1. THE ROLE OF THE BOARD IN RISK MANAGEMENT
1.1. The Board of Directors has a Governance responsibility for Risk Management Systems
1.2. Companies should have a structured framework for managing risk, and the Directors should satisfy themselves that this framework is suitable and adequate
1.3. Business risk is any future event or action that might have an impact on the achievement of strategic objectives; it covers both threats and opportunities
1.4. The Corporate Governance Code requires the Audit Committee (or a separate Risk Committee) to review the adequacy of the system of Internal Control and the Risk Management Systems
1.5. A further requirement of the Code is that the Audit Committee should monitor the internal Audit function and review its effectiveness.
If the Company does not have an internal Audit function, the Committee should annually review the need for one.
2. RESPONSIBILITY FOR RISK MANAGEMENT AND INTERNAL CONTROL SYSTEMS
2.1. Risk can be defined as the chance that future events or outcomes or circumstances will differ from what is currently expected
2.2. Risk is usually thought of as the possibility that something will go wrong; however, unexpected events or developments may also create opportunities for growth and for developing a Company’s business
2.3. The Board has ultimate responsibility for Risk Management and Internal Control. It is responsible for deciding the Company’s risk strategy and business model and it should understand and agree the level of risk that goes with this.
2.4. It should oversee Management’s implementation of the strategy and of the operational risk management systems
The Board is also responsible for ensuring that an appropriate “Risk Culture” is embedded within the Company and the people working for it
2.5. Management has the responsibility for developing and implementing the Company’s strategic and routine operational risk management systems within the strategy set by the Board and subject to Board oversight
3. THE CORPORATE GOVERNANCE CODE
3.1. The Corporate Governance Code states that Boards should establish procedures to manage Risk, oversee the internal control framework, and determine the nature and extent of the principal risks the Company is willing to take in order to achieve its long-term objectives
3.2. The Governance Code specifies responsibilities for both the Audit Committee and the Board with regard to risk management and internal control
3.3. The Audit Committee’s responsibilities should include:
3.3.1. Reviewing the Company’s internal financial controls and internal control and risk management systems
3.3.2. Monitoring and reviewing the effectiveness of the Company’s internal Audit function
3.3.3. Where there is no internal audit function, considering each year whether there is a need for one and making a recommendation to the Board
3.4. The Board may delegate to a separate Risk Committee the responsibility for reviewing the Company’s internal financial controls and internal control and risk management systems
4. THE BOARD’S RESPONSIBILITIES WITH REGARDS TO INTERNAL CONTROL AND RISK MANAGEMENT ARE TO:
4.1. Carry out an assessment of the Company’s emerging and principal risks
4.2. Confirm in the annual report that it has made these assessments, and describe the principal risks and the procedures that are in place to identify emerging risks
4.3. Monitor the Company’s risk management and internal control systems
4.4. Annually carry out a review of the Company’s risk management and internal control systems
4.5. Ensure the review covers all material controls, including financial, operational and compliance controls
4.6. Report on the review in the Annual Report
5. STRATEGIC RISK
5.1. Business risk is normally classified into two broad types:
STRATEGIC RISK
OPERATING RISK
5.2. Strategic risks are risks associated with the Business Strategies that the Company pursues
Operating risks are risks that arise in the Company’s systems, processes and procedures
5.3. The Board of Directors should consider risk when it makes strategic decisions. It should choose strategies that are expected to be profitable but that keep the strategic risk at a level it considers acceptable
5.4. When reviewing strategic risk, it is useful to consider the following categories of strategic risk:
POLITICAL
ECONOMIC
SOCIAL
TECHNOLOGY
ENVIRONMENTAL
LEGAL
FIDUCIARY DUTIES
STOCK EXCHANGE REQUIREMENTS
EVOLVING BEST PRACTICE
6. CYBER RISKS
6.1. It is often challenging for even the most tech-astute business leaders to keep up with the scope and pace of developments relating to big data, cloud computing, IT implementations, cyber risk and so on
6.2. These developments carry a complex set of risks; the most serious among them can compromise sensitive information and significantly disrupt business processes
6.3. The pervasiveness of cyber risk has significantly increased concerns about financial information, internal controls and a wide variety of other risks, including the reputational risk that can result from a cyber incident
6.4. Oversight of a successful cyber risk management programme requires proactive engagement and is often the responsibility of the full Board. A level of oversight may sometimes be delegated to a Risk Committee and/or the Audit Committee
6.5. Where the Audit Committee holds some responsibility for cyber risk management, the committee should obtain a clear understanding of the areas it is expected to oversee. In some companies the Audit Committee, in its capacity of overseeing financial risk and monitoring policies and procedures, may be asked to play a strategic role in monitoring management’s response to cyber threats
Audit Committees may also take the lead in monitoring cyber trends and threats to the company
7. RISK OVERSIGHT QUESTIONS TO CONSIDER
7.1. Has the risk governance structure been defined?
7.2. How do the various committees oversee risks?
7.3. Does the board consider the relationship between strategy and risk?
7.4. Does management provide the Board with the information needed to oversee risk management effectively?
7.5. What are the Company’s policies and processes for managing the major financial risks and exposures the Company could face?
7.6. Has management assigned ownership for each risk factor that has been identified?
7.7. How might the Company’s incentive programmes encourage an inappropriate focus on short-term financial gains, and are the Company’s Audit Committee and Board aligned on such risks?
7.8. Are there early warning mechanisms in place to monitor emerging financial risk and how effective are they?
7.9. What is the role of technology in the risk management programme and when was it last evaluated?
7.10. Is cyber risk receiving adequate time and focus on the Audit Committee agenda?