Test your knowledge - Part 4 Flashcards

1
Q

Name and explain the two main categories of risk.

A

Name and explain the two main categories of risk?

A) Strategic risks - those within the external environment (which are largely outside the control of the company)

B) Operational risks - those internal to the company (and which can be managed by internal controls)

2
Q

Give examples of three types of risk within each of the above categories.

A

Give examples of three types of risk within each of the above categories:

Strategic risks:

  • reputation
  • competition
  • business environment (industry)
  • financial (economic)
  • compliance/legal
  • social/environmental

Operational risks:

  • financial (decreased revenues, increased costs, liquidity)
  • technology/systems/procedures
  • compliance/regulatory/legal
  • governance
  • health and safety
  • data/premises/assets security
3
Q

List the main elements of an effective risk management system?

A

List the main elements of an effective risk management system

  • Governance and culture
  • Strategy and objective setting
  • Performance
  • Review and revision
  • Information and communications

(Per the COSO ERM Model)

4
Q

What are the four responses or actions that can be taken in respect of risk?

A

What are the four responses or actions that can be taken in respect of risk?

  1. Avoid - reduces the likelihood of the risk occurring (e.g. shutting down or selling the part of the business causing the risk)
  2. Accept - retains the risk because it is not deemed a significant threat or the organisation has no control over it (e.g. regulatory risk)
  3. Reduce - reduces the negative impact or takes advantage of opportunities for positive impact
  4. Transfer - responses that transfer the risk somewhere else, e.g. insurance or outsourcing
5
Q

What does the main principle of the UK Corporate Governance Code say in relation to risk management and internal controls?

A

What does the main principle of the UK Corporate Governance Code say in relation to risk management and internal controls?

Principle O states that the board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.

6
Q

Explain the difference between downside risk and upside risk, giving an example of each?

A

Explain the difference between downside risk and upside risk, giving an example of each?

  1. Downside risk – a risk that actual events will turn out worse than expected. Examples: fires, consequences of bad weather, earthquakes, IT breakdown.
  2. Upside risk – a risk that actual events will turn out better than expected and will provide unexpected profits. Examples: sales volumes being higher than planned, an investment decision could lead to higher than expected returns, take-up of a product or service being more than anticipated.
  3. Some risks (change in interest rates or change in consumer buying patterns) could be ‘two way’ with both upside and downside potential.
7
Q

Describe three types of internal controls?

A

Describe three types of internal controls?

There are financial, operational and compliance controls within an organisation related to the management of each of those types of risks.

OR

There are preventative, detective and corrective controls.

  1. Preventative controls are intended to prevent an adverse risk event from occurring, e.g. tagging items in a retail shop to prevent shoplifting.
  2. Detective controls are for detecting risk events when they happen so that the appropriate person is alerted and corrective action can be taken.
  3. Corrective controls are for dealing with risk events that have occurred and their consequences.
8
Q

List the 5 elements of the COSO framework for an internal control system?

A

List the 5 elements of the COSO framework for an internal control system?

  • A control environment
  • Risk identification and assessment
  • Internal controls
  • Information and communication
  • Monitoring
9
Q

How does the FRC Guidance on Audit Committees suggest that the independence of the internal audit function can be protected?

A

How does the FRC Guidance on Audit Committees suggest that the independence of the internal audit function can be protected?

  • Audit committee should approve the appointment or termination of the head of internal audit
  • Internal audit should have access to the audit committee and board chairman where necessary
  • Audit committee should ensure internal audit has a reporting line which enables it to be independent of the executive and so able to exercise independent judgement.
10
Q

Which provision of the UK Corporate Governance Code relates to monitoring and reviewing the effectiveness of risk management and internal control systems and what does it recommend?

A

Which provision of the UK Corporate Governance Code relates to monitoring and reviewing the effectiveness of risk management and internal control systems and what does it recommend?

Provision 29 states that the board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on this in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.

11
Q

Which provision of the UK Corporate Governance Code relates to whistleblowing procedures and what does it recommend?

A

Which provision of the UK Corporate Governance Code relates to whistleblowing procedures and what does it recommend?

Provision 6 states that there should be a means for the workforce to raise concerns in confidence and – if they wish – anonymously. The board should routinely review this and the reports arising from its operation.

It should ensure that arrangements are in place for the proportionate and independent investigation of such matters and for follow-up action.

12
Q

What are listed companies required to do under the DTRs in respect of internal control weaknesses?

