12 + 13 - Risk Flashcards

1
Q

8 responsibilities of the CoSec re. internal management and internal control

A
  • Develop strategic objectives
  • Identify principal risks (to strategic objectives)
  • Carry out ‘robust’ assessment of principal risks
  • Explain how risks are being managed/mitigated
  • Monitor risk management and internal control systems
  • Review effectiveness of systems at least annually
  • Assess future viability of company re current position and principal risks
  • Report on above in annual report
2
Q

Define internal control system

A

Structures, policies and procedures relating to management of business risk

3
Q

3 benefits of having an internal control system for managing business risk

A
  • Ensuring financial records and reports are reliable and reducing the risk of financial fraud
  • Improving effectiveness of operations
  • Ensuring compliance with applicable laws and regulations
4
Q

What is FRC’s additional guidance on risk management and internal control called?

A

Guidance on Risk Management, Internal Control and Related Financial and Business Reporting

5
Q

Define risk

A

The possibility that something unexpected or not planned for will happen

6
Q

What are the two types of risk an organisation should plan for?

A
  • Downside risk
  • Upside/opportunity risk
7
Q

3 examples of downside risk

A
  • Fires
  • Earthquakes
  • IT breakdowns
8
Q

2 examples of upside risk

A
  • Sales volumes being higher than expected
  • Investment decision yielding better than expected results
9
Q

Define business risk

A

The possibility that a company will have lower than anticipated profits or will make a loss rather than a profit

10
Q

4 categories within ‘business risk’

A
  • Reputational
  • Competition
  • Business environment
  • Liquidity
11
Q

Explain reputational risk as a form of business risk

A

The risk of loss of customer loyalty or support following an event that has damaged the company’s reputation

12
Q

Explain competition risk as a form of business risk

A

The risk that business performance will be affected because of the actions of competitors (often competitor innovation)

13
Q

Explain business environment risk as a form of business risk

A

The risk that the business environment in which the company operates will change significantly, due to:
  • Political factors
  • Regulatory factors
  • Economic factors
  • Social and environmental factors
  • Technological factors

14
Q

Explain liquidity risk as a form of business risk

A

The risk that the company will have insufficient cash to settle all of its liabilities on time, so will be forced out of business

15
Q

Governance risk relates to risks associated with: (4)

A
  • Structure
  • Processes
  • Information
  • People and culture
16
Q

Internal controls can be classified into which 3 main types?

A
  • Preventative controls
  • Detective controls
  • Corrective controls
17
Q

Explain preventative controls as a type of internal control

A

Intended to prevent an adverse risk from occurring - e.g. fraud by employees

18
Q

Explain detective controls as a type of internal control

A

For detecting risk events when they occur, so that the appropriate person is alerted, and corrective action taken

19
Q

Explain corrective controls as a type of internal control

A

Dealing with risk events that have occurred and their consequences

20
Q

Who is ultimately responsible for managing risk?

A

The Board

21
Q

2 reasons why internal controls may fail

A
  • They are badly designed, so incapable of achieving their purpose as a control
  • They are well-designed, but are not applied properly, due to human error or oversight
22
Q

What are the 5 categories of risk?

A
  • Financial
  • Operational
  • Compliance
  • Strategic
  • Reputational (often treated as falling within strategic)
23
Q

3 examples of financial risks

A
  • Risk of errors or fraud in accounting systems
  • Liquidity risk
  • Credit risk
24
Q

3 examples of operational risks

A
  • Theft of information from the org
  • Inefficient or ineffective use of resources
  • Errors and omissions by staff
25
Q

What is a strategic risk?

A

Usually an external risk occurring or arising in the business environment in which the organisation operates

26
Q

What is a compliance risk?

A

Non-compliance with important laws or regulations, leading to legal action and/or fines

27
Q

5 examples of strategic risks

A
  • Political risks
  • Environmental risks
  • Stakeholder risks
  • Reputational risks
  • Supplier risks
28
Q

4 methods of identifying risks

A
  • Mind mapping
  • Process mapping
  • Stress testing
  • Use of internally generated documents
29
Q

Which method of risk identification/assessment is most important re. exam?

A

Stress testing

30
Q

3 examples of internally generated documents to identify risks

A
  • Business impact studies
  • Market research reports
  • Expert reports (such as on H&S)
31
Q

What is process mapping as a method to identify risks?

