Corporate governance, risk and internal controls

The relevance of risk management and internal control systems for corporate governance

The management of risk in an organisation is considered part of corporate governance because it requires the development of structures, policies and procedures which, when operationalised effectively, should create a culture that leads to a better-performing organisation, one more likely to weather the shocks of the environment within which it operates, leading to its continued sustainability

The board, as part of its role in governing an organisation, has a responsibility to manage the risk that the organisation is prepared to take in achieving the strategic objectives it has set itself

How successful the board is in doing this can affect the performance of the organisation and, in some cases where risk is not successfully managed, can lead to the insolvency of the organisation

Part of the risk management process is to develop an internal control system.

Corporate governance best practice refers to a board's responsibility for ensuring the effectiveness of the organisation's risk management and internal control systems

The CS should advise the board on the significance of risk management to corporate governance and the board's responsibilities regarding risk management and the internal control system

The UK Corporate Governance Code Requirements

The board should establish procedures to manage risk, oversee the internal control framework and determine the nature and extent of the principal risks it is willing to take in order to achieve its long-term strategic objectives

The board should carry out a robust assessment of the company's emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks and an explanation of how these are being managed or mitigated

The board should monitor the company's risk management and internal control systems and at least annually carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls

In practice, the CS should advise and facilitate the board to

Develop a set of strategic objectives for the company

Identify the principal risks it is willing to take to achieve its strategic objectives and those that could threaten the company's business model, future performance, solvency and liquidity

Carry out a robust assessment of the principal risks

Explain how the principal risks are being managed or mitigated

Monitor the risk management and internal control systems

At least annually carry out a review of the effectiveness of the risk management and internal control systems

Annually carry out an assessment of the future viability of the company for a period to be determined by the board, considering the organisation's current position and the principal risks. This provision is instead of the current going concern statement, which only covers a 12-month period. The change has been introduced as a period of 12 months may not be appropriate for every company; allowing boards the flexibility to determine their own time periods was seen as beneficial

Report on these in the company's annual report and accounts

That the audit committee should review the company's internal financial controls. The review of the company's internal control and risk management systems could be done by the board itself, the audit committee or by a separate board risk committee. The company secretary should advise and facilitate the board to consider how this might best be done in their company

FRC Guidance

Makes clear that, when developing an organisation's risk management and internal control systems, the board should not inhibit sensible risk taking that is critical to growth

The risk management process should support decision making in the organisation and be part of the normal business processes within the organisation

States that the board has ultimate responsibility for risk management and internal control, and also that the board is responsible for ensuring that an appropriate culture has been embedded throughout the organisation

Failure to embed them in the culture of the organisation is perceived by many to be the cause of the failure of many organisations. Boards are now expected to take responsibility for ensuring that appropriate culture and reward systems have been embedded throughout the organisation

In addition to giving guidance on the board's responsibilities under the Code, the guidance also advises on how the board may exercise those responsibilities, under the following points

The culture the board wishes to embed within the organisation and whether this has been achieved

How the board ensures that there is adequate discussion at board level on risk management and internal controls

Consideration of the skills, knowledge and experience of the board and management in risk management

The flow and quality of information to and from the board

What the board has agreed to delegate and to whom

What assurances the board requires on risk management and how this is to be obtained

FRC Guidance on the strategic report