A

What are listed companies required to do under the DTRs in respect of internal control weaknesses?

The DTRs require the disclosure in the annual report of a description of the main features of the company’s internal control and risk management systems relating to the financial reporting process. There is also an obligation for boards of directors to report significant internal control weaknesses when they occur, if the company’s financial performance or position would be adversely affected as a result.

13
Q

Give some examples of the methods that can be used to identify risk.

A

Give some examples of the methods that can be used to identify risk?

Various methods can be used to identify risks, including:

  • mind mapping (the simplest method involving thinking of all the risks to an organisation);
  • process mapping where every process is reviewed to identify interdependent, critical and vulnerable functions and activities;
  • stress testing where an organisation assesses the ability to withstand extreme unexpected events and use the findings to identify the areas of risk that need to be managed; and
  • the use of internal documents such as business impact studies and market research reports and expert reports on specific subjects.
14
Q

What are the three main benefits of risk management?

A

The three main benefits of risk management are:

  • for operational performance
  • for financial performance
  • for decision making
15
Q

What are the main elements within a disaster recovery plan?

A

A disaster recovery plan would typically contain:

  1. details of which operations are essential and must be maintained;
  2. identification of operations that are reliant on IT systems;
  3. details of where operations and staff can be moved to if the usual location is not usable;
  4. identification of key personnel who are needed to maintain the systems required to keep essential operations running;
  5. identification of who should be responsible for communicating with staff; and
  6. identification of who should be responsible for keeping the public informed about the impact of the disaster and the recovery measures being taken.
16
Q

Responsibilities of the board in risk management?

A

Responsibilities of the board in risk management:

  1. ensure ‘appropriate’ systems for identifying risks and make a ‘robust assessment’ of those risks;
  2. determine nature and extent of principal risks and those risks company is willing to take to achieve strategic objectives (risk appetite);
  3. ensure appropriate culture and reward systems are embedded throughout the company;
  4. agree how to manage or mitigate principal risks to reduce probability and/or impact;
  5. review effectiveness of risk management and internal control systems and take corrective action where necessary; and
  6. ensure there are sound processes for internal and external communications on risk management and internal control.
17
Q

Business risks?

A

Business Risks:

The possibility of a company having lower than anticipated profits or experiencing a loss.

Categories:

  1. Reputational risk
  2. Competition risk
  3. Business environment risks
  4. Liquidity risks
18
Q

Governance Risk?

A

Governance Risks:

Risks associated with:

  1. Structure
  2. Processes
  3. Information
  4. People and culture
19
Q

DTR: Disclosure of internal control weaknesses

A

DTR: Disclosure of internal control weaknesses:

Neither the UK CG Code nor the FRC Guidance call for disclosure of failures in internal controls or weaknesses in the system, or measures that have been taken to deal with them.

Under the DTR, the board of a listed company has an obligation to report significant internal control weaknesses, when they occur, if the company’s financial performance or position would be badly affected as a result.

20
Q

Risk management and internal control ‘models’

A

Risk management and internal control ‘models’:

The most commonly used ‘models’ are:

In the UK:

The Turnbull Report/Guidance (now replaced by FRC Guidance). Considers risk management and internal controls jointly.

In the USA:

Committee of Sponsoring Organisations (COSO). Considers risk management and internal controls as two separate systems.

21
Q

The Turnbull Report

A

The Turnbull Report:

Recommended that there should be financial, operational and compliance controls to deal with risks in each of these areas.

  1. Financial – internal controls to provide reasonable assurance around transactions, access to assets and keeping proper records
  2. Operational – internal controls that help to reduce risks or identify failures in operational systems. Designed to prevent, detect and/or correct operational failures
  3. Compliance – concerned with making sure that organisation complies with all requirements of relevant legislation and regulations
22
Q

Elements of an effective Risk Management System (COSO Enterprise Risk Management (ERM) Model, 2017)

A

Elements of an effective Risk Management System (COSO Enterprise Risk Management (ERM) Model, 2017)…

  1. Governance and culture

Governance sets the organisation’s tone on oversight responsibilities, and culture pertains to ethical values, desired behaviours and understanding of risk.

  2. Strategy and objective-setting

Process for setting objectives for the company that are consistent with the organisation’s aims and the board’s risk appetite.

  3. Performance

Risks that may impact the achievement of strategy and business objectives need to be identified and assessed.

