investor confidence
- Shares risk information across the organisation, contributing to informed decisions.
- Facilitates transparency of risks at board level
What is the role of the board in risk management and internal control? (4)
- Deciding the organisation’s risk appetite
- Ensuring that management manage risk within the board’s guidelines for risk appetite
- Monitoring the performance of management
- Monitoring the risk management system to ensure that it is effective and achieves its purpose.