Risk structures, policies, procedures and compliance Flashcards

1
Q

What does the board need to consider when deciding what structures to put in place to fulfil its responsibilities for risk and internal control?

A

The board has overall responsibility for the systems of risk management and internal controls within an organisation. To enable the board to carry out this responsibility, it needs to ensure that the appropriate structures are put in place at the proper levels within the organisation to manage risk. In deciding what these structures should be, the board needs to consider the following:
* Whether risk and internal controls should be considered by the whole board or be delegated to a committee of the board.
* If delegating to a committee, whether risk and internal controls should fall under one committee, the audit committee, or into two separate committees, the audit committee for internal controls and the risk committee for risk.
* The division of responsibility between itself and management for risk management.

2
Q

Why might an organisation decide to have a risk committee?

A

In some cases, the audit committee may be overwhelmed by its other duties covering financial reporting and internal controls or may not have the necessary skill set required for the governance of risk. In these cases, the board may decide to establish a separate risk committee.
The size of the organisation and the sector the organisation is operating in may also determine whether responsibility for reviewing internal controls and risk management is dealt with in the same board committee, the audit committee, or whether two separate committees, one for audit and the other for risk, are established.
Banks and other large financial institutions normally have separate risk committees due to the complexity of their risk exposure. A growing number of listed non-financial companies, for example in the oil industry, are also finding it useful to establish a separate risk committee. The benefits of a separate risk committee are:
* It can focus solely on reviewing the organisation’s risk management and providing assurance to the board that risk management and the processes for the control over risk are effective.
* It can give the board advice and make specific recommendations on risk appetite, the organisation’s risk tolerance and strategies to manage risk.
* It can provide input into strategy formulation by helping the board to understand the key risks facing the organisation and the opportunities available to the organisation by managing those risks.
* The composition of the committee is not restricted by the requirements of the corporate governance code. An audit committee is required to be composed of all independent directors. A separate risk committee can have executive directors and non-board members to strengthen the skills and experience of the committee.

3
Q

Who are the main governance players that support the board with their risk management responsibilities?

A
  • The board.
  • Audit and, if separate, risk committees.
  • Company secretary.
  • CEO.
  • Chief Risk Officer.
  • Internal Auditor.
  • All management and staff.
4
Q

Why should boards routinely monitor and review the organisation’s systems of risk management and internal controls?

A

The existence of risk management and internal control systems does not, on its own, indicate that risk and internal controls are being managed effectively within an organisation. The board (or audit committee) should, on an ongoing basis, monitor and review the systems to ensure that they:
* remain aligned with the organisation’s strategic objectives;
* address the risks facing the organisation;
* are being developed, applied and maintained appropriately for the organisation.

5
Q

What matters should the annual review of the effectiveness of the systems of risk management and internal
controls cover?

A

The FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting states that the annual review of effectiveness should consider:
* the company’s risk appetite;
* the desired culture within the company and whether this culture has been embedded within the organisation;
* the operation of the risk management and internal control systems, covering design, implementation, monitoring
and review and the identification of principal risks;
* the integration of risk management and internal controls with the company’s business model, strategy and business
planning processes;
* the changes in the nature, likelihood and impact of principal risks;
* the company’s ability to respond to changes in its business and the external environment;
* the extent, frequency and quality of management’s reporting on the organisation’s risk management;
* the issues dealt with by the board throughout the year under review;
* the effectiveness of the company’s public reporting processes.

6
Q

What concerns should an employee raise through a whistleblowing procedure?

A

An effective whistleblowing procedure should allow for an employee to raise concerns about illicit behaviour, usually in
one of the following areas:
* fraud;
* a serious violation of a law or regulation by the company or by directors, managers or employees within the
company;
* a miscarriage of justice;
* offering or taking bribes;
* price-fixing;
* a danger to public health or safety, such as dumping toxic waste in the environment or supplying food that is unfit for
consumption;
* neglect of people in care; or
* in the public sector, gross waste or misuse of public funds.

7
Q

What areas should a whistleblowing policy and procedure cover?