A

Involves mapping every process within an org to identify interdependent, critical and vulnerable functions and activities within the org; related risks can then be managed

32
Q

What is stress testing as a method to identify risks?

A

Modelling a series of hypothetical circumstances to assess ability to withstand unexpected events or shocks.

33
Q

Benefits of stress testing as a method to identify risks (2)

A
  • Company can assess worst-case impact of particular events, and principal risks in relation to those events
  • Company can assess the effectiveness of proposed measures to reduce or manage risk
34
Q

What should an organisation consider to determine whether a risk is a principal risk?

A
  • Likelihood or probability of occurrence (high, medium or low)
  • Potential size and impact of the occurrence (significant, moderate or minor)
35
Q

2 things that should be considered by management when establishing criteria for risk assessment

A
  • Risk appetite
  • Risk tolerance
36
Q

Define risk appetite

A

The level of risk an org is willing to take in the pursuit of its objectives

37
Q

Define risk tolerance

A

The amount of risk an org is prepared to accept in order to achieve its financial objectives
* Quantitative measure *

38
Q

What should board consider after having assessed risks, to decide how to respond? (2)

A

Risk tolerance and risk appetite

39
Q

2 methods by which risks can be ranked so they can be prioritised

A
  • Plotting them on a matrix measuring probability against severity
  • Multiplying likelihood against impact ratings
40
Q

4 main responses to risks, once they have been identified

A
  • Avoidance
  • Reduction
  • Transfer
  • Acceptance
* Note: these could all be used in response to the same risk *
41
Q

What is meant by reduction as a response to risk?

A

Reducing the negative impact of the risk

42
Q

What is meant by avoidance as a response to risk?

A

Reduces likelihood of risk occurring - usually by shutting down or selling part of business causing the risk

43
Q

What is meant by transfer as a response to risk?

A

Transfer the risk to somewhere else, e.g. insurance or outsourcing

44
Q

What is meant by acceptance as a response to risk?

A

No action is taken as it is deemed to be insignificant or uncontrollable

45
Q

3 considerations of board when determining response to risk

A
  • The ‘exposure’ (ranking) of the risk
  • Any negative consequences to the response(s)
  • Whether they are responding to the original risk or responding to the response (leads to ineffective use of resources and creation of new risks)
46
Q

How does risk management benefit operational performance? (3)

A
  • Increases likelihood of achieving business objectives
  • Provides platform for regulatory compliance
  • Facilitates monitoring and mitigation of risk in key projects and initiatives
47
Q

What must be included in the strategic report re. risks and uncertainties?

A

Description of principal risks and uncertainties facing the company, with an explanation of how they are to be managed or mitigated

48
Q

How does risk management benefit financial performance? (2)

A
  • Contributes to better credit rating/reduces insurance premium
  • Builds investor, stakeholder and regulator confidence
49
Q

How does risk management benefit decision making? (2)

A
  • Facilitates assurance and transparency of risks at board level
  • Enables decisions to be made in light of impact of risks and in consideration of risk appetite and tolerance
50
Q

How to ensure board can effectively carry out responsibilities in relation to risk?

A

Ensure board members have an understanding of risk and risk management through training

51
Q

Role of board re. risk

A
  • Deciding risk appetite
  • Ensuring management manage risk within the board’s guidelines for risk appetite
  • Monitoring performance of management, to ensure business is being managed within the risk guidelines
  • Monitoring risk management system for effectiveness
52
Q

9 common failures of boards re. risk

A

Failure:
  • To take responsibility at board level
  • To see importance of risk to org as a whole
  • To capture major risks
  • To consider integrated nature of risk
  • To put in place appropriate control or other mitigants for risk
  • To manage reputational risk
  • To map out who has responsibility for what, at each level of org
  • To consider, decide or articulate risk appetite
  • To obtain and share timely and good quality info

53
Q

What is meant by failure to consider integrated nature of risk?

A

Board may split risk into silos (e.g. legal risks dealt with by legal department), in doing so failing to understand how a risk would affect the org as a whole

54
Q

2 main frameworks of risk management accepted globally

A
  • UK system
  • US COSO frameworks
55
Q

Risk management - Main difference between UK system and US COSO framework

A

UK integrates risk management and internal control systems whereas COSO framework deals with them separately

56
Q

Look at Code - which provision related to long-term viability statement

A

Provision 31

57
Q

What is the assessment period expected to be for risk? - re. long term viability statement

A

Significantly longer than 12 months

58
Q

Long-term viability statement requires ‘reasonable expectation that company will continue’ - expand on this

A

No requirement for certainty, so the board need not produce a detailed justification

59
Q

Which types of qualifications and assumptions should be stated in annual report in relation to long-term viability statement?

