Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

Hayley K - Corporate Governance November 2022 > Chapter 12 - Systems of Risk Management & Internal Control > Flashcards

Chapter 12 - Systems of Risk Management & Internal Control Flashcards

1
Q

Why are risk management and internal controls relevant to corporate governance?

A
  • Management of risk requires structures, policies, procedures to be developed, which when operationalised efficiently lead to long-term sustainable success
  • This should create a culture - better performing org that is more likely to deal with shocks of the environment it operates in- which leads to its continued sustainability.
  • Board, in governing, should be managing the risk the organisation is willing to take in achieving its strategic objectives.
  • Level of success can affect performance/solvency of the company
  • Development of internal controls - CG best practice refers to boards responsibility to ensure systems for RM and IC are effective
  • CoSec should advise board on significance of RM to CG / their responsibilities re RM/IC systems
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are 2 essential tasks re the governance aspect of RM/IC??

A
  • Ensuring that robust internal controls are in place to manage risks and that these are reviewed and monitored.
  • Define risk tolerance & risk appetite
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the CoSec’s role in respect of risk management & internal controls?

A

Advise/facilitate:

  • Develop set of strategic objectives
  • Identify principal risks willing to take to achieve & that may ‘threaten business model, future performance, solvency & liquidity’
  • Carry out a robust assessment of principal risks
  • Explain how emerging risks are mitigated / managed
  • Monitor IC & RM systems
  • At least annual review of RM/IC system effectiveness
  • Annual assessment of the future viability company for a period to be determined by the board, considering its current position & principal risks.
  • Report on all of the above in the annual report and accounts
    (Help devise, implement and monitor a whistle-blowing policy)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What does the UKCGC have to say on the issues of risk management and internal controls?

A
  • PRINC O: establish procedures to manage risk/oversee the control framework, and determine the nature/extent of principal risks willing to take to achieve long-term strategic objectives”.
  • PROV.25 - AC should review the company’s internal financial controls. The review of the company’s internal control and risk management systems could be done by the board itself, AC or separate board risk committee. CoSec should advise and facilitate.
  • PROV 28: - Board should carry out a robust assessment of emerging/principal risks.
    Confirm in AR it has completed assessment including descriptions of principal risks, RM procedures and explanation(s) of risk mitigation process.
  • PROV 29: Board should monitor RM/IC systems
    At least annually- carry out review of effectiveness and report in the AR
    Report should cover all material controls (fin, ops, compliance)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What are downside risk and upside risk?

A
  • Downside risk – a risk that actual events will turn out worse than expected. Such risks can be measured in terms of the amount which profits could be worse than expected. The expected outcome is the forecast or budget expectation. E.G. fire, consequences of bad weather systems, earthquakes, IT breakdowns etc.
  • Upside risk– a risk that actual events will turn out better than expected and provide unexpected profits. E.G. sale volume higher than expected, investment providing higher than expected returns etc.

To manage risk effectively - organisations should have processes in place to manage both.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Define business risk

A

Possibility company will have lower than anticipated profits/experience a loss rather than taking a profit.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What are the four types of business risk?

A
  • Reputational: risk of loss of customer loyalty/support due to event damaging org’s reputation
  • Competition: risk business performance will be affected due to acts of orgs competitors
  • Business Environment: risk that the business environment it operates in will change significantly (ex. politics, regulation, economic factors, social & environment, technology)
  • Liquidity: insufficient cash to settle liabilities on time, will be forced out of business
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What are the four types of governance risk?

A
  • Structure - boards / steering groups to business models & policy frameworks
  • Processes - new product processes / comms channels to operations, strategic planning & risk appetite
  • Information - financial performance & audit reporting to management, risk and compliance reporting
  • People & Culture - ‘the top’ to accountability/transparencythroughout org, inc. rship with regulators
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What 7 questions should boards should ask themselves when considering risks to their specific organisation?

A
  • What risks?
  • How measured?
  • Worst-case scenario of each
  • Likelihood of BAD outcome from each
  • Risk appetite?
  • Risk tolerance?
  • How to manage?
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What is an internal control system?

A

A system made up of all structures, policies and procedures within an organisation related to the management of financial, operational and compliance risks (often known as business risk)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What are the 3 main categories(timescale) of internal control?

A

Preventative - prevent adverse risk from occurring (ex. fraud by employees)

Detective - detect risk events as they occur so appropriate person alerted/corrective measures taken

Corrective - deal with occurrences and their consequences

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

According to COSO what are the 3 categories in which internal controls/internal control systems should provide ‘reasonable assurance regarding the achievement of objectives?

A
  • Effectiveness/efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws/regulations
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What are the reporting requirements in respect of IC/RM?

A
  • DTRs - disclosure in Annual Report
  • Description of main features of IC/RM systems re financial reporting
  • Boards may feel obliged to report significant IC weaknesses under DTR if they feel company financial performance or position would be adversely affected as a result.
  • Code/FRC Guide - do not, themselves, require any disclosure regarding failures/weaknesses of IC/RM
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What 2 reasons can internal control risks occur?