  4. Review and revision

By reviewing performance, an organisation can consider how well the risk management components are functioning and what revisions are needed over time.

  5. Information and communication

Continual process of obtaining and sharing necessary information from internal and external sources, flowing up, down and across the organisation.

23
Q

Examples of Strategic Risks?

A

Examples of Strategic Risks:

  1. Competition
  2. Market
  3. Financial (Economic)
  4. Reputation
  5. ‘PEST’ factors: political and regulatory, economic, social and environmental and technology
  6. ‘PESTLE’ analysis: political, economic, social, technological, legal, environmental
24
Q

Examples of Operational Risks?

A

Examples of Operational Risks:

  1. Financial (including liquidity)
  2. Compliance/legal
  3. Technology
  4. Health and Safety
  5. Premises/assets security
  6. Data security
  7. Cyber security
25
Q

Categories of Risk - examples (Finance)

A

Categories of Risk - examples (Finance risk):

Errors or fraud in accounting systems or weak controls to protect financial assets:

  1. Failure to record transactions
  2. Failure to collect money owed
  3. Failure to protect cash
  4. Failure to impose stringent payment policies
26
Q

Categories of Risk - examples (Operational Risk)?

A

Categories of Risk - examples (Operational Risk):

Risk of losses resulting from inadequate or failed internal processes, people and systems or external events. They include:

  1. Risk of breakdown
  2. Risk of losing information
  3. Risk of terrorist attack
  4. Losses arising from mistakes by staff
27
Q

Categories of Risk - examples (Compliance Risk)?

A

Categories of Risk - examples (Compliance Risk):

Failure to comply with laws or regulations resulting in fines or legal action.

28
Q

Risk identification?

A

Risk identification…

Methods:

  1. Mind mapping - this is the simplest method and involves thinking of all the risks to the organisation. Risks will then need to be categorised and assessed. However, it may miss risks which would be identified by a more systematic or scientific approach.

An example of this method is a company secretary asking board members to write what they believe are the top three risks to the organisation on a piece of paper. These are then collated and analysed.

  2. Process mapping - this method involves mapping every process within an organisation to identify interdependent, critical and vulnerable functions and activities within the organisation. The related risks can then be managed.
  3. Stress testing - organisations assess their ability to withstand extreme ‘shocks’ or unexpected events in the business environment within which they operate.

The findings of this stress testing would indicate areas of risk to be managed.

  4. Internally generated documents – e.g. business impact studies, market research, historical experiences, lessons learned, expert reports (health & safety, research & development)
29
Q

Risk Appetite and Tolerance?

A

Risk Appetite and Tolerance…

Risk Appetite

The level of risk that a company is willing to take in the pursuit of its objectives

Risk Tolerance

Amount of risk that the company is prepared to accept in order to achieve its financial objectives, expressed as a quantitative measure, such as a permitted range of deviation from a specified target, or maximum limit

30
Q

Risk assessment?

A
  1. A procedure should be established to assess:
  • the likelihood or probability of the occurrence; and
  • the potential size of the impact of the occurrence
  2. Criteria should be developed to assess:
  • the likelihood as high, medium or low; and
  • the impact as significant, moderate or minor
  3. Once assessed, risks should be ranked so they can be prioritised, which is often done by:
  • plotting the assessed risks on a matrix; or
  • multiplying the likelihood and impact ratings to obtain a ranking for each
31
Q

Risk monitoring and reporting

A

Risk monitoring and reporting?

Monitoring methods:

  1. Stress testing - modeling extreme situations to see how effective the response is in reducing the risk
  2. Developing measures to monitor the effectiveness of the risk response
  3. Use of internal audit

Reporting

  1. Management to the board – using a risk register or dashboard
  2. Board to shareholders – description of principal risks and uncertainties included within Strategic Report
32
Q

Long-term viability statement?

A

Long-term viability statement:

Provision 31 of the Corporate Governance Code and the Listing Rules now require companies to give a viability statement.

Under the UK CG Code, listed companies are required to make a long-term viability statement explaining:

  • how it has assessed the prospects of the company;
  • over what period it has done so; and
  • why it considers that period appropriate.

It is anticipated that the assessment period will be significantly longer than 12 months.

Any qualifications and assumptions should be company specific, not generic statements.

33
Q

Internal Audit function Vs Outsourced Audit function?

A

Internal Audit function Vs Outsourced

FRC Guidance on Audit Committees: the need for an internal audit function will depend on company size, diversity, complexity of activities, number of employees and cost-benefit considerations.

