“the new guidance presents a clear explanation of board responsibilities with regards to risk management.”
The Financial Reporting Council (FRC) published revised guidance entitled ‘Risk Management, Internal Control and Related Financial and Business Reporting’ in September 2014. It is referred to by the FRC as the ‘risk guidance’ and should be followed by all companies that are required to comply with the UK Corporate Governance Code. The guidance is effective from 1 October 2014 and reports of compliance with the guidance will be required for reporting periods ending 1 October 2015 and later.
Airmic was involved throughout the consultation and believes that the new guidance presents a clear explanation of board responsibilities with regards to risk management. Although the guidance directly relates to listed companies, the FRC believes that the guidance describes an appropriate approach for all types of companies with regard to risk management and internal control.
The risk guidance states that economic developments and some high-profile failures of risk management in recent years have reminded boards of the need to ensure that the company’s approach to risk has been properly considered in setting strategy. The guidance emphasises that the board’s responsibility for the organisation’s culture is essential to the way in which risk is considered and addressed. The assessment of risks should:
- be part of the normal business planning process
- support better decision-taking
- ensure the board and management respond promptly to risks when they arise
- ensure shareholders and other stakeholders are well informed about the principal risks and prospects of the company.
The guidance replaces the ‘Turnbull Report’ (2005) and states that ultimate responsibility for risk management and internal control rests with the board. The guidance also states that risk management should support better decision-making, rather than inhibit sensible risk-taking, in line with growth strategies and operations.
While risk managers may have day-to-day responsibility for implementation of risk management processes, it is up to the board to ensure that the appropriate systems and policies are in place. The board needs to ensure that understanding of risk is high, that risks are maintained within tolerable levels and that risk mitigation is appropriate.
The UK Corporate Governance Code (2014 edition) sets out the following principles in relation to the accountability provisions of the code:
- Financial and Business Reporting – the board should present a fair, balanced and understandable assessment of the company’s position and prospects
- Risk Management and Internal Control – the board is responsible for determining the nature and extent of the risks it is willing to take in achieving its strategic objectives and should maintain sound risk management and internal control.
In summary, the board has ultimate responsibility for risk management and internal control, including for the determination of the nature and extent of the principal risks it is willing to take to achieve its strategic objectives. It is also responsible for ensuring that an appropriate culture has been embedded throughout the organisation. This commentary outlines some of the factors that boards should consider in relation to the design, implementation, monitoring and review of the risk management and internal control systems. As stated by the FRC, risk management systems and processes cannot eliminate all risks, but it is the role of the board to ensure that they are robust and effective, and take account of such risks.
The FRC guidance lists six board responsibilities for risk management and internal control, and these six responsibilities are used to structure this commentary. These responsibilities are described in more detail in Table 1 in the next section. In summary, they relate to:
- Risk management processes – the design and implementation of appropriate risk management and internal control systems.
- Principal risks and risk appetite – the assessment of the nature and extent of the principal risks and the risks the organisation is willing to take.
- Risk culture and risk assurance – the development of appropriate culture and reward systems that have been embedded throughout the organisation.
- Risk profile and risk mitigation – the means by which the principal risks are managed or mitigated to reduce their likelihood and/or impact.
- Monitoring and review activities – the monitoring and review of risk management systems to ensure they are functioning effectively.
- Risk communication and reporting – the implementation of internal and external information and communication processes.