ERMM1 Unit 6 Corporate Governance and Risk Assurance PDF

Summary

This document is a study guide for a course on principles of risk and risk management. It covers corporate governance, regulatory influences, and risk management roles within organizations. The document includes learning outcomes and resources, but is not an exam paper or past paper.

Full Transcript

ERMM1 Unit 6 Back Up Book for Printing
Site: The Institute of Risk Management
Printed by: jotham muchina
Course: Principles of Risk and Risk Management ERM - Module One
Date: Monday, 22 July 2024, 8:17 AM
Book: ERMM1 Unit 6 Back Up Book for Printing

Description
The back up book allows you to print this unit's course content. This can be done by clicking on More and simply clicking 'Print Book'.

Table of contents
6.1 - Corporate governance
6.2 - Board structures
6.3 - Regulatory influences
6.4 - Board roles and responsibilities
6.5 - Assurance

6.1 - Corporate governance
Section 6.1 enables you to explain different corporate governance models.

Learning Outcomes
After studying this unit, you should be able to examine the role of risk management within corporate governance and risk assurance.

You should make sure you have access to the following resources before starting this unit:
- Hopkin and Thompson (2021), chapters 24, 29, 32, 33, 34, 35
- Chartered Governance Institute (2022) – What is a board of directors? - https://www.thecorporategovernanceinstitute.com/insights/lexicon/what-is-a-board-of-directors/
- FRC (Financial Reporting Council) (2018) – The UK Corporate Governance Code - https://www.frc.org.uk/getattachment/88bd8c45-50ea-4841-95b0-d2f4f48069a2/2018-UK-Corporate-Governance-Code-FINAL.pdf
- FRC (2018) – Guidance on Board Effectiveness - 2018-guidance-on-board-effectiveness-final.pdf (frc.org.uk)
- FRC (2014) – Guidance on Risk Management, Internal Control and Related Financial and Business Reporting - https://www.frc.org.uk/getattachment/d672c107-b1fb-4051-84b0-f5b83a1b93f6/Guidance-on-Risk-Management-Internal-Control-and-Related-Reporting.pdf
- IRM (Institute of Risk Management) (2019) – How to hire a great chief risk officer - https://www.theirm.org/media/8461/how-to-hire-a-great-cro.pdf
- IIA (Institute of Internal Auditors) (2020) – Three Lines Model – an update of the Three Lines of Defence - https://www.theiia.org/globalassets/site/about-us/advocacy/three-lines-model-updated.pdf
- Wetherspoon (2021) - Annual report and accounts 2021 - https://www.jdwetherspoon.com/investors-home/reports-results-presentations

How you choose to approach and organise your reading time is an individual choice. We will prompt you throughout this Unit Guide with specific readings associated with the Guide and the activities. This unit should take you approximately 30 hours, including the readings and the activities.

Introduction
In this unit students will analyse corporate governance, regulatory requirements and the relevant risk management roles and responsibilities for boards and executive management. Information that management receives regarding risks and controls being managed and implemented effectively supports decision making and provides assurance to the organisation and external stakeholders that an organisation is a going concern and has long-term viability.
The requirement of corporate governance, worldwide, is to ensure that the correct people are accountable for the decisions that an organisation makes, the actions it takes, and the impacts those actions have. In addition, corporate governance provides assurance that organisations are directed and controlled in a way that ensures success and sustainability, protecting not just shareholder interests but also the interests of the other internal and external stakeholders.

The board structure and the roles and responsibilities of its members provide a level of guidance on a relevant risk management framework for an organisation. This in turn provides structure for assurance on the successful implementation of risk management and internal control. This unit examines the role of risk management in corporate governance and risk assurance in relation to internal controls and the control environment.

Unit 6 is divided into five parts and at the end of each section you will be able to:
- Section 6.1 - Explain different corporate governance models.
- Section 6.2 - Assess the impact of different board structures on risk management of organisations.
- Section 6.3 - Determine the influence of regulatory bodies on risk management of organisations.
- Section 6.4 - Determine the roles and responsibilities of the Board for risk management in organisations.
- Section 6.5 - Evaluate the role and purpose of internal control and internal and external assurance for risk management in organisations.

During this Unit Guide and within the lessons of the online course, you will be prompted with readings and activities. You should complete Unit 6 of the online course entirely before moving on to Unit 7. When/if you leave this Unit Guide to read or do an activity, you will be prompted to view the last unseen page when you return.

6.1.1.1 – Corporate governance – Part 1
The UK Corporate Governance Institute (2022) defines corporate governance as:

"The way in which companies are governed and to what purpose. It identifies who has power and accountability, and who makes decisions. It is a toolkit that enables management and the board to deal more effectively with the challenges of running a company. Corporate governance ensures that businesses have appropriate decision-making processes and controls in place so that the interests of all stakeholders (shareholders, employees, suppliers, customers, and the community) are balanced."

Corporate governance is important to all private, public sector, governmental or not-for-profit organisations, regardless of whether they are listed on a stock exchange or not. While the smallest organisations are not necessarily scrutinised as much as larger organisations, there are still aspects of good practice that can be employed.

In the UK, the Financial Reporting Council (FRC) published its first corporate governance code in 1992, known then as the Cadbury Code of Best Practice. Certainly, there were well-managed companies before the introduction of a code; however, a series of corporate failures led the accountancy profession, the London Stock Exchange, and others to come together to devise a code that would be used as the benchmark for effective board operations, oversight, and risk management. The code was updated by the Turnbull Report in 1999, which provided assistance to directors of listed companies on ensuring they had effective risk management and internal control systems for the management of risks to achieve their objectives.

The latest update to the Code came in 2018, called the UK Corporate Governance Code, which still defines corporate governance as 'the system by which companies are directed and controlled'. The Code goes on to note:

"At the heart of this Code is an updated set of Principles that emphasise the value of good corporate governance to long-term sustainable success. By applying the Principles, following the more detailed Provisions, and using the associated guidance, companies can demonstrate throughout their reporting how the governance of the company contributes to its long-term sustainable success and achieves wider objectives." (FRC (Financial Reporting Council), 2018, page 1)

6.1.1.2 – Corporate governance – Part 2
The main features of the UK Corporate Governance Code are:
1. Leadership – Every company should be headed by an effective board which is collectively responsible for the long-term success of the company.
2. Division of Responsibilities – There should be a clear division of responsibilities between the leadership of the board and the executive leadership of the company's business.
3. Composition, Succession and Evaluation – The board and its committees should have a combination of skills, experience, and knowledge. Annual evaluation of the board should consider its composition, diversity and how effectively members work together to achieve objectives.
4. Audit, Risk, and Internal Control – The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take to achieve its long-term strategic objectives.
5. Remuneration – Remuneration policies and practices should be designed to support strategy and promote long-term sustainable success. Executive remuneration should be aligned to company purpose and values and be clearly linked to the successful delivery of the company's long-term strategy.

The most significant impact of the Code for risk practitioners is the board's involvement with ensuring an effective risk management and internal control framework.
As such, the principles within Section 4 of the Code are the most relevant from a risk management perspective, notably Principle O: "The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term objectives".

The Code defines principal risks, noting that they 'should include, but are not necessarily limited to, those that could result in events or circumstances that might threaten the company's business model, future performance, solvency or liquidity and reputation'. This definition is typically interpreted as relating to threats only; the board should also consider those principal risks that offer a significant improvement to the business model, future performance, solvency or liquidity and reputation. In addition, the Code refers to material controls and material uncertainties. We will consider the terms 'material' and 'materiality' later in this section.