The board or audit committee will then need to consider whether to establish:

  1. In-house function with full responsibility of the team
    - Benefits: understanding of organization; able to build networks; provide assurance to stakeholders on integrity of systems/controls; essential part of checks and balances; could be lower-cost option.
  2. Co-sourced function, with a core internal team supplemented with an outside professional firm.
    - Benefits: mixture of those as for in-house and outsourced.
  3. Outsourced function, using an external professional firm to provide all internal audit activities
    - Benefits: company can leverage external resources, technology, skills and experience which may not be available in-house
34
Q

Whistleblowing?

A

Whistleblowing…

An employee who provides information about their company that they reasonably believe provides evidence of:

  1. Fraud
  2. A serious violation of a law or regulation by the company, its directors, managers or employees
  3. A miscarriage of justice
  4. Offering or taking bribes
  5. Price fixing
  6. A danger to public health and safety
  7. Neglect of people in care
  8. In the public sector, gross waste or misuse of public funds
35
Q

Whistleblowing best practice?

A

Whistleblowing best practices…

  1. Encourage employees to report illegal or unethical behaviour but discourage malicious and unfounded allegations
  2. Encourage discussion with colleagues and line management with whistleblowing used when no other way to resolve the issue
  3. Company should not tolerate discrimination against whistleblowers
  4. Company should have a fair system in place and employees should know these procedures
36
Q

Whistleblowing procedure?

A

Whistleblowing procedure..

  1. Should be documented and made available to each employee
  2. Should set out the key aspects of the procedure
  3. Contain a statement about the seriousness with which the company treats malpractice or misconduct
  4. Provide examples of malpractice and misconduct
  5. Provide procedures for investigation
  6. Set out implications for malicious and knowingly false reports
  7. External whistleblowing route provided
  8. Promised confidentiality, as far as possible
37
Q

Cybersecurity risk?

A

Cybersecurity risk..

Growing recognition that cybersecurity should be high on the board’s agenda and is an important part of the risk management process.

Disclosure of breaches:

  1. MAR – any incident significant enough to be considered price sensitive
  2. GDPR – Disclosure to ICO of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data. Disclosure to affected individuals if incident likely to result in high risk to the rights and freedoms of natural persons.
  3. Network and Information Systems (NIS) Regulations 2018 – relevant to operators in the energy, transport, health, drinking water and digital infrastructure sectors. Incidents with a significant impact on the service must be notified to the competent authority
38
Q

Bribery?

A

Bribery…

Criminal offences (UK Bribery Act 2010)

The act or practice of giving or accepting a bribe. Bribery often occurs when a person offers money or something else of value to a public official for the purpose of gaining influence over him or her.

The purpose of bribery is to exert influence or pressure over the official’s actions. Bribery is a crime for which both parties may be charged.

Applies to UK businesses regardless of whether the act of bribery occurs inside or outside the UK.

Companies can protect themselves by having “proportionate procedures” in place to prevent bribery, which can be used as a valid defence.

  • Failure to prevent a bribe being paid on the organisation’s behalf is a criminal offence.
39
Q

Conflict prevention and resolution?

A

Conflict prevention and resolution…

Boards should:

  1. plan ahead by anticipating potential disputes
  2. ensure policies, procedures, legal documents and disclosures are aimed at minimizing risk of conflict
  3. ensure there is evidence that policies/procedures are actually integrated into the culture (not just documents on shelves)
  4. identify a person to manage dispute resolution process (company secretary/lawyer)
  5. review the effectiveness of the dispute resolution process
  6. be prepared for mediation and, as last resort, litigation to resolve conflicts
40
Q

Boardroom conflict?

A

Boardroom conflict

Steps a company secretary can take to minimise boardroom disputes:

  1. Ensure roles have been set out clearly
  2. Hold comprehensive induction for new directors
  3. Have a board charter/governance manual setting out roles of board, committees, senior management
  4. Clearly document delegation of authority to the CEO
  5. Proper flows of information to/from the board
  6. Time allowed on agendas for discussion and debate
  7. Advise the chair to agree board rules for behaviour, attire, etc.
  8. Create the right environment in the boardroom for calm, effective meetings and decision-making
  9. Be prepared to defuse a tense situation by advising the chair to take a break, or by asking for clarity for the minutes
  10. Encourage creation of a good culture within the board