Risk Management and Internal Controls
What is the role of the board in risk management and internal control?
The board has ultimate responsibility for risk management and internal control, including for the determination of the nature and extent of the principal risks it is willing to take to achieve its strategic objectives and for ensuring that an appropriate culture has been embedded throughout the organisation.
This guidance provides a high-level overview of some of the factors boards should consider in relation to the design, implementation, monitoring and review of the risk management and internal control systems. Such systems cannot eliminate all risks, but it is the role of the board to ensure that they are robust and effective and take account of such risks.
The board has responsibility for an organisation’s overall approach to risk management and internal control. These responsibilities include ensuring the design and implementation of appropriate risk management and internal control systems that identify the risks facing the company, and determining the nature and extent of the principal risks faced and which of those risks the organisation is willing to take in achieving its strategic objectives.
They also include ensuring that an appropriate culture and reward systems have been embedded throughout the organisation, and agreeing how the principal risks should be managed or mitigated to reduce the likelihood of their occurrence or their impact. The board should monitor and review the risk management and internal control systems, and management’s own process of monitoring and reviewing them, and satisfy itself that they are functioning effectively. Finally, the board takes responsibility for external communication on risk management and internal control.
The board’s specific responsibility for determining whether to adopt the going concern basis of accounting, and for the related disclosure of material uncertainties in the financial statements, is a subset of these broader responsibilities. A company that is able to adopt the going concern basis of accounting and has no related material uncertainties to report for the purposes of the financial statements is not necessarily free of risks that would threaten the company’s business model, future performance, solvency or liquidity. The board is responsible for ensuring this distinction is understood internally and communicated externally.
What is the role of management in risk management and internal control?
The role of management is to implement, and take day-to-day responsibility for, board policies on risk management and internal control. The board, however, needs to satisfy itself that management has understood the risks, has implemented and monitored appropriate policies and controls, and is providing the board with timely information so that it can discharge its own responsibilities. In turn, management should ensure that internal responsibilities and accountabilities are clearly established, understood and embedded at all levels within the organisation. Employees should understand their responsibility for behaving in accordance with the desired culture.
How does the board exercise its responsibilities?
The board should establish the tone for risk management and internal control and put in place appropriate systems to enable it to meet its responsibilities effectively. These will depend upon factors such as the size and composition of the board, the scale, diversity and complexity of the company’s operations, and the nature of the principal risks the company faces. In deciding what arrangements are appropriate, the board should consider, amongst other things, the culture it wishes to embed in the company and whether this has been achieved.
As with all aspects of good governance, the effectiveness of risk management and internal control ultimately depends on the individuals responsible for operating the systems that are put in place. To ensure the appropriate culture is in place, it is not sufficient for the board simply to set the desired values. It also needs to ensure that they are communicated by management, to incentivise the desired behaviours and sanction inappropriate behaviour, and to assess whether the desired values and behaviours have become embedded at all levels. This should include consideration of whether the company’s leadership style and management structures, human resource policies and reward systems support or undermine the risk management and internal control systems.
How can the board ensure there is adequate discussion of risk?
The board should agree the frequency and scope of its discussions on strategy, business model and risk; how its assessment of risk is integrated with other matters considered by the board; and how to assess the impact on the company’s risk profile of decisions on changes in strategy, major new projects and other significant commitments. The board needs to ensure that it engages in informed debate and constructive challenge, and keeps the effectiveness of its decision-making processes under review.
The board should also consider the skills, knowledge and experience of the board and of management. It should consider whether it, and any committee or management group to which it delegates activities, has the necessary skills, knowledge, experience, authority and support to assess the risks the company faces and to exercise its responsibilities effectively. Boards should consider specifically assessing this as part of their regular evaluations of their effectiveness.
The board should ensure that the assumptions and models underlying the information it receives are clear, so that they can be understood and, if necessary, challenged. Risks can crystallise quickly, and the board should ensure that there are clear processes for bringing significant issues to its attention more rapidly when required, with agreed triggers for doing so. Finally, the board should monitor the quality of the information it receives and ensure that it is of sufficient quality to allow effective decision-making.
- Chirindo is the Enterprise Risk Management Institute of Zimbabwe (ERMIZ) award winner for Risk Manager of the year 2022.