6.1.1.3 – Corporate governance – Part 3
The existence of a corporate governance code in the UK for over 25 years has improved boardroom performance and standards for the appointment of directors, a balanced remuneration structure and effective relationships with shareholders. Although the Code applies only to companies listed on the London Stock Exchange, it is a format that is used much more widely, by private companies, charities, public services, and associations, not just in the UK, but globally.

In addition to the Code, in 2018 the FRC (Financial Reporting Council) issued 'The Wates corporate governance principles for large private companies'. This was not only in recognition of the value of good corporate governance for all large organisations, but also to recognise the contribution of large private companies to productivity, general employment and the provision of vital goods and services. The Wates principles were developed to help improve transparency and accountability for an organisation's actions and the impact those actions could have on wider stakeholders, including the workforce, suppliers, and customers, when problems arise.

The FRC reviewed the application of the Wates Principles in early 2022, stating that their analysis "showed that companies are grasping the spirit of the Wates Corporate Governance Principles. However, overall, there is room for improvement in reporting." Sir James Wates, the chair of the group who developed these Principles, noted that "…we hope that some of the points raised in this report will help companies, even those not subject to the regulations, demonstrate good practice and make improvements going forward".

6.1.1.4 – Materiality
As noted earlier, the Code requires organisations to consider material controls and material uncertainties and report on these. Currently, the term 'materiality' in this context is traditionally interpreted to refer to anything of importance regarding the finances of an organisation. The International Standards on Auditing (ISA) produced their report 'Materiality in the audit of financial statements' in 2018, noting that it is difficult to define the term materiality, because it is used in different contexts and the interpretation of the term differs in different parts of the world.

Fundamentally, however, something is financially material if it has the potential to affect the bottom line in a meaningful manner, or if by withholding that piece of information an investor would not be able to make an informed decision. This is still the case in most instances; however, with the increasing importance of sustainability and the need to be able to use other forms of measurement beyond finance (such as social and natural capital), the word materiality can become confused. We will consider materiality again in Units 8 and 11.
Section 6.1.1: Reading + Activity Alert
Read pages 335 and 336 of Hopkin and Thompson, which introduce corporate governance in the UK. Then read page 1 and Section 4 of the Financial Reporting Council (FRC) (2018) 'UK Corporate Governance Code', which provide a background to the code, and the key principles of the code and associated provisions relating to risk management and the internal control framework. Finally, read the Introduction of the FRC (2018) Guidance on Board Effectiveness, which was updated and re-issued in parallel with the 2018 FRC Code. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you have completed your reading.

The Activity is comprised of one individual question which requires a short sentence or two in response. In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

Activity 6.1.1
Read the Introduction of the FRC (2018) 'Guidance on board effectiveness' and identify the comments on "tone from the top". Why do you think these comments are significant?

Answer
The UK Corporate Governance Code places great emphasis on leadership and the effectiveness of the board. The Guidance on Board Effectiveness provides a comprehensive platform for boards and risk managers to design and implement a sound governance framework, with the actions and activities of the board key to the culture and leadership qualities in the organisation.

6.1.2.1 – Basis of corporate governance requirements
The term 'requirement' can mean something that is 'wanted' or something that is 'compulsory'. This is relevant to corporate governance requirements around the world, as some are 'wanted', and some are 'compulsory'.

Corporate governance requirements that are 'wanted' are usually referred to as principles based. In this case, organisations are expected to comply with the principles set out, but it is not mandatory to do so. However, if they do not comply with any of the principles, they must explain why. Principles based corporate governance is also referred to as 'comply or explain'.

Corporate governance requirements that are 'compulsory' are usually referred to as prescriptive based. In this case, organisations must comply with the principles set out, and there are penalties for non-compliance. Prescriptive based corporate governance is also referred to as 'comply and sign'.

The approach to corporate governance is typically set at a national level. For example, in the UK a principles-based approach to corporate governance is used and is supported by the relevant rules and regulations, whereas in the US (United States) a prescriptive based approach is used.

6.1.2.2 – Principle based governance
The Introduction section to the UK Corporate Governance Code notes that the effective application of the principles should be supported by high-quality reporting on the provisions. As such, listed companies are required to report on how they have applied the main principles of the Code, and either to confirm that they have complied with the Code's provisions or, where they have not, to provide an explanation. In following this reporting requirement companies are advised to avoid a 'tick-box' approach, and to operate the 'comply or explain' or 'principle based' regime which applies in the UK. In other words, compliance with the Code is not a legal requirement, but listed companies are required to publish in their annual report and accounts where they might not be complying with the Code, together with reasons why they are not complying. This is so their shareholders and other interested parties can judge the materiality (or importance) of the non-compliance.
The principles-based approach is not just about an organisation explaining where it is or is not complying with requirements. It is more about an organisation considering how it applies the requirements appropriately, customising its approach to suit the organisation, not just, as said above, ticking boxes. In taking this customised approach the board takes accountability for its strategy, governance, reporting and assurance.

Section 6.1.2: Reading + Activity Alert
Read again pages 1 and 2 of the FRC (2018) Code regarding reporting on the Code, which explain the principles based, comply or explain approach to reporting. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you have completed your reading.

The Activity is comprised of one individual question which requires a short sentence or two in response. In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

Activity 6.1.2
Read page 86 of JD Wetherspoon's annual report and financial statements, 7 October 2021. Does JD Wetherspoon comply with the Principles of the UK Corporate Governance Code, and if not does it explain why not? Explain your reasons. https://www.jdwetherspoon.com/investors-home/reports-results-presentations

Answer
The company sets out how it has applied the relevant principles and provisions of the 2018 Code and identifies and explains where it has not. It believes it has complied with all principles except in the following circumstances:
- 3. Dialogue with shareholders
- 10. Non-executive directors' independence
- 12. Senior independent director
- 19. Chairman's term
- 21. External board evaluation
- 30. Long-term shareholdings
It is important to explain these exceptions to shareholders and other stakeholders via the annual report, as these explanations will help support investor decisions.

6.1.3.1 – Prescriptive based governance
The UK Corporate Governance Code is principles based, using the 'comply or explain' approach. An alternative approach is 'comply and sign', also known as prescriptive or rules based corporate governance. The prescriptive based approach is not just a regulatory requirement but is instilled into law, with appropriate penalties in instances of non-compliance for directors of publicly listed organisations, usually in the form of a fine, imprisonment or both.

As with the principles-based approach, the prescriptive approach to corporate governance has often also been deployed in response to large corporate failures, such as Sarbanes-Oxley in the US (United States) following the Enron and WorldCom scandals. The prescriptive approach provides organisations with clarity in terms of compliance with corporate governance regulations, with one set of rules for all listed organisations. In addition, the penalties for non-compliance mean that organisations are more likely to follow the regulations. We will return to Sarbanes-Oxley later in this unit.

It is sometimes felt that the prescriptive based approach can lead to more of a 'box-ticking' approach to corporate governance, with organisations complying with the 'letter of the law' or trying to exploit loopholes in the requirements, rather than looking for improvements in the governance of and reporting on their organisations' activities.

6.1.4.1 – International corporate governance perspectives
Most countries have formal corporate governance requirements, although the approach taken towards corporate governance differs between them. Some countries choose to model their approach on that used in the UK; for example, readers of the Singapore Corporate Governance Code will see several similarities to the UK approach. The Organisation for Economic Co-operation and Development and the G20 published the G20/OECD Principles of Corporate Governance (OECD 2015), a framework in use in many countries around the world. These principles are not mandatory. In other countries, a different approach may be taken, some examples of which are explored below.

