Name and explain the two main categories of risk.
Name and explain the two main categories of risk?
A) Strategic risks - those within the external environment (which are largely outside the control of the company)
B) Operational risks - those internal to the company (and which can be managed by internal controls)
Give examples of three types of risk within each of the above categories.
Give examples of three types of risk within each of the above categories:
Strategic risks:
- reputation
- competition
- business environment (industry)
- financial (economic)
- compliance/legal
- social/environmental
Operational risks:
- financial (decreased revenues, increased costs, liquidity)
- technology/systems/procedures
compliance/regulatory/legal - governance
- health and safety
- data/premises/assets security
List the main elements of an effective risk management system?
List the main elements of an effective risk management system
- Governance and culture
- Strategy and objective setting
- Performance
- Review and revision
- Information and communications
(Per the COSO ERM Model)
What are the four responses or actions that can be taken in respect of risk?
What are the four responses or actions that can be taken in respect of risk?
- Avoid - reduces the likelihood of the risk occurring (eg. Shutting down or selling part of a business causing the risk)
- Accept - retains the risk as not deemed a significant threat or organization has no control over it (eg. Regulatory risk)
- Reduce - reduces the negative impact or takes advantage of opportunities for positive impact
- Transfer - responses that transfer the risk somewhere else, e.g insurance or outsourcing
What does the main principle of the UK Corporate Governance Code say in relation to risk management and internal controls?
What does the main principle of the UK Corporate Governance Code say in relation to risk management and internal controls?
Principle O states that the board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.
Explain the difference between downside risk and upside risk, giving an example of each?
Explain the difference between downside risk and upside risk, giving an example of each?
- Downside risk – a risk that actual events will turn out worse than expected. Examples: fires, consequences of bad weather, earthquakes, IT breakdown.
- Upside risk – a risk that actual events will turn out better than expected and will provide unexpected profits. Examples: sales volumes being higher than planned, an investment decision could lead to higher than expected returns, take-up of a product or service being more than anticipated.
- Some risks (change in interest rates or change in consumer buying patterns) could be ‘two way’ with both upside and downside potential.
Describe three types of internal controls?
Describe three types of internal controls?
There are financial, operational and compliance controls within an organisation related to the management of each of those types of risks.
OR
There are preventative, detective and corrective controls.
- Preventative controls are intended to prevent an adverse risk event from occurring. i.e retail and shop lifting (tagging items)
- Detective controls are for detecting risk events when they happen so that the appropriate person is alerted and corrective action can be taken.
- Corrective controls are for dealing with risk events that have occurred and their consequences.
List the 5 elements of the COSO framework for an internal control system?
List the 5 elements of the COSO framework for an internal control system?
- A control environment
- Risk identification and assessment
- Internal controls
- Information and communication
- Monitoring
How does the FRC Guidance on Audit Committees suggest that the independence of the internal audit function can be protected?
How does the FRC Guidance on Audit Committees suggest that the independence of the internal audit function can be protected?
- Audit committee should approve the appointment or termination of the head of internal audit
- Internal audit should have access to the audit committee and board chairman where necessary
- Audit committee should ensure internal audit has a reporting line which enables it to be independent of the executive and so able to exercise independent judgement.
Which provision of the UK Corporate Governance Code relates to monitoring and reviewing the effectiveness of risk management and internal control systems and what does it recommend?
Which provision of the UK Corporate Governance Code relates to monitoring and reviewing the effectiveness of risk management and internal control systems and what does it recommend?
Provision 29 states that the board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on this in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.
Which provision of the UK Corporate Governance Code relates to whistleblowing procedures and what does it recommend?
Which provision of the UK Corporate Governance Code relates to whistleblowing procedures and what does it recommend?
Provision 6 states….
that there should be a means for the workforce to raise concerns in confidence and – if they wish – anonymously. The board should routinely review this and the reports arising from its operation.
It should ensure that arrangements are in place for the proportionate and independent investigation of such matters and for follow-up action.
What are listed companies required to do under the DTRs in respect of internal control weaknesses?
What are listed companies required to do under the DTRs in respect of internal control weaknesses?
The DTRs require the disclosure in the annual report of a description of the main features of the company’s internal control and risk management systems relating to the financial reporting process. There is also an obligation for boards of directors to report significant internal control weaknesses when they occur, if the company’s financial performance or position would be adversely affected as a result.