A

Company specific - not generic statements that are relevant or highly unlikely

60
Q

What is the purpose of corporate sustainability?

A

Ensuring the long-term survival of the organisation

61
Q

What does sustainability require?

A
  • What are current and future needs?
  • Time period to be considered when looking towards future
  • Should sustainability be for the company alone, or for the country and the people within the country
62
Q

5 key elements (phases) in how a Board should plan for sustainability

A
  • Determining sustainability needs by examining critical resources, assets and processes
  • Identifying potential threats to the above
  • Development of sustainability objectives and policies
  • Development of business continuity plan based on above
  • Sustainability indicators developed and monitored to assess effectiveness of plans
63
Q

Look at Code - which provision sets out responsibilities of audit committee?

A

Provision 25

64
Q

8 headings if answering question on reassessing specific risk and disclosures in annual report

A
  • Role of the Board under Code
  • Role of Audit committee under code
  • Role of Board in reviewing and disclosing risks
  • Role of Audit Committee in reviewing and disclosing principal risks
  • Application to specific risk
  • Link with viability statement
  • Consequences of failing to assess correctly
  • Disclosures in Audit Committee Report
65
Q

2 considerations of the board when deciding whether to establish an audit committee

A
  • Whether there is a requirement (listed co’s and fin. institutions)
  • Whether the level of discussion and monitoring required on risk management and internal controls is beyond the board’s capabilities
66
Q

Why might companies establish a separate risk committee in addition to the audit committee?

A

If the audit committee is overwhelmed by its duties covering financial reporting and internal controls

67
Q

2 key benefits to establishing a separate risk committee in addition to audit committee

A
  • It can focus solely on reviewing risk management, improving effectiveness and efficiency
  • Composition of committee is not restricted by CG Code
68
Q

4 of the responsibilities of the risk committee

A
  • Monitoring risk areas faced and reporting on them
  • Monitoring behaviour of management to ensure there is not excessive risk taking
  • Recommending changes in risk management policies
  • Reviewing and approving statements in the annual report concerning risk management
69
Q

3 risks/disadvantages associated with establishing risk committee

A
  • Conflict between audit and risk committees leads to undefined roles and danger of overlooking some risks
  • Senior management gets impression that they are not responsible for risk
  • Smaller boards may not have sufficient directors with the required skills to constitute separate committee
70
Q

What is a ‘co-sourced’ internal audit function?

A

Company hires a small team of internal auditors and uses an outside professional firm to supplement the team and provide strategic direction

71
Q

3 benefits of having in-house internal audit function

A
  • Better understanding of the organisation, its culture, operations and risk profile
  • Can build networks throughout the organisation, ensuring integration through business
  • Could be a lower-cost option
72
Q

3 negatives of an in-house internal audit function

A
  • Potential loss of external resources, experience and skills of external professional team
  • Potentially less cost effective for a smaller company, as only an ad hoc service may be needed
  • In-house internal audit team may lose independence, as they may find it difficult to criticise their superiors
73
Q

Aim of internal audit

A

Help organisation accomplish its objectives by bringing systematic, disciplined approach to evaluate and improve effectiveness of risk management, control and governance processes

74
Q

How often should internal audit function be reviewed?

A

Annually

75
Q

Review of risk management and internal control systems should ensure that they: (3)

A
  • Remain aligned with org’s strategic objectives
  • Address risks facing the org
  • Are being developed, applied and maintained appropriately for the org
76
Q

A whistleblowing policy should cover: (6)

A
  • Purpose, scope and coverage
  • Procedures for reporting a matter
  • What happens when a report is received
  • Anonymity (or non-anonymity) of the whistleblower
  • Communication with the whistleblower
  • Protection of the whistleblower
77
Q

5 key features of effective whistleblowing policy

A
  • Matters can be raised anonymously
  • Employees confident they will be protected and not disadvantaged
  • Matters raised are treated seriously and investigated promptly
  • Board should receive regular reports
  • Employees should be aware through induction and ongoing training
78
Q

Define whistleblowing

A

Process by which company’s employees can raise matters of concern in the workplace, such as fraud, safety or misbehaviour, which they do not feel able to raise through normal internal controls or procedures

79
Q

Importance of governance of information (2)

A

Governance of information is a critical risk and compliance issue for organisations, in particular, for companies with shares traded on the Stock Exchange.