A

Typically, a whistleblowing policy and procedures would cover the following:
* purpose, scope and coverage;
* procedures for reporting a matter;
* what happens when communication is received from a whistleblower;
* anonymity of the whistleblower;
* communication with the whistleblower; and
* protection of the whistleblower.

8
Q

What areas should be covered in a cybersecurity policy?

A

The cybersecurity policy should inform employees and other authorised users of the company’s technology of the requirements for protecting that technology and the information it contains from a cyberattack. The policy is usually made up of three parts:
* Physical security of the technology. This section explains the importance of keeping the physical asset secure – locking doors, surveillance, alarms etc.
* Personnel management. This section explains to employees how to conduct their day-to-day activities – password management, keeping certain information confidential, the use of the internet, the use of memory sticks etc. Some organisations go as far as restricting access to the internet and sealing the USB ports of computers in an attempt to stop viruses and malware from being introduced into their systems.
* Hardware and software. This section explains to the technology administrators what type of technology and software to use and how networks should be configured to ensure they are secure. Due to the technical nature of this part of the policy, boards may wish to get independent advice on the recommendations of management in this area.

9
Q

What matters should the company secretary consider when handling insider information?

A

Managing insider information is a major part of the company secretary role. The following are some of the matters that
the company secretary may consider when handling insider information:
* Confidentiality of board papers. Extra care should be taken when distributing paper board packages. This might
mean using double envelopes, anti-tear envelopes, and even hand delivery rather than email or courier. If
documents are made available electronically through a board portal, the company secretary should make sure the
system is as secure as possible, for example, by encrypting documents.
* Careful consideration may have to be given to securing the computers used to prepare the papers to be included
in the package. If shared drives are used or computers are networked, the company secretary should know who
has access to these drives and networks. If a password is needed to access certain drives, the company secretary
should know that usually the administrator of the system (often an IT person or sometimes an outsourced person)
can access the drive/folder. It has been known in highly sensitive transactions for the papers to be prepared and
kept on an offsite server usually maintained by the company’s law firm.
* Confidentiality of board discussions. The company secretary should consider the following:
– Is the room in which the board is meeting soundproof?
– Can anyone see into the room from outside? Especially if a PowerPoint presentation is made, will it be visible?
– Some listed companies even check for listening devices and coat windows so that no one can see in to ensure
confidentiality.
* Insider lists. These lists are often required by regulators for listed companies, although they can be used by any
company involved in a commercially sensitive project. To control the spread of confidential information, insider
lists contain the names of people, internally and externally, who are aware of the project. Only those on the list
can discuss the project. If someone else needs to be consulted, they have to be added to the list. The company
secretary is often the holder of the insider lists.
* The communication plan for the project. The company secretary may be asked on behalf of the board to work with
management to produce a communication plan for the project. This will indicate who should be communicated to,
how, and when. If the company is listed or is a regulated business, then any regulations for communications should
be reflected in the plan. For example, a listed company may have to make a regulatory announcement before it can
release information to others.

10
Q

What is the difference between disaster recovery planning and business continuity planning?

A

A disaster recovery plan is a plan of what needs to be done immediately after a disaster to recover from the event. The disaster is of a nature unconnected with the company’s business and outside the control of management. Examples of disasters are:
* natural disasters, such as major fires or flooding or storm damage to key installations or offices;
* IT disruptions; and
* major terrorist attacks.
Business continuity planning goes beyond procedures that should be taken in an emergency, such as a fire or explosion in a building. It is intended to establish, in advance, a plan of what a company needs to do to ensure that its key products and/or services continue to be delivered in the longer term, i.e. a plan for the sustainability of the business. A business continuity plan should be developed from the disaster recovery planning and the risk management process. It should seek to make the company ready to take advantage of the longer-term threats to the business, thus giving the company competitive advantage over competitors who are not planning for the future sustainability of their business.
It is important for the board to be involved in both disaster recovery and business continuity planning as both are critical
to the on-going activity of the business.

11
Q

What are the six principles of the Ministry of Justice Guidance on the UK Bribery Act 2010?

