Chapter 13 - Risk Structures, Policies, Procedures & Compliance Flashcards

(55 cards)

1
Q

Why is risk becoming increasingly important?

A
  • Speed of change of business environments needs faster speed of response
  • Increased transparency of social media etc., means companies are in a ‘glass bubble’
  • Change in types of risk from tangible to intangible such as reputation/cyber risks - these require new methods of assessment and mitigation
  • Risks are becoming more interconnected - need a holistic integrated approach
  • Increasing recognition RM is not just a compliance discipline - about building relationships and developing behaviours and a culture of risk management which require a different skillset
  • Growing awareness RM supports better decision-making and strategy development
  • Appreciation of the board’s role - need appropriate systems to integrate RM/need to foster RM both vertically and horizontally within the organisation
2
Q

What are the 5 stages of developing a risk management system?

A
  • Definition / identification
  • Assessment
  • Response
  • Monitoring
  • Reporting
3
Q

What key considerations should the board make when putting risk management structures in place?

A
  • Whether to be considered by whole board or delegated to a committee (one committee or two)
  • Division of responsibility between itself / management re risk management
  • CoSec should play a role in advising on this which will differ from company to company.
4
Q

What does the Code require in respect of Audit, Risk & Internal Control?

A
  • Princ.M - formal and transparent policies and procedures to ensure the independence and effectiveness of internal and external audit functions and satisfy itself on the integrity of financial and narrative statements.
  • Princ.N - board to present a fair, balanced and understandable assessment of the company’s position and prospects.

Princ.O requires the board to:
* Establish procedures to manage risk;
* Oversee the internal control network; and
* Determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives

5
Q

Why are the issues of risk management and internal controls often delegated to committees?

A
  • Complexity of risks
  • Level of interest of stakeholders re org’s ability to manage threats/take advantage of risk opportunities
6
Q

Why might companies establish a separate risk committee?

A
  • AC overwhelmed / may not have necessary skill
  • Size/sector of org may determine where responsibility for IC/RM lies
  • Banks/large financial institutions - usually a separate RM - complexity of risk
  • Growing number non-listed financial co’s (ex. oil industry) find useful to have RC
7
Q

What are the benefits of having a separate risk committee?

A
  • Can focus solely on risk management
  • Can provide assurance to board that RM processes are effective
  • Can advise board/make specific recs on risk appetite/tolerance & strategies to manage risk
  • Provide input into strategy formulation - help board understand risks/opportunities by managing them
  • Composition not restricted by UKCGC - can have exec, NED, whatever helps

8
Q

Per CGI’s ‘Terms of Reference for a Risk Committee’ (2020), what are some composition suggestions where company has a separate risk committee?

A
  • At least 3 members - all independent directors
  • At least one member of AC and/or RemCom / 1 NED specifically responsible for risk
  • As a whole - appropriate skills, knowledge, expertise
  • As a whole - relevant competence in organisation’s operating sector
  • FD/CFO and CRO should attend meetings regularly - others when invited as and when
9
Q

What are some potential duties/roles of a risk committee?

A
  • Provide assurance to board - RM / processes for control effective
  • Monitor risk areas by receiving periodic reports - make recs to board where appropriate
  • Oversee CRO role/responsibilities and provide direction
  • Provide information to the board to help with strategy formulation
  • Monitor management behaviour to ensure no excessive risk taking/taking appropriate action if so
  • Recommend changes in RM policies and/or processes to the board
  • Consider risk opportunities and make recommendations to the board
  • Review/approve statements to be included in AR that concern IC/RM
10
Q

What are the risks of setting up a separate risk committee?

A
  • Potential AC v RC conflict- if roles/responsibilities not clearly defined (need to be set out clearly in ToR)
  • Danger of overlooking some risks - if one thinks the other might be considering
  • Message sent to snr management - risk no longer their responsibility (having a risk manual can help this)
  • Need for SUFFICIENT DIRECTORS with sufficient/required skills - small/medium companies may find this hard to overcome
  • Directors end up being appointed without sufficient risk management skills and knowledge
11
Q

What is the purpose of an internal audit function?