In France, corporate governance rules are set out in statutory provisions in the French Commercial Code and in corporate governance recommendations set by the main French business associations (AFEP/MEDEF), which publish the Corporate Governance Code. Although the recommendations are not mandatory, they are applied by companies.

In Germany, corporate governance is integrated into several different laws related to listed organisations. In addition, the German Corporate Governance Code (GCGC), updated in 2019, provides corporate governance rules and recommendations, although they are not legally binding.

In the US, the New York Stock Exchange rules require an effective governance structure with many similarities to the UK, with the Sarbanes-Oxley Act 2002 including significant mandatory financial practice and corporate governance requirements.

In South Africa, the King IV corporate governance code takes a slightly different approach, which has introduced an 'apply and explain' regime. This goes further than the 'comply and explain' regime by asking organisations to be transparent in the application of their corporate governance practices.

Section 6.1.3: Reading Alert
Read pages 336 to 344 of Hopkin and Thompson on the OECD principles of corporate governance and the London Stock Exchange (LSE) corporate governance framework. The corporate governance approach for financial services organisations and government agencies is also explored.
If you wish to pause now, you can return to this page after you have completed your reading.

6.2 - Board structures
Section 6.2 enables you to assess the impact of different board structures on risk management of organisations.

6.2.1.1 Board composition
We considered an organisation's governance structure in Unit 2, Section 2, in relation to the Risk Architecture of a risk management framework, where we explored how the structure of risk management activities should align with the management style and structure across the organisation. As part of this we explored agency theory, examining the important relationships between the likes of shareholders / members / trustees and the board of directors, the CEO, executives and so on. Taking this concept further, we now consider the structure of the board of directors in more detail.

Nearly all organisations are managed by a board of directors, or trustees. This is a group of elected individuals who represent the shareholders or members of the organisation. The board is the highest governing authority within the management structure of an organisation and is responsible for the organisation's governance. Boards may comprise executive directors or non-executive directors, or both. We will consider the board structure later in this section.

Executive directors are full-time employees of the organisation. Examples of an executive director include the Chief Executive Officer and Chief Finance Officer. Depending on the nature of the organisation, other senior leaders may be considered to be executive directors. They may include those who work in a senior capacity regarding strategy, technical, sustainability, communications etc.

Non-executive directors are not employees of the organisation and are not involved in its day-to-day running. The Institute of Directors (2022) states that non-executive directors 'provide a creative contribution to the board by providing independent oversight and constructive challenge to the executive directors'. NEDs should be independent of the organisation and its activities, and of businesses connected to it. It is also recognised as good practice that there should be more NEDs on the board than executive directors. The legal responsibilities of all directors are the same. For unquoted or non-regulated businesses there are often no requirements to have NEDs on the board, although many of these organisations have NEDs, as they are considered valuable because they bring perspective and experience from outside the business. We will consider the board roles and responsibilities further in Section 4.

6.2.1.2 Board structures
There are many different models for board structures adopted by organisations, but they generally fall into two main categories:
- Unitary
- Two-tier (operational and supervisory)

Unitary boards are those where executive and non-executive directors serve together on one board. This has been the model adopted by most organisations in the UK, US, Australia and South Africa. The advantages of a unitary board are that the board receives more detailed information, has greater involvement in the organisation and is closer to the organisational strategy. The disadvantages are that, from an external perspective, there is little distinction between management and supervision, and conflicts of interest and loss of independence may develop.

Two-tier boards are those where the responsibility for supervision (the non-executives) is separated from the responsibility for day-to-day operations (the executives). The operational board oversees the routine managerial tasks and transactions, whereas the supervisory board generally manages the long-term strategic planning and decision making and oversees the operating board. This two-tier board structure is the one adopted by many countries in continental Europe. The advantages of the two-tiered board are that, although executives have more control over the appointment of NEDs, members are appointed on their expertise, the CEO is prevented from serving as the chair of the supervisory board and there is a reduction in bias in the decision-making process. The main disadvantage is that two-tiered boards tend to be larger than unitary boards.

6.2.1.3 Committees of the board
Most boards will delegate work through committees which can focus on specific topics, such as governance. Some committees will be permanent, and some will be appointed on an ad hoc basis to deal with particular tasks and disbanded once the objectives have been achieved. As such, depending on the size, the governance arrangements and the objectives for the year, an organisation might have a number of committees, although the three most common are (as required by the UK Code):
- Nomination – responsible for the appointment of new directors and ensuring succession plans are in place for the board and the executive level immediately below it.
- Remuneration – responsible for setting executive pay, which is a contentious issue in ensuring an organisation can attract and retain executive directors while at the same time avoiding paying them too much.
- Audit – responsible for an organisation's financial reporting and reviewing the effectiveness of internal controls and risk management. Also the conduit for whistle-blowing and following up on any issues of bad conduct within an organisation. More on the audit committee in Section 5.
Some organisations appoint a further committee to separately oversee the effectiveness of risk management, which may be responsible for advising the board on:
- Risk appetite, generally
- Effect of strategy changes and strategic transactions on risk appetite
- Principal risks and their management
- Emerging risks
- Outcomes of stress testing
- Effectiveness of risk management and internal controls, and approving relevant statements for the annual report
- Appropriateness of values, culture and reward systems

Other combinations of these board committees include the Nomination and Remuneration Committee, the Audit and Risk Committee, and in smaller organisations there may be a Finance, Audit and Risk Committee. Other committees may also be in place and may include an Operations Committee, Sustainability Committee, Finance Committee, Members Committee etc. The structure of the board-level committees is fully dependent on the context of the organisation itself and, as such, they may evolve as the organisation changes.

Section 6.2.1: Reading + Activity Alert
Read again page 344 of Hopkin and Thompson on unitary and two-tier board structures, and the Corporate Governance Institute (2022) article on 'What is a board of directors?' Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you have completed your reading.

The Activity is comprised of one individual question which requires a short sentence or two in response. In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

Activity 6.2.1
Consider the board structure of your organisation. Is it a unitary or two-tier structure, and what advantages or disadvantages do those structures bring?

Answer
The structure of your board may be a reflection of the country in which your organisation is located or registered, where organisations in the UK, US, etc. usually have a unitary board, and those in continental Europe usually have a two-tiered board. However, this is not mandatory, and some organisations outside of continental Europe are moving towards a two-tiered board.

Remember that the advantages of a unitary board are that the board receives more detailed information, has greater involvement in the organisation and is closer to the organisational strategy. The disadvantages are that, from an external perspective, there is little distinction between management and supervision, and conflicts of interest and loss of independence may develop.

Also, the advantages of the two-tiered board are that, although executives have more control over the appointment of NEDs, members are appointed on their expertise rather than friendship, the CEO is prevented from serving as the chair of the supervisory board and there is a reduction in bias in the decision-making process. The disadvantages are that two-tiered boards tend to be larger than unitary boards, and that NEDs stand to benefit from the success of an organisation's stock, which may reduce their independence.

6.3 - Regulatory influences
Section 6.3 enables you to determine the influence of regulatory bodies on risk management of organisations.

