Risk Management Internal Control
Risk management and internal control should be incorporated within the company’s normal management and governance processes, not treated as a separate compliance exercise.
In addition to being responsible for ensuring sound risk management and internal control systems, boards should explain the company’s business model and should determine the nature and extent of the principal risks they are willing to take to achieve the company’s strategic objectives.
The report on the review of the risk management and internal control systems is normally included in the corporate governance section of the annual report and accounts, but this reflects common practice rather than any mandatory requirement and companies can choose where to position it in their report.
The board has ultimate responsibility for risk management and internal control, including for the determination of the nature and extent of the principal risks it is willing to take to achieve its strategic objectives and for ensuring that an appropriate culture has been embedded throughout the organisation.
The board has responsibility for an organisation’s overall approach to risk management and internal control. The board’s responsibilities are:
ensuring the design and implementation of appropriate risk management and internal control systems that identify the risks facing the company and enable the board to make a robust assessment of the principal risks;
determining the nature and extent of the principal risks faced and those risks which the organisation is willing to take in achieving its strategic objectives (determining its “risk appetite”);
ensuring that appropriate culture and reward systems have been embedded throughout the organisation;
agreeing how the principal risks should be managed or mitigated to reduce the likelihood of their incidence or their impact;
monitoring and reviewing the risk management and internal control systems, and the management’s process of monitoring and reviewing, and satisfying itself that they are functioning effectively and that corrective action is being taken where necessary; and
ensuring sound internal and external information and communication processes and taking responsibility for external communication on risk management and internal control.
When reviewing reports during the year, the board should consider:
whether the causes of the failing or weakness indicate poor decision-taking, a need for more extensive monitoring or a reassessment of the effectiveness of management's on-going processes;
whether necessary actions are being taken promptly to remedy any significant failings or weaknesses;
how they have been managed or mitigated;
how effectively the risks have been assessed and the principal risks determined;
The annual review of effectiveness should, in particular, consider:
the operation of the risk management and internal control systems, covering the design, implementation, monitoring and review and identification of risks and determination of those which are principal to the company;
The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness, and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.
A company's systems of risk management and internal control will include:
a. risk assessment; management or mitigation of risks, including the use of control processes;
b. information and communication systems;
c. processes for monitoring and reviewing their continuing effectiveness.
The risk management and internal control systems encompass the policies, culture, organisation, behaviours, processes, systems and other aspects of a company that, taken together:
facilitate its effective and efficient operation by enabling it to assess current and emerging risks, respond appropriately to risks and significant control failures and to safeguard its assets;
help to reduce the likelihood and impact of poor judgement in decision-making; risk-taking that exceeds the levels agreed by the board; human error; or control processes being deliberately circumvented;
help ensure the quality of internal and external reporting;
help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business.