A

“…independent objective assurance/consulting activity designed to add value and improve an organisation’s operations…helps achieve objectives by bringing systematic, disciplined approach to evaluate/improve effectiveness of RM, control and governance processes” (IIA)

12
Q

What are the benefits of an in-house internal audit function?

A
  • Understands the company, its culture, operation and risk profile - should be able to add value
  • Can build networks within organisation - become integrated into business & become ‘eyes and ears’ of the board
  • Provide assurance to stakeholders as to the integrity of the organisation’s internal control system
  • Become essential to checks/balances within organisation’s internal control system
  • Could be lower-cost - depending on makeup of the team
13
Q

What is the main benefit of co-sourcing or out-sourcing the internal audit function?

A

Organisation can leverage external resources, tech, skills and expertise which may not be available to it with an in-house team.

14
Q

How does FRC Guidance on ACs recommend that the independence/objectivity of the internal audit function be preserved?

A
  • AC should approve appoint/term of head of internal audit
  • Internal audit should have access to AC/chair of board where needed
  • AC to ensure internal audit has a reporting line which enables it to be independent from the executive and so can exercise independent judgement
15
Q

How often does the IIA recommend the IA function carry out an independent review of their function?

A

Every 3 years.

16
Q

What issues should the CoSec ensure are on the board’s agenda re IC/RM?

A
  • Approval of policies and framework
  • Management reports - implementation/effectiveness
  • Assurance reports from int/ext audit and any compliance officers on effectiveness of implementation
  • IA reports on suspected non-comp/ineffectiveness
  • Info on key risks facing org & how managed effectively
  • RM system evaluation - at least annually
17
Q

Where there is a separate risk committee, what might the company secretary do to aid/facilitate their purpose?

A
  • Ensure clear ToR and followed - work with chair to develop annual work plan
  • See that committee follows procedures/governance best practice and advise committee chair where not the case
  • Write report for committee chair of recommendations to the board to approve
  • Drafting of minutes with list of actions - deliver feedback at next meeting on action points
  • Consider the regular evaluation on the effectiveness of the committee
18
Q

What other duties might the cosec take on in respect of risk and internal controls?

A
  • Assist with assessment of effectiveness of RM/IC systems
  • Draft/review statements in reports setting out attitude to risk/management of risks
  • Collate info from management/staff to support board assessment of system’s effectiveness - verification of info
  • Manage process for production of annual report and accounts on behalf of the board
  • Advise board on business continuity - maybe draft BCP and/or communicate the plan
19
Q

What 2 reasons are there that the Company Secretary has an important part to play in strengthening the control environment?

A
  • Linking various people, structures and processes within the control environment into a strong culture of control and risk management
  • Ensuring various structures and processes within the control environment are integrated effectively in overall workflow and decision-making process of the board.
20
Q

What should the CEO ensure in relation to RM/IC?

A
  • Proper execution of RM/policies laid down by the board
  • That RM/IC frameworks extend into the organisation
  • That resources are available and work efficiently
  • That the organisation’s culture reflects the risk appetite developed
21
Q

What types of organisation most commonly have a CRO?

A

Large companies such as banks and other financial institutions; oil companies.

22
Q

What is a CRO?

A

Chief Risk Officer - specialist executive manager responsible for risk.
23
Q

What are the typical key responsibilities of a CRO?

A
  • Create integrated risk framework
  • Appoint and work with risk champions
  • Ensure sufficient resources for risk management
  • Monitor progress of risk control/mitigation activities
  • Develop/disseminate risk dashboard, reports and measurements
  • Organise risk management training for the organisation
  • Commonly work with the CoSec and Internal Audit function
24
Q

What could the work of the internal auditor (IA) include (CRO)?

A

Not prescribed by regulation - role/responsibilities are the decision of management or board, which can include:

  • Review suitability of internal control systems – independent checks, monitoring and reporting of financial, op and compliance controls;
  • Special investigations – organisational operations;
  • Examination of financial / operational information – investigate timeliness and accuracy in reports;
  • VFM audits – investigation into operation or activity to assess economic, efficiency or effectiveness value;
  • Reviewing compliance with laws or regulation;
  • Risk assessment – investigate aspects of risk management, particularly adequacy of mechanisms for identifying, assessing and controlling significant risks;
  • Reports to Audit Committee/Risk Committee and Board
25
Q

What factors should the internal auditor consider in assessing the effectiveness of internal controls?