Give some examples of the methods that can be used to identify risk.
Give some examples of the methods that can be used to identify risk?
Various methods can be used to identify risks, including:
- mind mapping (the simplest method involving thinking of all the risks to an organisation);
- process mapping where every process is reviewed to identify interdependent, critical and vulnerable functions and activities;
- stress testing where an organisation assesses the ability to withstand extreme unexpected events and use the findings to identify the areas of risk that need to be managed; and
- the use of internal documents such as business impact studies and market research reports and expert reports on specific subjects.
What are the three main benefits of risk management?
The three main benefits of risk management are:
- for operational performance
- for financial performance
- for decision making
What are the main elements within a disaster recovery plan?
A disaster recovery plan would typically contain:
- details of which operations are essential and must be maintained;
- Identification of operations that are reliant on IT systems;
- details of where operations and staff can be moved to in the usual location is not usable;
- identification of key personnel who are needed to maintain the systems required to keep essential operations running;
- identification of who should be responsible for communicating with staff; and
- identification of who should be responsible for keeping the public informed about the impact of the disaster and recovery measures being taken.
Responsibilities of the board in risk management?
Responsibilities of the board in risk management:
- ensure ‘appropriate’ systems for identifying risks and make a ‘robust assessment’ of those risks;
- determine nature and extent of principal risks and those risks company is willing to take to achieve strategic objectives (risk appetite);
- ensure appropriate culture and reward systems are embedded throughout the company;
- agree how to manage or mitigate principal risks to reduce probability and/or impact;
- review effectiveness of risk management and internal control systems and take corrective action where necessary; and
- ensure there are sound processes for internal and external communications on risk management and internal control.
Business risks?
Business Risks:
The possibility of a company having lower than anticipated profits or experience a loss
Categories:
- Reputational risk
- Competition risk
- Business environment risks
- Liquidity risks
Governance Risk?
Governance Risks:
Risks associated with:
- Structure
- Processes
- Information
- People and culture
DTR: Disclosure of internal control weaknesses
DTR: Disclosure of internal control weaknesses:
Neither the UK CG Code nor the FRC Guidance call for disclosure of failures in internal controls or weaknesses in the system, or measures that have been taken to deal with them.
Under the DTR, the board of a listed company has an obligation to report significant internal control weaknesses, when they occur, if the company’s financial performance or position would be badly affected as a result.
Risk management and internal control ‘models’
Risk management and internal control ‘models’:
The most commonly used ‘models’ are
In the UK:
The Turnbull Report/Guidance (now replaced by FRC Guidance). Considers risk management and internal controls jointly
In the USA:
Committee of Sponsoring Organisations (COSO). Considers risk management and internal controls as two separate systems
The Turnbull Report
The Turnbull Report:
Recommended that there should be financial, operational and compliance controls to deal with risks in each of these areas.
- Financial – internal controls to provide reasonable assurance around transactions, access to assets and keeping proper records
- Operational – internal controls that help to reduce risks or identify failures in operational systems. Designed to prevent, detect and/or correct operational failures
- Compliance – concerned with making sure that organisation complies with all requirements of relevant legislation and regulations
Elements of an effective Risk Management System (COSO Enterprise Risk Management (ERM) Model, 2017)
Elements of an effective Risk Management System (COSO Enterprise Risk Management (ERM) Model, 2017)…
- Governance and culture
Governance sets the organization’s tone on oversight responsibilities and culture pertains to ethical values, desired behaviours and understanding of risk
- Strategy and objective-setting
Process for setting objectives for the company that are consistent with the organisation’s aims and the board’s risk appetite
- Performance
Risks that may impact the achievement of strategy and business objectives need to be identified and assessed
- Review and revision
By reviewing performance an organisation can consider how well the risk management components are functioning and what revision are needed over time.
- Information and communication
Continual process of obtaining and sharing necessary information from internal and external sources, and flowing up, down and across the organisation
Examples of Strategic Risks?
Examples of Strategic Risks:
- Competition
- Market
- Financial (Economic)
- Reputation
- ‘PEST’ factors: political and regulatory, economic, social and environmental and technology
- ‘PESTLE’ analysis: political, economic, social, technological, legal, environmental
Examples of Operational Risks?
Examples of Operational Risks:
- Financial (including liquidity)
- Compliance/legal
- Technology
- Health and Safety
- Premises/assets security
- Data security
- Cyber security