Information must be managed effectively, and confidential information must be protected.

80
Q

3 key parts of governance of information

A
  • Cyber security
  • Data protection
  • Compliance with requirements for disclosure of information
81
Q

Three parts to cybersecurity policy

A
  • IT hardware and software systems need to be secure and resilient to latest forms of viruses and malware
  • Regular item on Board agenda
  • Employees should receive induction and ongoing training
  • Resilience of systems to cyber attacks needs to be reviewed and tested regularly
  • Procedures and policies should be in place for responding to a cyber-attack, including disaster recovery plans
82
Q

3 regulators requiring organisations to take cybersecurity seriously or to make disclosures following cybersecurity issues

A
  • Market abuse regulation
  • GDPR / Information Commissioner’s office
  • Network and Information System Regulations 2020
83
Q

What must companies do re. data protection?

A

Ensure compliance with all UK data protection laws, including in particular the UK GDPR

84
Q

3 key features of procedures co’s should have in place to comply with inside information requirements

A
  • Ensuring inside information is disclosed immediately, unless exception applies
  • Announcing to market via a Regulatory Information Service at first instance
  • If release is delayed, ensure it is disclosed internally only on a need to know basis
85
Q

3 examples of disasters - disaster recovery plans

A
  • Natural disasters
  • IT disruptions
  • Major terrorist attacks
86
Q

In which industries are disaster recovery plans most needed?

A

Where a lengthy or widespread shutdown of operations could be catastrophic
E.g. banking or energy supply industry

87
Q

What should a disaster recovery plan do? (5) - key elements

A
  • Specify which operations are essential and must be kept going
  • Identify and analyse all potential threats to essential ops
  • Identify possible reactions to potential threats (both immediate and ongoing)
  • Identify which essential staff are needed to keep essential operations running
  • Identify who should be responsible for external communication about impact of disaster and recovery
88
Q

Purpose of a disaster recovery plan

A

Set out what should be done after a disaster event to try to manage and mitigate the negative effects, and effectively recover from the event

89
Q

3 offences under UK Bribery Act 2010

A
  • Offering and receiving bribes
  • Bribery of foreign public officials for business benefit
  • Failure to prevent a bribe being paid on organisation’s behalf
90
Q

What is considered a valid defence of a charge against failing to prevent bribery?

A

Evidence that adequate procedures were in place to prevent bribery

91
Q

6 key principles in preventing bribery (Ministry of Justice guidance)

A

  • Proportionate procedures (procedures in place appropriate to risk of bribery)
  • Top-level commitment
  • Risk assessment (regular)
  • Due diligence (of third party intermediaries and agents acting on behalf of org)
  • Communication (within org to ensure policies are embedded and understood)
  • Monitoring and review (of procedures to identify weaknesses)

92
Q

Board should plan for internal conflicts because they can have the following impacts: (3)

A
  • Take considerable time to resolve
  • Financial losses
  • Reputational harm
93
Q

What should the board do in response/in relation to conflicts?

A
  • Plan ahead by anticipating potential disputes
  • Ensure policies, procedures and legal docs are aimed at minimising risk of conflict
  • Ensure there is evidence that policies and procedures are integrated into culture
  • Identify a person to manage the dispute resolution process (cosec or lawyer)
  • Review effectiveness of dispute resolution process
  • Be prepared for mediation and possibly litigation to resolve conflicts
94
Q

5 steps CoSec should take to avoid board conflict

A
  • Ensure roles are clearly set out in clear and concise way
  • Ensure there is no misunderstanding as to what is expected from board members
  • Delegation of authority to CEO is clearly documented
  • Proper flows of information to and from board
  • Encouraging creation of a good culture within the board
95
Q

To prove ‘adequate processes’ defence to bribery, a company needs to (among other things) (4)

A
  • Have a specific bribery policy and procedures in place
  • Have evidence of communication and implementation of policy, including training
  • Have a mechanism for reporting breaches of policy
  • Show evidence of discussions of high-risk activities and relationships and reasons for continuing or terminating them