A
  • Manual **or** automated
  • Discretionary **or** non-discretionary
  • Can it be **circumvented** easily
  • Do they **effectively achieve purpose** (extensiveness/rigorousness/frequency)
26
Q

What matters should the annual review of the effectiveness of the RM/IC system consider (as per FRC Guidance on Risk Management, Internal Controls and Other Financial and Business Reporting)?

A
  • Company's risk **appetite**
  • Company's desired **culture** & whether **embedded**
  • **Operation** of RM & IC systems - design, implementation, monitoring, identification of principal risks
  • **Integration** of RM & IC controls with company business model/strategy and business planning processes
  • **Changes** in **nature/likelihood/impact** of principal risks
  • Company's **ability to respond to changes** in business and external environment
  • **Extent, frequency and quality** of management's **reporting** regarding RM
  • **Issues** dealt with by board throughout year under review
  • Effectiveness of the company's **public reporting process**
27
Q

Who are the main governance players that support the board with RM responsibilities?

A
  • Board
  • AC & if it has a separate one the RiskCom
  • All management and staff
  • CoSec/Gov Prof
  • CEO
  • CRO
  • Internal audit function
28
Q

What are a risk policy and a risk manual?

A
  • Risk **Policy** - statement approved by board: extent/kind of risks **willing to take** in pursuit of objectives
  • Risk **Manual** - sets out how risk will be **managed** (some orgs will also have the board approve this)
29
Q

Who should monitor risk management and internal control systems and why?

A
  • Existence of systems does not by itself indicate that controls are being managed effectively.
  • The board (or AC) should on an ongoing basis monitor and review the systems to ensure that they:
    - Remain **aligned** with the organisation’s **strategic objectives**;
    - **Address** the **risks** facing the organisation; and
    - Are being **developed, applied and maintained appropriately** for the organisation.
  • **Prov.29** - on an **annual** basis the board should review effectiveness of the systems of risk management and internal control.
30
Q

What does the UKCGC say about employees / the workforce (in respect of whistleblowing)?

A
  • **Princ.E** - workforce should be able to **raise** any matters of **concern**
  • **Prov.6** - there should be a means for the workforce to raise in **confidence**…if they wish - **anonymously**
  • Board should **routinely review** system and reports arising from its operation
  • Board to ensure arrangements for **proportionate/independent investigation & follow up**
31
Q

What areas might a whistle-blowing policy cover?

A
  • Fraud
  • Serious law/regulation violation
  • Miscarriage of justice
  • Price-fixing
  • Dangers to public health/safety (ex. dumping toxic waste)
  • Neglect of people in care
  • Gross waste/misuse of public funds (in the public sector)
  • Bullying / harassment
32
Q

When does the need for a whistle-blowing policy/procedure arise in an organisation?

A

When **normal** procedures and internal controls in place **do not reveal illicit activity** because the individuals responsible **somehow ignore or get around** them. The **person behind this may be part** of the suspected malpractice themselves.
33
Q

How should a whistleblowing procedure be introduced?

A
  1. Identify **purpose**, **scope**, **coverage**
  2. Develop **procedures for reporting** a matter
  3. Develop **process for dealing** with it, ensuring **anonymity & protection** of the whistleblower, while ensuring **ongoing communication**
  4. **Create** policy and **circulate** throughout company
  5. Provide **reports** to the board (or audit committee)
  6. **Ongoing monitoring** of compliance
34
Q

What are key factors in whistle-blowing policies/procedures actually being effective?

A
  • Organisation must have a **culture of trust/openness from the top** - board seen to honour it
  • Organisation should state they **take malpractice/misconduct seriously** and are committed to an **open culture**
  • **Managers** need to **understand** the policy/how procedure operates & **acknowledge concept**
  • All members of the org need to feel there’s **no downside to reporting** and that reprisal against reporters will not be tolerated
  • Policy should stipulate **who will receive reports** - appropriately trustworthy person
  • **Available to all** – accessible/clear format - consistent message well communicated (each employee should have access in hard copy or via the intranet / other form)
  • Genuine **protection**: no fear of repercussion due to reporting, no fear of penalty/punishment
  • Can ensure **anonymity** of reporters, if desired (**balance** with discouraging frivolous reports)
  • Good **ongoing communication** (inc. notification if their name is to be disclosed)
  • All reports should be **fed back** to the board or audit committee
  • All reports should be **followed-up independently and proportionately**
  • **Review** of policy and process to ensure functioning effectively
35
Q

What might the company secretary do to help establish/maintain a process of whistle-blowing?

