Corporate governance, risk and internal controls
The relevance of risk management and internal control systems for corporate governance
The management of risk in an organisation is considered part of corporate governance because it requires the development of structures, policies and procedures which, when operationalised effectively, should create a culture that leads to a better-performing organisation, one more likely to weather the shocks of the environment within which it operates, leading to its continued sustainability
The board, as part of its role in governing an organisation, has a responsibility to manage the risk that the organisation is prepared to take in achieving the strategic objectives it has set itself
How successful the board is in doing this can affect the performance of the organisation and, in some cases where risk is not successfully managed, can lead to the insolvency of the organisation
Part of the risk management process is to develop an internal control system.
Corporate governance best practice refers to a board's responsibility for ensuring the effectiveness of the organisation's risk management and internal control systems
The CS should advise the board on the significance of risk management to corporate governance and the board's responsibilities regarding risk management and the internal control system
The UK Corporate Governance Code Requirements
The board should establish procedures to manage risk, oversee the internal control framework and determine the nature and extent of the principal risks it is willing to take in order to achieve its long-term strategic objectives
The board should carry out a robust assessment of the company's emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risk and an explanation of how these are being managed or mitigated
The board should monitor the company's risk management and internal control systems and at least annually carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls
In practice, the CS should advise and facilitate the board to
Develop a set of strategic objectives for the company
Identify the principal risks it is willing to take to achieve its strategic objectives and those that could threaten the company's business model, future performance, solvency and liquidity
Carry out a robust assessment of the principal risks
Explain how the principal risks are being managed or mitigated
Monitor the risk management and internal control systems
At least annually carry out a review of the effectiveness of the risk management and internal control systems
Annually carry out an assessment of the future viability of the company for a period to be determined by the board, considering the organisation's current position and the principal risks. This provision is instead of the current going concern statement, which only covers a 12-month period. The change has been introduced as a period of 12 months may not be appropriate for every company; allowing the flexibility for boards to determine their own time periods was seen as beneficial
Report on these in the company's annual report and accounts
That the audit committee should review the company's internal financial controls. The review of the company's internal control and risk management systems could be done by the board itself, the audit committee or by a separate board risk committee. The company secretary should advise and facilitate the board to consider how this might best be done in their company
FRC Guidance
Makes clear that when developing an organisation's risk management and internal control systems the board should not inhibit sensible risk taking that is critical to growth
The risk management process should support decision making in the organisation and be part of the normal business processes within the organisation
States that the board has ultimate responsibility for risk management and internal control, and that the board is also responsible for ensuring that an appropriate culture has been embedded throughout the organisation
Failure to embed them in the culture of the organisation is perceived by many to be the cause of the failure of many organisations. Boards are now expected to take responsibility for ensuring that appropriate culture and reward systems have been embedded throughout the organisation
In addition to giving guidance on the board's responsibilities under the Code, the guidance also covers how the board may exercise those responsibilities under the following points
The culture the board wishes to embed within the organisation and whether this has been achieved
How the board ensures that there is adequate discussion at board level on risk management and internal controls
Consideration of the skills, knowledge and experience of the board and management in risk management
The flow and quality of information to and from the board
What the board has agreed to delegate and to whom
What assurances the board requires on risk management and how this is to be obtained
FRC Guidance on the strategic report