6.3.1.1 – Regulatory influences
We have mentioned some of the influences over corporate governance in earlier sections of this unit. These influences are usually country-wide, affecting all organisations that operate or are registered in that country. The influences usually come in the form of independent bodies or legislation, which are established to provide guidance on and/or mandate requirements for organisations (usually listed) regarding their governance, and which have the authority to oversee and/or the power to prosecute or fine organisations for non-compliance.
We will consider three key influences over corporate governance:
- The UK’s Financial Reporting Council (FRC)
- The US’s Sarbanes-Oxley Act
- The Organisation for Economic Co-operation and Development (OECD)

6.3.1.2 – Financial Reporting Council (FRC)

The FRC originated in the 1980s as a private sector body promoting high-quality financial reporting, consisting of the Accounting Standards Board and the Financial Reporting Review Panel. Following large corporate scandals, it took on audit and accountancy regulation in 2004, actuarial oversight and standard setting in 2006, and became an independent entity in 2011. The FRC now regulates auditors, accountants and actuaries, setting the corporate governance, reporting and auditing standards and holding those responsible for delivering them to account. As such, they monitor and take enforcement action when things go wrong, and as an independent, transparent organisation they also consult with and report to the UK government.

The FRC (2021) note that their role as a strong regulator is ‘central to creating trust in the quality of corporate governance, corporate reporting and audit, and actuarial work, and ensuring confidence from investors’. They also note that having a strong independent regulator underpins confidence in the UK market, which is based around a virtuous circle of:
- Market confidence
- Engaged investors
- Better governance
- Better quality reporting
- Rigorous audit

As noted in this and previous units, the FRC are responsible for the UK Corporate Governance Code, the related Guidance on Board Effectiveness and the Wates Corporate Governance Principles for large private companies. In addition to the standards and codes, the FRC provide guidance and supporting reports, procedures, regulations, frameworks, thematic reviews and case studies for investors, accountants, actuaries, auditors and directors.
As such, the FRC have a significant influence on corporate governance in the UK and, in collaboration with their international peers, also influence the corporate governance exercised in many other countries.

6.3.1.3 – Sarbanes-Oxley (SOX)

The Sarbanes-Oxley Act of 2002 was instigated in response to the corporate scandals involving Enron, WorldCom and Global Crossing. It came into force in 2006, requiring companies listed on a US stock exchange to disclose accurate financial information. This is an example of the ‘comply and sign’ approach to corporate governance, where non-compliance can result in executives facing fines and imprisonment. As noted in Hopkin and Thompson, the key sections of SOX relating to risk management are Sections 302 and 404:
- Section 302 – states that the Chief Executive Officer and Chief Financial Officer are directly responsible for the accuracy, documentation and submission of all financial reports and the internal control structure.
- Section 404 – states that all annual financial reports must report that management are responsible for an ‘adequate’ internal control structure, and must include an assessment by management of the effectiveness of that structure, with any weaknesses being reported. In addition, registered external auditors must attest to the accuracy of management’s declaration that the internal accounting controls are in place, operational and effective.

SOX also requires a recognised risk management framework to be implemented, with the recommendation that the COSO ERM framework is used. As such, SOX has an influence on both risk management and corporate governance, particularly in relation to companies listed on a US stock exchange.

Following major UK corporate collapses, new corporate governance requirements have been developed for the UK which will apply to financial years ending December 2023 or after.
This new regime is being unofficially named UK SOX, moving the UK corporate governance requirements closer to the US regulations. The new regime will place substantial new reporting requirements on directors, requiring investment and time to ensure compliance.

6.3.1.4 – OECD

The Organisation for Economic Co-operation and Development (OECD), which we introduced in Section 1, is an international, not-for-profit organisation that establishes international standards and policies, collaborating with representatives from governments, parliaments, international organisations, businesses and society in general. The OECD’s overall approach is three-fold:
- To provide knowledge and advice to inform policies and help steer decision making
- To engage and influence policy makers to enable ideas and experiences to be shared
- To encourage countries and other partners to develop international standards to enable a consistent approach to be taken in key areas, and to provide a forum for co-operation to reach shared objectives.

The OECD developed ‘Guidelines on the corporate governance of state-owned enterprises’ in 2005 to give advice to countries on how to manage their responsibilities as company owners. These guidelines were updated in 2015, with a further update in 2023, which includes a focus on specific areas: climate change and other environmental, social and governance (ESG) risks; the growth of new digital technologies and emerging opportunities and threats; crisis and risk management; and excessive risk taking in the non-financial corporate sector. Although the UK and US are members of the OECD, they are not required to implement the corporate governance requirements; however, by nature of their membership, they have influenced and been influenced by the OECD guidance.

Section 6.3.1: Reading + Activity Alert

Read pages 418 to 421 of Hopkin and Thompson on Sarbanes-Oxley and risk reports by US companies.
Also, read again pages 336 to 338 on the OECD principles of corporate governance. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you have completed your reading.

The Activity comprises one individual question which requires a short sentence or two in response. In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

Read the Pioneer Food Group case study on pages 333 and 334 of Hopkin and Thompson. As a South African company taken over by the US PepsiCo Group, which corporate governance regulation do you think will have an influence over Pioneer Food Group, and why?

Activity 6.3.1 Answer Revealed

The Pioneer Food Group agreed a takeover by the PepsiCo Group, which was sanctioned by regulators in 2020. The PepsiCo Group is registered on one of the US stock exchanges and is therefore required to comply (and sign) with Sarbanes-Oxley, and by association it is recommended that they follow the COSO ERM framework. As such, Pioneer Food Group are required to file their annual reports with the US Securities and Exchange Commission. However, as a company based in South Africa, they comply with the King IV code of corporate governance, which has a similar approach to the UK code, although King IV takes the ‘apply and explain’ approach. Organisations with vested interests in different countries can find they are required to report against different requirements at the same time.

6.4 - Board roles and responsibilities

Section 6.4 enables you to determine the roles and responsibilities of the board for risk management in organisations.
6.4.1.1 – Board roles and responsibilities

In Unit 2, Section 2, we considered some of the different risk management roles and responsibilities in organisations. In this section we consider the responsibilities of the board and the chief risk officer in their strategic management and corporate governance roles. From the board’s perspective of ‘statutory duty’, both executive and non-executive directors have clear duties, from both a legal and a regulatory perspective. This is discussed in Hopkin and Thompson. There are also risk management related responsibilities for the board, which are over and above, but also integral to, these legal and regulatory duties.

Section 6.4.1 Reading Alert

Read again pages 276 to 280 of Hopkin and Thompson on the statutory responsibilities of management, the role of the non-executive director, the role of the risk manager and the role of the chief risk officer. If you wish to pause now, you can return to this page after you have completed your reading.

6.4.1.2 – Board members

When someone in your organisation refers to a board member, they are often referring to one of the non-executive directors, even where there is a unitary board consisting of executive and non-executive directors (NEDs). Regardless of the board structure, NEDs should be independent of the operational activities of an organisation and should be subject matter experts in areas that are relevant to the organisation. Where NEDs are considered independent, they may be referred to as INEDs. Hopkin and Thompson provide a list of responsibilities for NEDs across the key elements of strategy, performance, risk, controls, people, confidence, independence and knowledge. The UK’s Institute of Directors (2018) goes further in its fact sheet ‘What is the role of the non-executive director?’ to consider the responsibilities of NEDs. In summary, NEDs provide a creative contribution to the board by providing independent oversight and constructive challenge to the executive directors. The responsibilities are:
- Strategic direction – provide a creative and informed contribution and act as a constructive critic in looking at the objectives and plans devised by the chief executive and the executive team.
- Monitoring performance – monitor the performance of executive management, especially with regard to the progress made towards achieving the determined company strategy and objectives.
- Remuneration – responsible for determining appropriate levels of remuneration of executive directors.
- Communication – help connect the business and board with networks of potentially useful people and organisations.
- Risk – satisfy themselves on the integrity of financial information and that financial controls and systems of risk management are robust and defensible.
- Audit – ensure that the company accounts properly to its shareholders by presenting a true and fair reflection of its actions and financial performance, and that the necessary internal control systems are put into place and monitored regularly and rigorously.