A
  • Help **establish**
  • **Training** (for effective operation)
  • Maybe **support** reporters
  • Help **review** effectiveness
36
Q

What are the three main laws/regulations in operation relating to cyber-security?

A
  • Market Abuse Regulations
  • UK GDPR
  • NIS Regulations 2020
37
Q

What 3 areas should be covered by a cybersecurity policy?

A
  • **Physical Security** of the technology - importance of the security of physical assets (locking doors, setting alarms, etc.)
  • **Personnel Management** - how employees conduct their day-to-day business (ex. password management, use of USB devices, use of internet)
  • **Hardware & Software** - explaining to tech administrators what type of tech/software to use and how networks should be configured to ensure they are secure. Boards may wish to get independent advice on this due to its technical nature.
38
Q

What are the potential consequences of poor cybersecurity/not considering cybersecurity risk (management)?

A
  • **Economic loss** - compounded by
  • **Reputational** damage
  • Loss of **trade secrets**
  • Associated **costs** of **implementing disaster recovery plans**
39
Q

What should the contents of an information disclosure policy cover?

A
  • Objectives and principles of disclosure:
  • Authorised persons
  • Public information
  • Confidential information
  • Insider information
40
Q

What role can the Company Secretary play in the governance of information?

A
  • **Confidentiality** of papers
  • **Electronic** means - system as secure as possible
  • **Securing** tech used to prepare papers
  • Confidentiality of **board discussions**
  • Keep / maintain Insider **List**
  • **Communication plan for project** - may be asked to develop this on behalf of the board
41
Q

What is a disaster recovery plan?

A

What needs to be done immediately after a disaster to recover from the event.
42
Q

What constitutes a disaster (re DRP)?

A

Disaster = act of nature **unconnected** with company’s business/**outside the control** of management.
43
Q

What is the process for the introduction of a disaster recovery plan?

A
  1. Identify **essential operations**
  2. Identify/analyse all **potential threats** to these
  3. Identify **possible reactions to the threats** to essential operations
  4. Specify where operations should be **transferred** to (availability)
  5. Identify **key personnel** required to maintain systems (for the essential ops)
  6. **Communicate** to all stakeholders **affected** by the disaster/disaster recovery plan
44
Q

Where are disaster recovery plans most needed?

A

Industries **where the lengthy/widespread shutdown of operations would be catastrophic**, for example:
  • Banking
  • Energy supply
  • Airline industry

However, **all** companies **should have** one which is **regularly reviewed**, with employees made fully aware of it and trained where appropriate.
45
Q

What is the difference between disaster recovery planning and business continuity planning?

A
  • **Disaster recovery plan** = what needs to be done **immediately after a disaster** to **recover** from the event. Disasters are of a nature **unconnected with company’s business and outside the control of management** (ex. natural disaster, IT disruptions, major terrorist attacks)
  • **Business continuity planning** goes beyond this - intends to establish (in **ADVANCE**) a plan of **what company needs to do** to **ensure key products and/or services can be delivered in the longer term** - aka the **sustainability** of the business.
  • BCP should be **developed FROM the DRP & RM** process. Should seek to **take advantage of long-term threats** to business - gives **competitive edge** over competitors who have not planned.
  • **Important board is involved** in BCP and DRP as both are **critical to company’s ongoing activity**.
46
Q

What are the 3 offences under the Bribery Act 2010?

A
  • **Offering** bribes (active) / **receiving** bribes (passive)
  • Bribery of **foreign** public **officials** for **business benefit**
  • **Failure to prevent** bribe being paid **on organisation’s behalf**
47
Q

What were the 2 main consequences for businesses as a result of the UKBA 2010?

A
  • Companies must ensure they have **ICs** in place which are **sufficient to prevent bribery** by employees/agents
  • Must have **ICs sufficient to detect bribery** when it occurs
48
Q

What are the 7 MoJ Principles regarding bribery?

A
  • **Proportionate procedures** - procedures of a commercial organisation to prevent bribery should be proportionate to the risk of bribery that it faces and the nature and scale of its commercial activities.
  • **Top-level commitment** - top-level management committed to preventing bribery and fostering a culture in which bribery is considered unacceptable in the organisation.
  • **Risk assessment** - periodic, informed and regular assessment by organisations of the nature and extent of potential bribery by people associated with it.
  • **Due diligence** - of third party intermediaries / local agents acting on behalf of the org, with a view to identifying and mitigating bribery risk.
  • **Comms (inc training)** - seek to ensure policies embedded and understood, by means of comms/training proportionate to the bribery risk the organisation faces.
  • **Monitoring and review** - of procedures designed to prevent bribery; improvements to be made when weaknesses detected.
49
Q

What is the main defence for a company accused of failing to prevent bribery?

A

The '**adequate procedures**' defence. Leading authority in case law: **R v Skansen Interiors Ltd** (2018).
50
Q

What must a company ensure for an 'adequate procedures' defence to be successful in court?

A
  • **Steps** taken since introduction of Act
  • Have **specific** bribery **policy/procedures** in place
  • Have **evidence** of **comms/implementation** to all staff & **evidence** this has been **read and understood**
  • **Conduct risk assessment** generally and on a *transaction basis by country if trades internationally*
  • Have **mechanism** in place for staff/stakeholders to **report breaches** of policy/procedures re bribery
  • Have had **discussions** of high-risk activities & relationships **and reasons** to continue/limit/terminate such activities/relationships
  • Have **addressed risk of corruption** where conducting **business outside the UK**
51
Q

What are some common groupings where conflict could arise within an organisation?

A
  • Shareholders and company/board
  • Board and CEO/senior management team
  • Different individual board directors
  • Company/board and external stakeholders
52
Q

What can the board do to prevent conflicts arising?

A
  • **Plan ahead** - anticipate & identify potential disputes (based on experience/other orgs)
  • Ensure **policies, procedures and legal docs** are aimed at **minimising conflict** and **contain provisions to deal** with conflict where it arises
  • Ensure **policies and procedures** etc are actually **integrated** into company’s **culture**
  • **Identify** person to **manage** dispute resolution
  • **Review effectiveness** of dispute **resolution process** after any dispute
  • Be **prepared** for **mediation/litigation (ADR), as a backstop** to resolve conflict
53
Q

What role can the Company Secretary potentially play in preventing/resolving conflict?

A
  • Ensure **roles** of board **set out clearly / concisely** in their appointment letters
  • On appointment of a new director - coordinate a **comprehensive induction programme** to ensure there are **no misunderstandings** as to what is expected of board members
  • Ensure **board charter/governance manual** setting out role of board, committees & snr management
  • Ensure any **delegation** of authority to the **CEO** is **clearly documented**
  • Ensure **proper information flows** - sufficient info to make **informed decisions** (board) and **prompt comm of board decisions to management**
  • Agenda development - ensure there is **plenty of time for discussion, debate and deliberation**
  • Create an **environment** for calm, effective meetings and decision-making (ex. layout, lighting/heating/space; breaks provide clarity and new insights - be **prepared to break tensions**/advise the chair to call breaks; encourage a good board culture by building trust and relationships - ex. away days, dinners)
54
Q

What do prov.37 and prov.40 of the Code state regarding the risks related to senior executive remuneration?

A

**Prov. 40**
  • RemCo to ensure reputational and other risks re excessive rewards are taken into account when determining remuneration policy and practices
  • Should also consider the potential behavioural risks that can arise from target-based incentives and ensure these are identified & mitigated
  • Aim is to reduce the likelihood of execs being paid large annual bonuses for short-term high achievement to the detriment of long-term sustainability

**Prov. 37**
  • When developing performance-related remuneration, boards should include malus and clawback provisions to recover/withdraw a payment where a senior exec has adversely affected the future performance and/or sustainability of the org.
55
Q

How can a company ensure it complies with prov.37/40 regarding senior executive remuneration?

A

Board can consider paying bonuses/other long-term incentive rewards **over a period** - which allows them time to **withhold or claw back** payments if it needs to.