Governance players - Coggle Diagram
CS/GP
All of these risks should be assessed, mitigated wherever possible, and the effectiveness of the mitigation evaluated by the board from time to time.
The CS can carry out this role and present the risks to the board, or can ensure that these risks form part of the risks being managed and reported on by management.
The CS is usually the person who prepares the first draft of the agenda for a board meeting, discussing it with senior management and then with the chair, who would normally approve it. The CS should then ensure that the following items are on the agenda of either the main board or the relevant board committee:
Reports providing assurance from internal and external auditors and compliance officers on the effectiveness of management's implementation of the approved policies and frameworks
Reports from internal audit on suspected non-compliance or ineffectiveness of policies and frameworks
As part of preparing for a board meeting, the CS receives all of the papers for that meeting. A template for board papers should have been created which includes a section on risk. Management should be asked to describe in this section the risks associated with doing (or not doing) the proposed item.
In addition, if the company secretary is secretary to the board committee responsible for risk, the CS would ensure that:
The committee follows the terms of reference by developing, along with the chair of the committee, an annual plan setting out the work of the committee at each of their meetings
The committee follows its procedures and governance best practice. Advice should be provided to the chair of the committee where this is not happening
A report is written for the chair of the committee on the recommendations to the board for approval. This is usually written by the CS, especially where the time between the committee meeting and the board meeting is very short
Minutes of the meeting are drafted, and a list of actions from the meeting is developed and monitored. Feedback on actions from previous meetings should be given at the next meeting, usually by the CS
Agendas are drafted for each meeting reflecting the annual plan. Where there is a combined committee, the CS should ensure that the agenda alternates from meeting to meeting between risk and audit items being first on the agenda so that the committee gives equal priority to both aspects of its role. The items should also be split on the agenda between those relating to audit and those relating to risk
Example agenda items
Audit
Review of internal audit reports on areas within the annual plan, and on requested investigations, to ensure an effective internal control system
Reviewing the annual audit of risk management processes. An organisation should ensure that internal audit does not become part of the risk process; if it does, it will not be able to audit it. Internal audit's responsibility is to provide assurance to the board that the process is effective by auditing it
Recommending for approval accounting policies and finance manuals, and any subsequent changes to them
Risk
Recommending for approval the risk policy and manual, and any subsequent changes to them
The CS may be asked to write papers for committee review on areas such as the independence of the external auditor, the amount of non-audit work to be carried out by the external auditor, and areas of risk and how they should be managed
The CS may also be called upon to assist the board with its assessment of the effectiveness of the risk management system and internal controls
As part of preparing for board meetings, the CS may be required to collect information and reports from management and internal audit on compliance with operational policies approved by the board as well as on the effectiveness of the risk management process and the internal control system
The CS, due to their knowledge of governance and board activities, would usually work closely with the internal and external auditors and the compliance officer
The CS would oversee the verification of the information within the annual report and accounts and also other documents communicating information to the outside world to ensure that the information within them is correct
The CS may be required to advise the board on business continuity. They may be called upon to draft the BCP, which will incorporate several disaster recovery plans (for instance concerning information technology), and/or to communicate parts of the plan to the organisation's stakeholders, both internally and externally
The CS is usually best placed to carry out this role due to the interaction and relationships they have with those contributing to the plan or needing to know about it
In conclusion, the CS, being the person ensuring good governance within an organisation, has an important role to play in strengthening the control environment by:
Linking the various people, structures and processes within the control environment into a strong culture of control and risk management
Ensuring the various structures and processes within the control environment are integrated effectively in the overall workflow and decision making processes of the board
Internal auditors' role
Special investigations
Internal auditors might conduct special investigations into particular aspects of the organisation's operations (systems and procedures) to check the effectiveness of operational controls
Value for money audits
This is an investigation into an operation or activity to establish whether it is economical, efficient and effective
Risk assessment
Internal auditors might be asked to investigate aspects of risk management and in particular the adequacy of the mechanisms for identifying, assessing and controlling significant risks to the organisation from both internal and external sources
Internal auditors are commonly required to check the soundness of internal financial controls. In assessing the effectiveness of individual controls, and of an internal control system generally, the following factors should be considered:
Whether the controls are manual or automated. Automated controls are by no means error or fraud proof but may be more reliable than similar manual controls
Whether controls are discretionary or non-discretionary. Non-discretionary controls are checks and procedures that must be carried out. Discretionary controls are those that do not have to be applied, either because they are voluntary or because an individual can choose to disapply them. Risk can infiltrate a system through this route, e.g. when senior management chooses to disapply controls and allows unauthorised or unchecked procedures to occur
Whether the control can be circumvented easily because an activity can be carried out in a different way where similar controls do not apply
Whether the controls are effective in achieving their purpose. Are they extensive enough, or carried out frequently enough? Are the controls applied rigorously? For example, is a supervisor doing their job properly?
CEO role
Responsibility to ensure proper execution of the risk management strategies and policies laid down by the board
The CEO should ensure that the risk and internal control frameworks extend throughout the organisation, and that resources, both financial and human, are made available to ensure they work effectively
The CEO should also ensure that a culture reflecting the risk appetite of the organisation is developed. This can be achieved through awareness sessions and by highlighting risk management as an area to be assessed when rewarding performance
CRO role
Some large companies, such as banks, other financial institutions and oil companies, have appointed specialist executive managers responsible for risk