The key responsibility noted above is that of the NED as a ‘constructive’ critic. From a risk management perspective, this challenge from NEDs should enable them to be assured of the integrity of financial information and also that the systems of risk management are robust and defensible. This is particularly relevant where a NED sits on the audit committee – we will look at the role of the audit committee later in this unit.

6.4.1.3 – Board as a group

The board, as a group, has key responsibilities for risk management and internal control. The FRC (2014) paper, ‘Guidance on risk management, internal control and related financial and business reporting’, considers those responsibilities:
- Ensure the design and implementation of appropriate risk management and internal control systems that identify the risks facing the company and enable the board to make a robust assessment of the principal risks.
- Determine the nature and extent of the principal risks faced and those risks which the organisation is willing to take in achieving its strategic objectives (determining its ‘risk appetite’).
- Ensure that appropriate culture and reward systems have been embedded throughout the organisation.
- Agree how the principal risks should be managed or mitigated to reduce the likelihood of their incidence or their impact.
- Monitor and review the risk management and internal control systems, and management’s process of monitoring and reviewing, and satisfy itself that they are functioning effectively and that corrective action is being taken where necessary.
- Ensure sound internal and external information and communication processes, and take responsibility for external communication on risk management and internal control.

The FRC (2014) paper also notes that management have day-to-day responsibility for risk management and internal control, but that the board need to be satisfied that management understand and are controlling those risks effectively and are providing the board with timely information so that it can discharge its responsibilities. Many organisations focus on the responsibilities of the board and accept information on risk management and internal control without considering or challenging how those responsibilities are exercised. In exercising those responsibilities, the FRC suggest the board should also consider:
- The desired risk management culture.
- The quality and frequency of discussions on risk in relation to strategy, major projects and other significant commitments.
- The board’s and management’s risk management skills, knowledge and experience.
- The regularity and quality of risk information flow to and from the board.
- The delegation of risk management and internal control activities.
- The final level of assurance the board requires and how it is obtained.
Effectively, the board should be asking the question from the final arrow in the simple four-step risk management process: ‘Considering the context in which the organisation is operating and the objectives we are trying to achieve, and the risks we face and our ability to manage them, can we achieve our objectives?’. Where the answer is ‘no’, the board should be a part of the decision-making process in managing principal risks further, changing the objectives, or accepting appropriate risks at their current level.

Section 6.4.2 Reading Alert

Read Sections 2 and 3 of the FRC (2014) paper, ‘Guidance on risk management, internal control and related financial and business reporting’, on the board’s responsibilities for risk management and internal control and on exercising those responsibilities, which provide further detail on those responsibilities of the board.

6.4.1.4 – Chief Risk Officer (CRO)

As noted by Hopkin and Thompson, the Chief Risk Officer (CRO) is a champion of the ERM process, bringing together what may often be different risk management processes (tailored for different requirements, for example health and safety or finance) within an organisation to form a cohesive overview of the risks faced and managed by the organisation. This also involves working with others to establish the effective management of risks, monitor progress and assist in reporting relevant risk information up, down and across an organisation.

In the IRM (2019) paper ‘How to hire a great Chief Risk Officer’ it is noted that the CRO is the most senior executive with responsibility and accountability for the risk management processes, regardless of the actual job title; for example, this could be the Head of ERM. The responsibilities of the CRO are considered under four key headings:
- Insights and context – using knowledge of internal and external influences to ensure robust risk management in responsive and agile organisations.
- Strategy and performance – developing a risk management strategy to meet organisational needs.
- Risk management process – managing the risk management process.
- Organisational capability – developing and managing a skilled, agile and responsive risk organisation.

In some sectors, such as financial services, there is a regulatory requirement for an organisation to have a CRO. Other organisations have decided that there is value in appointing a CRO as they mature their risk management framework and process. As the most senior executive in the organisation with responsibility and accountability for risk management, organisations can benefit from the CRO reporting to both the CEO and the board of directors, but this is not always the case. A Deloitte (2018) survey of 94 leading financial institutions suggested that having the CRO meet with the board on a regular basis, sometimes without executive management present, can ‘allow the board to receive an unvarnished assessment’ of the organisation’s risks and risk management process. Where the CRO does not have direct access to the CEO and/or the board, it can affect the value of that role. The responsibilities of a CRO are complex and should be developed and tailored with great care to ensure the role adds value to the organisation and is resilient in the face of a rapidly evolving environment. The IRM (2019) paper also provides information on identifying the key competencies required of a CRO, which we will consider further in Unit 12.

Section 6.4.3 Reading + Activity Alert

Read pages 6 to 9 of the IRM (2019) paper ‘How to hire a great Chief Risk Officer’ on the changing CRO role, understanding the role and identifying the competencies for a CRO. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you have completed your reading.
The Activity comprises two individual questions which require a short sentence or two in response. In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

What do you think the value of a Chief Risk Officer is?

Activity 6.4.3 Answer Revealed

The IRM (2019) paper, ‘How to hire a great CRO’, considers some of the benefits of the CRO and the value that the role can bring to an organisation:
- As a trusted business partner and part of the leadership team, helping and encouraging the organisation to take the appropriate amount of risk and build a healthy risk culture.
- Ability, with the risk team, to create strong relationships and collaborate proactively and ethically with functions ranging from compliance, operations, customer service, finance and human resources through to sales and technology. This is far removed from the typical, and rather old-fashioned, perception of a risk function: a function concerned only with downside risk management via complex number crunching or bureaucratic box ticking.
- Support the board in setting the right tone from the top in respect of risk ethics and building a healthy risk culture.
- Supporting the board in articulating the risk appetite, as a balance between risk and reward in achieving its strategy and objectives.
- Helping the board consider risk to the business model and the resilience and sustainability needed to achieve that eventually.
- Positive interaction with external parties across the extended enterprise.

6.5 - Assurance

Section 6.5 enables you to evaluate the role and purpose of assurance (external and internal) and internal control for risk management in organisations.

6.5.1.1 Role of internal audit

The Institute of Internal Auditors, Inc.
(IIA) on their website defines internal auditing as: "an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes".

It states that the profession of internal audit is fundamentally concerned with evaluating an organisation’s management of risk. This is achieved through a number of means, most notably through examination of actual business or organisational practices and controls and assessing them against the required practices. Any shortfall or non-compliance with the required controls is discussed with local management to identify the reasons why, and either a return to full compliance is agreed or the required control environment is reviewed and amended, resetting the requirements to be followed going forward. By this means, the work of the internal audit function enhances the effectiveness and efficiency of the business.

The Chartered Institute of Internal Auditors (CIIA) goes further in its article ‘What is internal audit?’ to consider what internal auditors do, their value to an organisation and the difference between internal and external audit. In addition, it considers the important role of internal audit in assessing the management of risk and assisting management in the improvement of internal controls, amongst other risk related activities, and in sharing this with local and senior managers. Again, this helps to reinforce the strength and utility of risk management activities and indicates why the risk and internal audit functions work closely with operational managers. A key characteristic of internal audit is the need to maintain independence from operational management.
Most organisations have an audit committee (a committee of the main board), and this will receive reports and discuss risks and controls with the auditors, both internal and external. The members of the audit committee are likely to be the independent non-executive directors of the organisation: very senior people who will have a strong interest in seeing the reports on exactly how the control environment is operating in practice. The aim is for internal audit to be able to report their findings directly to the audit committee in a ‘safe’ environment, without the risk of pressure from management to hide or understate an issue. Typically, the head of internal audit will report directly to the chair of the audit committee and not to a line executive such as the chief executive or chief operating officer. In some organisations, the internal audit function may sit within a corporate structure (such as the finance team) and on a day-to-day operational basis the head of internal audit may report to the finance director. This does not change the effectiveness of having a direct reporting line to the audit committee.

The ‘end customer’ of internal audit is the board of directors, who place reliance on its assurances on the system of internal control. No system guarantees immunity from the effects of risks, but the board seeks a considered view on how the risk environment is controlled. We will consider internal and external audit further later in this section.

Section 6.5.1: Reading + Activity Alert

Read pages 397 to 402 of Hopkin and Thompson on the scope and role of internal audit, the steps in undertaking an internal audit, and the relationship between internal audit and risk management. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you have completed your reading.

The Activity comprises one individual question which requires a short sentence or two in response.
In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

Using the diagram in Figure 33.1 of Hopkin and Thompson on the ‘role of internal audit in ERM’, consider the role that internal audit has in your organisation. Do you think that internal audit are undertaking the appropriate roles to ensure their independence?

Activity 6.5.1 Answer Revealed

Figure: Hopkin and Thompson’s Figure 33.1, Role of internal audit in ERM

As seen in Hopkin and Thompson’s Figure 33.1, there are some roles that internal audit should not undertake, and some that can be undertaken as long as safeguards are in place to ensure independence.

6.5.2.1 Assurance

Internal audit carries out a critical phase of the risk management process in providing independent assurance on the effectiveness of the control environment, and assesses the operation of the risk management strategy and activities within the organisation. Risk assurance is the phrase that is intended to indicate the information and analysis that is provided to managers and directors with regard to the status of the risk and control environment in an organisation; it is the internal process we use to create checks and balances within our governance and risk frameworks. As we have discussed in connection with corporate governance, the board is responsible for risk management, and they therefore need and seek assurance that the risk strategy is working. A central feature of an effective risk assurance framework is the audit activity, and of course the work of external auditors in providing particularly important risk information (and assurance) for directors.
Internal audit teams can use a number of techniques to provide robust assurance. These include statistical sampling techniques, risk prioritisation techniques and assurance mapping. Organisations need an efficient and effective framework in place to give sufficient, continuous and reliable assurance on their governance, management of risk and internal control. Assurance mapping is a mechanism for linking assurances to the risks and recognising the sources of these assurances within an organisation. Assurance mapping is defined by the ICAEW as “a structured means of identifying and mapping the main sources and types of assurance in an organisation across the four lines of defence and coordinating them to best effect.” We will consider the three (four) lines model next.

6.5.2.2 Assurance models - Three lines of defence

A common model for identifying and understanding these contributions has been the three lines of defence. Although the three lines of defence model has been updated and is now referred to as the three lines of assurance model, some organisations still use the three lines of defence approach. As such, an overview of the three lines of defence model is given here.

The Institute of Internal Auditors (IIA) published its ‘three lines of defence’ (3LOD) model in 2013 to provide a framework for managing risk and exercising control within an organisation, with associated responsibilities. This model is commonly used in the financial services sector but has been widely adopted by organisations in other sectors and industries. The main features of the model were:
- Governing body and senior management – sitting above the three lines, setting strategy and objectives.
- First line – primary responsibility for managing and controlling the risks.
- Second line – comprising risk management and compliance functions in support of the first line controls through facilitation and monitoring of risk management practices.
- Third line – providing independent assurance on the effectiveness of governance, risk management and internal controls, across the first and second lines.
- ‘Fourth line’ – external auditors/regulators – consideration of governance and the control structure.

Note that the three lines relate to an individual’s tasks, not their position in the organisational structure. Therefore, it is possible for an individual (in most organisations) to fill both first- and second-line roles.

In the 3LOD model, note that the primary responsibility for the application of the risk management framework (RMF) lies with business management (the first line of defence). Support for and challenges to the risk management activities, including the identification, measurement, monitoring, management and reporting of risk, are usually performed by an independent risk function (the second line of assurance) acting as a ‘critical friend’ to the first line of defence. The design of the RMF is also primarily the responsibility of the second line of defence. Independent and objective assurance on the robustness of the RMF, and the appropriateness and effectiveness of internal control, is provided by internal audit (the third line of assurance).

Figure 6.5.1 – The three lines – indicates the roles taken by front-line management, the risk management function and the internal audit function.

Figure 6.5.1 – The three lines

6.5.2.3 Assurance models - Three lines of assurance

However, there have been challenges in the implementation of the three lines of assurance model. Accountancy and business consultants BDO (2021) consider these challenges in their article ‘The three lines of defence model has been updated – what does it mean for internal audit?’. The main issue has been the assumption that the different lines are distinct from each other, and that risk management and internal controls apply vertically and linearly.
As such, the rigid application of the model has created silos where each line provides assurance on risk management and internal control from its own perspective, causing gaps and overlaps. BDO also note that the first and second lines are, in practice, not clearly defined, with many organisations having first line functions providing second line assurance, and second line functions undertaking first line risk management and control activities. In addition, the focus on ‘defence’ means that opportunities have been ignored. Finally, for the financial services sector, the three lines model has been insufficient in providing assurance, with the lack of independence in the second line and skills gaps in the second and third lines prompting the suggestion of a four lines of defence model for financial institutions.

These challenges led to the IIA (2020) publishing ‘The IIA’s Three Lines Model – an update of the Three Lines of Defence’. BDO (2021) note that the main changes to the model are:
- The recognition that all roles work collaboratively to create and protect value for an organisation.
- The adoption of a principles-based approach, providing more flexibility in implementing the model, as governing bodies, management and internal audit do not fit into rigid lines.
- Removal of the rigid distinction between the first and second lines, in recognition of the fluidity between the lines.
- Roles are defined more clearly.
- Recognition of the contribution that risk management makes in achieving objectives and creating value.
- Removal of ‘defence’ from the title to focus on the creation and protection of value.
- Regulators and external auditors have not been included as a distinct fourth line.

Section 6.5.2: Reading + Activity Alert

Read pages 402 to 406 of Hopkin and Thompson on risk management and internal audit, including the three lines model. Note that the three lines of defence model from the Orange Book has been included.
Also, read the IIA (2020) ‘Three Lines Model – an update of the Three Lines of Defence’. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you have completed your reading.

The Activity comprises one individual question which requires a short sentence or two in response. In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

Does your organisation use the three lines model as the structured risk assurance mapping framework? If so, does your organisation use the three lines of defence or the updated three lines of assurance model? Depending on the model adopted, which ‘line’ do you work within, and do you understand why? If your organisation does not use the three lines model, how do you map your risk assurance?

Activity 6.5.2 Answer Revealed

Where the three lines model is in place, risk practitioners will be in the second line of the model. If the 3LOD is being used, that role will be strictly related to the provision of advice and support, with no responsibility for managing risk. While it is true that risk practitioners are not usually the owners of risk, and therefore not involved in the management of risks, there are instances where that is not the case.
As such, this blurring of the first and second lines can cause confusion, with instances where employees note that they are in line ‘one and three quarters’. The updated model allows for that blurring between lines one and two, recognising that individuals in either line can undertake activities in the other line.

6.5.3.1 External assurance
External assurance has traditionally been limited to verification of an organisation’s financial viability. The remit of external assurance has expanded over the last decade, as stakeholder expectations focus not just on the financial aspects of an organisation but on transparent and better communication regarding its sustainable practices, initiatives and performance. External assurance can provide that increased confidence in an organisation’s disclosures on sustainability by providing an independent, third-party review, in much the same way as external auditors verify the financial statements and compliance with accounting standards. Disclosures regarding sustainability are supported by updates to the assurance standards, which now include the requirement that organisations should monitor, measure and be accountable for how their actions affect the broader ecosystems. This is reflected in the concept of double materiality that we considered in Section 6 of this unit.

External assurance on an organisation’s impact on the broader ecosystem goes beyond ethics, conduct risk and corporate social responsibility. The requirement to disclose information on an organisation’s impact on climate change, and the increasing focus on the environmental, social and governance (ESG) aspects of an organisation’s activities, require many organisations to rethink their strategy and all organisations to consider how they provide external assurance beyond their financial stability. We will consider sustainability, carbon targets and ESG in more detail in Unit 8.
6.5.3.2 External audit
We considered the three lines of defence or the three lines of assurance earlier, where the third line, internal audit, provides independent assurance to the board on the effectiveness of risk management and internal controls in an organisation. In accordance with relevant laws or regulations, this internal view of assurance is verified by an independent examination by external auditors, who consider whether the financial statements provide a ‘true and fair’ reflection of the organisation financially, and whether the accounts have been appropriately prepared in accordance with accounting standards. In Section 3, we considered the requirements of Sarbanes-Oxley, where Section 404 of the Act requires that registered external auditors must attest to the accuracy of management’s declaration that the internal accounting controls are in place, operational and effective.

Later, we will consider the role of the audit committee further. Here it is important to note that the UK Corporate Governance Code requires the audit committee to:
- Conduct the tender process and recommend to the board the appointment, reappointment or removal of the external auditor.
- Review and monitor the external auditor’s independence and objectivity.
- Review the effectiveness of the external audit process.
- Develop and implement policy on the engagement of the external auditor to supply non-audit services.

External auditors primarily report to the shareholders or external stakeholders of an organisation. External auditor reports increase the credibility of an organisation’s financial statements, providing greater confidence and greater transparency to shareholders.

Section 6.5.3: Reading + Activity Alert
Read again Provision 25 of the FRC (2018) UK Corporate Governance Code on the roles and responsibilities of the audit committee, particularly the points relating to external audit. Then complete the associated Activity on the next page.
If you wish to pause now, you can return to this page after you have completed your reading.

The Activity is comprised of one individual question which requires a short sentence or two response. In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

Who provides external auditing services to your organisation? Where do they verify that the financial statements of your organisation are a true and fair reflection of your organisation’s viability?

Activity 6.5.3 Answer Revealed
Who provides external auditing services to your organisation? Where do they verify that the financial statements of your organisation are a true and fair reflection of your organisation’s viability?

Your external auditors should be qualified accountants, registered with a professional body, such as the Institute of Internal Auditors. External auditors verify the financial statements in an organisation’s annual report. Following the requirements of the UK Corporate Governance Code, the external auditor provides, amongst other considerations, their opinion on whether the financial statements provide a true and fair view of the organisation’s financial affairs, and whether the statements have been prepared in accordance with the relevant accounting standards and legal requirements.

6.5.4.1 Internal assurance
We earlier defined risk assurance as the information and analysis that is provided to managers and directors with regard to the status of the risk and control environment in an organisation – it is the internal process we use to create checks and balances within our governance and risk frameworks. Deloitte (2108), in their paper on ‘integrated risk assurance’, suggest that organisations need an efficient framework for seeing the whole risk picture, with assurance reports to the board that are neither heavy on detail nor light on oversight of what really matters to the organisation.
Internal risk assurance comes from a variety of sources. Hopkin and Thompson consider the different sources of risk assurance under five headings:
- Culture measurement
- Audit reports
- Unit reports
- Performance of the unit
- Unit documentation

Another key source of internal risk assurance is the use of ‘self-certification’ of controls. This self-certification is usually referred to as a ‘control risk self-assessment’ (CRSA). CRSA is an arrangement whereby local management complete a regular (often annual) return confirming the level of risk assurance that has been achieved in that local area. In the financial services sector, when considering operational risks, the self-certification is known as a ‘risk and control self-assessment’ or RCSA. Whatever the term, this self-certification is often undertaken through the use of a structured survey or questionnaire. Another popular approach for conducting an RCSA is to hold structured, facilitated workshops, where risks and controls are identified and assessed in the local area.

In more risk-mature organisations, key risk indicators may be used to assess the level of compliance with individual areas of risk and control, rather than using a blanket ‘yes or no’ in terms of compliance. This approach ensures that attention can be focused on relevant areas of concern, for example controls that are failing completely in relation to a significant risk. Rather than waiting for an annual review of risks and controls, the information can show more ‘real-time’ concerns, again allowing focused management attention.

Section 6.5.4: Reading Alert
Read pages 414 and 415 of Hopkin and Thompson on control risk self-assessment and the benefits of risk assurance. If you wish to pause now, you can return to this page after you have completed your reading.

6.5.4.2 The audit committee
We considered internal and external reporting in Unit 4, Section 5, which is part of the internal and external assurance provided by an organisation.
We have also considered how risk management, reporting and assurance are aligned with the governance of the organisation through the risk management framework (RASP) and the risk strategy in Unit 2. As such, when providing assurance in an organisation, there needs to be alignment between risk management and governance.

As noted in Section 2, it is a requirement of the UK Corporate Governance Code that organisations should establish an audit committee. Hopkin and Thompson also note that an increasing number of organisations that are not publicly listed have decided that it is appropriate to establish an audit committee. An audit committee generally consists of NEDs, with executive directors in attendance where appropriate. The audit committee is led by a NED, but not the chair of the organisation, and is considered a sub-committee of the board.

The audit committee is considered the guardian of compliance within an organisation, but its terms of reference are wider than that. The Corporate Governance Institute (2022), in their paper on the ‘terms of reference for the audit committee’, note that the audit committee should have oversight of the group as a whole, with their duties including activities involved in:
- Financial reporting.
- Narrative reporting.
- Internal controls and risk management systems.
- Internal audit.
- External audit.

Hopkin and Thompson provide further information on the responsibilities of the audit committee in alignment with the duties noted above.

Section 6.5.5: Reading + Activity Alert
Read pages 407 to 413 of Hopkin and Thompson on audit committees and risk assurance. Also, read Section 4 of the FRC (2018) UK Corporate Governance Code, which considers the role of the audit committee as part of audit, risk and internal control. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you have completed your reading.
The Activity is comprised of one individual question which requires a short sentence or two response. In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

Find out who the members of your organisation’s audit committee are. Why do you think the committee should be independent of the day-to-day business?

Activity 6.5.5 Answer Revealed
Find out who the members of your organisation’s audit committee are. Why do you think the committee should be independent of the day-to-day business?

Independence of the audit function, and of the audit committee of the board, gives the auditors the ability to raise questions about working practices, uninfluenced by the potential difficulties of being actively involved in the process being reviewed. When problems or non-compliance with operating practices are discovered, the audit team can challenge the operational managers in regard to the issues and seek remediation actions. The audit committee is an important conduit of risk assurance to the board, providing information and analysis on the risk and control environment that the board might not be able to access in other ways.

6.5.4.3 Organisational viability
The key reason for implementing risk management and internal control systems, and for ensuring these are operating effectively through the different forms of assurance, is to give confidence to both internal and external stakeholders that the organisation has a viable future. The term used to describe this viable future (usually for the next 12 months) is that an organisation is a ‘going concern’. Accounting standards require companies to adopt the ‘going concern’ basis of accounting unless an organisation decides to, or has no option but to, liquidate or cease trading. Where there are ‘material’ uncertainties that could affect an organisation’s ability to continue as a going concern, these need to be disclosed through the annual or half-year financial reports.
We considered the term material in Section 1 of this Unit, defining a risk or issue as financially material if it has the potential to affect the bottom line, or if, by withholding that piece of information, an investor would not be able to make an informed decision. In addition to the going concern basis of accounting, the UK Corporate Governance Code also requires organisations to state whether they have a reasonable expectation that they will be able to continue in operation and meet their liabilities as they fall due over the period of their assessment. This is called the longer-term viability statement. The period of assessment is expected to be significantly longer than 12 months from the approval of the financial statements, and should take into account a number of factors, such as the nature of the business and its stage of development.

It is also worth noting an additional term regarding materiality at this stage. Double materiality has been developed as financial supervisors and policy makers, including the European Commission, have recognised the importance of disclosing and assessing climate-related financial risks. The double materiality concept considers not just the financial impact of an organisation’s risks and issues, but also the actual and potential impacts of its decisions on people, society and the environment. We will cover the going concern and longer-term viability statement in Unit 9 on organisational resilience, and the concept of double materiality in Unit 8 on sustainability.

Section 6.5.6: Reading
Read Appendices A and B of the FRC (2014) ‘Guidance on risk management, internal controls and related financial and business reporting’ on the going concern basis of accounting and material uncertainties, and the longer-term viability assessment. If you wish to pause now, you can return to this page after you have completed your reading.
6.5.5.1 Internal control and the control environment – Part 1
In Section 4 we considered real controls and how they should take charge of and change or modify a risk. This section looks further at how effective those controls are and how auditing and other risk assurance approaches fit within the risk management framework. This is often referred to as the control environment. A key governance requirement is the reporting to the board of key risk information and risk status indicators, and we will review the part these activities play. We will also examine some key principles in the management of corporate reputation and how good risk management is a vital support to brand and reputation protection.

The developments in corporate governance described in earlier sections brought special focus on building a coherent control environment in organisations. The corporate governance codes have placed the responsibility on directors to ensure there are sound risk management and internal control systems. The FRC (2014) ‘Guidance on risk management, internal control and related financial and business reporting’ notes that an internal control system encompasses the policies, processes, tasks, behaviours and other aspects of a company that, taken together:
- Facilitate its effective and efficient operation by enabling it to assess current and emerging risks, respond appropriately to risks and significant control failures, and safeguard its assets.
- Help to reduce the likelihood and impact of poor judgement in decision-making; risk-taking that exceeds the levels agreed by the board; human error; or control processes being deliberately circumvented.
- Help ensure the quality of internal and external reporting.
- Help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business.

The system will include:
1. Control activities.
2. Information and communications processes.
3. Processes for monitoring the continuing effectiveness of the system of internal control.

6.5.5.2 Internal control and the control environment – Part 2
The system of internal control should:
- Be embedded in the operations of the company and form part of its culture.
- Be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment.
- Include procedures for reporting immediately, to appropriate levels of management, any significant control failings or weaknesses that are identified, together with details of corrective action being undertaken.

The full control environment extends beyond internal controls, just as risks are both internal and external. In Unit 1 we discussed the relevance of the risk and business environment and how this changes over time. It therefore follows that the system of controls in place should be kept under review to ensure it is suitable to deal with the current and foreseeable risk environment. But what do we mean by ‘control environment’? It can be viewed as the whole range and interaction of controls that address risks. Hopkin and Thompson cite three different definitions of internal control in Table 32.1. As noted previously, real controls take charge of and change risks, as highlighted in Figure 6.5.2 – Real controls, which we have already seen in Unit 4.

[Figure 6.5.2 – Real controls. SATARLA – reproduced with permission]

6.5.5.3 Internal control and the control environment – Part 3
It is often the case that more than one activity is in place to manage a risk, for example data collection and guidance, but it is the use of that data and the implementation of the guidance that is needed for the risk to be truly controlled. Taking the example of fraud by employees, the control environment may include the following data collection and guidance:

Data collection:
- Pre-employment screening for references and criminal and personal background.
- Periodic audit of finances and stock checks.

Guidance:
- A policy of legal prosecution against all employees found guilty of fraud (and publication of the prosecution).
- Regular refresher tests for staff.
- Accounting and asset protection measures to prevent fraudulent use, theft or damage. (Note that the audit data collection will also be an input to manage other risks, such as errors or misstatements.)
- Standard operational practice, such as insisting staff take a two-week holiday per year.

Each action is carried out independently, but as long as the data collected is used and the guidance is implemented, they all work as a system towards the same aim of reducing employee fraud. If any of the data is not used or the guidance not followed, then the risk is not controlled effectively, or not controlled at all.

Section 6.5.7: Reading + Activity Alert
Read Section 4 of the FRC (2014) ‘Guidance on risk management, internal control and related financial and business reporting’ on establishing the risk management and internal control systems. Also read pages 387 to 389 of Hopkin and Thompson on the nature and purpose of internal control. Then complete the associated Activity on the next page. If you wish to pause now, you can return to this page after you have completed your reading.

The Activity is comprised of one individual question which requires a short sentence or two response. In a short sentence or two, answer the question. When you have submitted your answer, you can check it against ours.

Consider the control environment in your own organisation and assess how well it meets the above guidance. Are there areas where improvements can be made?

Activity 6.5.7 Answer Revealed
Consider the control environment in your own organisation and assess how well it meets the above guidance. Are there areas where improvements can be made?
Remember that methods of collecting data and providing guidance will only control a risk if they are used and implemented. A control environment is only effective where that is the case. When thinking about the control environment, seek information on the written procedures manuals or work process instructions. Ask what policies and terms of reference exist in your organisation. You may wish to discuss the question with the department that looks after the organisation's insurances – looking at what claims have been made following an insured loss in order to get a feel for the effectiveness of the control environment. This will give an indication of weaknesses in controls – where the data collected is not being used or the guidance implemented. There are often areas in organisations where improvements in processes, cost effectiveness and efficiency are planned – see what areas are under review in your organisation.

6.5.6.1 Criteria of control
Hopkin and Thompson consider the criteria of control framework (CoCo), produced by the Canadian Institute of Chartered Accountants (1995). This is a structured means of measuring the quality of the control environment within an organisation and, as such, is another method of providing assurance on risk management and internal control. Despite the date of issue of this framework in 1995, it is still relevant today in evaluating internal control. The CoCo framework has four components, with 20 underlying principles. The four components of CoCo are:
- Purpose – understanding the purpose of a task.
- Commitment – commitment to perform a task well.
- Capability – support in the implementation of the task.
- Monitoring and learning – monitoring of the task to learn lessons and improve.

Hopkin and Thompson consider the strong interface between risk management and internal control, and how the principles of the CoCo framework link to the LILAC approach to risk culture.
As such, the CoCo framework is used by many organisations to benchmark their risk management approach, to provide assurance on the quality of the control environment, and as a means of evaluating the risk culture of an organisation.

Section 6.5.8: Reading Alert
Read pages 389 to 395 of Hopkin and Thompson, on the control environment and its features and the CoCo framework. If you wish to pause now, you can return to this page after you have completed your reading.