A
  • Bad design: so would not be capable of achieving their purpose as a control
  • Well-designed, poorly applied : human error, oversight, circumvention/ignoring (an example of operational risk)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What are the 2 most commonly used models for rm/ic?

A
  • Developed by Turnbull (UK)
  • COSO (USA)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is the difference between UK framework for IC/RM and US (COSO)

A
  • UK - based on Turnbull - considers RM and IC together
  • US - COSO - 2 separate parts (Internal Control Integrated Framework / Enterprise Risk Management - Integrating Strategy With Performance)
17
Q

What is the responsibility of the board for risk and internal controls as per the UKCGC?

A

Principle O
‘board establishes processes for managing risk, overseeing internal control frameowork and determining the nature and extent of principal risks willing to take in order to achieve the company’s long-term strategic objectives

Supported by:

  • Prov.28 - robust assessment of emerging and principal risks, confirmed in AR including describing principal risks and processes put in place to identify emerging risks and how these are managed and mitigated.
  • Prov.29:- must monitor both & at least annually evaluate the effectiveness of both systems and report on this in the AR. It should monitor and review all material controls (operational, financial, compliance)
  • review tocover ALL MAT CONTROLS (fin, ops, compliance)
18
Q

For the purposes of identification what are the 6 categories of risk?

A
  • Financial
  • Liquidity
  • Credit
  • Operational
  • Strategic
  • Reputational
19
Q

What are the main categories of risk?

A

Financial - internal (ex. failure to protect cash, credit risk, liquidity risk, operational risks)

Compliance - important laws/regs not complied with leading to legal action/fines

Strategic - tend to be external occuring/arising due to business environment (ex. people risks, reputation, marketplace risks, ethical risks)

  • Board should be aware the controls themselves can create risk if they fail.
  • When identifying risk - SHOULD AIM TO DEFINE AS SPECIFICALLY AS POSSIBLE - so it is correctly managed.
20
Q

What are 4 main methods of identifying risk?

A
  • Mind mapping – involves thinking of all the risks to an organisation;
  • Process mapping – involves mapping every process within an organisation to identify independent, critical and vulnerable functions and activities within an organisation;
  • Stress testing – organisations stress test their ability to withstand extreme ‘shocks’ or unexpected events in the business environment they operate;
  • Use of internally generated documents – typically business impact studies, market research reports, expert reports etc
21
Q

What is the main challenge in identifying risks?

A

Risk of identifying business problems rather than identifying risk associated with the problem = results in time/resource used on perceived financial risk but may actually be another type (ex. people risk)

22
Q

What are risk appetite and risk tolerance?

A
  • Risk appetite is the level of risk that an organisation is willing to take in the pursuit of its objectives. It should be set by the board, who should review its level regularly as the business environment changes.
  • Risk tolerance is the amount of risk that an organisation is prepared to accept in order to achieve its financial objectives. It is expressed as a quantitative measure; for example, in banks, the value at risk (VaR) for a portfolio.
23
Q

What are the 5 main stages of developing a risk management system?

A
  • Definition & Identification
  • Assessment
  • Response
  • Monitoring
  • Reporting
24
Q

