Risk structures, policies, and procedures Flashcards

1
Q

The board needs to ensure that the appropriate structures are in place at the proper levels within the organisation to manage risk.

In deciding what these structures should be, what 3 things should boards consider?

A
  1. Whether risk and internal controls should be considered by the whole board or be delegated to a committee of the board.
  2. If delegating to a committee, whether risk and internal controls should fall under one committee, the audit committee (AC), or be split across two separate committees: the AC for internal controls and the risk committee (RC) for risk.
  3. The division of responsibility between itself and management for risk management.
2
Q

Which organisations usually have a separate risk committee and why?

What are 4 benefits of having a separate risk committee?

A

Banks and other large financial institutions normally have separate risk committees due to the complexity of their risk exposure

The benefits are:
  1. It can focus solely on reviewing the organisation’s risk management
  2. It can give the board advice on risk appetite, the organisation’s risk tolerance, and strategies to manage risk
  3. It can provide input into strategy formulation by helping the board to understand the key risks
  4. The composition of the committee is not restricted by the requirements of the UK CG Code
3
Q

What are 4 risks of setting up a separate risk committee?

A
  1. Conflict between the audit and risk committees
  2. Danger of overlooking some risks = Each committee may think the other is considering a particular risk when in fact neither are
  3. Message sent to senior management that risk is no longer their responsibility
  4. Finding sufficient directors with the required skills to constitute a separate risk committee
4
Q

What does the ICSA ‘Terms of reference for a risk committee’ suggest in relation to the composition of a separate risk committee? (3)

A
  1. RC should consist of at least 3 members, all of whom should be independent non-executive directors (INEDs)
  2. Members should have appropriate knowledge, skills, and expertise to fully understand risk appetite
  3. The finance director/CFO and the chief risk officer/CRO should attend committee meetings regularly.
5
Q

What does the ICSA ‘Terms of reference for a risk committee’ suggest the role of a risk committee may include? (4)

A
  1. Providing assurance to the board that processes for risk management are effective
  2. Considering risk opportunities and making recommendations to the board
  3. Reviewing and approving statements to be included in the annual report concerning risk management
  4. Overseeing the CRO’s role and responsibilities
6
Q

What is internal audit?

A

= an independent objective assurance and consulting activity designed to add value and improve an organisation’s operations

7
Q

What are 5 possible roles of the internal audit function?

A
  1. Value for Money (VFM) audits = determine if operation/activity is economical, efficient, and effective
  2. Reviewing compliance with laws or regulations
  3. Reviewing the internal control system = not the function of internal auditors to manage risks, only to monitor and report them, and to check that risk controls are efficient and cost-effective
  4. Risk assessment = investigate the adequacy of the mechanisms for identifying, assessing and controlling significant risks to the organisation
  5. Reporting to the audit committee/risk committee and the board, and carrying out special investigations
8
Q

What are the 4 benefits of an in-house internal audit function?

What is the benefit of a co-sourced or outsourced internal audit function?

A
  1. Understands the organisation, its culture, operations and risk profile = should be able to add value to internal control and risk management processes
  2. Can build networks and become integrated into the company’s business = become the ‘eyes and ears’ of the board regarding those activities
  3. Provides assurance to stakeholders on the integrity of internal control and risk management systems
  4. Could be a lower-cost option, depending on the make-up of the team

The organisation can leverage external resources, technology, skills and experience which may not be available to it with an in-house team

9
Q

Why might the independence and objectivity of internal auditors be compromised?

What does the FRC Guidance on Audit Committees suggest to protect their independence? (2)

How often should the board or AC review the internal audit function?

A

Independence and objectivity may be compromised because they are also employees within the organisation = if internal auditors report to the CEO, they will be reluctant to criticise the CEO

FRC Guidance on Audit Committees: to protect the independence of the internal audit function:
  1. AC should be responsible for the appointment or removal of the head of internal audit
  2. AC should have a reporting line which enables it to be independent of the executives

Annually

10
Q

What does the UK CG Code say on whistleblowing?

A
  • Principle E = the workforce should be able to raise any matters of concern
  • Provision 6 = There should be a means for the workforce to raise concerns in confidence and – if they wish – anonymously = a whistleblowing procedure
11
Q

What should an effective whistleblowing procedure allow an employee to do?

A

Should allow an employee to raise concerns about illicit behaviour, usually:
  1. Fraud
  2. Serious violations of laws or regulations
  3. A miscarriage of justice
  4. Bribery etc.
  5. Price-fixing

12
Q

What areas should a whistleblowing policy cover? (6)

A
  1. Purpose, scope and coverage
  2. Procedures for reporting a matter
  3. What happens when communication is received from a whistleblower
  4. Anonymity of the whistleblower
  5. Communication with the whistleblower
  6. Protection of the whistleblower
13
Q

What are the 3 parts of a cyber security policy?

What are the 2 sets of regulations that require disclosure for a breach of cybersecurity?

A
  1. Physical security of the technology = explains the importance of keeping the physical asset secure – locking doors, surveillance, alarms etc.
  2. Personnel management = explains how to conduct day-to-day activities – password management, the use of memory sticks etc.
  3. Hardware and software = explains what type of technology and software to use and how networks should be configured to ensure they are secure.

Market Abuse Regulation and General Data Protection Regulation

14
Q

What are the Network and Information System (NIS) Regulations aimed at?

What are operators of essential services (OES)?

What are relevant digital service providers (RDSP)?

What do NIS regulations require organisations to do?

A

= aimed at improving the security of network and information systems of operators of essential services (OES) and relevant digital service providers (RDSP).

  • OES = entities in the energy, transport, health, drinking water and digital infrastructure sectors
  • RDSP = entities that provide their services to entities within the essential services sectors

Organisations are required to take appropriate and proportionate measures to manage the risks posed to their NIS and to minimise impact.

15
Q

What 5 things should an information disclosure policy include?

A
  1. Objectives and principles of the disclosure
    a. Main objective of disclosure = keep stakeholders informed about the company to enable them to make informed decisions when dealing with the company
    b. Principles = accurate, timely, complete, balanced between the positive and the negative etc.
  2. Authorised persons = Usually the CEO, CFO, and cosec (company secretary) will be authorised to make disclosures
  3. Public information = The policy will usually set out what information about the company is in the public domain
  4. Confidential information = The policy should also set out what information should be kept confidential e.g. trade secrets
  5. Insider information = information that would, if disclosed, move the company’s share price = policy should set out how it is to be handled
16
Q

What is a disaster recovery plan?

What 6 things should a disaster recovery plan do?

A

= a plan of what needs to be done immediately after a disaster to recover from the event

  1. Specify which operations are essential and must be kept going.
  2. Identify and analyse all potential threats to essential operations.
  3. Identify possible reactions to the threats to essential operations
  4. Specify where operations should be transferred to (if they cannot continue in their normal location)
  5. Identify key personnel who are needed
  6. Communicate to stakeholders the impact of the disaster and the recovery measures that are being taken
17
Q

What is the difference between disaster recovery planning and business continuity planning?

What should a BCP seek to do?

A

DRP = planning for disaster that is unconnected with the company’s business and outside the control of management e.g. natural disasters and IT disruptions

BCP = goes beyond procedures that should be taken in an emergency = planning what a company needs to do to ensure that its key products and/or services continue to be delivered in the longer-term
i.e. a plan for the sustainability of the business

A BCP should seek to take advantage of the longer-term threats = turn them into a competitive advantage

18
Q

What are the 3 offences under the UK Bribery Act 2010?

How can an organisation avoid conviction?

A
  1. Offering bribes (active bribery) and receiving bribes (passive bribery).
  2. Bribery of foreign public officials for business benefit
  3. Failure to prevent a bribe being paid on the organisation’s behalf

R v Skansen Interiors Ltd = If it can show that it has ‘adequate processes’ to prevent bribery in place (e.g. suitable whistleblowing procedures) and can demonstrate that the procedures work well in practice

19
Q

What are the 6 principles of the Ministry of Justice Guidance on the UK Bribery Act 2010?

A
  1. Proportionate procedures to the risk of bribery
  2. Top-level commitment to foster culture
  3. Regular risk assessment.
  4. Due diligence of third parties
  5. Communication (including training) = embed in organisation
  6. Monitoring and review = improvements made where identified
20
Q

What are 7 issues the board should consider when implementing a whistleblowing procedure?

A
  1. Building a culture of openness and trust
  2. How are matters to be reported? - suggestion box or hotline?
  3. Who will receive issues? - cosec, AC chair, outsourced?
  4. Anonymity vs non-anonymity = whether to accept anonymous reports (risk of false reports, and harder to investigate)
  5. Improprieties covered by the policy = what is of sufficient seriousness to report
  6. Investigation, follow-up and reporting procedures
  7. Protection for genuine whistleblowers = victimisation for raising a concern will be a disciplinary offence