A
  • Proportionate procedures. The procedures of a commercial organisation to prevent bribery should be proportionate
    to the risk of bribery that it faces and the nature and scale of its commercial activities.
  • Top-level commitment. Top-level management should be committed to preventing bribery and should foster a culture
    in their organisation in which bribery is considered unacceptable.
  • Risk assessment. There should be periodic, informed and regular assessment by organisations of the nature and
    extent of potential bribery by people associated with it.
  • Due diligence. There should be due diligence of third party intermediaries and local agents who will act on behalf of
    the organisation, with a view to identifying and mitigating bribery risk.
  • Communication (including training). Commercial organisations should seek to ensure that policies against bribery
    are embedded and understood, by means of communication and training that is proportionate to the bribery risk that
    the organisation faces.
  • Monitoring and review. There should be monitoring and review of the procedures designed to prevent bribery, and
    improvements should be made when weaknesses are detected.
12
Q

What should the company secretary do to minimise boardroom disputes?

A

The company secretary can take the following steps to minimise boardroom disputes:
* Ensure that the roles of the board members have been set out in a clear and concise way in their appointment letter.
* On appointment, a comprehensive induction programme should be held to ensure that there is no misunderstanding
as to what is expected from the board members.
* There is a board charter/governance manual setting out what the roles of the board, board committees and senior
management team are.
* Delegation of authority to the CEO is clearly documented.
* Proper flows of information to and from the board. The board requires sufficient information to make informed
decisions. Management require prompt communication of board decisions.
* In agenda development, ensuring that there is plenty of time allowed for discussion, debate and deliberation of the
matters brought to the board.
* Advising the chair to agree with the board ground rules for behaviour, attire etc. during board meetings.
* Creating the right environment within the boardroom for calm, effective meetings and decision making. This can
include:
– Shape of the table
– Seating arrangements
– Lighting and heating
– Make sure there are plenty of breaks
– Being prepared to break a tense situation by advising the chair to take a break, asking for clarity for the
minutes etc.
* Encouraging the creation of a good culture within the board. This can be achieved by building relationships and trust
between board members. Giving plenty of opportunity for board members to get to know each other through lunches
or dinners, annual board retreats, board trainings etc.

13
Q

Chapter summary

A

  • The board is responsible for carrying out an annual review of the effectiveness of the internal control and risk
    management systems. The board may delegate this responsibility to the audit committee. In some cases, the
    delegation is to a risk committee. In the latter case, the audit committee would retain the task of reviewing the
    effectiveness of financial risk controls.
  • The review of the effectiveness of the internal control system would rely on the regular risk and internal audit reports
    to the board or board committee responsible for receiving them. These may be supplemented by additional internal
    audit reports and the external auditors’ end-of-audit report on any weaknesses in the company’s internal controls.
  • A company may have an internal audit function, the key responsibilities of which vary but often include
    investigations into the operational effectiveness of financial, operational and compliance controls. Investigations can
    be at the request of the board, the audit committee or senior management.
  • The internal audit function should be as objective and independent as possible. The head of the function should
    have a reporting line into the chair of the audit committee.
  • The 2018 Code requires an annual review of the effectiveness of the internal audit function, and where there is not
    one, for the board to consider the need for one.
  • An important part of the internal control system is an effective whistleblowing procedure. Many companies have
    whistleblowing policies but their procedures for whistleblowing are not very robust.
  • The company secretary plays an important role in ensuring that risk is discussed at the board level by making sure
    that it features on the board’s agenda at both full board and board committee level.
  • Cybersecurity is becoming an important issue for many organisations and boards should be taking an interest in
    how it is being managed within the organisation.
  • The governance of information is also critical for many organisations. This was first recognised in the King Code in
    South Africa. Boards should ensure that effective policies and procedures are in place to manage information flows
    both internal and external.
  • Effective, well-documented and implemented procedures can assist in conflict prevention and resolution.
  • The UK Bribery Act 2010 has made it a criminal offence to offer and receive bribes, to bribe foreign public officials
    for business benefit and for failure to prevent a bribe being paid on the organisation’s behalf.
  • The board should ensure that the organisation’s reward system is compatible with the risk management