What are the 2 main methods of assessing risk

A
  • Matrix plotting all risks - probability against severity of consequences
  • Multiplying likelihood/Probability Rating X Size Impact Rating = sub-categorisation to RED/AMBER/GREEN
25
What are the 4 forms of risk response?
* **AVOIDANCE**: reduce likelihood. Usually means shut down/sell part of business creating risk. * **REDUCTION**: reduce negative impact/take advantage of opportunities of positive impact * **TRANSFER**: move risk elsewhere (e.g. insurance or outsourcing) * **ACCEPTANCE**- retain risk as deemed not to be significant threat
26
What are the 3 main / common ways of monitoring risk?
* **Stress testing** – the organisation assesses the robustness of the risk response by modelling extreme situations; * Developing **SMART measures** to monitor effectiveness of the risk response; * Use of the **internal audit** function.
27
How should risk be reported on?
* USE OF RISK REGISTER OR DASHBOARD **MANAGEMENT TO BOARD** * Board needs *information from management* on principal risks and effectiveness how these aremanaged. * Enables the board to then *evaluate* effectiveness. **BOARD TO SHAREHOLDERS** * Strategic Report - description of principal risks/uncertainties and how they are to be managed or mitigated. *Extra strategic report equirements for PIEs* * Business model * Products/services which could have adverse effect on principal risks re environment * Employees * Social matters * Respect for human rights * Anti-bribery * Anti-Corruption
28
What are the benefits of risk management systems?
**OPERATIONAL** - Increase likelihood of **achieving** business **objectives** - Incidents used to highlight risk environment and helps management **enhance risk awareness** - Facilitates**monitoring/mitigation** of risk for key projects / initiatives - Provides platform for **regulatory compliance** and building **goodwill** **FINANCIAL** - **Protects/enhances value** - prioritises/focuses attention on managing risks across org - Contributes to better** credit rating** - increasingly focus on RM by agencies - Increases **confidence** (invs, stakeholders, regs)/ builds **SH value** - Reduction of **insurance premiums** - demos a structured approach to risk **DECISION-MAKING** - Shares risk info across org- contributes to **informed decisions** - **Facilitates assurance & transparency** of risk at board level - Decisions can be made in light of the **impact** of risks and the org's risk **appetite/tolerance** guidelines
29
What is the board's main responsibility (overall role) regarding risk management and internal controls?
**THE BOARD HAS OVERALL RESPONSIBILITY FOR RISK MANAGEMENT & INTERNAL CONTROLS** **Examples**: * Decide **risk appetite** * Ensure management manage risk within their guidelines for **risk appetite** * Monitor management performance to ensure risk managed within **board guidelines** set * Monitor RM system : ensure **effective/achieves** its purpose *Responsibility for evaluating the effectiveness of RM/IC systems can be delegated to audit committee, or risk committe if it has one.*
30
Why are boards becoming more interested in risk management?
* Increased **speed of change** within operating = greater response speed needed * Increased **transparency** (social med etc)/24hr news = companies operate in **glass bubble** which has its associated risks * Change in **TYPE** of risks - **tangible to intangible** (ex. reputation, cyber) - require new methods of assessment/mitigation * Risks more **interconnected** - more **integrated/holistic** approach required * RM not just seen as a **compliance discipline** - building relationships/developing behaviours and culture of risk management - requires a different **skill set** * Growing **awareness** that RM should support **better decision-making** and **strategy development** * Appreciation of **board’s role** in RM - have **appropriate systems in place** to support integration of RM throughout the org / **foster collaboration** in RM - **both vertically and horizontally** within the organisation.
31
What are the common failures of boards in relation to risk management and internal controls?
* Failure to take **responsibility at board level** * Failure to **see the importance** of risk to the organisation as a whole * Failure to **capture the major risks** of the organisation * Failure to consider the **integrated nature** of risk * Failure to put in place **appropriate controls/other mitigants** * Failure to **manage reputational** risk * Failure by board to **map** out **clearly** **who is responsible for what** at **different levels** of the organisation * Failure to **consider, decide, or articulate** **effectively**, the **risk appetite** of the organisation * Failure to obtain and share **timeley and good quality** **information**.
32
Who must make a long-term viability statement and what is it?
* UK Listed companies (in addition to whether appropriate they adopt the 'going concern' basis of accounting) **Prov 31** “….take into account current position/principal risks… explain in AR how assessed prospects / over what period / why period appropriate. Whether board has reasonable expectation company can continue to be in operation/meet liabilities as fall due over period under assessment …drawing attention to any qualifications/assumptions as required….”
33
What should the long-term viability statement *robustly* assess?
* Principal risks * Future performance * Solvency * Liquidity
34
What factors should the board consider when determining the time period to be covered by its long-term viability statement?
* Stewardship responsibilities * Previous statements has made made (especially in raising capital) * Nature of business / stage of development * Investment / planning periods
35
What is corporate sustainability?
Corporate sustainability is ensuring the long-term survival of the organisation.
36
What does corporate sustainability planning recognise?
The **interactivity** of **economic**, **social** and **environmental** impacts on **strategic planning** and **risk** **management** within the organisation.
37
What is the main challange of corporate sustainability planning?
**Balancing** current needs with long-term/future needs.
38
What does the board need to determine for corporate sustainability planing?
* **What ARE** current/future needs?different stakeholders will have differing views) * **Time** period to be considered for 'future generations' * **Who for**? (company alone, country it operates in, all countries and peoples?)
39
How does the board deliver Principle A (UKCGC) "to promote the long-term sustainable success of the company.....value for shareholders and contributing to wider society" ?
* **Determine** sustainability needs * Once established- **identify potential threats** to supply/maintenance * **Sustainability objectives/policies** developed in conjunction with management * Develop a **sustainbility Plan/BCP** dev based on sustainable objectives and policies- this should align with org's ethical values (will include IT, DRP, buildings etc) / (CoSec may sometimes lead on developin) * Once plan is complete, should be **reported** to board and **approved** by them * Determine **which bits of BCP to communicate to who** (externally and internally) - confidentiality factors / will differ based on type of organisation * Agree **channels of communication** - will depend on types of recipient/what tech is available * Develop/monitor **sustainability indicators** - which will work to assess if plans are effective * Board **evaluate** BCP annually - that it is still the right plan / operating as expected * Key **stakeholders informed** re sustainability planning (inc. strategic planning/RM)

Hayley K - Corporate Governance November 2022 (19 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions